Fake e-mail scanner

A detailed look at a phishing site masquerading as an e-mail scanner and its attempts to snag victims.

In recent years, news about e-mail-based infections of corporate networks has been fairly regular (and generally connected with ransomware). So, it’s no surprise that scammers periodically use the topic to try to extract credentials for corporate mail accounts by persuading company employees to run a scan of their mailbox.

The ploy is aimed at people who know about the potential threat of malware in e-mail but have insufficient understanding of how to deal with it. Infosec personnel would do well to explain the tricks to employees and use such examples to illustrate what employees should look for to avoid falling victim to cybercriminals.

Phishing e-mail

This scam message employs the time-honored trick of victim intimidation. You can see it right in the header, which reads “Virus Alert” followed by three exclamation points. However trifling punctuation may seem, it’s the first thing that should tip off the recipient that something may be wrong. Unnecessary punctuation in a work e-mail is a sign of drama or unprofessionalism. Either way, it’s inappropriate in a notification supposedly intended to convey information about a threat.

Phishing letter

The number one question the recipient should ask is: Who sent the message? The e-mail states that failure to act will result in the recipient’s account being blocked. It might be logical to assume that it was sent either by the IT service that supports the corporate mail server, or by employees of the mail service provider.

But it’s important to understand that no provider or internal service would require user action to scan the contents of the mailbox. Scanning takes place automatically on the mail server. Besides, “virus activity” rarely occurs inside an account. Even if someone did send a virus, the recipient would have to download and run it. Infection happens on the computer, not in the mail account.

Coming back to that first question, a look at the sender raises two immediate red flags. First, the e-mail was sent from a Hotmail account, whereas a legitimate notification would display the domain of the company or provider. Second, the message is said to come from the “Email Security Team.” If the recipient’s company uses a third-party mail service provider, its name is bound to appear in the signature. And if the mail server is in the corporate infrastructure, the notification will come from in-house IT or the infosec service — and the chances of an entire team being responsible solely for e-mail security are minimal.

Next is the link. Most modern e-mail clients show the URL hidden behind the hyperlink. If the recipient is urged to click through to an e-mail scanner hosted on a domain that belongs to neither the recipient’s company nor the mail provider, it is almost certainly phishing.
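As an added illustration that is not part of the original post, the script below applies the three e-mail red flags described above (dramatic punctuation in the subject, a sender outside the company or provider domain, a link pointing outside those domains) to a constructed sample message. The sample addresses and the trusted domains are assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message described above (not a real capture).
SAMPLE = """From: Email Security Team <securityteam@hotmail.com>
To: user@yourcompany.example
Subject: Virus Alert!!!
Content-Type: text/html; charset=utf-8

<p>Virus activity was detected in your mailbox. Scan it now or your
account will be blocked.</p>
<a href="https://mail-scanner.example.net/?user=user@yourcompany.example">Scan now</a>
"""

class LinkCollector(HTMLParser):
    """Collects every href from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def phishing_indicators(raw, trusted_domains):
    """Return the red flags from the post found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    # 1. Dramatic punctuation in the subject line.
    if re.search(r"!{2,}", msg.get("Subject", "")):
        flags.append("subject: repeated exclamation marks")
    # 2. Sender domain is neither the company nor the mail provider.
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain not in trusted_domains:
        flags.append(f"sender: {sender_domain} is not a company or provider domain")
    # 3. Any hyperlink whose host lies outside the trusted domains.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host and host not in trusted_domains:
            flags.append(f"link: {host} is outside the company and provider domains")
    return flags
```

Running `phishing_indicators(SAMPLE, {"yourcompany.example", "mailprovider.example"})` reports all three flags for the sample; a message with the same text but company-domain sender and link reports none.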

Phishing site

The site looks like some kind of online e-mail scanner. For the appearance of authenticity, it displays the logos of a host of antivirus vendors. The header even boasts the name of the recipient’s company, which is meant to remove any doubt about whose tool it is. The site first simulates a scan, then interrupts it with the ungrammatical message “Confirm your account below to complete Email scan & delete infected all files.” The account password is required for that, of course.

Phishing scanner interface

To ascertain the nature of the site, start by examining the contents of the browser address bar. First, as mentioned above, it’s not on the right domain. Second, the URL most likely contains the recipient’s e-mail address. That in itself is fine — the user ID could have been passed through the URL. But in case of any doubt about the site’s legitimacy, replace the address with arbitrary characters (but keep the @ symbol to maintain the appearance of an e-mail address).

Sites of this type use the address passed by the link in the phishing e-mail to fill in the blanks in the page template. For the sake of experiment, we used the nonexistent address victim@yourcompany.org, and the site duly substituted “yourcompany” into the name of the scanner, and the entire address into the name of the account, whereupon it appeared to start scanning nonexistent attachments in nonexistent e-mails. Repeating the experiment with a different address, we saw that the names of the attachments in each “scan” were the same.

The fake scanner site is simulating a scan

Another inconsistency is that the scanner supposedly scans the contents of the mailbox without authentication. Then why does it need the password?

How to protect your employees from phishing

We have analyzed in detail the signs of phishing in both the e-mail and the fake scanner website. Simply showing this post to employees will give them a rough idea of what to look for. But that is just the tip of the proverbial iceberg. Some fake e-mails are more sophisticated and harder to sniff out.

Therefore, we recommend continuous awareness training for employees about the latest cyberthreats — for example, using our Kaspersky Automated Security Awareness Platform.

In addition, use security solutions able to detect phishing e-mails on the mail server and block redirections to phishing sites on workstations. Kaspersky Security for Business does both. On top of that, we offer a solution that enhances the built-in protection mechanisms of Microsoft Office 365.
