Dec 042023
 

Just for fun (I have admittedly a very weird sense of fun), I thought I’d have a look at one of the phishing emails that came into me. I’ll go through this bit by bit, picking out bits that first occurred to me …

Subject: LastPass : Required action needed regarding your account

Eh? Do I even have a LastPass account? I keep my passwords stored somewhere else, but it’s not impossible – I’ve been known to sign up to things just to test them out. Including cloud-based password managers.

But all the same, let’s give it a point on the suspicion scale. Running total: 1.

From: LastPass <yoji-okugawa1975@tg8.so-net.ne.jp>

Well LastPass certainly use a funny looking email domain (the bit to the right of the “@”), but Marketing departments sometimes aren’t aware of how important that email domain really is. On the other hand, “tg8.so-net.net.jp” does look particularly uncorporate, so let us give it a suspicion point.

Running total: 2

On the other hand, it is too easy to fake domains – I could very easily send you an email from the-management@lástpáss.com (and even more subtle equivalents of “a” – “а”, “ạ”, “ą”, “ä”, “à”, “á”, “ą”). And just to demonstrate something that looks identical can actually be quite different :-

In [8]: print(ord('а'))
1072

In [9]: print(ord('a'))
97

Now this isn’t to suggest that you should run your email headers through some Python code, but just that because something looks like lastpass.com doesn’t mean it really is. The next thing that jumped out at me was the body of the email – I may be well trained, but something new and shiny is still distracting :-

Now the first thing that jumps out at me is that red “Confirm my information” box. Screams “click here” doesn’t it? Well don’t click on it! In my email client (something you’re quite likely not using – claws-mail), if I hold the mouse pointed above a link, it’ll tell me where that link goes in the status bar of the client. In this case it shows up as https://tg8.benchurl.com/…. doesn’t look very much like lastpass.com does it? That’s sufficiently suspicious that I’ll award it 3 suspicion points.

Running total: 5

Notice how they don’t add a “Dear ${name}” to the top of the email? Not personally addressing email is ever so convenient to scammers that want to get your details – because they don’t necessarily know your name. That’s a suspicion point all on its own.

Running total: 6

Next note how it tries to rush you … “log in before January 16, 2024”. It’s subtler than many phishing scams, but it’s still trying to rush you. Add another suspicion point.

Running total: 7

There’s further details we could dig into, but that’s more than enough that the Delete button is the only thing this email should attract. That running total? It was just for fun, it’s not intended as a guideline for when to count something as a phishing email.

In the case of doubt, contact the company via other means.

Jan 302015
 

There's a game called "victim blaming" which is where people decide the victim of a crime is somehow partially or wholely respomsible – the old "if she hadn't worn such a short skirt …".

Which is rubbish of course. The perpetrator of a crime is the one responsible for carrying it out whatever the circumstances.

But the shouting down of the "victim blamers" can perhaps drown out messages that allow risk reduction, and allow certain myths to be perpetuated. For example, many women believe that they are more at risk from strangers whereas most rapists are known to the victim.

Take a slightly less contentious crime – a phishing spam that criminals use to empty the bank accounts of the victim. Whilst the criminal here is obvious – the person who used stolen credentials to empty the bank account, the criminal needed the victim to make certain risky decisions.

2015-01-29_1517As you cannot look at the link contained within that, it's worth pointing out that if you paste the URL into a notebook, you will get a brazilian site … and I strongly suspect that Lloyds Bank is not very likely to use a Brazilian site (.br) for hosting their online account service.

And we call such victims "gullible". In the case of phishing, there are some simple procedures to follow :-

  1. Email doesn't necessarily come from whom it claims to be from. I can send you an email that will look as if it comes from Goodluck Johnathon without having anything to do with his email account.
  2. Don't click on links in emails.
  3. If your bank sends an email asking you to do something, shut down the email and open a web browser and use your existing way of getting to your bank's web site. Same applies to shopping sites, your workplace's IT department, etc.
  4. If you are determined to use a link from an email, copy the link into a notebook and read it. Does it make sense? Does the first part mention an organisation that has nothing to do with the organisation it is supposedly from? Don't trust it.

Plus a whole bunch more.

Detailing and quantifying risks isn't victim blaming; it's empowering someone to make educated decisions about their behaviour

Aug 102007
 

The UK news this morning (and last night) had an item on about plans to tackle the problem of phishing with various suggestions (most of which make sense). Similar stories about phishing and how people are being ripped off by fraudsters regularly come up on the news. One thing that rarely gets a mention except in passing with a suggestion to run a ‘protected computer’ is how regular computer users who ignore security are contributing to the problem.

Almost all spammers (and phishers) these days use botnets to spew out their sewage; as someone who runs a mail server for a large organisation I regularly take a look at where spams entered the Internet mail system. In the vast majority of cases it has entered via a location that is obviously a client machine operated by an ‘innocent’ person ignorant of what their computer is being used for.

There are plenty of places to point the finger of blame …

  • The companies who produce operating systems that are so vulnerable to being compromised when connected to the Internet.
  • Those who use viruses and worms to create ‘botnets’ of vulnerable machines to be used for a variety of purposes.
  • The ISPs who irresponsibly fail to block outgoing mail not going through their mail servers. Whilst some (me!) should be able to opt out of such a block because we (I) run our own mailserver it should not be open by default.

Finally, the person who runs a computer irresponsibly is also to blame. Obviously not everyone wants to become a security expert, but there are a few easy steps to make it more difficult for your computer to be broken into. And they should accept that if they get infected they could get slung into a ‘quarantine’ … ISPs can and should be able to detect infected machines being used by spammers and sling them into a ‘quarantine’ network with limited functionality. This ‘quarantine’ is dead simple to setup, as I’ve done it myself.

To reduce it to an analogy, if you were to leave a car parked with the handbrake left off are you totally blameless if someone leans against the car and it rolls down a hill and kills someone ? People tend to regard leaving an infected computer online as being a trivial matter; it is not.