Is it Phish? How to Detect!

Let's start with "What is Phishing?"

Phishing is one of the most common types of social engineering attacks. It's an attempt technique used by malicious actors to trick the user into divulging sensitive information by disguising a trap as a trusted entity in electronic communication.

Now that we know what phishing is, what do we look for? Usually, to catch a bad email, we need to be vigilant online and use our common sense!

Follow these 3 steps to investigate an email for suspicious behavior:

 1. Look for the Sender Name and Domain: Hover over the sender name and email address to check for any spoofing.

2. Look for a sense of urgency in the subject line and body; look for grammatical errors.

3. Look for any embedded files or spoofed links in the email.

 The image below is the screenshot of an email which I recently received; it’s a credential phishing email.

As you can see in the screenshot above, the email is coming from "Window Live 2018," but after careful observation, we can see that the email address is actually a Hotmail address, "kamlabar1." This should ring an alarm in our heads that this isn’t legit. Why on earth would a Windows update email have such an email address?

Secondly, the email body shows a sense of urgency to update the information. In the content of the email, text such as “Do not ignore!” and “Note” and a large font size are used to give the impression that the matter needs immediate attention.

Lastly, it has an embedded link. If you hover over “UPGRADE NOW,” it will show you a link. Tip of the day: NEVER CLICK ON THE LINK IN THE EMAIL. If you are uncertain of the source from which the email is coming, then always check the links or attachment it contains on open source tools for suspicious behavior.

To avoid falling prey to a phishing attack and determine for yourself if the email is malicious or not, use a few open-source tools. Below are three open source resources that can help you in examining an email for phishing/spam behavior:

1. http://wheregoes.com: Use this website to check for redirects, in which links in the emails are being redirected.

2. https://www.virustotal.com/#/home/url: This is a scan engine; you can use this to check the behavior of links or attachments in an email.

3. https://urlquery.net: This website helps to view the screenshot of the first page of any website without even actually visiting it. It provides you with a pretty good idea of what you will be visiting before you click on the link to the website.

When I right clicked and copied the link from the above screenshot and checked it on VirusTotal, it showed that 4 out of 67 scan engines detected this link as a phishing link. Ahh!! Caught a phish ;)

Before clicking the link, I checked it on urlquery to see where the page would take me if I clicked it. From the screenshot below, you can clearly see that it asked for credentials. Also, it was not an Outlook URL, so it certainly would not have been a good idea to click on this one. This was a phishing email to fetch Outlook credentials.

Wrap Up

I’ve just highlighted three of the most common and versatile open source tools for analyzing emails for suspicious behavior. There are tons of open source tools available out there and hundreds of ways to check for the behavior, type, and malicious nature of links or attachments.

The key point to keep oneself safe is to be vigilant and think before you click.

I hope you enjoyed this and found it easy to follow along. If you have other methods, post them in the comments here!