Teach A Man to Phish
Riverbank Ruminations; Observations from The Banks of The Technology River
Tom Evans ~ Ashton Engineer Emeritus
Teach a man to phish…
I don’t go fishing myself. When I was much younger I used to fish. One time while we were camping, I went fishing for bluegill. One of the ones I caught swallowed the hook. If you have ever gone fishing and had a fish swallow the hook, you know what that is like. It can be very challenging and doing this on a living creature turned out to be more than I cared to go through again. So no more fishing for me.
While I don’t fish, I know a little about it. One thing for sure is that your bait needs to suit the fish. Worms on a hook won’t be terribly useful on trout in a running stream. A chunk of squid on a large hook won’t work for bluegill. The other thing you need is patience. If you expect to go out and just haul fish in left and right, you are likely in for a disappointing time. I know there are some specific times when catching a lot of fish is possible, but unless you are a commercial fisherman, it generally takes patience to come home with a good catch.
Phishing isn’t much different. The bad guys are patient, they have a wide variety of bait and they have learned how to adapt to the phish they are after. Let’s look at the bait.
This is an email I got back in 2015.
So, unless you have never seen a phishing email before, there are several things here to raise red flags.
- ‘undisclosed recipients’ in the header. That is a dead giveaway that they don’t want you to know that 1,000 other people are getting the same email.
- Attention Valued Customer – If this is so important, why don’t you know my name?
- “Now honestly you are advice to take care” – For someone with such an English name (Dennis William) your English is rather poor.
This would (should) no longer get anyone to click on a link or follow the instructions. Most people are aware of these red flags and act appropriately. If you or your employees don’t know how to analyze an email, get some training before you sign away the farm.
How have things progressed in the last 7 years? Here is one example.
How many red flags are immediately obvious? There is only one and that is the ‘Verify Immediately’ link. Hovering over it would reveal that you won’t be going to anything belonging to Microsoft.
These days the bad guys are much more likely to use good grammar, have all the appropriate logos, and address you by name.
If that isn’t bad enough, they are also starting to take advantage of parameters embedded in the URL that send you somewhere you don’t want to go even though the URL looks OK. Take this example.
https://t.e.vailresorts.com/r/id=hda0e43a,3501a2a,3501f68&VRI v73=Y3dlbGNoQgzvdXJoyW5kcy5jb20=&cmpid=EML SNOWALRT OTHR 000 NW 00 00000 00000 00000 20 200110 v01&p1==www[.]snow[.]com%40s-ay[.]xyz
While vailresorts.com is valid, the parameter at the end is involved in redirecting you to a bad site. If you clicked on this link in an email, you probably would not see the last part due to the length of the URL. If you used the fake login page you landed on, you would give up your credentials. Phishing emails are getting more and more realistic so all users need to exercise greater caution.
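Added example (not code from the post): a small Python checker that decodes each query parameter of a link and reports the host a browser would really connect to. In the link above, %40 is an encoded @ sign, so everything before it is treated as a username and the real destination is s-ay[.]xyz. The sample link is constructed after the one quoted above (with a ? marking the query string), and the function names are mine.

```python
# Added example, not code from the post: decode the query parameters of a link
# and report the host a browser would really connect to for each one.
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample modelled on the Vail Resorts link quoted in the post
# (defanged with "[.]" like the post; a "?" marks where the query begins).
SAMPLE = ("https://t.e.vailresorts.com/r/?id=hda0e43a&cmpid=EML_SNOWALRT"
          "&p1==www[.]snow[.]com%40s-ay[.]xyz")

def refang(text):
    """Turn the post's defanged '[.]' notation back into real dots."""
    return text.replace("[.]", ".")

def real_host(target):
    """Hostname a browser would connect to for an embedded URL or host.
    '%40' decodes to '@'; everything before it is userinfo, not the host,
    so 'www.snow.com@s-ay.xyz' really points at s-ay.xyz."""
    if "://" not in target:
        target = "http://" + target
    try:
        return urlsplit(target).hostname
    except ValueError:          # malformed netloc (e.g. stray brackets)
        return None

def registered_domain(host):
    """Crude eTLD+1 (last two labels): t.e.vailresorts.com -> vailresorts.com."""
    return ".".join(host.split(".")[-2:])

def suspicious_redirects(url):
    """Return (param, decoded value, real host) for each query parameter whose
    decoded value names a host outside the visible link's registered domain."""
    parts = urlsplit(refang(url))
    base = registered_domain(parts.hostname or "")
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value).lstrip("=")   # 'p1==...' leaves a stray '='
        if "." not in decoded and "@" not in decoded:
            continue                           # tracking ids, not destinations
        host = real_host(decoded)
        if not host or not host.rsplit(".", 1)[-1].isalpha():
            continue                           # no TLD-looking label: not a host
        if host != base and not host.endswith("." + base):
            findings.append((name, decoded, host))
    return findings

if __name__ == "__main__":
    for name, decoded, host in suspicious_redirects(SAMPLE):
        print(f"{name}={decoded!r} actually leads to {host}")
```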
Using the same bait for the same type of fish over time works because fish instinctively go for certain things they recognize as food. Users exercise their judgment when responding to emails, and that judgment can be improved with security awareness training. Just reinforcing the simple idea of hovering over a link can help. These days, users also need to be encouraged to think about the emails they receive. Am I the right person to get this email? Why is the sender in such a rush? Will I violate company procedures if I do what is requested? Is what is being requested the way we do business with this sender? Is the sender asking me to do something unusual? (Buy $1,000 Apple gift cards)
Reflexive clicking on a link is the same kind of reaction that gets fish into a boat. The end results can be similar, quite undesirable for the fish and the phish. To learn more about protecting your network and your team, give Ashton Solutions a call at 216 397-4080.