I recently received two emails, sent to two different addresses and both from different senders.
The first email was allegedly from Apple and was sent to my work account.
The second email was allegedly from the Bank of Montreal (BMO) and was sent to my personal account.
Both were unsolicited and were asking me to click on links contained in the body of the email.
At this point, most readers are probably getting a distinct whiff of phish.
Let me tell you why, for one email, that wasn’t the case and how we need to re-think some of our advice.
It doesn’t take an ichthyologist
By now, we are all aware of the damage that a phishing campaign can have on an organization.
And for a very long time, we’ve been telling everyone who ever goes near an email client to:
- beware of unsolicited email;
- never click on links;
- and never open attachments.
Sage advice it would seem – but is it still correct?
As IT professionals we are constantly fighting a battle on at least three fronts.
The first is the cyber crooks who doggedly attack us on a daily basis.
The second is our users who may unwittingly manage to undermine the security systems we’ve put in place to protect them and their data.
And the third is company management who don’t necessarily understand the magnitude of the threat of phishing and its impact on the business, and who therefore don’t provide the budget needed to combat it.
I’ll start by addressing the first two.
By some accounts, spam has been on the decline. However, we still see an enormous number of spam emails every year, and spam still accounts for the largest percentage of all email sent.
As long as we continue to use email, spammers will continue to send spam.
So let’s have a closer look at the two emails in question.
I’ll start with the one from the Bank of Montreal:
At first glance the header looks OK. It was sent from secure@bmo.com which seems plausible enough, but a closer look at the source tells a different story.
What we see here is that the reply-to email address has been set to secure@bmo.com which is what gets displayed in the email client.
This particular receiving mail server also does a Sender Policy Framework (SPF) check.
In short, SPF validates whether the message is being sent from a host that is authorized to send mail for that domain. In this particular instance we get the following SPF message:
domain of transitioning secure@bmo.com does not designate 5.9.149.249 as permitted sender
So it would appear that our SPF check failed and that the IP – 5.9.149.249 – which happens to belong to a web hosting company registered in Germany, is not an approved sender.
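As an added example (not the article's code), here is a minimal SPF evaluator in the spirit of that check: it walks an SPF record's mechanisms for a given sending IP and renders the verdict in the wording quoted above. The bank.example and mailer.example records are constructed placeholders standing in for DNS, and the "transitioning" phrasing above is how a ~all softfail appears in that format.

```python
"""Minimal SPF (RFC 7208) evaluator: ip4, ip6, all and include mechanisms.

Added example, not the article's code.  DNS is replaced by a constructed
in-memory zone so it runs offline; bank.example and mailer.example are
placeholders, not BMO's real records.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups.
ZONE = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example ~all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

# Qualifier prefix -> result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, zone=ZONE, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = zone.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:  # an IPv4 address never falls inside an ip6 network
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only when the referenced record yields "pass".
            matched = check_spf(ip, arg, zone, depth + 1) == "pass"
        else:
            return "permerror"  # a/mx/ptr/exists need real DNS; not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def describe(ip, mail_from, zone=ZONE):
    """Render the verdict in the wording of the Received-SPF line quoted above."""
    result = check_spf(ip, mail_from.rpartition("@")[2], zone)
    if result == "pass":
        return f"pass (domain of {mail_from} designates {ip} as permitted sender)"
    if result == "softfail":  # "transitioning" is how a ~all softfail is worded
        return (f"softfail (domain of transitioning {mail_from} "
                f"does not designate {ip} as permitted sender)")
    if result == "fail":
        return f"fail (domain of {mail_from} does not designate {ip} as permitted sender)"
    return f"{result} ({mail_from} from {ip})"


if __name__ == "__main__":
    print(describe("5.9.149.249", "secure@bank.example"))  # the article's IP -> softfail
    print(describe("198.51.100.10", "secure@bank.example"))  # authorised via include -> pass
```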
What about the body?
Here’s where most casual observers might ascertain that this message was not legitimate.
I’ve picked out a few pieces that contribute to our level of suspicion:
Hello,
The email is not addressed to anyone. Usually, even with bulk emails, your name or a more specific title is used here.
If you are the rightful holder of the account you must verify your BMO account!
This is the call to action. Most phishing campaigns include one. It’s meant to add a sense of urgency to the message and compel you to do something.
If you receive this email and you are not the rightful holder of the account please be informed that BMO works with the International Police and any illegal acts will be punished according with the law!
The threat. Another common tool to make you think that a) this is legitimate; b) the sender has the law on their side; and c) they will use said law enforcement affiliations, should you be up to something dodgy.
They’re the crook, not us.
https://www1.bmo.com/onlinebanking/cgi-bin/netbnx/NBmain?refererident=verify
Simply hovering over the link shows that your browser would actually be going to: http://dues[.]lojavirtualdoacrilico[.]com[.]br.
Odd that a server in Germany is sending emails on behalf of a Canadian bank with web servers in Brazil. Blame it on globalization, I guess.
If you choose to ignore our request, your account will remain disabled until you verify your information.
Another threat. This time they’re effectively telling you that you will not have access to your bank account should you not act on the above. For anyone who relies on online banking exclusively, this should do the trick.
Finally, if we look at BMO’s website, we find this statement:
BMO will never request personal or financial information through unsolicited emails. For further assistance, contact our Customer Service Centre by calling the phone numbers on the back of your credit/debit card or published on bmo.com or harrisbank.com.
The dead giveaway, of course, is that I’m not a customer of BMO.
Conclusion: Phish.
To give credit where credit is due, for an email allegedly coming from a Canadian institution, they did spell ‘centre’ correctly.
At any rate, that was a pretty easy one. Let’s look at the one from Apple now.
It does take a critical eye
The email:
In my email client, the sender address appears as Apple "News@InsideApple.Apple.com". This was the first red flag. Besides not expecting this email, something about the sub-domain.domain.tld format didn’t feel right.
As with the previous email, let’s look at the body for some clues.
Dear iTunes account owner,
A little better than the last time. At least now it’s more specific to the subject at hand.
Apple is committed to providing parents and kids with a great experience on the App Store.
“We’re here to help”. With this and the following few sentences, they’re trying to establish a rapport and trust with the reader. They want you to know they have you and your children’s best interests in mind.
Our records show that you made some in-app purchases, and if any of these were unauthorized purchases by a minor, you might be eligible for a refund from Apple.
Now we’re talkin’! There’s a potential for a cash ‘reward’ if we comply with the requests.
Please follow the steps below to submit a refund request:
This is the section where they start introducing links. This email has four of them so there’s no shortage of trouble to be gotten into.
All refund requests must be submitted no later than April 15, 2015.
A deadline! Again, nothing screams “act now!” like a deadline.
In true Apple style, the email’s look and feel is clean and crisp: the only image is the Apple logo above the text, with some legalese and supporting links at the bottom.
So was this a phish?
A closer look at the source reveals the following:
As we can see, this particular sender has included a DomainKeys Identified Mail (DKIM) signature.
DKIM digitally signs emails for a given domain and establishes authenticity.
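To show which part of that can be checked offline, here is an added example (not the article's or Sophos's code) that parses the DKIM-Signature tags and recomputes the bh= body hash with the RFC 6376 canonicalizations. The message it builds is constructed: the selector s=demo is invented and b= is left as a placeholder, since checking the signature itself needs the signer's public key from DNS.

```python
"""Check a DKIM-Signature body hash (bh=) without any network access.

Added example, not the article's or Sophos's code.  Verifying b= needs the
signer's public key from DNS; the bh= check needs nothing external and
already shows whether the body you received is the body the signer hashed.
"""
import base64
import hashlib
import re
from email import message_from_string

def parse_tags(header_value):
    """Split 'k=v; k2=v2' into a dict, dropping folding whitespace in values."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def canonical_body(body, mode="relaxed"):
    """RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":  # collapse WSP runs to one space, strip trailing WSP
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":  # both modes drop trailing empty lines
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines)
    if mode == "simple" and not canon:
        canon = "\r\n"  # simple: an empty body hashes as a single CRLF
    return canon

def body_hash(body, mode="relaxed", algorithm="sha256"):
    digest = hashlib.new(algorithm, canonical_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()

def verify_body_hash(raw_message):
    """True/False if bh= matches the body; None when the message is unsigned."""
    msg = message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    tags = parse_tags(sig)
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]  # sha256 or sha1
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) == 2 else "simple"  # "c=relaxed" alone: simple body
    return body_hash(msg.get_payload(), body_mode, algorithm) == tags.get("bh")

BODY = "Dear iTunes account owner,\n\nPlease follow the steps below to submit a refund request.\n"

def build_sample(body):
    """Constructed message: bh= is computed here; b= is a placeholder and s=demo is invented."""
    return (
        "From: Apple <News@InsideApple.Apple.com>\n"
        "Subject: Refund eligibility\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=InsideApple.Apple.com;\n"
        "\ts=demo; h=from:subject; bh=" + body_hash(body) + ";\n"
        "\tb=PLACEHOLDER_NOT_A_REAL_SIGNATURE\n"
        "\n" + body
    )

if __name__ == "__main__":
    print(verify_body_hash(build_sample(BODY)))  # True: body intact
    tampered = build_sample(BODY).replace("submit a refund request", "verify your account")
    print(verify_body_hash(tampered))  # False: body altered after signing
```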
A quick search with your favourite search engine also reveals that the email address News@InsideApple.Apple.com is legitimate. Although you do have to wade through quite a bit of opposite opinion.
Nobody said security was easy!
The links all lead to where they promise and, more importantly, those are all Apple servers.
It appears that this particular email was sent in response to the class action lawsuit levied against Apple for in-app purchases made by minors.
Conclusion: Legit.
For good measure, I also checked with SophosLabs and they agreed that the message was legitimate.
Our weakest link?
We often hear sysadmins bemoaning the fact that users are the bane of secure computing and we would all be better without them.
Where I think we go wrong is that we’ve put too much pressure on the users to always get it right.
Users are not only here to stay but they are also – contrary to what some sysadmins may think – on the front line of the fight against cyber crooks.
It’s easy to get fooled.
I’ll admit that when I first saw the email from Apple land in my inbox – not my spam folder since it was correctly identified by Sophos Email Gateway as legitimate – I quickly scanned it and clicked on the first link.
Half a second later I realized what I had done and quickly shut down the browser tab before the page had a chance to load fully. And I’m a so-called ‘security expert’.
That’s when I took the time to look at the email in greater depth and came up with the idea for this post.
Users don’t have to be the weakest link. With the right education, empowerment and motivation, they can be the proverbial canary in a coal mine.
They can become a most valuable asset.
What now?
We know that cyber crooks will continue to bombard us with endless threats, including spam. Luckily there are technologies available to help minimize that problem.
We also have users that are hyper-aware of the dangers lurking in their inbox, but outbreaks and breaches still happen.
Let’s look at the usual advice – is it still relevant?
“Beware of unsolicited emails”
Always worth keeping in mind but, as we’ve seen, not every unsolicited email is dodgy.
Email is convenient, cheap and ubiquitous. There’s no reason we shouldn’t be using it in the method demonstrated by Apple.
So, teach your users to beware of unsolicited mail but also teach them to recognize the overt signs of a scam email – i.e. poor spelling and grammar, suspicious senders, uncommon requests, terrible formatting, bogus links, among others.
Apple and other sites also send me an email each time someone tries to reset my password. You want to know if this happens, and if I were to receive a raft of them all at once from different services, I might conclude that something wasn’t quite right with my online accounts.
Unsolicited emails such as these are not unwelcome.
We should still be careful but let judgement based on knowledge guide us.
“Never click on links”
Still a great piece of advice. But what about the Apple email seen above?
There’s also the valid use of email to remotely deploy things like mobile device management profiles or endpoint protection agents.
Typically when I receive an email asking me to click on a link, I open a browser tab and go to the site myself.
Another great tip from Naked Security’s Chester Wisniewski is to bookmark those sites that are particularly vulnerable to phishing attacks (e.g. banking sites).
Hover over the link; if it matches the text on the screen, go to your browser and access the site independently of the email.
If the link is too long because it contains some base-64 encoded string as a unique identifier, a little bit of careful research will let you know if it’s safe or not.
Even so, most of the time you can simply log into the site in question and resolve the issue that prompted the email.
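The hover test applied to the BMO link earlier and the advice in this section can be automated over an HTML body; the following added example (not the article's code) extracts each anchor, compares the site named in the visible text with the href's host, and reports the destination defanged. The sample body is constructed from the two links discussed on this page plus a text-only button, which the check can only surface, not compare.

```python
"""Flag anchors in an HTML email whose visible text names one site while the
href points at another, the check the article performs by hovering.

Added example, not the article's code.  The sample body is constructed from
the two links discussed above plus a text-only button.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Hostname of a URL or URL-like text ('www1.bmo.com/x' -> 'www1.bmo.com')."""
    if "://" not in url:
        url = "http://" + url  # visible link text often omits the scheme
    return (urlsplit(url).hostname or "").lower()

def same_site(host_a, host_b):
    """True when the hosts are equal or one is a subdomain of the other."""
    return host_a == host_b or host_a.endswith("." + host_b) or host_b.endswith("." + host_a)

def defang(url):
    """Make a URL non-clickable for reports, as in dues[.]example[.]com."""
    return url.replace(".", "[.]").replace("http", "hxxp")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, including text nested in <b> etc."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Verdict per link: match, mismatch (text names another site) or opaque (text is no URL)."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if text.lower().startswith(("http://", "https://", "www.")):
            verdict = "match" if same_site(host_of(text), host_of(href)) else "mismatch"
        else:
            verdict = "opaque"  # a button or "click here": nothing to compare against
        findings.append({"text": text, "target": defang(href), "verdict": verdict})
    return findings

# Constructed HTML body using the article's two links and a text-only button.
SAMPLE_HTML = """
<a href="http://dues.lojavirtualdoacrilico.com.br/verify">
  https://www1.bmo.com/onlinebanking/cgi-bin/netbnx/NBmain?refererident=verify</a>
<a href="https://www.apple.com/">https://www.apple.com/</a>
<a href="http://203.0.113.9/login"><b>Verify now</b></a>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        print(f"{f['verdict']:8} {f['target']}  shown as: {f['text'] or '<no text>'}")
```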
“Never open attachments”
This is also good advice but is sometimes tough to follow.
Obviously this is again where judgement comes in. If you’re at work and it was sent internally by someone you know, it’s most likely safe. But it’s still a good idea to scan email internally.
If you’re at home, things get a little murkier. People you know will send you all kinds of attachments and it can be difficult to discern the genuine from the malicious.
For example, I have a few relatives who can’t help but send e-cards for any and all occasions. This is where a bit of human heuristics comes in handy.
There’s also the proliferation of electronic statements, many of which include the statement as an attachment, if not a link. While going green is a great and noble idea, it contrasts with our advice.
So what are we to do?
In the corporate world this problem can largely be solved by making sure your email security gateway does not allow malicious or suspicious attachments into the organization.
Much like the Sophos Email Gateway, it should strip executables by default.
You can also rely on your web gateway to back you up should you make a poor decision.
Home users can also take advantage of such technologies. Most popular webmail services go to great lengths to ensure that spam (including dodgy link detection) and malicious attachments are not delivered to your inbox.
If you want to take matters into your own hands, you could also run your own gateway protection such as the free Sophos UTM Home Edition.
A competent AV solution with proactive defence and a host-based firewall will round out your protection.
In the security community we often decry the use of email for anything but direct, text-based communication. The fact is that the world is a much richer place and so is email communication today.
We should still be able to enjoy all of the features that modern electronic mail can bring us without an ever-present and crippling fear of TEOTWAWKI.
If you didn’t order the airline ticket, aren’t expecting a shipment, didn’t sign up for e-statements or aren’t a member of that social media site, it’s probably a scam.
Finally, IT people, make certain your users know that it’s OK to come to you when they suspect something’s wrong or when they know they messed up.
Better you find out about a problem now rather than after your customer database ends up on Pastebin.
Armed with some technology options and a user education program, go get that budget from your CIO!
Excellent article, I am going to share it with our faculty and staff. Thank you!
I cannot agree with your conclusion that we need to rethink the usual advice. Since the crooks are often one step ahead of any security solutions, unsolicited emails and attachments should always be looked at as likely problems rather than possible desirable content. This is especially true when you consider the fact that many users can be educated in what signs to look for and still fall victim to phishing and malware due to their refusal to take the possible outcome of such a failure seriously.
As you say, grammar counts – the first of your examples has three howlers in one sentence which should kill it dead without bothering to trawl for server addresses etc.
Interesting article, but not so convinced about the advice.
I would strongly recommend that people check the links go to where they say by simply hovering the cursor over the link – that will show the actual URL it would connect to (unless someone has found a way to spoof that as well!)
The spelling of ‘centre’ is only correct if the source uses UK English, but as this purported to be from Canada it is an incorrect spelling – Canadians use the same spelling as in the USA, namely ‘center’ as is usual with US English. So you still need to read every word carefully and consider the grammar used as well. Also be wary of usage of words that are not in common usage in the origin country (the UK mostly does not use ‘gotten’, and only Scots use ‘outwith’, to give just two examples).
The Apple message is also suspect as it was unsolicited so should be regarded as phishing/spam and treated with extreme caution until it can be proven to be legitimate and safe. The onus is on the sender to verify it is valid and meant for the specific recipient.
So interesting food for thought, but the old advice still stands for me, be wary, be very wary!
The article clearly covers your first point … “Hover over the link, if it matches the text on the screen, go to your browser and access the site independently of the email.”
You obviously are not from Canada (“…as this purported to be from Canada it is an incorrect spelling – Canadians use the same spelling as in the USA, namely ‘center’ as is usual with US English.”). WRONG. Do a little traveling in Canada and you’ll quickly notice that British English is still in use out here in the ‘colonies’.
In British English we write “travelling” with two “l”s.
But you are right about “centre”. The French Canadians would veto any attempt to spell it the American way!
Canadians do not spell the same as Americans – puleeze!!! Centre is spelled “centre” above the forty-nine parallel and we have always used “Canadian English”, which is very similar to UK English. Yes, we are a separate country from the Americans!
This is probably overkill, but the other two posters are correct about Canadian spelling. I grew up in the US but have been resident up here for over 40 years, and use sort of a hybrid system … when posting to groups or boards/forums which have primarily US members I’ll use the American spelling for clarity, but if addressing a person or organization I know to be Canadian I’ll use the Canadian spelling.
I’ll stick to not opening the email, thank you. I forward anything suspicious to the fraud dept of the company and ask if it’s legit. If I get a fraud alert from one of my credit cards I log in to my account and read the message there. Then I’ll phone to confirm information. I would estimate that the vast majority of home internet users aren’t computer savvy and would not understand what you are talking about in this article.
In this case, I’d actually suggest that Apple could have done a better job in crafting their email. In this case, validating the message headers and “Call to action” links was enough to show it was legitimate, but when I first saw this message, I spent a significant amount of time both verifying the message itself, and checking to see if anyone had been sending a modified version with the links going to somewhere else.
If legitimate companies with their own email solution send out messages that look at first glance like a phish, most users have two choices: don’t deal with the email, or reduce their security by failing to follow the standard advice. This means that Apple is in effect training people to be more susceptible to phishing attacks with their email.
Something that would help significantly is if email client developers took a cue from web browser developers and provided an easily viewable indication of the location of the first untrusted relay in the message header, along with an indicator for presence and validity of DKIM and Domainkey signatures.
Web browser authors could also help by not immediately loading links coming from outside the application, but instead displaying the link and country of origin, the application that sent it to the browser, and letting the user click through if this was the desired location. Some browsers at least have a plugin that, if it detects a redirect chain, presents this information and shows you the eventual destination.
Webmail authors could help by doing a combination of the above.
The bottom line is, if users are provided with easy to understand information, they usually make the right decision. If that information is hidden underneath layers of technical data, they usually give up and do what appears to benefit them the most in the short term.
Both the crafters of email messages and crafters of software should keep this in mind when designing their product.
I think that the “feel” of phish is somewhat intentional. They are offering to refund money, so if people are discouraged by the phish-like characteristics, all the better for Apple.
Another! Red! Flag! Is! Exclamation! Points!
I was about to say the same thing!
Your message is spam then 😀
Good article – but fugeddabout the link clicking – Quinn Norton put it best in her “Everything is Broken”, err, I guess it’s slowly turning into a manifesto — “But if you refuse to open attachments you aren’t going to be able to keep an office job in the modern world. There’s your choice: constantly risk clicking on dangerous malware, or live under an overpass, leaving notes on the lawn of your former house telling your children you love them and miss them.” #everythingisbroken
Email headers are hard for typical users to deal with. What’s needed is some app to examine them and give alerts.
If the email contains a button (NOT a link) then what should users do?
A button is a link. Treat them the same.
(three years late)
…except you can’t hover and compare the link text of a button with the actual target of the link. True once you’re digging into headers the dirty laundry has been aired, but it’s difficult to discern between some phishing links and legitimate* mail campaign tracking services.
* read: annoying but honest, as in a paid communications liaison for the ostensibly-sending entity.
The “never click on links” advice would be a lot more effective if people like Apple would just stop putting them in bulk mails like this.
It would be no problem for them to send an email describing the issue, and end it with “to take action, go to our site and log in to your account (you know how to do that right?), where we’ve left a message with more details”. Even in cases where people might not have an account, they could say “go to our homepage and click the link marked ‘important incident thing’ (or whatever)”.
We tend to put too much blame on end users and let marketers etc feel they can do what they like without affecting the way the world thinks. They need to shoulder their share of the effort too.
The UK’s tax office (HMRC) sends out genuine emails (they confirmed to me they were genuine when I queried them) that have every characteristic of a scam. The links are mostly to a US web site, which appears to be a traffic monitor before redirecting back to the gov.uk site.
And the Natwest Bank, after years ago telling us they would never email us, sends out emails that have every last hallmark of a scam.
I have given both of these organisations regular feedback on this, and even given them ideas which they could use to build trust with their customers.
Alas, this falls on deaf ears and so I have to treat the majority of genuine emails as scams because I haven’t got the time to check through the train in their headers to check their provenance.
I just received a similar HMRC email and sent it to HMRC phishing and Sophos.
Sophos gave an initial indication it is probably phishing as it starts “Hello Employer”.
I was assuming it was phishing as all the links were to govdelivery.com which appears to be a US site.
Until I hear otherwise from HMRC I will assume it IS NOT genuine.
What was it asking you to do?
If it was marketing material that in your opinion sails too close to misusing the HMRC “brand,” then it’s worth reporting to HMRC so they are aware.
If it had anything to do with “login and change your password,” then it’s definitely not HMRC 🙂
This problem is compounded by legitimate emails using 3rd party sites for their links. My first check is to hover over the link and see where it really goes; if it is anything but the company, it goes in the trash. However, I have had several discussions with vendors who use link aggregators in their emails – how am I supposed to know legit from spam when the legit ones point to bizarre addresses full of random characters?