Phishing Attacks: Still Going And Targeting Us!

This is hardly a new thing – it is about a particular kind of spam trying to persuade you to give up login credentials. This has been labelled as “Phishing“, which some of you may be bored of reading about again. Unfortunately it is still the case that people fall victim to phishing attacks despite the warnings that have been sent out over time. If you search the Sophos Naked Security blog for “phishing” you will get an enormous number of results – at least 15 pages (I lost patience at that point).

Phishing basically works by sending large numbers of emails (thus it is spam) with a message intended to alarm people into either replying with details they should not reveal, or into clicking a link to a web-based form to gather the same kind of details. Usually banking details, or login credentials.

In short, don’t reveal your details via email or to a web form sent to you via an email. Password are your personal information and should never be revealed to others :-

  • Banks do not ask you for your password or other details via email.
  • The University will never ask you for your password.
  • Law-abiding organisations will never ask for it either.
The exception to this is that sometimes organisations may try to trick you into revealing your password to find out whether you follow the security policies. It is a standard part of penetration testing to try this (and they often succeed). The University does not currently carry out this sort of social-engineering penetration testing.

There is usually an attempt to craft the email to look as though it is some kind of official communication, varying from the extremely sophisticated with very little signs that it is not an official email to really rather poor attempts. Common mistakes that are found in the less sophisticated phishing attacks include :-

  1. Sending from an email address with an official sounding name (“The IT Support Department”) which is not used within the organisation – here at the University our “IT Support Department” is called “Information Services”.
  2. Sending from a non-organisation email address.
  3. Addressing the email in excessively formal … almost archaic  phrases. And indeed any use of non-colloquial English.
  4. Lastly, referring to services using generic terms rather than specific local terms – “Webmail” rather than “GroupWise”.
An example of a phishing email follows :-
From: Helpdesk<info@ttu.edu>
To: Recipients <info@ttu.edu>
Subject: Storage Limit Exceeded
Date: Tue, 17 Apr 2012 23:47:09 -0400
Reply-To: info@mail.com
Sender: fanzhiy@Cardiff.ac.uk
Dear members,
You have exceeded the storage limit on your mailbox. You 
will not be able to send or receive new mail until you upgrade
your email quota. Kindly update your account by clicking here, 
https://docs.google.com/spreadsheet/viewform?formkey=dEwLUxMejBNalg0dkNMY0FxcDVlRGc6M
Regards,
Technical Team.

But performing detail text analysis on every email you receive just to see if it is a phishing attack is both a little tedious and completely unnecessary. There is a very simple technique to use :-

  1. Ignore the instructions in the email.
  2. If you have the slightest doubt over whether the instructions are for real, contact the relevant organisation over the phone (or at the very least with a newly composed email). In the case of the University, contact the IS Service Desk on x7777.
This entry was posted in Uncategorised. Bookmark the permalink.