Gone Phishing! What if you click it?

When will we stop clicking on the link or opening the zip file attachment that comes via a spam mail? What if you click on an attachment by accident, what should you do?

By Ed Higgins

First, if you accidentally click on a potentially malicious attachment, don’t stall reporting it because you are embarrassed. That is the worst thing you can do. Report it to your IT or Security team, so they can address the likely single occurrence, rather than addressing perhaps thousands of infected systems because you failed to report it.

Should we click attachments? This is a tougher challenge to address because we are all inclined to trade off good security practices for convenience. Generally, we would all like to think we know better than to “take the bait”, but sometimes an email looks so convincing to the eye, and we’re so pressed for time, that we forget to validate the sender or the content we’re being asked to click. We get caught up in trying to do things quickly and we just click it. Once you click the link, if your system is vulnerable to whatever is contained in the link or attached file, it will be too late. Malware operates at the speed of electrons moving within a wire. Your finger beating on the ESC key isn’t going to beat the electron – never has, never will.

Some Examples to Consider:

Below is an example of an email that a bad actor might send you:

----- begin email -----

Hi Ed,

Please correct your bank account information. Below is a link to your bank account.

Ed’s Bank Account

Thank you,

Your bank

----- end email -----

The link behind the above text (meaning the destination is not immediately visible to you) might direct you to http://badplace.stealyouridenty.ch

The link directs you to a compromised system somewhere on the Internet (probably a compromised web server) that contains malicious code (malware), which immediately executes a program when you land on the web page and infects your PC with whatever bad thing the bad actor wants to do. The possibilities regarding the purpose of the malware are endless, as are the means to detect them.

To expand upon the techniques that bad actors use, the email content would display text as if it were the actual link, but it’s not. For example:

The email text: http://legitimate.bank.com/login (it looks legitimate)

The embedded link associated with the text: http://badplace.stealyouridenty.ch

Tip: Get in the habit of always inspecting the link before you actually click it. I do this all the time and it doesn’t waste much time. Move your mouse over the legitimate-looking link. Hover over the link, and your browser will reveal the actual link. You can easily evaluate the link to observe anomalies as well as purposely misspelled words such as PayPa1.com versus PayPal.com. Did you see the difference in the two? Didn’t think so. (Hint: one used a digit 1 and the other used a lowercase L.)

This obviously pertains to inspecting emails from your PC, but what about emails and embedded links that you read on your cell phone? It is more difficult to inspect the text/link on your cell phone. I believe cell-phone-initiated compromises are replacing the PC varieties. This raises yet another topic specific to cell phones, which we’ll discuss in another article.

Here’s another example. Compare the two links below and find the difference if you can.

http://legitimate.bank.com/login

http://legitimate_bank.com/login

Did you see it?

The two links look somewhat similar, but each directs you to a completely different destination. As you have probably found, the period “.” was changed to an underscore “_”, thus changing the target destination entirely from bank.com to legitimate_bank.com. If you missed it, look again. Some bad actors are very accomplished at disguising the differences between the good and the bad. You have to pay attention.

A Slightly Different Example:

Bad actors may not use a malware-infected link to immediately install malware on your system. Rather, they may create a fake web form on a compromised web server that looks exactly like your bank’s website, but it is really not your bank. This goes right back to the need to inspect the text and the embedded link as I described above. To continue: the form might show a login page, designed to get you to log in with your user ID and password. Once you type your username and password, your account has just been compromised, because the bad actor now owns your bank account’s access credentials. The motives and techniques used by bad actors in this example are, again, endless.

I believe security vendors should look at the topic of link alteration and provide utilities that automatically detect the text-to-link relationships and analyze the differences, and thus warn the user about the potential fraud. Some vendors are doing such things, but only from the perspective of the source of the email (treating it as spam). Alternatively, most security vendors track malware or malicious behavior via a signature file. The problem with signature-based analysis is that all the bad actor needs to do is slightly alter the coded payload or spam message, which will now completely bypass the security control. It would go a long way in helping users if browsers and email tools would do some of the content analysis work, to help users make informed decisions about things we take for granted, like simply clicking a link.
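As an added example (not code from the original post, and not any vendor’s product), the checker below does the text-to-link comparison this paragraph asks for, and it also exercises the lookalike tricks shown earlier in the post: the hidden destination behind “Ed’s Bank Account”, the displayed http://legitimate.bank.com/login that really points elsewhere, the period-to-underscore swap, and PayPa1.com versus PayPal.com. The brand allow-list, the confusable-character table, the two-label approximation of a registrable domain and the sample email are all constructed assumptions for this demonstration.

```python
"""Flag links in an HTML email whose visible text disagrees with their target.

Added example, not from the original post. It walks every <a> element,
compares the host the visible text suggests with the host the href really
points to, and flags common lookalike tricks. All inputs are constructed.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list of sender domains the user expects mail from (assumption).
KNOWN_BRANDS = ("paypal.com", "bank.com")

# Visual substitutions attackers use: '1' for 'l', '0' for 'o', 'rn' for 'm', 'vv' for 'w'.
_CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}


def normalize_host(host: str) -> str:
    """Undo common visual substitutions so 'paypa1.com' compares as 'paypal.com'."""
    host = host.lower()
    for fake, real in _CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Enough for bank.com vs legitimate_bank.com; a real tool would use the
    Public Suffix List (assumption made to keep the example self-contained)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_of(text_or_url: str) -> Optional[str]:
    """Return the host part of a URL or bare domain; None if it is not host-like."""
    s = text_or_url.strip()
    if "://" not in s:
        s = "http://" + s
    try:
        host = urlparse(s).hostname
    except ValueError:  # e.g. unbalanced brackets in the text
        return None
    # Only accept strings shaped like a hostname (note: underscores are allowed
    # here on purpose so that legitimate_bank.com is inspected, not ignored).
    if host and re.fullmatch(r"[a-z0-9_\-]+(\.[a-z0-9_\-]+)+", host):
        return host
    return None


def imitated_brand(host: str) -> Optional[str]:
    """Return a known brand this host is imitating, or None."""
    reg = registrable(host)
    norm = normalize_host(reg)
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        if name in norm and reg != brand:
            return brand
    return None


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze_links(html: str) -> List[Tuple[str, str, List[str]]]:
    """Return (text, href, warnings) for each link; an empty list means no finding."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        warnings: List[str] = []
        target = host_of(href)
        shown = host_of(text)  # None when the text is a label such as "PayPal help"
        if target is None:
            warnings.append("href is not a web URL")
        else:
            if "_" in target:
                warnings.append(f"underscore in hostname {target}")
            if shown and registrable(shown) != registrable(target):
                warnings.append(f"text shows {shown} but link goes to {target}")
            brand = imitated_brand(target)
            if brand:
                warnings.append(f"{target} imitates {brand}")
            if registrable(target) not in KNOWN_BRANDS:
                warnings.append(f"unfamiliar domain {registrable(target)}")
        findings.append((text, href, warnings))
    return findings


# Constructed sample email reproducing the post's examples in HTML form.
SAMPLE_EMAIL = """
<p>Hi Ed,</p>
<p>Please correct your bank account information. Below is a link to your bank account.</p>
<p><a href="http://badplace.stealyouridenty.ch">Ed's Bank Account</a></p>
<p>Login: <a href="http://badplace.stealyouridenty.ch">http://legitimate.bank.com/login</a></p>
<p>Or: <a href="http://legitimate_bank.com/login">http://legitimate.bank.com/login</a></p>
<p>Confirm: <a href="https://paypa1.com/confirm">https://paypal.com/confirm</a></p>
<p>Help: <a href="https://www.paypal.com/help">PayPal help</a></p>
"""

if __name__ == "__main__":
    for text, href, warnings in analyze_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for w in warnings:
            print("   WARNING:", w)
```

The last link in the sample, whose text is a plain label and whose target is on the allow-list, produces no warning; every other link is flagged for at least one of the reasons the post describes. The check is deliberately shallow (no Public Suffix List, no Unicode homoglyphs), which is exactly why a browser or mail client is a better place for it than a script: it has the rendered text and the real target side by side at the moment the user hovers.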

Sounds obvious, right? But to repeat, most antivirus and anti-malware tools today don’t do this analysis. They operate on the principle of a signature database of known attack behaviors. Security vendors work hard to update signatures and profiled bad-actor behaviors, but they are faced with a constantly evolving challenge to keep up, rather than stay ahead.

In all of the above examples, there are literally millions of iterative methods that bad actors use to evade security software’s ability to detect the malicious content. I believe browsers and security vendors have the ability to beat this.

Where do most breaches originate?

Most thefts of your personal identity, credit card, and personal data do not occur as the result of negligence by your bank or email service provider. It is quite true that several mass breaches have occurred where a business network is attacked and whole databases are stolen, but this unfortunate problem is not the type I am talking about. Rather, I am addressing attacks on individuals, whether en masse or singled out. In the case of the email and web examples described above, every compromise of this type can be attributed to you and me (the end-users).

“Security is Everyone’s Responsibility”

This is where you come in. By exercising some caution to inspect links before you click them, by using pass-phrases instead of passwords, by making sure your IoT gadgets are always kept up to date regarding security updates, and by configuring your home wireless network with a strong WPA access code, you can greatly protect yourself against the types of attacks described throughout this post. Of course this comes in addition to having good antivirus and anti-malware tools installed on your PC and kept up to date.

Ok, I clicked the link. Oopsie. What should I do?

If you do happen to accidentally click on a potentially fraudulent attachment, tell your IT or Security team as soon as you possibly can. They may or may not be able to disinfect your system, depending on the purpose of the link, but they can take appropriate actions to protect the rest of the network from the spread of a virus that you may have introduced by accident. It is very important that if you do make a mistake, an accident, you report it so that it can be stopped and prevented in the future. If you suddenly experience weird behavior on your PC and even remotely think that it could be malware related, then contact your IT or Security team. Treating your PC’s infection is a whole lot easier for them than treating every PC in your company’s network because it spread while you didn’t alert them.

If your personal home computer gets infected, the first step would be to disconnect the network and wireless connection. This won’t stop the malware from running on your PC, but it will halt the spread to other systems, and will halt any further theft of information until you can get your PC analyzed by a competent security professional.

For work computers, preferably beforehand, check with your Security team (if you haven’t already been given instructions). They will have incident response guidance for what you should do if something like this happens to you. If you don’t have a Security team at your work, then check with IT. If nobody knows what to do, then unplug the computer from your company network. Whether to unplug or monitor is a decision for the company to make. Again, it is a good idea to know these steps in advance of making a mistake.

In future articles, we’ll expand upon some of the additional items I touched upon and we’ll explore more on the subject of phishing and spear-phishing attacks (which are the types explored here), as well as some more advanced topics.

I hope you enjoyed this article, and hope it was helpful.

Stay tuned, and stay safe.

Ed
