Yesterday, I received what just may be the lamest phishing attempt ever. I’m not sure whether the originators of this particular attempt were just plain lazy, or whether they were too dumb to properly disguise what they were trying to do. Regardless, this is a good object lesson in the kinds of things to look for to spot bogus email messages. Here’s the message:
Let’s just walk through all the things that are wrong with this:
- It has my own email address in the “From” field. If I had sent myself a message about this, I’d remember – wouldn’t I?
- Grammatical error #1: “has just be released”
- Grammatical error #2: “Dear use of the manage-ops.com mailing service”
- You really expect me to believe that my own corporate support team is going to ask me to go to some Web site in Europe and run an executable file? Really? And you didn’t even bother to disguise the link?
- The whole message is self-contradictory – if the security settings of my mailbox have been changed, and I need to apply new security settings, how is it that I was able to get to my mailbox to see this email message?
This message could have been made a lot more believable by doing just a few simple things – and it’s worth noting what they are, because a lot of other phishing messages that are turning up in your users’ mailboxes are doing these things already.
First, they could have used an email address other than mine as the “From” address. Lots of companies have fairly predictable email aliases, such as “support@,” “webmaster@,” etc., that would be more likely to be associated with a support team.
Second, they could have been a little more careful about grammatical errors. It’s worth noting, however, that because a lot of phishing expeditions originate outside of the U.S. (the “ruhlmann.eu” domain happens to be registered to someone in France), and are put together by people whose first language is not English, it is not unusual to see grammatical or spelling errors, and this is, in fact, one of the best ways of spotting phony messages.
Third, they could have used a graphic lifted from my own corporate Web site. It’s not hard: all they have to do is create a dynamic link. The following HTML code:
<img alt="Wells Fargo Logo" src="https://a248.e.akamai.net/f/248/1856/90m/www.wellsfargo.com/img/hp/logo_62sq.gif" />
will yield this (unless Wells Fargo has moved the location of the logo file):
All I had to do was go to the Wells Fargo home page, right-click on their logo, choose “Copy image location,” which gives me the exact URL of the image file, and paste it into the HTML code of my page. I didn’t copy the logo graphic – I’m pulling it dynamically from their site. This is a very common practice in phishing emails that pretend to be from your bank, or from PayPal, or from eBay.
And, of course, I could link that graphic to any site I wanted, and if you weren’t paying attention, you might not notice that the site I’m linking it to is not really a Wells Fargo site. I might even further disguise the link by creating something like “banking.wellsfargo.com.myphishingsite.eu/pathtomalware/malware.exe,” hoping, of course, that you’ll see “wellsfargo.com” and not look any closer, and not spot the fact that the actual link is not to a Wells Fargo Web site at all.
This is also a very common practice. And if the originators of the email above weren’t so dumb and/or lazy, that’s how they would have disguised the link. Or, if they didn’t want to bother with a graphic, they could have at least disguised the text. Remember, you can have any words you want link to any URL you want. The HTML code is easy. Just do something like:
<a href="http://myphishingsite.com/malware.exe">Come look at the fluffy bunnies!</a>
And you’ll get text that says “Come look at the fluffy bunnies!” but that is actually linked to the malware executable.
Fortunately, many email readers, including Outlook, will pop up the actual HTML destination if you hover your mouse over the link, so that’s a good habit to get into before you click on any link in an email message.
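As an added, defender-side illustration of the tells discussed above (this is not code from the original post), here is a small Python check that does mechanically what the hover habit does by hand: it parses a raw message, pulls every link and image out of the HTML body, and flags the recipient's own address in the From header, links that lead straight to an executable, a brand name buried inside someone else's hostname (the "banking.wellsfargo.com.myphishingsite.eu" trick), link text that looks like one address while the href goes to another, and a brand logo pulled live from the brand's URL while no link in the message goes to that brand. The brand list, the `.example` hostnames and both sample messages are constructed for the demo, and the registrable-domain guess (last two labels) is deliberately crude; a production filter would use the Public Suffix List.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand list: registered domains the filter treats as protected.
PROTECTED_DOMAINS = ("wellsfargo.com", "paypal.com", "ebay.com")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat")


def registered_domain(host):
    # Crude registrable-domain guess (last two labels); a real filter would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_belongs_to(host, brand):
    # True only when brand is the registered domain (online.wellsfargo.com), not a label inside another domain.
    host = host.lower()
    return host == brand or host.endswith("." + brand)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and <img src> URLs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open = [attrs["href"], ""]
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def analyze_message(raw):
    """Return (finding, detail) tuples for the tells discussed in the post."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Tell 1: the recipient's own address in From.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    for _, rcpt in getaddresses([str(h) for h in msg.get_all("To", [])]):
        if rcpt and rcpt.lower() == sender:
            findings.append(("from-equals-recipient", sender))
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        # Tell 2: a link straight to an executable file.
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(("executable-link", href))
        # Tell 3: a brand name buried inside a foreign hostname.
        for brand in PROTECTED_DOMAINS:
            if brand in host and not host_belongs_to(host, brand):
                findings.append(("brand-buried-in-hostname", host))
        # Tell 4: link text that looks like a URL but points elsewhere (what hovering reveals).
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registered_domain(shown) != registered_domain(host):
                findings.append(("text-href-mismatch", f"{text} -> {host}"))
    # Tell 5: a brand logo pulled live from a URL naming the brand while no link goes to that brand.
    # Matching the whole URL also catches CDN-hosted copies such as the akamai.net path in the post.
    link_domains = {registered_domain(urlparse(h).hostname or "") for h, _ in collector.links}
    for src in collector.images:
        for brand in PROTECTED_DOMAINS:
            if brand in src.lower() and link_domains and brand not in link_domains:
                findings.append(("hot-linked-brand-logo", src))
    return findings


# Constructed sample messages for the demo (not the message from the post).
PHISH = """\
From: me@manage-ops.example
To: me@manage-ops.example
Subject: New security settings
Content-Type: text/html; charset=utf-8

<html><body>
<img alt="Wells Fargo Logo" src="https://a248.e.akamai.net/f/248/1856/90m/www.wellsfargo.com/img/hp/logo_62sq.gif" />
<p>Dear user, apply the new settings at
<a href="http://banking.wellsfargo.com.phish.example/update/settings.exe">https://banking.wellsfargo.com/</a></p>
<a href="http://phish.example/bunnies.exe">Come look at the fluffy bunnies!</a>
</body></html>
"""
CLEAN = """\
From: support@manage-ops.example
To: me@manage-ops.example
Content-Type: text/html; charset=utf-8

<html><body><a href="https://online.wellsfargo.com/">online.wellsfargo.com</a></body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(PHISH):
        print(*finding)
```

Run as-is, the script reports six findings for the constructed phishing message and none for the clean one. The brand-in-hostname test is the one worth understanding: "online.wellsfargo.com" passes because the brand is the registered domain, while "banking.wellsfargo.com.phish.example" fails because the brand is only a label inside a different registered domain, which is exactly the distinction the eye tends to skip.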
Bottom line: this particular phishing message was fairly easy to spot. There are a lot of other messages that your users will receive that are much more cleverly disguised. But if you know what to look for, you can usually spot them. Your best defense will be to help your users learn what to look for. A good start might be to share this post with them.