I recently received two emails, sent to two different addresses and both from different senders.
The first email was allegedly from Apple and was sent to my work account.
The second email was allegedly from the Bank of Montreal (BMO) and was sent to my personal account.
Both were unsolicited and were asking me to click on links contained in the body of the email.
At this point, most readers are probably getting a distinct whiff of phish.
Let me tell you why, for one email, that wasn’t the case and how we need to re-think some of our advice.
It doesn’t take an ichthyologist
By now, we are all aware of the damage that a phishing campaign can have on an organization.
And for a very long time, we’ve been telling everyone who ever goes near an email client to:
- beware of unsolicited email;
- never click on links;
- and never open attachments.
Sage advice it would seem – but is it still correct?
As IT professionals we are constantly fighting a battle on at least three fronts.
The first is the cyber crooks who doggedly attack us on a daily basis.
The second is our users who may unwittingly manage to undermine the security systems we’ve put in place to protect them and their data.
And the third is company management who don’t necessarily understand the magnitude of the threat of phishing and its impact on the business, and who therefore don’t provide the budget needed to combat it.
I’ll start by addressing the first two.
By some accounts, spam has been on the decline. However, we still see an enormous number of spam emails every year, and spam still accounts for the largest percentage of all email sent.
As long as we continue to use email, spammers will continue to send spam.
So let’s have a closer look at the two emails in question.
I’ll start with the one from the Bank of Montreal:
At first glance the header looks OK. It was sent from firstname.lastname@example.org which seems plausible enough, but a closer look at the source tells a different story.
What we see here is that the reply-to email address has been set to email@example.com which is what gets displayed in the email client.
This particular receiving mail server also does a Sender Policy Framework (SPF) check.
In short, SPF validates whether the message is being sent from a host that is authorized to send mail for that domain. In this particular instance we get the following SPF message:
domain of transitioning firstname.lastname@example.org does not designate 184.108.40.206 as permitted sender
So it would appear that our SPF check failed and that the IP – 220.127.116.11 – which happens to be a web hosting company registered in Germany, is not an approved sender.
What about the body?
Here’s where most casual observers might ascertain that this message was not legitimate.
I’ve picked out a few pieces that contribute to our level of suspicion:
The email is not addressed to anyone. Usually, even with bulk emails, your name or a more specific title is used here.
If you are the rightful holder of the account you must verify your BMO account!
This is the call to action. Most phishing campaigns include one. It’s meant to add a sense of urgency to the message and compel you to do something.
If you receive this email and you are not the rightful holder of the account please be informed that BMO works with the International Police and any illegal acts will be punished according with the law!
The threat. Another common tool to make sure you make you think that a) this is legitimate; b) the sender has the law on their side; and c) they will use said law enforcement affiliations, should you be up to something dodgy.
They’re the crook, not us.
Simply hovering over the link shows that your browser would actually be going to: http://dues[.]lojavirtualdoacrilico[.]com[.]br.
Odd that a server in Germany is sending emails on behalf of a Canadian bank with web servers in Brazil. Blame it on globalization, I guess.
If you choose to ignore our request, your account will remain disabled until you verify your information.
Another threat. This time they’re effectively telling you that you will not have access to your bank account should you not act on the above. For anyone who relies on online banking exclusively, this should do the trick.
Finally, if we look at BMO’s website, we find this statement:
BMO will never request personal or financial information through unsolicited emails. For further assistance, contact our Customer Service Centre by calling the phone numbers on the back of your credit/debit card or published on bmo.com or harrisbank.com.
The dead giveaway, of course, is that I’m not a customer of BMO.
To give credit where credit is due, for an email allegedly coming from a Canadian institution, they did spell ‘centre’ correctly.
At any rate, that was a pretty easy one. Let’s look at the one from Apple now.
It does take a critical eye
In my email client, the sender address appears as Apple "News@InsideApple.Apple.com". This was the first red flag. Besides not expecting this email, something about the sub-domain.domain.tld format didn’t feel right.
As with the previous email, let’s look at the body for some clues.
Dear iTunes account owner,
A little better than the last time. At least now it’s more specific to the subject at hand.
Apple is committed to providing parents and kids with a great experience on the App Store.
“We’re here to help”. With this and the following few sentences, they’re trying to establish a rapport and trust with the reader. They want you to know they have you and your children’s best interests in mind.
Our records show that you made some in-app purchases, and if any of these were unauthorized purchases by a minor, you might be eligible for a refund from Apple.
Now we’re talkin’! There’s a potential for a cash ‘reward’ if we comply with the requests.
Please follow the steps below to submit a refund request:
This is the section where they start introducing links. This email has four of them so there’s no shortage of trouble to be gotten into.
All refund requests must be submitted no later than April 15, 2015.
A deadline! Again, nothing screams “act now!” like a deadline.
In true Apple style, the email’s look and feel is clean and crisp. The only image being the Apple logo above the text and some legalese and supporting links at the bottom.
So was this a phish?
A closer look at the source reveals the following:
As we can see, this particular sender has included a DomainKeys Identified Mail (DKIM) signature.
DKIM digitally signs emails for a given domain and establishes authenticity.
A quick search with your favourite search engine also reveals that the email address News@InsideApple.Apple.com is legitimate. Although you do have to wade through quite a bit of opposite opinion.
Nobody said security was easy!
The links all lead to where they promise and, more importantly, those are all Apple servers.
It appears that this particular email was sent in response to the class action lawsuit levied against Apple for in-app purchases made by minors.
For good measure, I also checked with SophosLabs and they agreed that the message was legitimate.
Our weakest link?
We often hear sysadmins bemoaning the fact that users are the bane of secure computing and we would all be better without them.
Where I think we go wrong is that we’ve put too much pressure on the users to always get it right.
Users are not only here to stay but they are also – contrary to what some sysadmins may think – on the front line of the fight against cyber crooks.
It’s easy to get fooled.
I’ll admit that when I first saw the email from Apple land in my inbox – not my spam folder since it was correctly identified by Sophos Email Gateway as legitimate – I quickly scanned it and clicked on the first link.
Half a second later I realized what I had done and quickly shut down the browser tab before the page had a chance to load fully. And I’m a so-called ‘security expert’.
That’s when I took the time to look at the email in greater depth and came up with the idea for this post.
Users don’t have to be the weakest link. With the right education, empowerment and motivation, they can be the proverbial canary in a coal mine.
They can become a most valuable asset.
We know that cyber crooks will continue to bombard us with endless threats, including spam. Luckily there are technologies available to help minimize that problem.
We also have users that are hyper-aware of the dangers lurking in their inbox, but outbreaks and breaches still happen.
Let’s look at the usual advice – is it still relevant?
“Beware of unsolicited emails”
Always worth keeping in mind but, as we’ve seen, not every unsolicited email is dodgy.
Email is convenient, cheap and ubiquitous. There’s no reason we shouldn’t be using it in the method demonstrated by Apple.
So, teach your users to beware of unsolicited mail but also teach them to recognize the overt signs of a scam email – i.e. poor spelling and grammar, suspicious senders, uncommon requests, terrible formatting, bogus links, among others.
Apple and other sites also send me an email each time someone tries to reset my password. You want to know if this happens and if I were to receive a raft of them all at once from different services, I might conclude that something wasn’t quite right with my online accounts.
Unsolicited emails such as these are not unwelcome.
We should still be careful but let judgement based on knowledge guide us.
“Never click on links”
Still a great piece of advice. But what about the Apple email seen above?
There’s also the valid use of email to remotely deploy things like mobile device management profiles or endpoint protection agents.
Typically when I receive an email asking me to click on a link, I open a browser tab and go to the site myself.
Another great tip from Naked Security’s Chester Wisniewski is to bookmark those sites that are particularly vulnerable to phishing attacks (e.g. banking sites).
Hover over the link, if it matches the text on the screen, go to your browser and access the site independently of the email.
If the link is too long because it contains some base-64 encoded string as a unique identifier, a little bit of careful research will let you know if it’s safe or not.
Even so, most of the time you can simply log into the site in question and resolve the issue that prompted the email.
“Never open attachments”
This is also good advice but is sometimes tough to follow.
Obviously this is again where judgement comes in. If you’re at work and it was sent internally by someone you know, it’s most likely safe. But it’s still a good idea to scan email internally.
If you’re at home, things get a little murkier. People you know will send you all kinds of attachments and it can be difficult to discern the genuine from the malicious.
For example, I have a few relatives who can’t help but send e-cards for any and all occasions. This is where a bit of human heuristics comes in handy.
There’s also the proliferation of electronic statements, many of which include the statement as an attachment, if not a link. While going green is a great and noble idea, it contrasts with our advice.
So what are we to do?
In the corporate world this problem can largely be solved by making sure your email security gateway does not allow malicious or suspicious attachments into the organization.
Much like the Sophos Email Gateway, it should strip executables by default.
You can also rely on your web gateway to back you up should you make a poor decision.
Home users can also take advantage of such technologies. Most popular webmail services go to great lengths to ensure that spam (including dodgy link detection) and malicious attachments are not delivered to your inbox.
If you want to take matters into your own hands, you could also run your own gateway protection such as the free Sophos UTM Home Edition.
A competent AV solution with proactive defence and a host-based firewall will round out your protection.
In the security community we often decry the use of email for anything but direct, text-based communication. The fact is that the world is a much richer place and so is email communication today.
We should still be able to enjoy all of the features that modern electronic mail can bring us without an ever-present and crippling fear of TEOTWAWKI.
If you didn’t order the airline ticket, aren’t expecting a shipment, didn’t sign up for e-statements or aren’t a member of that social media site, it’s probably a scam.
Finally, IT people, make certain your users know that it’s OK to come to you when they suspect something’s wrong or when they know they messed up.
Better you find out about a problem now rather than after your customer database ends up on Pastebin.
Armed with some technology options and a user education program, go get that budget from your CIO!