CyberLabs #7 – Analyzing Suspicious Messages – Ultimate Guide To Protect Against Phishing Attacks

The increasing number of phishing attacks each year, and the projection that this trend will continue to escalate, aren’t likely to astonish anyone. This can be attributed, in part, to the reality that these days, a significant portion of our business transactions occur online, like shopping through the Internet.

Consequently, this leads to a situation where a substantial amount of our personal data and details about our private lives or payment information such as credit card details are stored on various online platforms. While navigating the darknet, we might stumble upon numerous places where photos of our identification cards or other documents found in our mailboxes are up for sale or even being distributed for free.

 

 

It’s not surprising that cybercriminals, adopting the identities of trustworthy potential business partners, for instance, inundate us with messages attempting to deceive us into revealing our online accounts access information or infecting our computers and phones with malware.

While larger corporations are able to invest in more advanced security systems or teams like SOC (Security Operations Center) responsible for monitoring and analyzing an organization’s security, smaller businesses or startups can’t bear such expenses.

Partly due to this reason, this article was composed—to provide an introduction to the fundamentals and techniques that enable anyone to conduct a basic analysis of messages and attachments to identify potential malicious intent. This knowledge can shield more than one organization from unauthorized breaches of their systems.

Note: Accidentally running malicious files during analysis can lead to grave consequences. Nonetheless, the forthcoming advice is designed to mitigate the risk of infection as much as possible.

Understanding Phishing Attacks

In one of the primary articles within the CyberLabs series, I delved into the specifics of phishing attacks—a deceitful tactic involving the impersonation of trusted institutions, authorities, or individuals (like a bank, courier company, or public figure) to manipulate victims into performing actions that benefit the attacker, such as divulging login credentials.

CyberLabs #1 – Phishing being one of the most popular cyber threats

The phishing email itself, using social engineering or hacking people’s minds, may try to arouse fear in us, for example, and all in order to make us download and run malicious attachment which is hidden, e.g. under the form of an “invoice”.

 

 

Several forms of phishing attacks exist (I encourage you to refer back to the aforementioned phishing article), such as smishing or phishing via SMS, and vishing, where the perpetrator contacts the victim by phone, attempting to extract data like passwords, phone numbers, or general login information.

On the subject of vishing, it’s worth noting that recent weeks have seen numerous articles about ChatGPT or general AI, which have demonstrated the capability to mimic any conversational partner based on a voice sample (thus, envision a scenario where someone mimics our boss’s phone number and even sounds exactly like them).

Upon reflection, it becomes clear that with the assistance of artificial intelligence, the cyber-attacks directed at us could enter an even more hazardous realm, making the evasion of phishing attempts a more intricate task.

AI In The Service Of The Cybercriminal

Undoubtedly, many of us view OpenAI’s ChatGPT as a groundbreaking solution capable of revolutionizing various markets. ChatGPT itself comes with inherent “safeguards” preventing the AI from generating responses that involve immoral or unethical actions, such as seeking personal or financial information.

How can AI assist cyber criminals?

Speaking of ChatGPT, it’s important to note that, similar to any system, this one also possesses certain “vulnerabilities.” It isn’t entirely devoid of weaknesses that could potentially be exploited by cybercriminals. These vulnerabilities provide openings through which we can craft text messages in a manner that prompts the artificial intelligence to respond to various questions or requests, even those of a less ethical nature (these vulnerabilities are continuously being addressed, but often as one loophole is closed, new methods emerge to sidestep the aforementioned restrictions).

Consequently, we’re able to task ChatGPT with tasks like retrieving passwords for legitimate email accounts from hashes. Moreover, we can request it to generate ransomware code (admittedly, the quality of the generated code might not be top-notch, but the mere possibility of generating such code should spark contemplation regarding its potential evolution in the upcoming years). It’s even plausible to use ChatGPT to compose phishing messages designed to extract personal, sensitive information from victims.

In contrast to many mass-sent phishing messages fraught with language errors and peculiar sentence structures that inherently arouse suspicion, these text-based communications exhibit a fluency that doesn’t immediately raise red flags.

Below, you can observe an example of such a message:

 

 

Certainly, the text message itself doesn’t encompass everything required to prepare for phishing scams. Nonetheless, currently, we often rely on the text and its sentence structure to gauge whether a message is dubious or not.

I’ve got some positive news for you! You’re on the verge of acquiring fresh techniques that can shield you from a multitude of phishing attacks.

Understanding Message Headers

Message headers, also known as email headers, constitute a segment of messages brimming with details about the email’s origins. This includes the genuine sender’s address, the recipient’s address, and security information like SPF/DKIM/DMARC specifications. Furthermore, you’ll come across fields like “Return-Path” / “Reply-To,” or “X-Spam Status,” which prove valuable in discerning whether an email is questionable and if it truly originates from the expected sender.

However, before we delve into the analysis of these headers, it’s crucial to know their location. This can vary quite a bit depending on the email client being used. Typically, the process involves opening the particular message, selecting “More,” and then opting for the “Show source / Show original” feature.

An exemplar set of headers might resemble the following:

 

 

Absolutely, you don’t need to undertake the following steps for every single email. Nevertheless, you can adhere to the provided instructions if you happen to receive an email that strikes you as suspicious for any reason. For instance, this might include an email containing an unfamiliar password reset link that you weren’t anticipating or one that makes an appeal for your credit card information.

Understanding How to Analyze Email Headers

Once you’re aware of where to locate message headers, you can embark on deciphering them. Acquiring knowledge about the significance of each header will certainly prove beneficial. Therefore, I’ve prepared a concise guide to these headers:

• From – the header indicates the name and email address of the sender of the message. Checking the From field, we may come across information indicating that the sender’s address is not the correct address of the person from whom we supposedly got the message.
• To – an indicator of the email’s intended recipient.
• Subject – this field showcases the title of the email. Often, these titles employ words aimed at stirring emotions, such as “Urgent Payment Required.”
• Date – a timestamp illustrating when the email was dispatched.
• Return-Path – also known as Reply-To. If you reply to the email, your response will be directed to the address within this field. In instances of phishing email, it’s possible for the From and Return-Path fields to diverge considerably. This tactic is observed in suspicious emails where the attacker desires responses to be directed to their own inbox.
• Message-ID – this field comprises a unique combination of characters and numbers that serve to distinguish each email. No two emails possess the same Message-ID.
• MIME-Version – Multipurpose Internet Mail Extensions (MIME) is a standard that allows any data, such as images, videos and other attachments, to be sent via mail.
• Received – The Received header indicates the servers from which the message was received or possibly what servers the message went through before it reached the recipient. The servers are listed inversely to the chronology from which they were sent, i.e. at the top is the last server through which the message passed, while the last is the server from which the message was sent. Based on this header, we can determine if the message was indeed sent from the servers used by the real sender. An example of a header indicating a server often used to impersonate various emails is: Received: by emkei.cz
• X-Spam-Flag – signifies whether the email has been categorized as spam.
• X-Spam-Level – reflects the score allocated by the spam assessment.
• X-Spam Status – This header, once again, informs us whether the email has been marked as spam. Additionally, it provides insight into the factors contributing to this classification.
• X-Mailer -This header enables us to verify the tool used to dispatch the email. Sometimes, a brief online search might reveal that a particular message was dispatched using a recognized phishing program, for instance.
• DKIM-Signature – is incorporated into each email message, providing information about the sender, the message, and the location of the requisite public key for validation.

The headers y’all see up yonder are just a piece of the headers we might come across when we are sifting through a message. It’s good to bear in mind, too, that some mailboxes have their own headers what aren’t gonna show up in other places.

Peepin’ at them headers in their “raw” shape can be a mite overpowerin’ for some folks, so it’s handy to know ’bout tools that can help y’all analyze their headers. A few tools like:

• Google Admin Toolbox – Messageheader
• MX Toolbox – Email Header Analyzer

For the tools I mentioned, all y’all gotta do is copy all the headers from that message, and the tool’s gonna give y’all back a report what’s easy on the eyes.

 

 

As we could read in the earlier part of the article, the Received header indicates to us the server from which the message was sent. Using this knowledge with the Cisco Thalos tool, we can check the reputation of the server from which the questionable emails were sent.

All we must do is place the IP address or domain address of the server responsible for sending the message onto the specified webpage. Through the response, we will gain insights into the server’s reputation, including whether it has been flagged as suspicious or has a history of sending spam, for instance. Furthermore, we will acquire details regarding the volume of messages dispatched and information related to the domain itself.

Link Analysis Can Help You Avoid Phishing Scams

Simply scrutinizing the email header might not suffice to ascertain the legitimacy of the text message we’ve received. There’s a possibility that cybercriminals have taken precautions and are utilizing a meticulously crafted infrastructure that doesn’t appear on any blacklists and isn’t marked as malicious.

The content of the message itself can instill confidence in us, as it may be skillfully composed with impeccable grammar and sentence structure. If the wrongdoer dedicates themselves to the task, the message can closely mimic the original, creating a convincing illusion. Typically, such messages contain either an attached file (we’ll delve into malicious files later) or a link. This link may either redirect us to a page requesting our credentials or lead us to an external phishing website offering downloads that might harbor malicious software.

Hence, our next step in thwarting phishing attempts involves verifying the trustworthiness of these links. Criminals frequently refine their tactics, so it’s essential to be aware of their methods.

A widely employed phishing technique by criminals involves leveraging reputable websites to host malicious files. It’s the links leading to these phishing or malware-infested sites that can thwart a successful attack. Suspicion may arise if the URL comprises a string of random alphanumeric characters.

 

 

Hence, it’s crucial to note that cybercriminals frequently exploit well-known domains that we all recognize, such as Google Drive, Dropbox, Slack-Files, Discord, and various others, to either embed malware or establish phishing sites. You can access the comprehensive list of domains utilized for such purposes on this website.

Clicking on links leading to counterfeit websites or downloading malicious files can result in severe repercussions. Therefore, I strongly discourage anyone who is uncertain about their actions from engaging in such activities. Nevertheless, based on the link we possess (which we can easily copy), we can perform some rudimentary text message analysis. Below, you’ll find a few tools that can prove valuable for this purpose:

• Virustotal – this is likely one of the most widely used, completely free tools for scrutinizing the potential maliciousness of a URL, file, or even the address of a specific domain. To employ this tool, simply copy the link you wish to access, then visit the Virustotal website. Select the URL tab and paste the address you want to inspect for malicious content. As a result, you will receive feedback based on the analysis of numerous antivirus engines. It’s worth noting that when analyzing files with this tool, the files may become accessible to various researchers.
• WhereGoes – on occasion, a link within a link may be shortened or obfuscated, making it challenging to discern its ultimate destination. In such cases, the WhereGoes tool comes to our aid. It often reveals the final URL to which we would be directed. However, it’s important to be aware that criminals sometimes use URL shorteners to mask their intentions, and this tool may not always unveil their true destination.
• CheckPhish – this website serves as a resource to determine whether a given URL leads to a phishing site. Additionally, it provides the ability to view what the redirected page looks like, ensuring that it’s safe for us to explore.

 

 

Certainly, there are indeed numerous similar sites available, but for fundamental analysis, these tools should certainly suffice. In the upcoming section of the article, I will provide a brief introduction to file analysis tools, which can also be employed in conjunction with link analysis.

File analysis

There are instances where we won’t come across any links in an email. Instead, all we’ll find is an attachment, such as a purported invoice. Even if the message appears legitimate and the entire attack seems well-crafted, we should exercise caution before downloading and opening such attachments. It’s essential to maintain a sense of skepticism and remain vigilant.

Over the years, the nature of malicious files and phishing attacks has evolved. We may have heard of attacks that utilize Office files containing malicious macros. However, Microsoft eventually took steps to disable macros by default. As a result, criminals shifted their tactics to sending files associated with OneNote. These files may adopt various disguises, such as appearing to be invoices, and may contain buttons that, once clicked, trigger malicious actions.

One might also come across attempts to send files with a double extension, such as “invoice.pdf.exe,” where the fake “.pdf” extension is just a part of the file name. Another common method involves sending file archives, like .zip or .iso, often with password protection, concealing malicious content within. It’s worth noting that there are myriad techniques criminals employ to hide malware and distribute it through phishing emails.

In this segment of the article, I’d like to introduce additional software programs that can help us determine whether a file is malicious. However, it’s crucial to emphasize that our first line of defense should always be our antivirus software, which should be capable of handling most “mass” attacks. So, remember to keep your antivirus software active and regularly updated..

If the antivirus itself fails to detect anything, we can also employ the following online tools:

• AnyRun – this web-based sandbox offers a secure environment for analyzing malware. It allows us to execute malware safely. After analyzing the file, we can examine the URLs the file attempts to communicate with. Additionally, we can gain insights into the running processes.
• JoeSandbox – similar to the previous software, JoeSandbox is also a sandbox environment where we can safely analyze files or URLs. Interestingly, it extends its functionality to analyzing Android files as well. Following the scan, we receive a detailed and comprehensive report. At the outset, this report informs us whether the file or address is malicious, suspicious, or completely safe.

 

 

In addition to the aforementioned tools, it’s worth emphasizing the importance of Virustotal, as mentioned earlier.

As we conclude this section, it’s crucial to recognize that the activities outlined here are fundamental and should not be considered a replacement for the advanced analysis performed by specialized security teams. Nonetheless, I trust that the methods of analysis presented here will contribute, even if in a modest manner, to enhancing your overall security.

Is There a Place to Report Suspicious Messages?

Certainly, you can report any messages that appear suspicious or lead to malicious websites. If you’re a Gmail user, you can do this directly from your inbox. When you open a suspicious message, simply click on “more options” and then choose either “Report Spam” or “Report phishing attempt.”

However, if you use a different ISP, don’t worry; there are still options available to you for reporting such attempts. Several websites and organizations allow you to report suspicious messages and phishing attempts. Some of these include:

• CERT Polska NASK – team is dedicated to responding to computer security incidents. Through the “Report an Incident” page, you can access dedicated forms to report various issues, including a malicious domain, a suspicious email or SMS message, malware, or vulnerabilities in web applications. The CERT website also offers a list of suspicious domains that you can import into ad-blocking plugins, such as AdBlock. Additionally, you can find a wealth of publications and reports on cybersecurity on their website.
• Google Safe Browsing – this project is responsible for warning users when they attempt to access a suspicious page in Google’s search engine or download malicious software. You can use this address to report phishing malicious website or websites with embedded malicious files.

 

 

Reporting such incidents can indeed be a significant contribution to cybersecurity. It’s crucial to understand that hackers can target anyone, not just large companies. Cybercriminals may have an interest in obtaining your personal and financial information, and failing to take proper security measures can lead to unpleasant situations.

Therefore, it’s essential to prioritize your online security and take steps to protect yourself from potential threats. Your vigilance and proactive actions can go a long way in safeguarding your digital presence and contributing to a safer online environment for everyone.

A General Rule How to Prevent Phishing Attacks

• Use Identity Confirmation: with the rising use of artificial intelligence in vishing attacks, consider implementing a unique “password” or identity verification method to distinguish genuine conversations from phishing attack. Always verify sensitive actions like financial transfers through a separate communication channel.
• Stay Calm: phishing attacks often employ social engineering tactics to manipulate victims. Maintaining a calm and cautious demeanor can help you resist the pressure to enter personal information or download malware.
• Check Sender E-mail Addresses: most phishing scams can be identified by examining the sender’s email address. Look for any discrepancies or typos in the address. If the address seems correct but the message appears suspicious, recall the lessons learned in this article.
• Inspect Hyperlinks: hover your mouse cursor over any hyperlinks in the message to view the destination URL. If you immediately spot something suspicious, such as a missing letter in the address, report the message as a phishing attack and delete it. For shortened links, use tools like WhereGoes to reveal the true destination.
• Exercise Caution with Files: Approach files linked in messages with caution, especially if they have extensions like .iso or .exe, which are often associated with malware. Employ various tools for secure automatic analysis of both files and links.
• For automatic analysis of files as well as links, many tools will do it in a safe way for us.
• Involve IT or Security Teams: if your organization has an IT or Security Operations Center (SOC) team, let them handle the analysis of suspicious messages, links, and files. They have the expertise and resources to handle such situations.
• Implement Email Security Measures: if your organization sends emails, consider implementing email security protocols like SPF, DKIM, DMARC, and BIMI to enhance message security and help users distinguish between valid and malicious messages.
• Exercise Caution in File Analysis: when analyzing files, always exercise caution. Running a malicious file inadvertently can result in severe consequences. Use dedicated tools and follow best practices for safe analysis.

By following these tips and maintaining a vigilant mindset, you can significantly reduce your vulnerability to phishing attacks and contribute to a safer online environment.

 

Stay Secure 👾