
Phishing And Spam Email Analysis
Agenda
• Brief introduction to phishing and spam emails
• Major categories of Phishing
• Phishing Techniques
• Phishing mail indicators
• Email Analysis
• Remediation
• How to avoid being a Phishing Victim?
• Recent Examples
Spam Email
Email spam, also known as junk email, is a subset of electronic spam
involving nearly identical messages sent to numerous recipients by email.
Spam emails are generally, but not always, marketing emails sent to you
without consent. The messages may contain disguised links that appear to
lead to familiar websites but in fact lead to phishing web sites or to
sites that host malware. Spam email may also carry malware as scripts or
other executable file attachments.
Phishing
Phishing is an attempt to acquire sensitive information such as usernames, passwords
and credit card details (and sometimes, indirectly, money), often for malicious reasons,
by masquerading as a trustworthy entity in an electronic communication. Phishers use
spoofed e-mails and fraudulent web sites to fool users into revealing personal data.
Major Categories Of Phishing
• Clone Phishing: the phisher finds a legitimate email that was delivered previously,
creates a cloned copy of it, and sends that copy with the links replaced by malicious
ones.
• Spear Phishing: instead of casting out thousands of emails at random, spear phishers
target selected groups of people with something in common, for example people from
the same organization.
• Phone Phishing: this type of phishing refers to messages that claim to be from a bank
and ask users to dial a phone number regarding problems with their bank accounts.
Types Of Phishing Techniques
• Email / Spam
• Web Based Delivery/Man-in-the-Middle
• Instant Messaging
• Trojan Hosts
• Link Manipulation/ Deceptive Phishing
• Key Loggers
• System Reconfiguration
• Content Injection
• Phone Phishing
• Malware Phishing
Phishing information flow
Phishing Mail Indicators
• The message contains poor spelling and grammar
• The message asks for personal information
• The message contains a mismatched URL
• URLs contain a misleading domain name
• The offer seems too good to be true
• You didn't initiate the action
• You're asked to send money to cover expenses
• The message makes unrealistic threats
• The message appears to be from a government agency
• Something just doesn't look right
Message Body:
• The correct case is “PayPal” (capital P)
• “Paypal !” (note the space before the exclamation mark)
• Spoofed eBay web page
Technical Breakdown
The first thing to look at is the HTML source of the attachment form. Verify whether the
actual link target contains the expected domain name (e.g. dropbox.com).
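The link checks above (the "mismatched URL" and "misleading domain name" indicators, and the Technical Breakdown step of confirming that the real link target belongs to the expected domain) can be automated over the HTML source. The script below is an added example and not code from the original slides; the HTML body is a constructed sample, the attacker-side hosts use a reserved .test name and a documentation IP address, and the reason tags and function names are the example's own.

```python
"""Flag mismatched and misleading links in an HTML email body.

Added example, not code from the original slides. It automates two of the
indicators from the deck: the visible link text names one domain while the
href points somewhere else, and the href host merely *contains* the expected
brand domain (dropbox.com.login-verify.test) instead of ending in it.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure with three links: one mismatched and misleading,
# one genuine, one pointing at a bare IP address (documentation range).
SAMPLE_HTML = """
<html><body>
<p>A document was shared with you.</p>
<a href="http://dropbox.com.login-verify.test/d/123">https://www.dropbox.com/s/abcd</a>
<a href="https://www.dropbox.com/help">Dropbox Help</a>
<a href="http://198.51.100.7/paypal/">Paypal !</a>
</body></html>
"""

URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased; '' if there is none."""
    candidate = url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). A public-suffix list would be more
    accurate; this keeps the example offline."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_links(html: str, expected_domain: str) -> list:
    """Return one finding dict per anchor with a list of reason tags."""
    collector = _AnchorCollector()
    collector.feed(html)
    expected = expected_domain.lower()
    findings = []
    for href, text in collector.anchors:
        href_host = host_of(href)
        reasons = []
        # Indicator: displayed URL and real target are on different domains.
        if URL_LIKE.match(text):
            if registrable_domain(host_of(text)) != registrable_domain(href_host):
                reasons.append("mismatched-url")
        # Indicator: brand name appears in the host but the host is not under it.
        if expected in href_host and not (
            href_host == expected or href_host.endswith("." + expected)
        ):
            reasons.append("misleading-domain")
        # Indicator: link goes straight to an IP address rather than a named host.
        if IPV4.fullmatch(href_host):
            reasons.append("raw-ip")
        findings.append(
            {"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons}
        )
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_HTML, "dropbox.com"):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['href']}  reasons={finding['reasons']}")
```

Run against the sample, the first link is flagged for both a mismatched displayed URL and a misleading domain, the genuine Dropbox help link passes, and the third is flagged only because it targets a raw IP address. The crude two-label domain comparison is the weak point; in production, compare against a public-suffix list.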

Important Doc3.msg
Verifying the internet headers
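As an added example of what verifying the internet headers means in practice (not code from the original deck), the script below parses a raw message with Python's standard library and applies the checks an analyst does by hand: From domain against Return-Path and Message-ID domains, the SPF/DKIM/DMARC verdicts the receiving gateway recorded in Authentication-Results, and the Received chain walked from the originating host inward. The raw message is constructed; its hosts, IPs and addresses are reserved example/documentation values, and the spoofed From claims PayPal as in the deck's own sample.

```python
"""Check a suspicious email's internet headers the way an analyst does by hand.

Added example, not code from the original slides. The message below is
constructed with reserved example/documentation hosts and addresses.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed raw message, headers as they arrived at the mailbox.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mail-verify.example>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby inbound.corp.example with ESMTP id abc123;
\tMon, 11 Apr 2016 09:15:02 +0000
Received: from relay.mail-verify.example (relay.mail-verify.example [203.0.113.5])
\tby mx.corp.example with ESMTP id def456;
\tMon, 11 Apr 2016 09:15:01 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby relay.mail-verify.example with ESMTP id ghi789;
\tMon, 11 Apr 2016 09:14:58 +0000
Authentication-Results: inbound.corp.example;
\tspf=fail smtp.mailfrom=mail-verify.example;
\tdkim=none;
\tdmarc=fail header.from=paypal.com
From: "PayPal Service" <service@paypal.com>
Subject: Your account has been limited
Message-ID: <20160411091450.12345@mail-verify.example>

Please confirm your account within 24 hours.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_LITERAL_RE = re.compile(r"\[?\d{1,3}(\.\d{1,3}){3}\]?")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def domain_of_address(value) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value) -> dict:
    """Pull the spf=/dkim=/dmarc= verdicts out of Authentication-Results."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(str(value or ""))}


def received_chain(msg) -> list:
    """Each relay prepends its Received header, so the top one is the newest;
    reverse them to walk from the originating host inward."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2), "by": m.group(3)})
    return list(reversed(hops))


def analyze_headers(raw: bytes) -> dict:
    """Return the parsed fields plus a list of human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of_address(msg["From"])
    return_path_domain = domain_of_address(msg["Return-Path"])
    msgid_domain = str(msg["Message-ID"] or "").rpartition("@")[2].strip("<> ").lower()
    auth = parse_auth_results(msg["Authentication-Results"])
    hops = received_chain(msg)

    findings = []
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append(f"From domain {from_domain} != Return-Path domain {return_path_domain}")
    if from_domain and msgid_domain and from_domain != msgid_domain:
        findings.append(f"From domain {from_domain} != Message-ID domain {msgid_domain}")
    for check in ("spf", "dkim", "dmarc"):
        verdict = auth.get(check, "missing")
        if verdict != "pass":
            findings.append(f"{check}={verdict}")
    if hops and IP_LITERAL_RE.fullmatch(hops[0]["from"]):
        findings.append(f"originating hop identifies itself only by IP {hops[0]['from']}")
    # A hop's 'by' host should be the next hop's 'from' host; a gap can mean
    # the sender inserted forged Received lines to hide the true origin.
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"].lower() != later["from"].lower():
            findings.append(f"Received chain break between {earlier['by']} and {later['from']}")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "auth": auth, "hops": hops, "findings": findings}


if __name__ == "__main__":
    result = analyze_headers(RAW_MESSAGE)
    for hop in result["hops"]:
        print(f"{hop['from']:30} -> {hop['by']}")
    for line in result["findings"]:
        print("!", line)
```

On the sample the script reports six findings: the From domain disagrees with both the Return-Path and Message-ID domains, SPF and DMARC fail and there is no DKIM signature, and the first hop names itself only by IP address. Only the Authentication-Results line added by your own gateway is trustworthy; Received headers below the hop you control can be forged by the sender, which is why the chain-continuity check is included.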
Analysis:
• Initially analyze suspicious URLs using available online tools:
  • virustotal
  • Brightcloud
  • DoWhois
  • threatvault
  • siteadvisor
  • Borderware
• Submit the suspicious files to WildFire and Symantec for analysis.
Palo Alto And Virus Total - Results
Remediation

• Check the Palo Alto category listing.
• Submit the PA request change if it is not categorized properly.
• Check the email date of origin to determine whether other users are affected.
• Add the URL to the Object group FA-Malicious-Block-share; remove it from
PA once the URL category change request in PA has been changed to phishing.
• Block Domain in SEP
• Add IP to Malicious IPs and Domains policy
• Add IP to Block list in Source Fire
• Monitor PA Logs for any malicious activity
• In SEP, monitor the intrusion report (i.e. NTP) for 24 hours for the remote host.
• Request Full AV scan and check the client logs.
• SF Template: Suspicious Email Submission.
• faf.infosec@firstam.com  and spam.abuse@firstam.com
Geography of attacks
Top 10 countries by percentage of users attacked, and a graph showing a dramatic
increase in the volume of malicious emails in Q1 2016

Country          Users attacked
Brazil           21.5%
China            16.7%
United Kingdom   14.6%
Japan            13.8%
India            13.1%
Australia        12.9%
Bangladesh       12.4%
Canada           12.4%
Ecuador          12.2%
Ireland          12.0%
Major industries affected are:

• Financial Services
• ISPs
• Online retailers
What Can Be Done?
Education: Stop, Look, and Call
• Don’t reply to e-mails asking you to confirm account information. Call or
log on to the company’s web site to confirm that the e-mail is legitimate.
• Don’t e-mail personal information. When submitting information via a web
site, make sure the security lock is displayed in the browser.
• Review credit card and bank account statements for suspicious activity.
• Report suspicious activity.
What Can Be Done?
Technology
• Two-factor Authentication
• Firewalls/Web filtering tools
• Anti-virus Technology
• Browser Enhancements
• Digital Certificates
Recent Examples Of Phishing
Increase in phishing attacks mimicking 2016 Rio Olympic adverts!
• iPhone users in the UK have been targeted with yet another phishing scam
designed to steal their iCloud accounts.
• Android malware targeting banking customers in Australia.
What’s on your mind?
