
Technology can't stop phishing, perhaps common sense can

Despite all the warnings, phishing is still the favored attack vector of the bad guys. It's time to stop expecting technology to save us and rely on good old common sense.

Phishing attacks tap into human eccentricities that con artists have exploited for thousands of years, which makes them extremely difficult to counter. Case in point: for this article I asked a few friends whether it's alright to click on active links in an email. They all said no. But I know for a fact that an email with a video link about cats is circulating among that same group.

Therein lies the problem, and the bad guys understand it. They also know which psychological buttons to push to improve the odds of getting a victim to click a malicious link.

A good example of pushing buttons is how phishers are leveraging the fear, uncertainty and doubt (FUD) created by the Target data breach, sending out thousands of phishing emails that offer financial protection. Target is aware of the deception and says the following on its FAQ webpage:

“Be wary of scams that may appear to offer protection but are really trying to get personal information from you. If you have any suspicions about the authenticity of an email or text, do not click the links in it. Please go directly to the sites you need to access.”

The fact that phishers are using the Target data breach to their advantage illustrates a fault even I'm guilty of--stressing out about a situation and making a hasty decision I usually end up regretting. The solution is to step back, take a deep breath, and realize that the amazing offer or panic-inducing security alert is likely a phishing email. Target's advice is the right habit to build: don't follow the link in the message at all; type the address yourself or use a bookmark, and check the claim from there.

Phishers exploiting attachments

Like most con artists, phishers must keep their deceptions fresh. As people learn to avoid active links in unsolicited emails, phishers are switching to a different lure--email attachments. In a Naked Security post, Paul Ducklin urges people to be leery of attachments:

“We urge you to be cautious of email attachments (Ducklin's emphasis), especially if you weren't expecting them. That's to protect you from booby-traps, where cybercriminals feed you a crafty file such as a document or image that is deliberately rigged up to crash your browser (or PDF reader, or multimedia player, or whatever) and sneakily infect you with malware.”

Ducklin is concerned because warnings about phishing emails usually refer to links embedded in the email body, not to attachments. The distinction matters: a booby-trapped document or image doesn't need the victim to visit a website; opening the file in a vulnerable reader or viewer is enough, and the file type alone (PDF, DOC, JPG) tells you nothing about whether a particular attachment is safe.

Technology will always be a step behind

A question people have been asking me lately is, “Besides stepping back and taking a deep breath, what else can we do?” That is a great question, and I'm afraid my usual answer seems hollow now. I, like many others who write about information security, have preached, “do this and don't do that.” But, to be honest, it all boils down to being aware.

I say that because there is precious little that antimalware vendors and IT professionals can do with technology to protect us. Sure, once they get wind of a new phishing campaign, they get the word out and update their software to recognize the latest deception. But what about those unlucky enough to receive a targeted phishing email before the word gets out? Signature-style defenses, by definition, only recognize what has already been reported.

That question is the very reason the experts I have talked to are becoming convinced that the only proactive deterrent is user awareness. Trust your instincts: if it seems bad, it most likely is. Additional advice: “More often than not, there are ways to check if the email is for real or not. And if there isn’t a phone number or alternative way to authenticate the sender, delete the email.”

About

Information is my field...Writing is my passion...Coupling the two is my mission.

36 comments
Richard Stam

Is it not possible to locate the source of the emails?  Yes, I know the tricks that are used to obfuscate their point of origin but if the emails are forwarded to a central location then the data could be analyzed.  A database similar to the NSA program but submitted emails only.  Making a statement that the bad guys are always going to get away with sending out toxic emails sounds more like giving up.  That will never solve the problem.

A daunting task perhaps, but the sheer number of emails they send out, must be traceable somewhere. 


joseph.filla

Funny Mike


I get an email from TechRepublic. With a link to an article from a security dude. Who says clicking on links in email is bad. Oh yeah. But that's how TechRepublic knows I got the email. And if I click on lots of links for security articles, I'll get targeted ads for security stuff. Are you equivocating? Maybe security guys should not allow their articles to be linked off emails. Put the body of the article in the email.


Joe

JimTheEngineer

Thank you for an interesting article.

I never click on a link to a mystery web site without checking the actual link very carefully, but I do receive attached and embedded files with emails. These files safely (I think) end up in a subdirectory of my email program, and, for the attached files, I must click on the file to have it displayed. Some of them - like EXE files - I assume are toxic, and delete them. Others - like DOC or XLS or similar - could contain toxic code, so I don't open them. Other extensions make for an interesting mystery - sometimes Google will explain them - but I can ignore those, too.

Are there any formats for an attached file that are (relatively) safe from malware? If someone sends me a picture in the JPG format, is it possible that it could contain something that could compromise the picture displaying program? How about PNG? ...GIF?


What other formats are "intrinsically safe" - TXT files? How about a PDF file? 

Is it possible to get an antimalware program to examine a file for malware before one attempts to open it? 

I do have a program called "WnBrowse" that will display a file as text (if that is readable) or as a hex display with text on the side. It lets me look at the contents of the file, but I certainly can't decipher enough of it by eye to make sure that it is safe. Sometimes the embedded text in the file is readable enough to give a clue as to the creator.


 - Jim

Cicuta2011

All I did was read the title of the article to agree 100% with the statement. Since the early 1980s I have maintained that the best security rests with every individual and not with obscure protocols and software security programs, which only make things worse.

In 1982, I was appointed computer systems security officer at one of the U.S. Navy locations in California. The measures I took regarding security were simple and effective, and ever since I have not seen the same security measures in any of the computer centers at companies I have worked for. Security rests on people...as simple as that!

lkarnis

Hi Michael: Generally good advice. Links and attachments can be very dangerous and should be treated with suspicion both by the user and by the e-mail spam filter. And the key takeaway - users are terrible at detecting phishing scams - so you really need to rely on your antispam filter.

(Disclaimer - I work for an antispam company)

A decent spam filter should block executable attachments as a matter of policy (.exe, .com, .scr, etc.). Other files should be scanned for viruses by the spam filter's antivirus engine (to catch malicious PDF documents for example). URLs should be harvested out of the message body (both text and html), message attachments (especially HTML attachments) and subject to checks against known phishing sites. Your spam filter's antivirus tool should also be checking for matches against known phishing attacks. Your spam filter should be smart enough to follow multiple levels of URL redirects so it can determine the ultimate target for any link (spammers can/do use disposable domains) and block the malicious ones.


Our product does all of the above. Today (for example), for my in-basket, it blocked 2 executables, 2 viruses and one e-mail that had URLs listed on Google's Safe Browsing watch list... and today was a light day. Before the holidays, I was routinely seeing 30+ malware blocks a day - just for me.


If any of this interests you, you can download PerfectMail for free and run it forever - for free (www.perfectmail.com)


Regards, larry.karnis (at) perfectmail.com

PatPeterson_Agari

Very interesting article. Phishing attacks will always be a method of attack and therefore will never be completely stopped – especially as we see phishers evolve as rapidly as technology itself. However, consumers do not need to be victims of these attacks; it is up to organizations, specifically in the financial and ecommerce sectors, to take the appropriate steps to prevent them.

Agari collects terabytes of email data from sources across the internet to provide global brands and security professionals with a cloud-based SaaS solution that eliminates email threats. 

You're correct in that users must be aware and conscious of what emails they're opening, but hopefully we can restore faith in technologies that are working to stay ahead of phishing attacks. 

wnematollahi

PEBCAK, or, if one prefers, PEBKAC. As long as people are people, phishing will be successful at least occasionally. Technology can help with good firewalls, as others have posted. I've been in situations where I was unable to access attachments because some lazy IT policy maker decided it was just easier to block e-mails with PDF attachments than purchase a decent firewall.

beck.joycem

The standard advice was always "Don't click on attachments from people you don't know", but now I say "Don't click on attachments from people you don't know, or unexpected attachments from anybody. Always say, when sending emails, how many attachments there should be, and preferably have your email signature say that there should be no attachments with this email unless explicitly mentioned". But judging by the scams for which some clients have fallen, there are always going to be a few who blindly trust anything they read - even having been stung once, some people will fall for a similar scam again.

tony

Having just spent a significant amount of time at the weekend removing stuff from a customer's critical PC, I read on Monday that Yahoo were serving up malware on Friday - they listed some of the stuff that I removed, and the problem occurred on Friday.


It was a bored receptionist. I have now started advising customers to do a number of things:



1) encourage users to use wireless on their smartphones instead of office computers for anything other than strictly work related. You can't stop human behaviour, but this shifts the problem to their device (and most of the smartphones are more resistant to viruses than your office computer).


2) Urge them to consider better firewalls with UTM capability. I have been using the Netgear UTM5 for a small office (with subscriptions). Out of curiosity I took a look at one of the logs and found about 600 URLs blocked in a 10 minute period. Now this is in a home office setup with just myself and my wife (as she teaches health education she does legitimately end up searching for certain topics). It was quite an eye opener, as I had not had a blocked link message so these were all referenced links that browsers were possibly pre-caching, or ads. It is not uncommon to find lots of ads blocked by this mechanism.


So there are technical solutions - at best they can reduce the problem, but for once BYOD (Bring Your Own Device) can be used to your advantage - let your users take the responsibility onto their own devices if they want to visit dubious shopping sites, install toolbars to help them save illegally obtained films etc.

dogknees

I get the sense that common sense is not that common.

lehnerus2000

I always include a "warning" in the Subject line, if I'm sending an email with an attachment (I describe it inside the email itself, including its size).


I include the page titles of any links that I send.


I have told my friends that if they receive emails without Subject text, or if they don't follow the points above, to delete the email and contact me.


Are any of these comments actually getting through?

They vanish as soon as I refresh the page!

Gisabun

I've seen so many dumb phishing attacks, it makes me laugh. They are looking for your information, but some are so dumb they....

1) send it in a plain text file

2) send a message with typos and punctuation problems

3) send it with old company logos

4) send it with an unprofessional appearance [aside from #1 & #2 above]

5) send it with little effort ["Dear Sir/Madame, your account is locked." instead of "Dear Mr. Gis Bun..."]

6) send it when you are not associated with the company [i.e. I don't have a Bank of America account, why would I get this - it is a longshot]

7) send it with real dumb errors [no one would say $6.5M in an email instead of $6.5 million]

8) send it when it says your Email account is locked - but you are using it right now to get the message!

Michael Kassner

@joseph.filla 


I guess that could be called a "Disconnect." Yet, I do not see a solution other than my pointing out that we all need to be careful. The fact that it's from TR and a twice weekly email newsletter should help reduce any angst. 

Michael Kassner

@Cicuta2011 


That was quite a job. I can only imagine the pressure that it entailed. Could you go into more detail as to what you put in place? 

Michael Kassner

@PatPeterson_Agari 


Thank you for your comments. I see any approach as being reactive, the closest thing to proactive I have seen was the service developed by Malcovery. 

Michael Kassner

@wnematollahi 


You need to help me. I see where blocking PDFs may be a good idea. The bad guys love using that format as it is easy to self-activate hidden malware. What I need help with is how a firewall would help, other than blocking the PDF format as well. 

Michael Kassner

@beck.joycem  


Excellent advice. The problem is that it's more than a few, otherwise the bad guys wouldn't be using it.

Michael Kassner

@tony 


When you say allow BYOD wireless do you mean Wi-Fi or cellular service?


Thank you for referring to the Netgear device. I have been looking into that recently. Did you leave the setting at default? 

Michael Kassner

@dogknees 


I made the same remark to my sociologist friend, and she said it all depends on how one defines common. 

williamjacobs

@Gisabun 

An interesting story I heard or read about phishing is that the lack of attention to detail is deliberate.

The spammer is interested in getting oblivious people to click the link, figuring that someone smart enough to detect a phishing attack is likely smart enough to know how to remove the infection quickly.


Someone who doesn't catch on to a sloppy come-on may have no clue how to get rid of a malware infection, and thus they have a useful node in their botnet for appreciably longer than they would with someone who is half paying attention.


Michael Kassner

@Gisabun 


Very true. But, the problem is that phishing works and works well. People are losing billions of dollars.

wizard57m-cnet (moderator)

@Gisabun

Not only those, but emails supposedly from some bank or shopping site, yet the reply address and actual sending address are typically from Yahoo! Funny, I didn't know Bank of America used a Yahoo free email account to conduct business!

Yes, I'm one of those that always examines the full headers of suspicious emails, hehe! 
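
lkarnis's filtering checklist above (block executables by extension, harvest URLs from the text and HTML parts including attachments), wizard57m-cnet's point about the reply address not matching the claimed sender, and the article's own warning about attachments can all be expressed as mechanical checks over a message. The following is an added example, not code from the article or from any product mentioned in the thread. The message it analyzes is constructed, the domains are fictional `.example` names, and the block list and the two-label "registered domain" heuristic are assumptions (a real gateway would consult the Public Suffix List and would also follow redirects, which this offline example does not attempt).

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions a gateway blocks outright by policy (assumed list; tune it to your environment).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample (fictional .example domains): a "bank" notice whose Reply-To is a free
# webmail account, whose link shows one site but goes to another, plus a disguised executable.
SAMPLE_MESSAGE = """\
From: "Example Bank Alerts" <alerts@examplebank.example>
Reply-To: examplebank.support@freemail.example
Subject: Your account has been locked
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear Sir/Madame, your account is locked. Restore access at
<a href="http://examplebank.example.account-verify.example/login">
https://www.examplebank.example/secure</a>.</p></body></html>
--sep
Content-Type: application/octet-stream; name="Statement.pdf.exe"
Content-Disposition: attachment; filename="Statement.pdf.exe"

MZ...not a real executable, just a stand-in body...
--sep--
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML part."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registered_domain(host):
    """Last two labels of a hostname. A simplification that is wrong for suffixes such as
    co.uk; a real filter consults the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def sender_mismatch(msg):
    """(From domain, Reply-To domain) when replies are routed away from the claimed sender."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" not in from_addr or "@" not in reply_addr:
        return None
    domains = tuple(registered_domain(a.rsplit("@", 1)[1]) for a in (from_addr, reply_addr))
    return None if domains[0] == domains[1] else domains

def risky_attachments(msg):
    """Attachment names whose final extension is blocked (the decoy .pdf in .pdf.exe is ignored)."""
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and "." + n.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS]

def extract_links(msg):
    """Harvest (href, anchor text) from text/html parts and bare URLs from text/plain parts,
    whether the part is the inline body or an attachment."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
        elif part.get_content_type() == "text/plain":
            links.extend((url, "") for url in URL_RE.findall(part.get_content()))
    return links

def lookalike_links(links):
    """(shown text, real href) pairs where the visible URL names a different registered
    domain than the one the href actually visits."""
    flagged = []
    for href, text in links:
        href_host, shown = urlparse(href).hostname, URL_RE.search(text)
        shown_host = urlparse(shown.group(0)).hostname if shown else None
        if href_host and shown_host and registered_domain(shown_host) != registered_domain(href_host):
            flagged.append((text, href))
    return flagged

def analyze(raw_message):
    """Run the three checks over one RFC 5322 message and return the findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    return {"sender_mismatch": sender_mismatch(msg),
            "risky_attachments": risky_attachments(msg),
            "lookalike_links": lookalike_links(extract_links(msg))}

if __name__ == "__main__":
    for check, finding in analyze(SAMPLE_MESSAGE).items():
        print(f"{check}: {finding}")
```

Run stand-alone it reports all three findings for the constructed message: a Reply-To on a different domain than the From, the `Statement.pdf.exe` attachment, and a link whose visible text and real destination disagree. None of these checks needs a signature for the specific campaign, which is the point: they catch the structure of the deception rather than a known instance of it. They are heuristics, though. A phisher who registers a convincing domain, sends from it, and puts the same URL in the anchor text and the href passes all three, so the filter reduces the volume that reaches the user but never replaces the "step back and take a breath" advice in the article.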

JimTheEngineer

@Michael Kassner @JimTheEngineer

It dawned on me that the FORMAT isn't the problem (or solution) to malware - it would be the PROGRAM that opens the format. Well, d'oh.

I wonder if it would be possible to create a verification process - maybe an organization - that would be able to certify that a program was not able to be subverted to install malware.


Yeah, right... I can imagine how attractive - and risk free - that task would be...


Oh, well - back to being vigilant.


 - Jim 


lkarnis

Hi Michael. Standard firewalls block content by source/destination IP address, port number, transport protocol, etc. If you want to block content, you either need a content aware firewall or some sort of gateway application level security appliance. A gateway spam filter is such an example. The application being filtered is SMTP and the filter rules state (amongst other things), block messages with PDF attachments. This is useful (if you really hate PDF documents) but does nothing for MS Office documents, .zip files, other types of archive files (.rar, .tgz, etc.). If that is a concern for you, you need a gateway content filter that can handle these challenges.

Michael Kassner

@williamjacobs 


That is true, I wrote about that very thing last year--especially, as you say, when ransomware is involved.

nruffin3

@wizard57m-cnet @Gisabun I formerly worked with FEMA and I get email from the FBI with Yahoo addresses asking for updates. Dumb...dumber and dumbest. I don't think "Honey-Boo-Boo" would fall for such.

Michael Kassner


I would not bet on that if I were you. Many people do not pay attention to that or have the header marginalized. 

kstenbch

@Michael Kassner @wizard57m-cnet @Gisabun I mark them as spam on Gmail and then I take the additional step to report it as suspicious. People do stupid things. I recently had a friend who plays WoW. He thinks their servers are impenetrable. He removed his antivirus software. When I asked him why, he said it was slowing him down and he didn't need it. He said he had no problems with his computer. I used MBAM free and ran a quick scan, which he didn't want to take the time to do. It took 10 minutes. It found over 100 pieces of malware. It got rid of them in less than a minute. I ran it again, it took less than 5 minutes. He immediately let me reinstall Avast free. Dogknees is correct, common sense is not very common....
