Anatomy of a Phish

I expect a lot of you have received an email or text that claims you have won a prize and that you need to click a link to claim it. This is usually unexpected, and you don’t remember entering a competition to win the prize in question. Maybe you have received an email from the Tax Authority (in the UK this is HMRC) saying you have a tax refund and you need to claim it immediately by clicking on a link.

These are all examples of a Social Engineering attack, and in particular a Phishing attack.

A Recent Example

I receive phishing emails on a regular basis because one of my email addresses has been disclosed in a data breach. I only keep it active so that I receive these examples, and it is strictly quarantined by:

  • Disallowing logins to the main email account hosting it
  • Moving any email received on this email address to a quarantine folder using a mailbox rule
  • Never using it to send email or to log in to websites.

A recent email I received is below.

Fake HMRC Email

I have redacted my email address quoted in the email so that I don’t get additional attacks.

Let’s break this down:

  • The email uses my own email address as the ‘From’ account – this often bypasses spam filters, since you will always accept email from yourself
  • It quotes my email address but not my name, which HMRC would use – they would also quote my UTR reference, which this does not
  • There are grammatical errors in the email – HMRC would not make basic grammar and spelling errors
  • The last line expresses urgency: click on their link now or I won’t be able to claim my tax refund online – HMRC would not do this.

I put this email into my junk folder so that it would expose all the links:

UNDER NO CIRCUMSTANCES GO TO THE REFERENCED URLS IN THIS EMAIL

The GOV.UK field in the rendered email is a link to [carbot].[ai], a domain HMRC would never use.

The button to claim your tax return links to

http://erfdeqwqaa.janetlouisedunn.com

This is a website HMRC would never use. Also note that they are sending you to the website using an unencrypted HTTP URL rather than an encrypted HTTPS URL.
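As an added illustration (not part of the original post), the red flags listed above turned into a small Python check that can be run over a raw email; the sample message and its domains are constructed placeholders, not the real phish.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample reproducing the indicators above; domains are reserved placeholders.
SAMPLE_EMAIL = """\
From: HMRC Refunds <victim@example.com>
To: victim@example.com
Subject: Tax refund notification
Content-Type: text/html

<html><body><p>Dear victim@example.com, you are due a refund.</p>
<p><a href="http://phish.example">GOV.UK</a></p>
<p><a href="http://erfdeqwqaa.phish.example/claim">Claim your tax refund</a></p>
<p>You must claim immediately or you will be unable to claim online.</p>
</body></html>
"""
URGENCY = ("immediately", "within 24 hours", "act now", "will be unable")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def phish_indicators(raw: str) -> list[str]:
    """Return the red flags from the post that apply to one raw email."""
    msg = message_from_string(raw, policy=default)
    findings = []
    sender_name, sender_addr = parseaddr(str(msg["From"] or ""))
    _, recipient = parseaddr(str(msg["To"] or ""))
    # From address equals the recipient: spoofed so self-trust rules let it through
    if sender_addr and sender_addr.lower() == recipient.lower():
        findings.append("from-equals-to")
    # Display name claims HMRC but the address is not a gov.uk mailbox
    if "hmrc" in sender_name.lower() and not sender_addr.lower().endswith(".gov.uk"):
        findings.append("brand-name-non-gov-sender")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, label in ANCHOR_RE.findall(html):
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme == "http":  # unencrypted link, as on the claim button
            findings.append(f"plain-http-link:{host}")
        if "gov.uk" in label.lower() and not host.endswith("gov.uk"):
            findings.append(f"misleading-link-text:{host}")  # GOV.UK text, other host
    text = re.sub(r"<[^>]+>", " ", html).lower()
    if any(phrase in text for phrase in URGENCY):  # pressure to click now
        findings.append("urgency")
    # Addressed by email address only, with no name or UTR reference
    if "utr" not in text and recipient.lower() in text:
        findings.append("no-personal-reference")
    return findings
```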

I use a couple of services to find out more about the URLs used in these types of email:

The respective screengrabs for the URLs behind the ‘Claim you tax’ button are:

The WhoIs page shows that there is a domain called [janetlouisedunn].[com] and that it was registered through GoDaddy.

The Who Is Hosting This page shows that the website is also hosted by GoDaddy, and if you look at the picture you can see a rendering of the website, which uses all the official HMRC logos.

HMRC would not use GoDaddy to host their website.

If you were to click on the link you would be taken to a fake website that would likely ask you to enter banking details, maybe even your debit card information, and possibly your HMRC login. Once processed, they may even give you an official-looking receipt. However, you would never receive your tax refund.

What these cyber criminals are after is your personal information and the ability to impersonate you in financial transactions (e.g. loans, credit cards, investments). They may also drop malware onto your device, as well as use other techniques such as browser fingerprinting to gather information about your PC.

You can also use a service called ‘VirusTotal’ that will scan the URL for potential malware threats. In this case the service didn’t throw up any warnings, but just because it doesn’t show a warning doesn’t mean the site isn’t malicious.

How does this get set up?

Janet Louise Dunn may well have a legitimate website. However, using the ‘Who Is Hosting This’ service above, I noticed that going to the primary domain gave the following:

The home page is a default page from GoDaddy, meaning no website has been set up for this domain name. When I went to this website using Firefox with all security features turned on I found the following:

Clearly the website is insecure, since its SSL certificate is faulty, and clearly this website has been set up to facilitate the phishing attempt.

However, if this were a legitimate website, it is not hard to set up a sub-domain on your hosting service that redirects to a sub-page on your website – this is the “erfdeqwqaa” part of the URL in the example above.

Let’s assume for the moment that this website is legitimate and that it has been hacked.

It is likely that the owner was attacked using a phishing attempt to get their login details for their hosting service, in this case GoDaddy. I would suspect they hadn’t secured the login with 2-factor authentication, so it was easy to log in using the stolen credentials.

Another attack method would be to obtain an email address at this domain together with a password that was disclosed in a data breach. Using what is called Credential Stuffing, the same email address and password would be tried on a number of websites to see if the password had been re-used. A simple search for the hosting service (like the one above) would reveal this was hosted by GoDaddy, and that would be a prime target for further phishing attempts like the one above.

How to Protect Yourself

If you have got this far in this blog then you are already aware of one method of attack using a phishing attempt.

We explain the details around all this in our guidance pages in ‘Combating Social Engineering 101 – A Pocket Guide‘, so what follows are a few general pointers:

  • If the message looks too good to be true, it probably isn’t true
  • If the message has misspellings and grammar errors, then it is likely to be fake
  • If they don’t use the official references (for example your UTR for tax purposes), it is fake
  • If they don’t reference you by name, or by some information that is personal to you (e.g. your home address, mobile number, postcode), it is likely fake.

Regularly check your email addresses for disclosure in data breaches. There are various services to do this:

  • The Have I Been Pwned service will tell you if your email address and password have been disclosed in a data breach – https://haveibeenpwned.com/
  • Firefox Monitor allows you to register a number of email addresses, and when one gets reported as breached they will notify you
  • The paid version of the LastPass password manager will notify you of any credentials disclosed in data breaches and either offer to change the password or do it automatically.

There are several services like the above, and you just have to find one that you trust. The ones above are all trustworthy.

If your email address is disclosed in a data breach, it is strongly advised that you change the password everywhere this email address has been used to log in to websites. A password manager is a good tool for this. It is also recommended that you retire that email address. Outlook, GMail and Apple all provide the means to create additional email addresses/aliases (Outlook is the best for this). You can then switch to the new email address without creating a new account. You then replace the email address everywhere it is used with the new one – a good password manager will be able to help you with this.

If you are following our guidance on Authentication Best Practice then you won’t have re-used your password on multiple websites. If you have, I suggest you read our guidance on the subject. At the very least, protect your valuable logins using 2-factor authentication wherever it is provided.

Browser Based Phishing Protection

Most browsers now allow you to enable anti-tracking features that limit the amount of information you leak when you visit websites. It is best to turn this on at the highest setting.

I also suggest you use the following extensions in Chrome, Firefox and the new Chromium-based Microsoft Edge browser:

  • HTTPS Everywhere – from the Electronic Frontier Foundation, this forces an HTTPS connection everywhere and reports when one isn’t available
  • uBlock Origin – this is a very good ad-blocker that also mitigates a number of additional cyber threats
  • ClearURLs – this is a simple extension that removes tracking data from the URLs used when you navigate to a website.

If you don’t trust the browser to implement anti-tracking features, or it doesn’t provide these features, there are a couple of browser extensions that supplement this:

All these extensions may also be available for other desktop browsers. Some browsers also provide their own ad-blocking features, but uBlock Origin is the best I have found.

Mobile browsers do not typically offer the capability to install these extensions, except for Firefox Mobile, which is available for Android and iOS. If you are looking to improve your online privacy then Firefox is the best browser available for both desktop and mobile devices.

If you are running Windows 10, you can switch on Microsoft Defender SmartScreen in the Settings app, and if you are using the new Chromium-based Microsoft Edge, this can also be switched on in the browser settings. This sends the URL to Microsoft servers, which then attempt to match it against known phishing/malware sites and block access. Your Internet Security application may also screen URLs.

I also recommend you look at the security and privacy settings in your browser and limit browser cookies, blocking cross-site and third-party cookies. Strict privacy settings will in all likelihood do this for you.

Your Internet Security software may also provide services to screen out known Phishing attempts and other malware in your email.

Conclusion

This blog has focused on one form of Social Engineering – Phishing. There are many other variants, and I suggest you look at our ‘Social Engineering Guidance Page‘ for more detailed information. We will update this guidance as more threats emerge. However, the principles are the same irrespective of the attack method.

Phishing attacks are getting much more sophisticated, and a lot of them now use the branding and language of the service they are faking to trick you into believing they are legitimate. I also suggest you look at our guidance on ‘Domain Typo Squatting‘ and ‘Open Redirects & Malware Installers‘ for more attack methods.

To date for 2020 (June 2020) I have over 70 articles logged in my research folder describing phishing attempts. If you want to read them, I suggest you go to our Twitter feed, where they will have been posted or retweeted. Some are for high-profile services like Amazon, Office 365 and G Suite, as well as tax refunds and government payments related to the COVID-19 pandemic.

I also found this article online that provided ‘14 real-world phishing examples — and how to recognize them‘, which is worth a read.

It should also be noted that just one phishing attack could cost your organisation millions. It has also been reported that up to 90% of all data breaches were initiated using a phishing email to get privileged access. The cost could be the result of a direct scam or a Business Email Compromise attack, or reputational, since you have to disclose the breach publicly.

Hopefully this article has raised your awareness of this particular social engineering attack method and you will be even more careful in the future. Monitoring our Twitter feed will also give you early warning of new phishing attacks as they are discovered.


Headline image provided by Sirikul R from Pexels