Phishing at Work

When the time permits it is interesting to dig a little deeper into phishing emails that occasionally show up in our inboxes. Some of the lures are constructed better than others. The more familiar we become with the content and approaches related to phishing, the better we will be able to quickly identify them. While spam and other email filtering solutions may keep many items from bothering you at all, it is still good to follow the principal of “think before you click”. Many times it is even better to “think before you open”, as you can often just delete emails with sources and subject lines that are obviously not worth your attention. The downside is that we are all moving faster and faster these days and it is sometimes very easy to open and click, if our initial impression is that the email is legit. To further complicate life, many organizations both at work and in our personal life are using third party services with email sources and web links that are not always so easy to validate.

Recently I came across a phishing email claiming to be from an online payment service. At a really quick glance it might seem authentic but it quickly becomes apparent that it is not legit. Here are some of the steps that I took in investigating this particular attempt. Note: Some of these steps should be used with appropriate care and with approvals as needed from your respective organizations.

• Identify the source email domains within the email, which are sometimes not obvious in certain email applications (yes, email source info could be spoofed)
• Identify URL links that are included in the email.  If short URLs are utilized, try one of the web services that expand the short URL to the one you would actually visit if you had clicked on it
• For looking up URLs, domains, hostnames and IP addresses, I tend to start with the IBM X–Force Exchange (@IBMSecurity @ibmxforce) portal. Here is a recent Security Intelligence article on the IBM X-Force Exchange (XFE) service.
• Since I believe it is always good to have more than one perspective on something when it comes to information security, I also check a couple other URL categorization services, such as those from @BlueCoat (Blue Coat WebPulse Site Review ) or @PaloAltoNtwks ( Palo Alto Networks URL Filtering – Test Site ).
• [Caution] On an isolated virtual machine I use an anonymization service to browse to the suspicious URL and interact with the content. In this case I found that they did not take as much time polishing the content of their fake help portal as they did on the initial phishing email.
• Once I’m comfortable that it is a confirmed phishing site, I can take a few minutes and submit a URL category change request, in the event that any of the URL services did not yet have this site flagged.
• In this particular case, it was interesting to note that a couple days later the service provider that was associated in some way with the phishing web site, had blocked access and posted a notification to that effect.

There are other actions that could be taken depending on the particular situation you are faced with. For example, if you were in a work situation you might be reporting the attempt to your security organization and, or distributing details to your community for awareness. If you felt the problem was significant enough, you might move to have temporary blocks placed on IP addresses, domains or specific URLs. Although care should be exercised with this approach so as not to cause collateral damage to valid, desired traffic.

Boring Disclaimer: These thoughts are my own and I am not posting as a representative of any particular company. Your mileage may vary. Objects in mirrors and binoculars may be scarier than they appear (or they might not). If this had been an actual emergency, you and I would likely be doing something more important.