Report About Phishing Attack (email spoofing) by Mehrdad Yazdizadeh


PHISHING

by MEHRDAD YAZDIZADEH - SECURITY CONSULTANT

9/21/2016

Phishing is the attempt to obtain sensitive information, such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using bait in an attempt to catch a victim. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting victims. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. Many websites have now created secondary tools for applications, like maps for games, but they should be clearly marked as to who wrote them, and users should not use the same passwords anywhere on the internet.

Phishing is a continual threat, and the risk is even larger in social media, such as Facebook, Twitter, and Google+. Hackers could create a clone of a website and tell you to enter personal information, which is then emailed to them. Hackers commonly take advantage of these sites to attack people using them at their workplace, homes, or in public, in order to take personal and security information that can affect the user or company (if in a workplace environment). Phishing takes advantage of the trust that the user may have, since the user may not be able to tell that the site being visited, or program being used, is not real; therefore, when this occurs, the hacker has the chance to gain the personal information of the targeted user, such as passwords, usernames, security codes, and credit card numbers, among other things.

Recently, some of our users reported that they couldn't access their iCloud accounts.

I checked several things, such as tracing their network and computers, but didn't find anything suspicious!

Suddenly, one of our clients mentioned that he had received a message from Apple several days earlier that claimed his iCloud account was locked and forced him to click on a link in the email!

[Figure 1]

I asked them to show me that email, and at first sight it seemed legitimate (as you can see in the picture).

But after reviewing the trace header of the email, I discovered several things:

  1. The email didn't come from Apple!
  2. The link in the email doesn't belong to the official iCloud web site and redirects somewhere else!

    Sender: [email protected]
    URL: http://www.cityjoinery.com/iCloud


The URL and email were reported to Apple, and the user had to convince Apple that the account belonged to him. Does the data still exist on the Apple server? Was the data copied somewhere else?

As you can see, it is very simple for someone to access your personal data on iCloud and control everything that belongs to you! Be careful when you receive new email.

Double check everything, such as sender, and do not click on the links that exist in them!

This is an old trick called "phishing" but nowadays, many people will still be victims of this kind of attack!

Here is another email that was reported by our clients, trying to encourage a user to click on the link; but what is that link?

➢ URL: http://manageid.yahoo.com.265.hounderbounder.com/id/

[Figure 2a]

TECHNICAL DETAIL

When an SMTP email is sent, the initial connection provides two pieces of address information:

  • MAIL FROM: generally presented to the recipient as the Return-Path: header but not normally visible to the end user; by default no checks are done that the sending system is authorized to send on behalf of that address.
  • RCPT TO: specifies the address the email is delivered to; it is not normally visible to the end user but may be present in the headers as part of the "Received:" header.


Together these are sometimes referred to as the "envelope" addressing, by analogy with a traditional paper envelope, and unless the receiving mail server signals that it has problems with either of these items, the sending system sends the "DATA" command, and typically sends several header items, including:

  • From: Joe Q Doe <[email protected]> - the address visible to the recipient; but again, by default no checks are done that the sending system is authorized to send on behalf of that address.
  • Reply-to: Jane Roe <[email protected]> - similarly not checked


and sometimes:

The result is that the email recipient sees the email as having come from the address in the From: header; they may sometimes be able to find the MAIL FROM address, and if they reply to the email, it will go to either the address presented in the From: or Reply-to: header - but none of these addresses are typically reliable, so automated bounce messages may generate backscatter.

SOLUTION

  • Train people
  • Use anti-phishing software
  • Use browsers that alert users to fraudulent websites (Firefox, Chrome, ...)
  • Eliminate phishing mail:


Specialized spam filters can reduce the number of phishing emails that reach their addressees' inboxes, or provide post-delivery remediation, analyzing and removing spear phishing attacks upon delivery through email provider-level integration. These approaches rely on machine learning and natural language processing approaches to classify phishing emails. Email address authentication is another new approach.

✓ Report to anti-phishing teams:

Report phishing to both volunteer and industry groups, such as cyscon or PhishTank.

✓ Legal responses:

In the United States, those who created fake web sites and sent bogus emails in order to defraud consumers are subject to fines of up to US$250,000 and prison terms of up to five years.

  • Identify legitimate websites:
    • Which site (exact URL)?
    • Does it use SSL?
    • Who is the certificate authority?
  • If you suspect an email message, you can analyze its header in an online email header analyzer such as https://www.whatismyip.com/email-header-analyzer/

In case you don't know what the email header is and how to find it, please check this link: https://mxtoolbox.com/Public/Content/EmailHeaders/
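As an added example (not part of the original report), the following Python script applies the header checks described in TECHNICAL DETAIL and the header-analysis advice above to a constructed message modelled on the two lures in this report: it compares the envelope sender (Return-Path, i.e. the SMTP MAIL FROM) and the Reply-To with the From: domain, and flags links whose host is not under that domain or that use a brand name outside the registrable domain. The sample headers, the brand list and the two-label registrable-domain heuristic are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real capture), modelled on the lures in the report:
# From: claims apple.com while Return-Path, Reply-To and the link hosts belong elsewhere.
SAMPLE = """\
Return-Path: <bounce@mailer-example.net>
From: Apple Support <noreply@apple.com>
Reply-To: Account Team <verify@example.org>
Subject: Your iCloud account has been locked
Content-Type: text/plain

Your account is locked. Verify here: http://www.cityjoinery.com/iCloud
Or sign in at http://manageid.yahoo.com.265.hounderbounder.com/id/
"""

BRANDS = ("apple", "icloud", "yahoo")  # assumed brand list for the lookalike check

def registrable(host):
    """Crude registrable-domain guess: the last two DNS labels (no PSL lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw):
    """Return a list of findings; an empty list means no header/link mismatch."""
    msg = message_from_string(raw, policy=policy.default)
    addr = lambda name: parseaddr(str(msg.get(name, "")))[1]
    from_dom = registrable(addr("From").rpartition("@")[2])
    findings = []
    for name in ("Return-Path", "Reply-To"):  # neither is checked by SMTP itself
        a = addr(name)
        if a and registrable(a.rpartition("@")[2]) != from_dom:
            findings.append(f"{name} {a} is not in the From: domain {from_dom}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        dom = registrable(host)
        if dom != from_dom:
            findings.append(f"link host {host} is not under {from_dom}")
        # brand name used in a subdomain label or the path, but not in the real domain
        for brand in BRANDS:
            if brand in url.lower() and brand not in dom:
                findings.append(f"link {url} uses '{brand}' outside its domain {dom}")
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print("-", f)
```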

October 10, 2016

Author

Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.