The editorial team at CSO were targeted by a phishing campaign recently. If it had been successful, the person(s) behind it would have tricked us into installing the Zeus Trojan, which is financial malware. Lucky for us, however, our user awareness training took hold, and we used some basic logic in order to spot the scam. Here’s an overview of the phishing message itself, and the thought process used to determine that it was a scam.
Does this look suspicious?
When this email arrived, the CSO editorial staff questioned it immediately. First, none of us had heard of Fiserv before, and Pat Evans was the name of an unknown person. The message itself is addressed to the main editorial team, but it is also addressed to recipients none of us had ever seen before.
The email’s subject, simply telling us that there is some sort of scanned file being forwarded, is another red flag. Who would be scanning files and sending them to us? Why would anyone do that and not tell us to expect said scans? Finally, the email has a ZIP attachment, which is a known potentially malicious file type, along with DOC, XLS, EXE, and PDF.
Examine the body of the message
In this email, the opening of the message is overly formal. The body of an email message is the second area of focus when judging its overall legitimacy, so look at it closely.
In the body, is it asking for information or details that you’d normally hesitate to share? If the answer is a yes, take a step back.
Notice that the name in the FROM: field is different from the name presented in the message’s body. Why is that? Another red flag for the CSO team.
Headers can provide clues
Once the email was debunked and dismissed as a scam, there was little need to look further. Still, when determining the authenticity of an email, the headers are a great source of information.
In Outlook 2010, the headers are part of the options area of the ribbon, which you see marked in the image. In other clients, you can usually right click on the email and select the options menu, and find the headers there.
More telltale signs of phishing
The first line highlighted is the sender’s IP address and ISP information. In this case, we can see that a Comcast user in Indiana (in.comcast.net) is the origin of the message. But Fiserv is a company in Wisconsin, so an Indiana ISP wouldn’t be something they’d use.
The xxx.xxx.xxx.xxx in this line represents the IP address that sent the email. CSO has redacted the IP address, as it’s assigned to a compromised computer acting as a bot.
The second line is where the email was delivered from. In most cases, this will be your ISP’s SMTP server; in our case, it is one of the anti-spam servers.
Old tricks, new phishing scams
Here we see the top line where the Comcast IP address claimed to be email@example.com when communicating with the ISP’s email servers. AEXP.com is American Express, and this domain has been spoofed by criminals many times in the last year, including several noted phishing attacks.
The X-Mailer header shows what email client was used to send the email. Sometimes this line is useful, because spammers favor certain tools. However, you cannot rely on it entirely because it can be spoofed. In this case, the software identified as sending the email (The Bat!) was released in 2004.
These lines can be used to confirm suspicions that an email was spoofed, and that the sender isn’t who they claim to be.
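The checks described in this article (the originating hop in the Received chain and the network it belongs to, a HELO name that does not match the sending host, a From: domain that differs from the envelope sender, a sign-off name that differs from the FROM: display name, risky attachment types and the X-Mailer header) can be run automatically over a raw message with the Python standard library. The script below is an added example, not CSO's own tooling, and the message it parses is constructed: every host, address and IP in it is a placeholder (203.0.113.0/24 and 192.0.2.0/24 are documentation ranges), with only the names from the article reused.

```python
"""Header triage for the phishing indicators described in the article.

Added example, not CSO's own tooling. SAMPLE_RAW is constructed: every
host, address and IP is a placeholder (documentation ranges); only the
names that appear in the article are reused.
"""
import os
import re
from email import message_from_string, policy
from email.utils import parseaddr

# File types the article lists as commonly abused attachments.
RISKY_EXTENSIONS = {".zip", ".doc", ".xls", ".exe", ".pdf"}

# Constructed sample: a "scanned document" lure with a ZIP attachment.
SAMPLE_RAW = """\
Return-Path: <billing@aexp.com>
Received: from antispam.example-isp.net (antispam.example-isp.net [192.0.2.10])
\tby mail.example-publisher.com with ESMTP id 12345; Mon, 1 Jan 2012 10:00:00 -0500
Received: from aexp.com (c-203-0-113-7.hsd1.in.comcast.net [203.0.113.7])
\tby antispam.example-isp.net with SMTP id 67890; Mon, 1 Jan 2012 09:59:58 -0500
From: "Fiserv Scanning" <scan@fiserv-example.com>
X-Mailer: The Bat! (v3.0)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Dear Sir or Madam,

Please find the scanned document attached.

Regards,
Pat Evans
--BOUNDARY
Content-Type: application/zip; name="scan_0001.zip"
Content-Disposition: attachment; filename="scan_0001.zip"

(binary payload omitted in this constructed sample)
--BOUNDARY--
"""

def same_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def received_chain(msg):
    """Received headers oldest-first, so index 0 is the hop nearest the sender."""
    hops = [re.sub(r"\s+", " ", str(h)) for h in msg.get_all("Received", [])]
    return list(reversed(hops))

def origin_hop(msg):
    """HELO name, reverse DNS and IP the first receiving server recorded, or None."""
    chain = received_chain(msg)
    if not chain:
        return None
    m = re.search(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)", chain[0])
    if not m:
        return None
    return {"helo": m.group(1), "rdns": m.group(2) or "", "ip": m.group(3)}

def signoff_name(body):
    """Name on the line after a closing such as 'Regards,' in the body text."""
    m = re.search(r"^(?:Regards|Sincerely|Thanks),?[ \t]*\n[ \t]*(.+?)[ \t]*$", body, re.M)
    return m.group(1) if m else None

def triage(raw):
    """Return the origin hop and a list of (indicator, detail) findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2]
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2]
    hop = origin_hop(msg)
    if hop and hop["rdns"]:
        # HELO is whatever the sending machine claims; rDNS is what was observed.
        if not same_domain(hop["rdns"], hop["helo"]):
            findings.append(("helo-mismatch", f"{hop['helo']} sent from {hop['rdns']} [{hop['ip']}]"))
        # Origin network unrelated to the From: domain (the Comcast vs. Fiserv point).
        if from_domain and not same_domain(hop["rdns"], from_domain):
            findings.append(("origin-unrelated", hop["rdns"]))
    if from_domain and rp_domain and from_domain.lower() != rp_domain.lower():
        findings.append(("envelope-mismatch", f"From {from_domain}, Return-Path {rp_domain}"))
    body_part = msg.get_body(preferencelist=("plain",))
    signer = signoff_name(body_part.get_content()) if body_part else None
    if signer and from_name and signer.lower() != from_name.lower():
        findings.append(("signer-mismatch", f"From: {from_name!r}, signed {signer!r}"))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
    # Spoofable, but worth recording alongside the other indicators.
    if msg.get("X-Mailer"):
        findings.append(("x-mailer", str(msg["X-Mailer"])))
    return {"origin": hop, "findings": findings}
```

Calling `triage(SAMPLE_RAW)` on the constructed message reports all six indicators; on a real message, paste the raw source (headers included) in place of `SAMPLE_RAW`. Only the earliest Received line written by your own mail server is trustworthy, because a sender can prepend fake Received headers of its own; the code therefore reads the chain oldest-first and still treats the result as a signal to investigate, not as proof.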