Forensics Weekly Summary for Week of May 13, 2016

By Jason Torikawa-Domingo on May 13, 2016

Recently, members of the University of Hawaii system have received various phishing attacks attempting to obtain information. Phishing is a social-engineering attack that tries to obtain information such as usernames and passwords, credit card numbers, and other personal information. Phishing can arrive by email, text message, or phone call.

What to look for:

If you suspect that you may have received a phishing message, you can look for the following key points:

  • Grammar and Spelling- A legitimate message should be properly structured and free of spelling mistakes; poor grammar or misspellings are a warning sign.
  • Links- The message contains links you are asked to click that would send you to a website, often one imitating a site you already use.
  • Notes/Threats- You are asked to do something (download an application, fill out a form, call a certain number) and are told there will be consequences if you do not comply (cancellations, blocked or restricted access). There are calls to action (e.g. "urgent", "open immediately").
  • Sender- The message comes from an unrecognized phone number or email address, or from one that is out of state or country. A display name can say anything, so look at the actual address, not just the name shown.

Evaluate a Phishing Email:

First you need to display the email header. For instructions on obtaining the header in your email client, see: Obtain Email Headers

In the email header you will see the following, each with a date and time stamp:

  • Delivered-To: your email address
  • Received: one line for each server that handled the message. Each server adds its line at the top, so the list reads from the server nearest you (top) back toward the source (bottom).
  • Then the standard headings: Subject, From, To, Content, and the Body/Message

This shows a trace of the message from the sender and the route it took to reach the receiver. Only the Received lines added by your own provider's servers can be trusted; anything below them was supplied by the sending side and may be forged. Also compare the Return-Path with the From address: when they are on unrelated domains, the From address is likely spoofed.

Sample:

Delivered-To: myemail@abc123.com
Received: by x.x.x.x with SMTP id lvand2463oec;
Tue, 10 May 2016 08:30:51 -0800 (HST)
Received: by x.x.x.x. with SMTP id 13310514510442016.5.10.08.30.51;
Tue, 10 May 2016 08:30:51 -0800 (HST)
Return-Path: <ThisEmail@SendMail.com>
Received: from some.other.server.com (x.x.x.x)
by othersite.com with SMTP id fbbfibwqf.2016.5.10.08.30.50;
Tue, 10 May 2016 08:30:50 -0800 (HST)
Received-SPF: neutral (google.com:x.x.x.x  is neither permitted nor denied by best guess record for domain of ThisEmail@sendmail.com) client-ip=x.x.x.x;
Authentication-Results: mx.google.com; spf=neutral (google.com: x.x.x.x is neither permitted nor denied by best guess record for domain of ThisEmail@sendmail.com) smtp.mail=jfaulkner@externalemail.com
Received: from mail.sendmail.com ([XXX.XXX.XXX.XXX]) (using TLSv1) by exprod7ob119.postini.com ([x.x.x.x]) with SMTP
ID DSNKT1Y7uSEvyrMLco/atcAoN+95PMku3Y/9@postini.com; Tue, 10 May 2016 08:30:50 HST
Received: from MYSERVER.myserver.local ([fe80::a005:a335:8c71:cdb3]) by
MYSERVER.myserver.local ([fe80::a005:a335:8c71:cdb3%11]) with mapi; Tue, 10 May
2016 11:30:48 -0500

For emails with links, you can find out whether a link is legitimate or fake in one of two ways:

  1. Hover the mouse over the link. A small pop-up will show the actual address, letting you verify it without clicking. Rest the cursor over the link for a second or two; do not click.
  2. If your email provider allows it, show the original format*. The entire content will be displayed as text, including the hyperlinks and any attached media files.

*Showing the email header may also show the entire message in its original format.

Sample:

Subject: (URGENT!!! Do Not Ignore) You have one new message from XYZ Company

From: "XYZ MEMBER SERVICE" <notfake@XYZcomp.com>

To: undisclosed-recipients:;

Content-Type: multipart/alternative; boundary=001a1148b58870ee3305320f1959

Bcc: youremail@mail.com

--001a1148b58870ee3305320f1959

Content-Type: text/plain; charset=UTF-8

[image: CompanyLogo] *You have one new message from XYZ*

"View message"

<http://www.SpoofedSite.com/uedf/XYZ/Web%20Login%20Service.htm>

The visible link text says only "View message"; the real target, shown in the original format, is on SpoofedSite.com rather than on XYZ's own domain.
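The header and link checks described in the two sections above can be automated offline. The following is an added example written for this summary, not code from the original post; it uses only the Python standard library. The raw message it parses is constructed to mirror the samples above, with a single HTML body part; the host names, IP addresses and the receiving server "mail.uh-example.edu" are placeholders. It walks the Received hops in transit order, reads the SPF verdict from Authentication-Results, compares the From domain with the Return-Path domain, and lists what each link really points to, flagging link text that names one site while the target is another.

```python
# Offline triage of a suspicious email with the standard library only: walk the
# Received chain, read the SPF verdict, compare senders, and inspect link targets.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the headers and body shown above; host names,
# IP addresses and "mail.uh-example.edu" are placeholders, not real systems.
RAW_MESSAGE = b"""Delivered-To: myemail@abc123.com
Received: from some.other.server.com (198.51.100.7)
\tby mail.uh-example.edu with ESMTP id fbbfibwqf; Tue, 10 May 2016 08:30:50 -1000
Received: from MYSERVER.myserver.local ([fe80::a005:a335:8c71:cdb3])
\tby some.other.server.com with SMTP id abc123; Tue, 10 May 2016 08:30:48 -1000
Return-Path: <ThisEmail@SendMail.com>
Authentication-Results: mx.google.com; spf=neutral (google.com: 198.51.100.7 is neither permitted nor denied by best guess record for domain of ThisEmail@sendmail.com) smtp.mail=ThisEmail@sendmail.com
Subject: (URGENT!!! Do Not Ignore) You have one new message from XYZ Company
From: "XYZ MEMBER SERVICE" <notfake@XYZcomp.com>
To: undisclosed-recipients:;
Content-Type: text/html; charset=UTF-8

<p>You have one new message from XYZ</p>
<p><a href="http://www.SpoofedSite.com/uedf/XYZ/Web%20Login%20Service.htm">https://www.XYZcomp.com/messages</a></p>
"""

def parse(raw):
    """Parse raw RFC 5322 bytes into a message object."""
    return BytesParser(policy=policy.default).parsebytes(raw)

def received_hops(msg):
    """Received hops in transit order, sender's side first.  Each relay adds its
    line at the top, so the header lists the last hop first.  Only the lines
    added by your own provider are trustworthy; the rest may be forged."""
    hops = []
    for value in msg.get_all("Received") or []:
        text = " ".join(str(value).split())  # unfold continuation lines
        frm = re.match(r"from\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None})
    return list(reversed(hops))

def spf_result(msg):
    """SPF verdict recorded by the receiving server, or 'none' if absent."""
    match = re.search(r"\bspf=(\w+)", str(msg.get("Authentication-Results", "")))
    return match.group(1).lower() if match else "none"

def sender_domains(msg):
    """Domains of the visible From address and of the envelope Return-Path;
    unrelated domains are a common sign of a spoofed From."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    return {"from": from_addr.rpartition("@")[2].lower(),
            "return_path": return_path.rpartition("@")[2].lower()}

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def extract_links(msg):
    """What hovering would reveal: (link text, real target) for every link in
    the HTML part, without rendering or clicking anything."""
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    collector = _LinkCollector()
    collector.feed(part.get_content())
    return collector.links

def link_findings(msg):
    """Flag links whose text names one site while the target is another, and
    links that do not lead to the claimed sender's domain."""
    findings, sender = [], sender_domains(msg)["from"]
    for text, href in extract_links(msg):
        target = (urlparse(href).hostname or "").lower()
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        elif sender and not target.endswith(sender):
            findings.append(f"link goes to {target}, not the sender's domain {sender}")
    return findings

if __name__ == "__main__":
    msg = parse(RAW_MESSAGE)
    print(received_hops(msg), spf_result(msg), sender_domains(msg), link_findings(msg))
```

On the constructed sample this reports the path MYSERVER.myserver.local to some.other.server.com to mail.uh-example.edu, an SPF result of neutral, a From domain (xyzcomp.com) that does not match the Return-Path domain (sendmail.com), and a link whose text claims www.xyzcomp.com while pointing at www.spoofedsite.com. To use it on a real message, save the message in its original format and pass the file's bytes to parse().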

 

Conclusion:

Should you receive an email that seems suspicious:

  • Check the email header to verify the sender.
  • Verify the links, but do not click on them.
  • After verifying, report it to management or your email service provider.


Source(s):

Microsoft: Recognizing Phishing

FTC on Phishing

Note:

The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies would you need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu