A Practical Guide to Phishing, pt. 1


<I actually started this some years ago, but it seems to still be of use>

“Just say no” is such a bad teaching method

This is not for my compatriots in IT or the computer biz. Y’all already know this, or should. This is instead for y’all to pass along to folks who just want to know how to not get screwed by their email. Also, this is long. Unfortunately, details matter, and this is teaching how to analyze, not click bait overview, it’s going to be long. So get comfy, and take notes. This part will deal with an attempt that is fairly easy to spot, as basic training for the more sophisticated versions.


What I am going to attempt in this series is to deconstruct some phishing attempts in a way that helps you avoid problems. I’m not going to do this via fear, or scare tactics or overuse of italics and capital letters. Instead, I’m going to do something my industry is regularly bad at when it comes to talking to people outside of the industry: I’m going to assume everyone reading this is smart, capable, but with a specialty in a different area, and good at things I probably suck at. So, just as y’all would teach me something you’re experts at, I’m going to go over how to properly analyze phishing emails in a way that will hopefully help you, via logic, reason, and the application of skeptical thought.

Round one: Easy

So here’s one of a type you’ll see a lot, and it’s one that makes sense in a corporate environment, the “You have exceeded your mailbox space” email. The theory behind it is simple, and one that makes it fairly effective: we all know we have limited email space, and we may have even gotten “quota exceeded” messages before, so we’re all primed for this one:

This is a screenshot from my email client of choice, Outlook 2016 for OS X. But it’s going to look similar regardless of client, and for our purposes, the client differences aren’t important. Now, some background info: I currently work for the Florida State University…

Obligatory disclaimer: this is not to be thought of as anything other than me, and my personal opinion, wanting to give folks a resource. None of this is official FSU anything in any way, shape or form. I’m only using them because it’s a real-world place, and that makes the lesson more concrete than “company.com” 

…so any and all emails coming to me from someone at FSU will always end with fsu.edu, so someone@fsu.edu or similar. That’s an important thing to remember. If you work for, say, Apple, then (I’d guess) your email ends with some variant of apple.com. This will change with your company, but just looking at your own email address will provide you with this info.

So let’s take a deeper look at the email, its subject, and who it’s from. First the subject: Helpdesk. Okay, right there, that’s a flag. I’ve been in the IT business a long time, and the number of emails I’ve sent to non-IT people with just the word “Helpdesk” in the subject, when the reason is that a person is over-quota on email, may in fact be zero. I’m hardly in the minority here. In general, legitimate IT emails, even automatically generated ones, will have a subject that gives you a real hint as to what the email is about. It’s important to us; we hate having to explain an email we just sent. Okay, so strike one: bad subject.

Secondly, who sent me that email? Well, according to the name, Camille Erin Chung. There’s nothing unusual about that in and of itself, but that’s not an actual email address. So now let us hover over the sender until we can see the actual email address:

Camille did not knowingly send this email.

Okay, BIG red flag here. Just like emails to me should have “@fsu.edu” or similar in the to: address, emails from someone working at FSU should have the fsu.edu bit in their email address too, right? But this doesn’t. Looking at it, it actually seems to be from a place in Canada (the .ca part; all countries have a country code. Things started in the USA, so we don’t end everything with .us, but yeah, country codes are a thing even on the internet). A bit of digging, by which I mean “typing uwo.ca into a web browser”, shows me pretty quickly that this is actually an email address supposedly from Western University of Canada.

While it is always possible that FSU or any university might outsource their helpdesk, it is highly, highly unlikely that they’d do so to another university in Canada. Your company may have outsourced its email to say Google or Microsoft or some other company, but you should have an example of a legitimate email from your helpdesk folks available. Compare it to these kinds of emails, and if the last part after the @-bit doesn’t perfectly match, then the chances of it being a phishing email are climbing vertically. Strike two: bad sending email address.

Another thing to be aware of: the “from” address in an email is trivial to fake. Literally, trivial. I’m hardly a scripting genius, but I could, with ease, crank out all kinds of emails from everyone you know, and they’d all have the correct from address and be completely fake. The validity of information is only as good as its reliability, and the from: address in an email is barely reliable. Also, generating a list of email addresses to send emails to is even more trivial. Really. Email addresses are as concrete as writing love letters in the sand at the waterline.

Next up, the to: address. This should be me, right? I mean, it was sent to me, it should have my email address. Yet, we see: blank. Look at the first screencap. Blank. Which means my email address was in the bcc: (blind carbon copy, the field you use when you want to send an email to someone or a lot of someones, but not have the person in the to: field know you did it, or reveal a lot of email addresses) field. 

Why would that happen? Barring lots of people having email quota issues, (and as it turns out, email servers are adept at automatically sending quota warning emails to people, one at a time, with their name in the to: field) there’s no reason for this, and really, even if it was a lot of people, still no reason for this. Another sniff test failed, another strike. Strike three: bad recipient/to: address.

So finally, the message itself:

This is an Email Service Alert from Helpdesk. This is to inform you that your mailbox has exceeds its storage limit, you will be unable to receive and send emails. To re-set your Account Space on our database, prior to maintain your INBOX from 20G to 20.9G. CLICK HERE to Activate

Okay, so people can be snotty and snobby about grammar, but it is vanishingly rare that a legitimate email about an email quota will be this badly written. That’s strike four: bad grammar.

Next, and this is kind of subtle until you think about it: “…you will be unable to receive and send emails.” Now, in a real over-quota situation, that’s correct. If you have hit your quota, you will in fact have problems sending and receiving emails.

So let us apply logic and skeptical thought. Ask yourself: “have I been sending and receiving emails today in a normal fashion?” If the answer is “yes”, bang, strike four: can still send and receive email even over quota. If the answer is “no”, has your email program been flashing you warnings outside of “Helpdesk” emails? They all will. Every common email program will fuss at you if you go over quota. I’m pretty sure even Pine and Elm will, and if I’m wrong, I’m sure within the first ten responses someone will correct me.

If you’re really over quota, your email program will become really strident about it. Annoying even. You’ll know, oh lord, you’ll know. So strike five: email program is not warning you about being over quota

Now, let’s look at the URL behind “CLICK HERE”:

Nice try, but no

Okay, so while that’s a nice touch, the “fsueduhelpdesk” part, seriously, no one does that in a URL. You might get “fsuhelpdesk”, but even then, the “.weebly.com/” part blows it out of the water. The only way it could be more wrong would be fsudoteduhelpdesk. So now, we have two strikes (we’re up to strike seven at this point) in just one URL. What is weebly.com? A website that lets you easily build your own website. Kind of like Tumblr or any other similar service you’ve heard of.

The site itself is a form, complete with the FSU logo (easily pulled off the real FSU website). Logo/graphic abuse is endemic on the internet. It conveys no status other than “I can copy/paste an image”. The best part (for me) is the name of the page: KINDLY FILL FORM CORRECTLY

It’s like a bit from “The Critic”. Strike eight: website form is really unprofessional. Also, strike nine: a website that is supposedly for FSU is on a domain/host that has nothing to do with “fsu.edu”.

Note, I did actually contact Weebly about this. They have a very nice contact form specifically for reporting this kind of nonsense, and good on them for doing so. (Also, they’re FAST. Less than 5 minutes after I’d submitted the contact form, they emailed me back to tell me they’d shut down the site, and damned if that’s not exactly what they did. Good Job Weebly!)


Okay, so that’s nine strikes in one email that’s less than a paragraph. Even allowing for two of them (over quota behavior and the email program warning you about being over quota) not being absolutely reliable, that’s still 7–9 reasons to not trust this email, and it’s not even a full paragraph in length. It’s a phishing attempt, delete it.
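The same checks can be done mechanically. The script below is an added example written for this post, not anything the author or FSU uses: it pulls the sender domain, the to: line and every link target out of a message and compares them with the organisation’s real domain, flagging a link host that merely contains “fsu” as a name-drop rather than a match. The message is a constructed sample modelled on the one described above; the addresses and the hostname are placeholders.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "fsu.edu"  # the domain legitimate mail for this reader comes from
# Constructed sample modelled on the message in the post; addresses and host are placeholders.
RAW_MESSAGE = b"""\
From: "Camille Erin Chung" <someone@uwo.ca>
To:
Subject: Helpdesk
Content-Type: text/html

<a href="http://fsueduhelpdesk.weebly.com/">CLICK HERE</a> to Activate
"""

class LinkCollector(HTMLParser):
    # Collect the href behind every <a>, i.e. what hovering over the link would reveal.
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(href)

def same_org(host, org=ORG_DOMAIN):
    # Only the org domain itself or a subdomain counts; "fsu" appearing in the name does not.
    host = host.lower().rstrip(".")
    return host == org or host.endswith("." + org)

def analyze(raw):
    # Return the list of strikes found in a raw message, mirroring the manual checks above.
    msg = email.message_from_bytes(raw)
    strikes = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not same_org(sender_domain):
        strikes.append(f"sender domain {sender_domain!r} is not under {ORG_DOMAIN}")
    if not (msg.get("To") or "").strip():
        strikes.append("To: is blank, so you were reached through Bcc")
    collector = LinkCollector()
    collector.feed(msg.get_payload(decode=True).decode(errors="replace"))
    for link in collector.links:
        host = urlparse(link).hostname or ""
        if not same_org(host):
            strikes.append(f"link host {host!r} is not under {ORG_DOMAIN}")
            if ORG_DOMAIN.split(".")[0] in host:
                strikes.append(f"link host {host!r} name-drops the org without being it")
    return strikes
```

Running `analyze(RAW_MESSAGE)` on the sample yields four strikes (sender domain, blank to: line, foreign link host, and the name-drop); swap in your own organisation’s domain to reuse it.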

VERY IMPORTANT WARNING

I also want to provide a warning about two things I did in this post, namely researching uwo.ca and weebly.com: I am a professional, do not do this if you are not me or in my line of work. 

Seriously, this is like the warnings about snake handling and driving a car at 200MPH. I know what I’m doing, and I also kind of knew about uwo.ca and weebly.com ahead of time. I know how to verify a domain is not loaded with gobs of malware that will further try to hose you when you go to that site, and I know how to avoid it if it is. (Or repair from it if I make a mistake.) 

There is literally no need for you to click on links in an email to evaluate it as I did. Nothing I did required that, I was just being thorough because I like to be thorough. If you get more than 1–2 strikes like we saw in an email, don’t click on anything in it, because that could be part of the scam. 

But again, if you look at how I went over it, if you evaluate the entire email, you see there’s no need to click on anything. Just by hovering your cursor over the link (or pressing and holding in iOS; I’ll assume Android works the same way, or very similarly), you can see what the link is in a safe manner. If it doesn’t match what you think it should, even if the email looks “official”, delete it. If it’s a work email, call your helpdesk and ask them to be sure. (If you want to hear a helpdesk person almost weep with joy, tell them “Oh heck no, I didn’t click on squat. I just hovered over the links, and they looked totally janky, so I called you to be sure.” They’ll love you. LOVE. YOU.)

If it’s from a bank or a store, call the store/bank (NOT with the number in the email. Go to their website and get their support number there) and call their customer support number. 

But there’s no need to be afraid or freaked out or whatever. You are all smart people. You can all do the things in this post and deal with phishing attempts in a logical, rational fashion, and you will find that the logical, rational approach is far more effective in the long run than blind fear.

The next post in this series will deal with a more sophisticated email that looks really good. (Spoiler: the techniques are very similar to what we did in this article.)