Feb. 22, 2019

Anatomy of a Phish

Robert Rotert

Working in the help desk trenches we get a lot of questions about suspicious looking emails. It’s challenging to pick out phishing emails from the day to day messages, and scammers or forever honing and polishing their craft. If you’re like me and learn by example then you’re in luck! Below are actual phishing messages caught in the wild by our clients and marked up by me with the tricks of the trade to spot these scams.

Before we dive in, it’s important to remember that we’re all going to get tricked by these messages at some point. If you ever enter your password in to a site only to discover it was an attack to steal your password, the best response is to call the help desk immediately! No you’re not in trouble, these problems are easy to fix early on before your account starts blasting spam to all of your contacts.


Example 1.png
  1. The From Address is from an unfamiliar domain name. In this case, uconn.edu, the University of Connecticut.
  2. The message is tagged as external. If the message were actually from an internal source this tag would not be there.
  3. There is a sense of urgency to get you to click. Zero days left, oh no!
  4. Hovering over the link and examining reveals it goes to a strange entrusted web address, abots.app.



example 2.png
  1. The name is trying to impersonate someone in the organization, but the actual email address is outside the organization
  2. The External email tag confirms this message do not come for a co-worker.
  3. The link is to a googleusercontent.com. This is a fake address trying to impersonate a legitimate google service.
  4. The message has a simple signature that doesn't fit with the company signature policy.



Example 3.png
  1. The from address is trying to look confusing so you won't read it but if you look closely, it's from nuwestmilling.com. Not Microsoft
  2. The message is tagged as external, use caution when clicking links.
  3. Spammers will try to insert company logos to make the message seem more official.
  4. Examination of the link shows it's clearly not from Microsoft.


example4.png
  1. Impersonating the owner, but the from address is from an external domain.
  2. The external email tag confirms this.
  3. Scammers will put a sense of urgency in to their message to get you to respond quickly without thinking.


Example 5

A tactic that is becoming more common is hacking accounts and using people that you know to send phishing emails. This message was sent from a client I had worked with, but it still has many of the same clues that it's a phishing email.

  1. The message itself doesn't look like a one drive sharing message.
  2. If you view the link to the open document it doesn't go to a Microsoft site.
  3. The message has a sense of urgency to try and get you to click.