How someone tried to phish me



A couple of weeks ago I received an email that looked like this.



This email went straight to my spam folder which I check occasionally to make sure I don't miss anything important. This particular email appeared to have come from one of my relatives. Let's see what's inside the email.



I have obfuscated the actual email address because it is the first and last name of a relative. So the email came from someone[at]kkfi[.]org. I don't recognize that domain, but a quick lookup tells me it belongs to a radio station.




Checking the hyperlink in the email body, I found that only one Antivirus vendor has the link categorized as phishing. But one bad verdict was enough for me to not visit the link. You can see the verdict here.



So why did someone at a radio station try to phish me? Well, actually it's likely that it wasn't an individual at the radio station but someone else who abused their domain and/or mail server.

Let's dig some more. This requires viewing the actual email. That's right, what you're reading in your inbox is (generally) a prettified version with all the technical mumbo-jumbo hidden from your sight.



Let's try to make sense of what happened. The way to read email headers is from the bottom up since each mail server that touches an email pre-pends headers to the message.


The first line tells us someone connected to KKFI's mail server from somewhere in Thailand.




The second line indicates that the email possibly originated from an iPhone - however we can't be absolutely certain this is the case.


The last two lines indicate the sender may have been authenticated as rebecca[at]kkfi[.]org. Again, we don't know for sure because these lines could have been made up.


It's possible that this spammer hijacked an account at that radio station and used it to send the email, but the other possibility is that the email was spoofed. Spoofing is forging the sender's address. Read more about spoofing here. What we do know for certain is that when Gmail received the email, it checked for an SPF record for kkfi.org and found nothing, so that's why the SPF check resulted in neutral.

SPF is a framework which fights spam by allowing companies to specify where mail from their domain should be originating from. It essentially disallows people from spoofing your domain in an email. Below is the SPF record for Gmail.


This record will cause the mail server to look up records that will eventually lead it to a list of IP addresses that Gmail emails will originate from. Read up on SPF here.

Had KKFI implemented its own SPF record, this email would never have reached my inbox if the email was in fact spoofed.

Phishing - what and why?

Phishing is a form of deception that requires anywhere from a little bit of creativity to troves of information about your target. Because many people check email with their brains in neutral, phishing is often easy to perform, however some individuals are keen on spotting phishing emails and are very hard to trick. If you are creative enough, you can eventually trick anyone.

The "why?" really is a good question... It's my personal opinion that people like tricking others for personal gain, and I think many security professionals would agree with that statement. Opinions aside, there are people in the thriving business of cyber crime whose job it is to steal money from unwitting people or acquire additional computers and devices for use in a botnet.

Note that a phishing email is not the same as a spam email. Gmail has two distinct buttons that you can use to report an email as a phishing email or a spam email.


Spam emails do not attempt to gather sensitive information from you or infect your computer, but phishing emails do.


Steps to take

When it comes to email, there are several things to remember in order to avoid being taken advantage of.
  • Hyperlinks - don't click them if you don't know where they will take you
  • Attachments - don't open them if you don't know where they came from
  • Responses - don't respond to an email with personal sensitive information; email cannot be considered confidential!
For both hyperlinks and attachments, a free service called VirusTotal exists that can check them for you, but it requires an extra step on your part. You can upload the file you received and copy/paste hyperlinks into the search to see if anyone has reported it before.  Another good service called PhishTank is a place where you can submit or search for phishing hyperlinks.

Comments

Post a Comment

Popular posts from this blog

Cloud Services - Friend or Foe?

Image
The question has arisen many times in my profession, and my friends and family have even asked me:  "Is it safe to store this information in the cloud?"  To answer this question, we need to understand what the cloud is. Then we need to determine what kind of information you intend to store, and how important it is that the information remain private. The "cloud" - what does this nebulous term mean? Understanding the cloud Let's make sure we understand what the cloud is not . You're reading this article on a device such as a smartphone, personal computer, or tablet. Your device is not part of the cloud, but it is a client of a server that is part of the cloud. A word on client vs server Suppose you go to your neighbor's house and knock on the door, but no one answers. Your neighbor wasn't expecting anyone, and they don't let strangers in. On the other hand if you visit a restaurant, usually a host or hostess will greet you and
Read more

Google's "Smart Lock" and Android Autofill

Image
Have you ever heard of Google's " Smart Lock "? When I first discovered Smart Lock, it was just a feature of Android that allowed your device to remain unlocked as long as certain conditions were met - such as being at a specific location (say, at home), the front camera recognizing your face (you mean "Face ID" has been around for a long time? yes, and it never worked well and still doesn't work well, even on iPhone), your phone being on your body, or connected to a trusted device. Recently Google has added another piece of functionality to Smart Lock called Smart Lock for Passwords. I first noticed this inside the Netflix application probably one or two years ago when I was offered to automatically sign in because my login info at the time was saved in my Google Chrome password manager, but no other apps that I used regularly seemed to have this new functionality. Looking at the developer page for this feature, it makes sense as to why since it ap
Read more