Festive season security myth: "If there are no links in an email, it can't be a phish."

Filed Under: Featured, Phishing, Security threats

Technological defences can help a lot in protecting you from phishing and fraud.

We're sure you're familiar with many of them: prompt patching, anti-virus scanners with regular updates, spam blockers, web filters, firewalls, and so on.

But you'll also have heard us urging you not to use technology as a replacement for your own caution, intuition, perspicacity, street smarts, call it what you will.

In particular, if the computer fails to say, "Don't do it," that's not an automatic invitation for you to say, "She'll be right."

Sometimes, she won't be right, and the crooks will have enticed you into a final step you come to regret.

Keeping street smart online

That's why we urge you to think before you click on links in unsolicited emails, especially if they are urging you to use the link to sign in to an online service.

That's to protect you from phishing, where cybercriminals take to you a login screen that looks like the real deal but isn't, causing you to give away your username and password to an imposter website.

We also urge you to be cautious of email attachments, especially if you weren't expecting them.

That's to protect you from booby-traps, where cybercriminals feed you a crafty file such as a document or image that is deliberately rigged up to crash your browser (or PDF reader, or multimedia player, or whatever) and sneakily infect you with malware.

So far, so good.

But what if you do open an innocent-sounding attachment, and everything seems OK - no exploit, no booby-trap, no drive-by malware install?

You didn't click on any links in the original email, so perhaps you think that you're past the stage of being phished, and are ready to let your guard down?

Don't do that, not least because documents such as PDF files can contain clickable links, just like the HTML in an email or on a web page.

And if the email contains the attachment, and the attachment contains the link, then the rules of transitivity apply.

You may remember that from school - it sounds fancy but it isn't: for example, if A is bigger than B, and B is bigger than C, then A is bigger than C.

In other words, if you click on a link in an attachment, and the attachment came in an email, you are effectively clicking a link in the email.

It's easy to lose track of that fact, not least because when you launch an attachment, it usually opens in an application like Adobe Reader or Microsoft Word, not in your browser - giving you the feeling that you have left email and its related risks behind.

Link-free phishing emails

The crooks are aware of this cognitive disconnect, and here's a perfect example that Savio Lau and his fellow threat researchers in SophosLabs Vancouver just spotted.

You receive an unsolicited email that's supposed to be from a real estate company:

It's not exactly the most believable invitation in the world.

(Reputable real estate agents wouldn't make so many errors of grammar and formatting in such a short message. They probably wouldn't say, "Hi." And if they worked for RE/MAX in a managerial role, they'd know how to write the company's name properly.)

But it contains no links, which seems like a good sign - if phishing needs links, then surely no links means no phishing?

Also, the attachment isn't booby-trapped, and it contains real data, plus the ripped-off logo of a genuine real estate company:

Again, it's not the most believable document, not least because you just vaulted from one realtor to another.

But by simple cutting and pasting from a genuine web page into a Word document, followed by printing out that document as a PDF, the crooks have moved their clickable links out of the original email, and into a file that opens neither in your browser, nor in your email client.

Better yet for the crooks, it all works equally well on Windows, Mac, Linux and even mobile devices.

If you click on one of the links in the PDF, you supposedly return to the real estate website, but you are asked to login first:

You really shouldn't fall for this, not least because Windows Live and the Hotmail brand were consigned to the scrapheap of history nearly nine months ago - you won't have seen them anywhere official recently.

On the other hand, the idea of a site such as a real estate company piggy-backing its login process on an existing service provider - Facebook and Twitter are very popular for this - is surprisingly common these days.

And some PDF readers (Preview on OS X, for example), don't make it easy to see where a clickable link is going to take you, a precaution you are probably used to in your browser.

Of course, if you do fall for the login dialog, you're not just giving away your credentials to the crooks.

You're revealing them to anyone sniffing the network between your PC and the server, because the crooks aren't using HTTPS:

(Incidentally, in the fake login window above, clicking [Close] and [Sign in] have exactly the same effect: whatever is in the input boxes is sent unencrypted to the crooks.)

What to do

Technology would probably have saved you up front: a decent email filter or endpoint anti-virus would block the email or its attachment before you opened it, and a decent web filter would stop you clicking through from the PDF itself.

But the street smart advice we mentioned at the start would save you too:

  • Think before you click on links in unsolicited emails.
  • Be cautious of email attachments, especially if you weren't expecting them.

And if you're the go-to guy for IT amongst your friends and family, keep on reminding them this holiday season, won't you?

Note. Sophos products detect and block the bogus attachment shown above as Troj/Phish-DC.

Image of topiary chain courtesy of Shutterstock.

, , , ,

You might like

10 Responses to Festive season security myth: "If there are no links in an email, it can't be a phish."

  1. Suzanne · 673 days ago

    So here's a question: In Mozilla Thunderbird, I have my inbox set so that I can see the body of an email as soon as I click the subject line. I NEVER click on attachments unless I know the sender and am expecting it. If I don't click on any links within the body of the email, am I at risk for the kind of phishing you're talking about?

    • Paul Ducklin · 673 days ago

      In this case, the crooks get your username and password only if you:

      1. Read the email.

      2. Open the PDF attachment.

      3. Click one of the malicious links in the attachment.

      4. Click on one of the email icons on the phishing web page.

      5. Click [Close] or [Sign in].

      You can't click on a link in the email body in this case, because there isn't one.

      Your precaution of not opening attachments unless you know the sender *and* are expecting something would therefore protect you well - the attack would fail at step 2.

      • beth herzhaft (@herzco) · 672 days ago

        But Paul, I think she is saying that once she clicks on the *title* of the email, that the email displays.... I have the same exact thing in that I use mac mail. Once I click on the subject, the email opens (not attachments) but the email is there is all its glory.

        If you click on a subject in mac mail and the email is visible, but attachments are not clicked, is this OK? That is the only option for readingmac mail.

        And no way to remove an unread email, unless you were to click on the emails on *either side of it* in the subject pane (so you have to remove emails you might want if you want to quarantine a suspicious one)

        • Paul Ducklin · 672 days ago

          In this case, if you don't click on the attachment, there is no harm done.

          If you do open the attachment but you realise it's bogus and exit without clicking any of the links in it, there is no harm done.

        • 4caster · 671 days ago

          As I understand it, if an email displays (even in part) when you highlight the title, you are viewing it directly from your ISP server. The sender's server records the email as having been viewed, thus confirming that your address is a real one. You can prevent this, causing the email to be returned to the sender as undeliverable.
          In Mac Mail, go to Preferences>Viewing and check the box "Use Classic Layout". Then drag the horizontal separator (between the list of emails and the one that's displayed) to the bottom of the window.

  2. Bovlk · 672 days ago

    I applied the transitiveness rules even before reading the post (link in an attachment is effectively the same as a link in the email). So I wondered all the time if the post is to reveal a new kind of exploits or weakness that can let the crooks get my details even by viewing plain text email. For example, I received an email about two days ago with subject "Thank you" and the entire contents being "Thomas", sent from an email address I have never seen before by someone whose name is very common (e.g. John Smith) and sent to the generic info@mydomain.root address instead of myname@mydomain.root. I wonder what was the goal of the email or if any attachments/links were removed by server-side sw.

    • Paul Ducklin · 672 days ago

      I regularly get empty spams, or spams with a salution, such as "Hello," but no further content.

      Could just be that the sending spambot crashed/broke/has a bug, I suppose.

      If you're sending 10,000,000 copies of a spam, you probably don't worry about the "corner cases" that cause 1000 of the recipients to get a garbled message.

  3. MikeP_UK · 672 days ago

    Good item, well worth re-iterating over and over.

    But also worth pointing out that there are still a great many people who still use a @hotmail address, with either a .com or a .uk or some other suffix. These are people who see no benefit in transferring to an @outlook.com address and have to waste time telling everyone and changing their stationery, etc. The issue, as rightly pointed out in the item, is the use of the 'Hotmail' epithet in the dialogue.

  4. Anonymous · 618 days ago

    After being hit with a crash virus when accidentally not recognizing the fake Window Virus Warning, I'm super cautious. I think the best advice I ever received from an IT, nothing good can come from an unsolicited email. Problem is during shopping season you lose track of who you sign up with, I use a password tracking program to help me remember, so I wouldn't open where I did not enroll, placing email address into Window Rules that permanently deletes & I never see it again. Once a friends email was hijacked, but when I went to reply I noticed the address was very different. I've done this with an unsolicited email from companies I recognize & it also worked to help determine if legitimate.

  5. Vern Mastel · 329 days ago

    What about Email where the body is all HTML.... What prevents some goofball from embedding malicious JavaScript that executes when the Email is opened/viewed?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog