Email attacks are the most efficient and effective way for cyber criminals and hackers to compromise a computer or network. We often find our-self second guessing the authenticity of an email message, for such instances we can follow practical principles to help us determine if an email is legit.
According to the Canadian Cyber Safe Site
it is estimated that 156 million phishing emails are sent every day, 16 million make it through filters, 8 million are opened, and 800,000 links are clicked. Phising.org
also reports that as of 2011 over 100 billion spam emails are sent each day and over half of Internet users get at least one phishing email per day. With such staggering number of emails flooding the systems, high attack sophistication, and the availability of hacking tools is not surprising that many people fall prey to such email attacks.
Whether you consider yourself a technical expert or an average user I am sure you have asked yourself the same question: “is this email legit?” when looking at your inbox. As a technical service provider my end users contact me on a regular basis about this matter, especially after a virus outbreak has taken place in the company or a high profile cyber security case has been in the news. Understandably, users are usually on high alert after such events have occurred because no one would like to be one who clicks on an email that ends up compromising the company information or lets malicious software into the company.
To address this issue whether an email is legit or not I decided to go over basic steps users can take to determine the authenticity of an email message. As always we’ll start with basics concept definitions and then move the techniques to determine if an email is legit while looking at some examples.
Let’s go over important basic concepts:
- Email Spam: The general consensus is that email spam is simply unsolicited email messages with the intention of promotion something. The messages may be benign in a form of legit advertisement from companies promoting their product and services or it can be malignant in the form of email phishing or scam, the point is that the messages were unsolicited with the intent of selling or promoting something. Email Spam has become such a problem The FTC enacted the CAN-SPAM Act whereby businesses must comply with a set of rules and regulations in their electronic communication, failure to comply can result in financial fines for such companies.
- Email phishing: We can say phishing is the art of impersonating a reliable and legitimate source to have the other party provide information they wouldn’t disclose to any untrusted entity otherwise. Applying the concept to the digital world we can say the email phishing is the impersonation or a legitimate email source to entice the end user to provide private information. The impersonation is carried out by cyber-criminals all over the world and their potential victims are basically anybody who can fall in their trap. A more targeted attack known as “spear phishing” is when the attacker crafts the attack vector for a very specific target. This type of attack is common in corporate and political cyber espionage and many times goes unnoticed due to the high level of sophistication.
- Email Scams: Similar to email phishing but it covers a broader spectrum. Wikipedia refers to email scams as “unsolicited email that claims the prospect of a bargain or something for nothing”. Popular emails scam have been circulating the web for years. Among them we can find the Nigerian Scam, Lottery scam, Get rich fast, etc. Another interesting point is that scammers usually follow high profile events such as natural disasters to execute their attacks and exploit the good will of people and willingness to assist those in need by pretending to be victims or helping organizations.
- Private Information: As self-explanatory as it is I want to touch on this concept. Most cyber-criminals are looking for private information they can use for identity theft purposes but in their worst day they also welcome clues that will lead them to private information. This is especially true in spear phishing attacks where they put together a digital profile collecting public records, piece by piece, until they can recreate a digital fingerprint or the person.
- Social Engineering: A simple definition is that it’s the art use using trickery with the purpose of manipulation. It relies on exploiting human behaviors and interactions to make the potential victim “lower their guard”.
Now that we have covered the basic concepts is important to understand the different basic components that make up an email address:
The basic anatomy of an email message:
In its basic form an email message is composed of Sender
and Message Body
fields. For the most part, those are the fields most users consider before deciding opening or discarding an email message .
A social engineering example:
One of the most effective ways for cyber-criminals to launch their attacks is by using social engineering techniques. Most attacks are not really based on rocket science or highly sophisticated technical processes but rather exploiting the human link to gain access to the technical configuration where the sender can carry out further attacks.
A proven effective way for them to have the recipient open a message is by manipulating the Sender’s field
because there’s a much better chance for an email message to be opened when it comes from a reliable source than from an unknown source. This field is what you enter for first name and last name when creating an email account.
Let’s go over the components of an email address to further illustrate the point. For this I’ll use my own personal email as an example: firstname.lastname@example.org:
- Jdiaz: represents the sender’s unique name within the domain.
- Jdtechsolutions: registered domain name, unique in within the top level domain.
- .net is the top level domain.
When I created the email address for the jdtechsolutions.net domain I just had to select the email name (jdiaz) and my display name (Jorge Diaz).
Why is this information important? Well, phishing attacks attempt to impersonate the sender’s identity -- in other words the email or at the very least the display name. The registered domain
is not an easy target for cyber criminals to hack, or at least it doesn’t prove to be time and cost effective but with simple tools they can easily mimic the registered domain.
In our example, compromising jdtechsolutions’ email servers may be difficult and time consuming but an easier way may be for cyber-criminals to register a domain that resembles my original domain. For example they can register jdtechsolutoins.net
Let’s take a closer look at it:
Unless you pay close attention it would be difficult to spot the deceptive site. That is exactly what has happened to many large companies, especially banking and financial institutions like Bank of America where attackers create fake websites, spoofed email address, and Twitter handles with the original corporate marketing logos to lure people to follow their hyperlinks. In cases like these hackers did not have the need to take over the company’s website but tricked users into following their links and provide their banking information
Another interesting point that is exploited using social engineering is the fact that email clients are “user friendly”; by default email clients show the sender’s display name on the main view pane, meaning that when an email message arrives the From
field will show the information about the sender, but not really the sever or source it originated from.
Continuing using my account as an example, when I send an email it shows as coming from Jorge Diaz and the email is email@example.com.
The default view on most email clients, especially MS Outlook, is to show the display name of the sender, so cyber criminals can in turn send email from Jorge Diaz with the counterfeit domain (jdtechsoluoins
.net) to my contacts and associates and most likely the email messages will be open without investigation or suspicion.
This type of attack of forging a website is short in nature, so it doesn’t take long for someone to realize they’re connected to a fake website and alert authorities. That’s not say it’s not effective as the cyber criminals may have accomplished their mission before the site is taken down.
Social engineering plays a big factor in email attacks
. In cases like this, how can you tell if the message is legit?
Let’s go over another example and break it down even further. The following shows an email I received from what seems to be known source -- Nilsa Vielma -- but a closer look at the message reveals it’s not a legitimate email.
Again, Microsoft outlook’s default view is to show the senders name, date, and subject. It does not display the sender’s real email address but rather the Display name
. In the following example I identify the sender’s name as a trusted source and may be tempted to follow the link but further investigation reveals something else.
When I opened the message to do further investigation I noticed that the email address
does not really reflect the one from sender I know, thus raising a red flag
Not only does the email not reflect the name of the person I know but also the domain name is from what seems to be a suspicious source
. To briefly touch on this topic it’s completely normal for an email to be different from the display name. The t-online
domain is the subdomain of .de
top level domain, it is the top level domain assigned to Germany. Using a little bit of logic I can determine that it is not a legitimate email because the legitimate source has a Hotmail account.
It is a best practice for businesses to block emails originating from a top level domain if they have no relationship to the country or origin. For instance, companies in the US may choose to block emails from .rs, .de, .ch, .ng, etc. if they don’t have any relationship with businesses under those domain. To see a list of top level domain check IANA’s database here
The previous example is what I consider an easy catch. After all it just takes a few seconds a trained eye to spot a spam email. There are, however, more crafty email spams that require more than simply a trained eyed to identify them.
Let’s look at the following example:
The next email shows an unlikely email from the president of the United States. He personally wrote to me to let me know that my company has been awarded the IT Support contract for the White House. Obviously that didn’t happen but the email looks legitimage indeed.
Let’s take a closer look by opening the email and checking the domain it was originated from:
To the naked eye it may seem as if the email really originated from the whitehouse.gov, after all it shows the mail as firstname.lastname@example.org, but did it?
Obviously it didn’t but how can one tell? After all it’s very easy for me to rule it out as a spam because of the nature of the email but what about if you receive an email from what seems to be a coworker, your boss, or business client? Well in this case you have to dig deeper; the same way packets don’t lie in a network analysis, an email header does not lie when analyzing an email.
An email header doesn’t lie:
A more technically advanced method of looking at the source of an email address is by analyzing the email header. The email header contains all technical information about the email message including sender’s email, email servers, IP address, time, etc. that can be used to track the email source. Analyzing an email headers was a daunting task a few years ago but nowadays there are many free online tools available that make the life of IT administrators easier. In the following examples I’ll be using Microsoft’s Message Analyzer
, part of Microsoft Connectivity Analyzer tool set.
Let’s start by getting the email header (also known as Internet header) from your email client, in my case Outlook 2013. I open up the message, go to File and select Properties. The email header is listed as Internet headers.
As stated earlier the Internet header will provide and “X” ray view of the email message. The basic header output does not provide user friendly information so we’re going to copy the header and paste it on the Microsoft Message Analyzer.
Once the message is analyzed you’ll notice a few interesting points that will help you verify authenticity. First of all notice on the Summary
section that the message id is:
Also the Originator IP is 18.104.22.168 and the sender domain is orbit.eternalimpact.info, not really whitehouse.gov. The IP address is extremely important because it can be tracked to the server sending the message.
In this example Microsoft Email Header Analyzer did not classified the message as a Spam.
Each analyzer uses different criteria to determine when something can be classified as a spam; that is why it’s a good idea to run the same test against other analyzers. We’ll continue using MX Lookup, found in the mxtoolbox.com website. It reveals a completely different story and flags the sender as a spammer. It is very common for some senders to be listed on some black lists and omitted in others.
Is this example Mxtoolbox.com identifies the 22.214.171.124 IP as black listed IP address
When compared to major IP address blacklists the sender’s IP address comes up on Barracuda’s list.
So the as excited as I would’ve been had the message been legitimate, the email headers revealed it’s simply a scam. As I mentioned earlier, email header does not lie.
Though we will not able to completely stop phishing attacks or email scams from arriving at our inbox we can take the necessary measures to ensure we don’t fall victims of the attacks. There are other type of attacks that stem from compromising one’s computer; in those cases the attacker can send a message from a reliable source email address that will never be flagged as a spam by any analyzer but the content of the message may include malicious code. It simply proves that we should implement a holistic information security culture to make sure we cover all different layers of communication.
A combination of technical implementations and user awareness can greatly mitigate the likelihood of successful attacks.
Always remember to cover the basics:
- Does the message makes any sense to you?
- Check the email address, especially the domain it came from.
- Analyze the email header to ensure legitimacy.
- Have an up-to date antivirus software with email engine enabled.
- Block untrusted top level domains.
- Implement browser protection to scan for hidden malicious hyperlink in messages.
- Turn on your host firewall.
- For businesses: Implement email filter solutions.
Lastly, if still doubtful contact your IT support.
Thank you for reading my article, if you found it useful don’t forget to click on the Good Article button at the bottom of page. Your comments are greatly appreciated, have a wonderful day!