How to spot a “phishy” email

(Originally posted on my old Infrasupport website on March 25, 2013.  I backdated the posting date here to match the original.  I also encourage you to invest a few minutes with my phishing mini-seminar.  It might save you the embarrassment many of our United States political leaders suffered during the 2016 election season.)

This Wikipedia article provides as good a definition as any for phishing:

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

The challenge is, how do you tell a phishing email that claims to come from your friend, your bank, or another trusted source from a real email from that friend, bank, or trusted source?  Using an example phishing email that hit my inbox yesterday, this blog post provides some helpful and easy-to-use tips for spotting phishing emails that get past your spam filter.

Yesterday’s email claimed to come from a friend, with the subject “Confidential document”.  I happen to know my friend is away from work, so the subject alone already raises an alarm.  Here is a screenshot of the offending mail message.  I blacked out the sender name and other identifying information in the text of the email.

Take a look at the little popup near the “click here” link.

And that leads to the first clue about whether an email is what it claims to be.  Most phishing emails come with embedded links you can click on – but where do those links really take you?  Here is how to find out.  Position your mouse cursor over one of those links – don’t click anything, just hover the cursor there.  A little popup should appear with the URL of the website where the link really points.

In my example, the link points to a suspicious website named Altervista, even though the text of the email suggests the link should point somewhere inside Google.  But look closely – Altervista?  One of the original Internet search engines, before Google, was named Altavista (no “r” in the middle).

This is another favorite phishing trick: register domain names that look similar to legitimate or familiar domain names and use fake websites to fool people into giving up sensitive information.  See the “Digging Deeper” section below for a quick discussion of domain names.
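A programmatic version of the same two checks (does the link text match where the href really goes, and is the destination a near-miss of a name you trust), added here as an example and not part of the original post; the HTML body and the trusted-domain list are constructed for illustration.

```python
# Added example: flag links whose visible text and href disagree, or whose host
# is a near-miss (small edit distance) of a trusted name, e.g. altervista/altavista.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body modelled on the email described in the post.
SAMPLE_HTML = """<p>Confidential document shared with you.</p>
<a href="http://docs.altervista.org/view?id=1">https://docs.google.com/document</a>
<a href="https://mail.google.com/">Open Gmail</a>"""

TRUSTED = ["google.com", "altavista.com", "whitehouse.gov"]  # assumed allowlist

def edit_distance(a, b):  # Levenshtein: insertions, deletions, substitutions
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):  # docs.altervista.org -> altervista.org
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))
            self._href = None

def find_suspicious_links(html, trusted=TRUSTED):
    collector = LinkCollector()
    collector.feed(html)
    findings = []  # list of (href, [reasons])
    for href, text in collector.links:
        real = registrable(urlparse(href).hostname or "")
        reasons = []
        # Visible text that itself looks like a URL must lead to the same domain.
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable(shown) != real:
            reasons.append(f"text shows {registrable(shown)} but link goes to {real}")
        # Compare second-level labels only, so the TLD does not mask the near-miss.
        for good in trusted:
            if real != good and edit_distance(real.split(".")[0], good.split(".")[0]) <= 2:
                reasons.append(f"{real} looks like trusted {good}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Run against the constructed body, only the Altervista link is reported, with both reasons; the genuine mail.google.com link passes.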

I don’t need to dig any deeper.  With less than 5 seconds of analysis, I can confidently conclude this email is no more legitimate than a confederate $3 bill.

But we can do better.  I owe it to my friend and this blog entry to chase this one down a little more.

Digging Deeper

On the Internet, everyone who is anyone has a domain name.  Think of a domain name as kind of a trademark name on the Internet, managed by various registrars.  For now, there are a few top level domain names, such as .com, .org, .edu, .net, and others.  Thousands more are on the way and nobody knows how popular they will be.  But, at least for now, the real action is in the second level domain names.  Names such as google.com, whitehouse.gov, infrasupport.com, and millions of others comprise today’s Internet.  Most organizations today operate a website, typically named “www”.  They may also operate an email server, typically named “mail”.  Some offer additional services with different names.  Google, for example, offers another popular website named maps.google.com.

Here is where things become interesting.  In one of the more famous cases of name hijacking, a creative porn operator registered the name “whitehouse.com”.  The idea was, the United States Federal Government operates a website named www.whitehouse.gov.  This website has all the attributes we would expect from the Executive Branch of the United States Federal Government.  But www.whitehouse.com was a porn site – and not even the United States Federal Government had power to stop it, even though its name was similar to the website of the real White House.

Back to our suspicious email.  Domain registrars offer tools to find the current holder of any given domain name.   Some owners pay extra money for privacy, others identify themselves, although not always accurately.  So who is behind altervista.org?

The easiest way to find out – go here and do a whois lookup.  Type “altervista.org” in the search box, and here is the result.  Apparently, this domain name belongs to somebody in Italy.  The name was first registered in 2000 and expires in 2015.  The odds are pretty good the current domain name holders will renew it before it expires.

What can we do about this?  Realistically, not much.   Other than a few high profile cases in the headlines, law enforcement is generally not willing to work these cases because they are labor intensive.  But now, knowing the domain name is registered in Italy, we find yet another nail in this phishing email’s credibility coffin.  Stay far away from the website in that link.

Will the real sender please stand up?

Next, where did this email really come from?  In one of the most regrettable engineering design oversights of the Internet, the SMTP email protocol has no real security and anyone can impersonate anyone else in an email message.  This is a particularly nasty problem because, to date, nobody has come up with anything foolproof to address it.  This means, if I want to compose an email and claim I am, say, the vice-president of your bank, I can make the body of the email look like it really came from that sender.  I can even grab a copy of your bank’s letterhead and make the email look like it’s on bank stationery.  If I do a good job of editing, then when you receive the offending email, you will not have any inkling it’s a forgery.

Unless you look at the header.

Here is a picture of the header for the phishing email I received, with my friend’s name blacked out.  Email headers provide valuable diagnostic clues, including routing information and where the message really originated.  We can compare that with where it claims to come from.  Most phishing emails claiming to come from your bank or credit card company in fact originate in China, Russia, or another country.

How do you look at the header?  Every version of every email program is different.  In Outlook 2010 and 2013, click File…Properties.  In Outlook 2007, click the little checkbox in the “Options” menu ribbon graphic.  In Outlook 2003 and earlier, click View…Options.

Notice my sender claims to come from gmail.com.  Gmail is Google’s free email service and my friend does, in fact, have a Gmail account.  Looking at the header, the evidence strongly suggests this message really came from my friend’s mailbox.
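The same comparison as code, added here as an example rather than taken from the original post: read the earliest Received line, take the host it names, and compare it with the domain in From.  The headers below are constructed, and the mapping of gmail.com to google.com relays is an assumed allowlist that keeps the friend's genuine message from being flagged; a second constructed message shows the mismatch case.

```python
# Added example: compare the claimed From domain with the host named in the
# earliest Received header, the hop closest to where the message originated.
import email
import re
from email.utils import parseaddr

# Constructed headers; hostnames and the 198.51.100.x / 203.0.113.x addresses are
# documentation ranges, not real relays.  Each relay prepends a Received line, so
# the bottom-most one with a "from" clause is nearest the true origin.
CONSISTENT = """From: Friend <friend@gmail.com>
To: me@example.net
Subject: Confidential document
Received: from mail-a1.google.com (mail-a1.google.com [198.51.100.10])
  by mx.example.net with ESMTPS; Sun, 24 Mar 2013 09:12:01 -0500
Received: by mail-a1.google.com with SMTP id k7; Sun, 24 Mar 2013 09:11:58 -0500

Please see the confidential document.
"""

SPOOFED = """From: Bank Security <alerts@bank.example>
To: me@example.net
Received: from host-7.altervista.org ([203.0.113.7])
  by mx.example.net with ESMTP; Mon, 25 Mar 2013 08:00:00 -0500

Your account needs verification.
"""

# Assumed allowlist: domains whose relays legitimately hand off mail for a claimed
# domain.  Gmail mail arrives from google.com hosts, so a bare string compare
# would wrongly flag the friend's real message.
KNOWN_RELAYS = {"gmail.com": {"google.com", "gmail.com"}}
RECEIVED_FROM = re.compile(r"^\s*from\s+([\w.-]+)", re.IGNORECASE)

def registrable(host):  # mail-a1.google.com -> google.com
    return ".".join(host.lower().split(".")[-2:])

def origin_host(msg):
    """Hostname from the earliest Received header that names a sending host."""
    for received in reversed(msg.get_all("Received", [])):
        match = RECEIVED_FROM.match(received)
        if match:
            return match.group(1).lower()
    return None

def check_sender(raw):
    msg = email.message_from_string(raw)
    claimed = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    origin = origin_host(msg)
    allowed = KNOWN_RELAYS.get(claimed, {claimed})
    consistent = origin is not None and registrable(origin) in allowed
    return {"claimed": claimed, "origin": origin, "consistent": consistent}
```

The allowlist is the weak spot: a claimed domain you have not mapped is compared only against itself, so a provider whose relays live under a different name shows up as inconsistent until you add it.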

But my friend did not send it.  Somebody compromised my friend’s email account and is now trying to pursue my friend’s contacts, including me.  No doubt, that altervista website will try to extract personal information such as credit card numbers or passwords and use them illegally.  One day, I might use a throwaway computer to see what that website does, but not today.

I warned my friend and hopefully by now, that email account and any other accounts my friend operates have new passwords.