3
Phishing Tactics

Although it might not seem like it, humans are fairly predictable when it comes to certain behaviors. Black hat hackers know this and use it to their advantage using a technique called social engineering, which involves manipulating a person into doing something or revealing some hidden information the victim would normally not do or divulge.

Attackers use social engineering techniques to gain access to your system or data by tricking you. In this chapter, we’ll discuss some social engineering techniques that attackers use to gain access to intel, including phishing, URL hijacking, and even hoaxes. By the end of this chapter, you’ll have a good idea of how to spot fake messages and counterfeit websites, helping you to avoid any adversaries trying to steal your personal information.

What Is Phishing?

Phishing is one of the most common types of social engineering attacks. It’s an attempt to trick a victim into revealing critical information, usually via email. Most likely, you’ve seen emails that start with an offer to send you a million dollars or promise a cool prize if you just click this link. You might have laughed at the terrible use of grammar or the hilarious premise as you pressed the DELETE key. These are examples of common phishing attempts.

Black hat hackers will try to appear as legitimate individuals or organizations and offer some sort of reward or present a crisis only you can solve. For example, they might pretend to be from your bank and tell you that “You need to respond with your account details before your account is locked out.” By adding urgency and intimidation, they’re hoping you’ll be scared enough to do what they want without second-guessing their tactic.

These attempts usually look for details such as personally identifiable information (PII), credit card numbers, or passwords for important online accounts like your bank or email account. Sometimes they ask for this information directly in the email. Often, they’ll ask you to click a link to a website that mimics a real website but is actually a malicious site that will steal and record any information you enter into it, such as your password and username. This is a slight variation of phishing known as pharming. We’ll talk more about this in “How Black Hats Trick You with URLs.”

An Obvious Phish

Sometimes phishing emails are easy to spot and are automatically filtered by your email’s spam settings. Let’s look at an example of a typical phishing email you might find in your spam folder on any given day:

Dear Human Greg,

Itz come to our attentionz that you credit card is not update in our database. We has new system that require you to put your infomationz in again. You see, Don spilled a big cup of coffee on the last systemz. I tellz Don, NO YOUZ CANT HAZ COFFEE IN SYSTEM PLACE but he sayz I HAZ COFFEE WHEREVERS. Please, I can haz credit card number? K THX BAI

Sincerely,

Janice, a realz human. (NOT CAT)

This email obviously wasn’t sent by an actual person named Janice. It has numerous grammatical errors and includes unprofessional language. It also doesn’t mention what service they represent, let alone why they would send you an email directly to update your information rather than having you log into a personal account (which is the typical practice). Additionally, many details are included that would be unnecessary for an account update email. Often, phishing emails will include a narrative intended to get you to trust or empathize with the sender, such as a story about being deported from their country or having recently lost a loved one. The details are provided to confuse or trick you.

Not All Phishing Is Obvious

Not all phishing emails are easy to identify. Let’s say you received this email from [email protected].

Dear valued customer,

Your account at <insert your email address> was recently flagged for suspicious activity. Because of this activity, we’ve temporarily suspended your account and will be permanently deleting it in ten days if you do not verify your information.

To verify your account, please click the link: <malicious link here>. This is an automated message. Please send all replies to [email protected].

Sincerely,

Customer Service

This phishing attempt is much trickier to spot. The phisher made sure to write a short, coherent message. It gets to the point—your account is suspended and might be deleted—and uses the social engineering principle of urgency to get you to click a link that will surely take you to some sort of malicious website or even download malware. Frequently, black hats will steal a real company logo to make their emails look more authentic. The preceding example email might have the Amazon or PayPal logo pasted at the top so you assume the email came from one of those companies.

The only real indication that this is a phishing attempt is the email address, [email protected]. Often, when a phishing attempt is received, it will come from an address that is close to but not quite what the actual company might use. Usually, it contains added words or misspellings, such as [email protected]. If you’re unsure about an email, you can always compare the address to other emails you’ve received from that company to see whether the domains are the same (the domain is the text that comes after the @ symbol).

Using Details for a More Convincing Phish

Sometimes an attacker will target a specific person or organization to gain access to particular data they’re trying to steal, so they’ll use a technique known as spear phishing. Spear phishing uses real information about a person to create an email that looks so authentic it might fool even the best white hat hackers. Let’s look at an example:

Good morning Karen!

This is Steve from the IT Helpdesk. How’s everything in HR today? We are supposed to run updates later tonight on your system but I need to make a few changes from your account before I can do that. Can you send me your account login? I’m really swamped down here and don’t have time to walk three floors to your office so I was hoping to remote in real quick. Thanks!

Steve

ABC Company

123 Street

Anywhere, USA

The black hat really did their research for this one. They not only found someone to target who works in HR, Karen, but also found an IT Helpdesk person to impersonate, Steve. By adding little details, like the fact that HR is three floors away from IT, the attacker is able to create trust and familiarity with Karen, which are two more powerful social engineering principles.

Vishing and Other Non-Email Phishing

Email isn’t the only way adversaries try to target victims. Phishing can come through any media that allows for communication between people. Instances of phishing attempts have been found in chat apps like Discord, on social media platforms like Instagram and Twitter, and even in games like League of Legends or Fortnite.

They can also use your phone. A phishing attempt using a phone call is known as vishing and can be especially dangerous because the person can react to you in real time. If you sound skeptical or uninterested, the black hat can change their tactics to try to entice you to give them what they want. Frequently, vishing attempts will also impersonate sources of authority, such as the police or the IRS. Imitating authority is a social engineering principle. People have a tendency to immediately trust known authority figures, like a doctor, so it’s often advantageous for the attacker to assume such a role.

How to Protect Yourself Against Phishing

It might be easy for you to spot phishing emails now that you know what to look for, but not everyone understands how to spot these attacks. Think about an older relative or loved one, like a grandparent, who might not know the telltale signs of black hat phishing. It’s important to help them recognize when an adversary is attacking them, by keeping these common characteristics of phishing emails in mind:

  • Phishing emails usually have some sense of urgency or authority involved. If the email says you need to do something immediately or there will be trouble, there’s a good chance it’s a phish.
  • Be sure to check for misspellings, incorrect company logos, or weird email addresses.
  • If you’ve never used a service, it’s highly unlikely they’ll email you out of the blue. You’re not going to get money from a bank at which you don’t have an account.
  • Tech support will never call you first.
  • Always go to the website rather than clicking a link in an email unless you’re absolutely sure you know where the email came from.

Teaching your friends and family to consider these details when using email can help them stay safe. You can also create custom rules in their spam filters that will help guard them from common types of phishing. For example, if you know they only use Facebook, you might create a rule that sends any emails from other social media platforms to the spam folder. This will help reduce the number of phishing emails they have to deal with, making it easier to catch the ones that get through.

How Black Hats Trick You with URLs

Many phishing emails don’t just ask you straightforwardly for your information; instead, they’ll tell you to click a URL that directs you to a malicious web page where a black hat hacker can harvest your passwords or even install malware on your computer. When you, the victim, click the link, you’ll think you’re being directed to a perfectly safe web page, so you’re likely to enter your important information without a second thought.

A URL, or uniform resource locator, is an address used to find a website, such as https://www.google.com/ or https://www.instagram.com/. When you enter that address into your browser, your computer reads it and sends out a Domain Name System (DNS) query, which looks for the IP address associated with that URL. It’s similar to your school finding your home address by looking up your name in the school database. Essentially, this is what the DNS does for your web browser: it uses the name (URL) of the website to look up its address (IP address) so the browser can deliver the right web page to you. The DNS is held on a server, either on your local network or in many cases run by your internet service provider (ISP).

Typosquatting

We use URLs so much that most people don’t even pay attention to the web address anymore. That’s exactly what attackers are hoping for. Black hats can create their own URLs and use those instead of legitimate URLs to get you to go to malicious web pages. This is known as pharming.

Adversaries accomplish pharming by modifying the content in a URL or on a website. When a black hat misspells a URL, it’s known as typosquatting. For example, they might register petmart.com instead of petsmart.com. The DNS then looks up the misspelled URL instead of the real one and sends you to the unsafe website. Today, typosquatting is a rare occurrence because many companies register every possible misspelling of their website name to ensure they all go to the same authentic website.
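The domain comparison suggested earlier for sender addresses, and the misspelling trick described here, can both be checked the same way. The following is an added example, not code from the book: the trusted list, the distance threshold of 2, and the sample addresses are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: domains the reader actually does business with (constructed list).
TRUSTED = {"petsmart.com", "paypal.com", "amazon.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete a character
                           cur[j - 1] + 1,               # insert a character
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the text after the @, ignoring the friendly name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify(domain: str, trusted=TRUSTED, max_distance: int = 2) -> str:
    """Label a domain as trusted, a lookalike of a trusted one, or unknown."""
    domain = domain.lower().rstrip(".")
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    for good in sorted(trusted):
        # Misspelling: only a character or two away from the real domain.
        if edit_distance(domain, good) <= max_distance:
            return f"lookalike of {good}"
        # Added words: the brand name embedded in some other domain.
        if good.split(".")[0] in domain:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ('"PayPal Support" <service@paypa1.com>',
                   "alerts@paypal-security-team.com",
                   "orders@petmart.com",
                   "receipts@mail.paypal.com",
                   "friend@example.org"):
        d = sender_domain(sample)
        print(f"{d:32} {classify(d)}")
```
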

Complex URLs and Redirects

Black hats also create complex URLs that are hard to read. They do this by creating a long path after the initial URL. A path is where a file is found on a website. For example, sparklekitten.net/kittenpics would be the path that accesses the kitten pics section of the sparklekitten.net website. Attackers can use this to their advantage by creating long paths that make it difficult to see where the URL is actually going. For instance, you might get an email with a link that looks like this: www.accounts.com/user/payments/… with the three dots indicating that the rest of the URL was cut off. Although this might look like a valid website, there could be a more dangerous portion at the end of the path, such as payments/files/virus.exe.

Black hats might also use redirects to hide where their URL goes. A redirect is a piece of code that, when activated, sends you to another website instead of the original one you clicked. You might see an ad on a web page that shows a cool new browser game called Cat Attack! The ad will look authentic, but as soon as you click the ad banner, instead of going to a cool web game, a script embedded in that web page activates and redirects you to sparklekitten.net/dumbhooman.

Redirects are a favorite of adversaries because they’re difficult to detect before a person activates them. It’s also possible to place scripts and even redirects in real, legitimate websites if that valid website isn’t secure (more on redirects in “Web Application Attacks” in Chapter 7).

Modifying DNS Records

Another way that attackers like to pharm is by tampering with DNS records. A DNS server uses records to organize and manage all of the websites and their IP addresses. These records are maintained across all the DNS servers on the internet, so if your DNS server doesn’t have a record, it sends out a request to another DNS server until it finds what you’re looking for.

If the black hat hacker can modify the DNS record, they can tell your web browser to go wherever they want. They do this by breaking into the DNS server and modifying the record there, causing anyone who queries that server to get the malicious record. Fortunately, altering DNS servers is difficult because they’re challenging to break into.

Another pharming technique is to add information to your computer’s local host file. All computers have a local host file on their system. Any DNS record added to the file will be used instead of sending out a query to a DNS server to find one. If an attacker gets access to that file, they can create their own records. As with modifying DNS records on the server, accessing the local host file is difficult to do.
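A quick way to review the local host file for this kind of tampering, shown as an added example that is not from the book: the sample file contents, the watched domain list, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample. On a real system, read /etc/hosts or
# C:\Windows\System32\drivers\etc\hosts instead.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
::1          localhost ip6-localhost
203.0.113.7  www.facebook.com facebook.com   # not a normal entry
192.168.1.20 printer.home
0.0.0.0      ads.example.net
"""

# Assumption: sites that should always be resolved through DNS.
WATCHED = ("facebook.com", "google.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per name, skipping comments and blanks."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a usable record
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def find_overrides(text, watched=WATCHED):
    """Return (hostname, ip) for watched sites pinned to a specific address."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost entries and 0.0.0.0 block entries
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((name, str(ip)))
    return hits


if __name__ == "__main__":
    for name, ip in find_overrides(SAMPLE_HOSTS):
        print(f"{name} is forced to {ip} by the hosts file")
```
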

A much easier way for adversaries to attack your system is to change where your DNS queries go. Instead of them going to the correct DNS server, the black hat can make them go to their malicious DNS server. This is either done locally on your computer or, more often, on a router that your data passes through. Because your system accepts the first record it receives, the attacker can redirect all your internet traffic using their deceptive DNS records. If this happens, not only will links be directed to an unsafe site, but even if you enter www.facebook.com, you will still be sent to a dangerous site. The creation of a fake DNS server or record is hard to detect and is currently a hot topic among cybersecurity researchers.

Hoaxes

A hoax is a made-up story created to spread false information about a particular subject; for example, on the internet, it could be a fake celebrity story or a new miracle health cure. Hoaxes are initiated for a number of different reasons. Sometimes they’re crafted simply as a joke, such as a ruse about new features on the latest iPhone model that don’t actually exist.

Hoaxes are also created to damage or spread misleading information about a particular target. For example, a black hat hacker might be angry that a certain cat food company is no longer making their cat’s favorite crunchy flavor. Using false reports of health code violations, that adversary might invent a hoax that the company’s food is poisonous, thus making people hesitant to buy it.

Most hoaxes are spread through social media. A post or article containing the hoax can quickly spread via Facebook or Twitter posts. Sometimes such deceptions use real information to make them seem more legitimate, which is the reason it can be challenging to expose a hoax and disseminate the right information. Without knowing what is true, it’s hard to refute the hoax, especially if it comes from someone you trust.

Deceptiveness can be a powerful weapon. With social media, it’s easy for hackers to quickly publicize misinformation about a subject. This can have a huge impact, leading to distrust, anger, and confusion as people find it harder to know what is true. As a large-scale example of such dishonesty, we can look at the 2016 United States presidential election. Several false stories and hoaxes were generated about both candidates, which led to lots of misinformation being spread among the public. Any hoax has the potential to cause harm to people, so we need to always be prepared to recognize one when it appears in our social media feeds.

Why Black Hats Love Phishing

Why do black hat hackers love to use phishing techniques, including URL hijacking and hoaxes, to attack people? Keep in mind that attackers are lazy. Phishing is enticing because it’s cheap, easy, and fast.

Phishing attacks are inexpensive to run because all you need is an email server to send messages. Plenty of places will let you rent an email server for very little cost. Even better, instead of paying for their own email server, adversaries might take control of someone else’s. This way, not only do they get new email addresses to target from the contact lists on the server, but they can also use that system to send email, making it harder to trace the origin of the phishing messages. Even if only one person in a thousand responds, they’re still likely to make a profit.

It’s also incredibly easy to set up a phishing email campaign. All the attacker needs to do is craft a generic phishing email and schedule it to send at a certain time. Because phishing isn’t time-sensitive, they can just wait until someone clicks the link while they move on to other projects. (Techniques like spear phishing add more complexity to the initial email because it requires custom details about the victim.)

Email is a fast medium; once the email schedule is made, hundreds of thousands of phishing emails can be easily sent in a day. This gives attackers the maximum chance of finding a gullible target in a relatively short time. Once someone clicks or replies, the attacker should have everything they need to exploit their victim.

The biggest reason that black hat hackers love phishing is that it works. It’s very difficult to defend against phishing because no hardware or software can fully prevent an attack. Even spam filters miss messages. The likelihood that a spam filter will detect spear phishing is also slim. The only consistent defense against phishing is the person who’s being attacked.

Think Twice to Avoid Phishing

Although it might seem as though you always need to be looking over your shoulder for phishing attempts, the best way to stay alert is to question whether an email or phone call makes sense. Doing so will help you recognize an attack.

By stopping to think about what an email is asking or a person on the phone is telling you to do, you can easily identify inconsistencies or gaps in their story. Here are a few critical details to keep in mind when you’re questioning a potential assault:

  • No company, no matter what, will ever ask you for your password. It might ask you to reset your password but will never ask you for it directly.
  • No one ever legitimately contacts you out of the blue, especially to give you something.
  • If you’re told you have to take action right now, step back and think about whether you should do it at all.
  • Legal matters, especially criminal, are rarely if ever handled over the phone or through email. Also, you should never pay a fine (for example, a tax fee or criminal fine) without first checking, in person if possible, that it’s an official charge.

Take an Alternate Route

Even if you take precautions, it can be tough to recognize when someone is trying to scam you, especially if they’re deploying spear phishing tactics. But keep in mind that you always have the option to use another route to check whether something is on the up and up. For example, let’s say someone claiming to be from your bank calls and says there’s a problem with your account. Instead of dealing with it right then, tell them you’re busy and will call back later to fix it. Black hat hackers hate when this happens because they know you won’t call them back but will instead call the real bank.

You can use this tactic for any phishing method. Instead of clicking a link sent to you in an email, you can go to the website by searching Google or typing in its URL directly. In fact, you should never click a link in an email unless you’re absolutely sure where the email came from. You can also use well-known DNS servers to make sure you’re accessing the real site. Changing your browser to use DNS server 8.8.8.8 (Google’s DNS) or 1.1.1.1 (Cloudflare’s secure DNS) is a good way to avoid DNS hijacking.

Listen to Your Spidey Sense

Don’t ever forget that you are the best line of defense against phishing attempts. If you see something suspicious, listen to your inner voice and do some research to determine whether it’s legitimate. It’s also up to you to alert other people about it. Checking whether a source is trustworthy takes extra time, but it helps to prevent false claims from running rampant across the internet.

Exercise: Analyzing a Phishing Email

Part of being skilled at cybersecurity isn’t just recognizing a threat, it’s also understanding how that threat might hurt you or your organization. This is especially true when it comes to phishing emails. Recognizing certain phishing emails can be challenging. But even if you do recognize and delete one, knowing you’ve found a phish doesn’t provide you with insight about the tricks adversaries use. Instead, when you receive an extremely well-crafted phishing email, you can use your knowledge to detect and analyze it.

In this exercise, you’ll learn how to analyze a phishing email to identify where it came from, whether it’s malicious, and what type of attack the black hat was attempting. By the end, you’ll know some of the tricks that attackers use to create convincing phishing emails and how to use free online tools to determine whether or not an email is dangerous.

This exercise uses the Gmail platform for its examples. But the information gathered in each step is the same regardless of what type of email application you’re using.

Phishing Email Indicators

First, you’ll need a phishing email to analyze. Figure 3-1 shows a screenshot of one I received that attempted to impersonate an Apple iCloud login warning. You can usually find a phishing email in your spam folder. Just don’t download anything or click any links.

Figure 3-1: An example of a phishing email

This email purports to be from Apple and claims my account was suspended because of a suspicious login from a Linux operating system. To fix this problem, it says I just need to log in to my account by clicking the link.

This is an incredibly authentic-looking phishing email that closely mimics actual Apple emails. For comparison, Figure 3-2 shows a screenshot of a real Apple iCloud login notice.

Figure 3-2: A legitimate email from Apple

It looks pretty much the same, right? So, how did I know that Figure 3-1 was a phish? Let’s look at it again with a few annotations (Figure 3-3).

Figure 3-3: The phishing email with numbered annotations

Here is an explanation of these revealing indicators:

  1. The email’s sender is iCloud Notice, which is suspicious, because you’d probably expect it to just show Apple. Also, it’s in quotation marks, which indicates that it’s a friendly name. Email applications use friendly names as shorthand for email addresses. For example, if your friend Jane has the email address [email protected], the application might replace it with the name Jane to help you recognize the sender. Later in this exercise you’ll see how black hats use this feature all the time to attempt to trick people.
  2. The “To” field doesn’t include my email address. This indicates that the email was sent using BCC, which hides who the email was sent to. Adversaries use this trick to send phishing emails to multiple victims without tipping them off.
  3. The body doesn’t contain my account name anywhere. If this alert is supposedly addressed to me, shouldn’t my account name be listed? Also, there are numerous grammatical errors throughout the email, including in the last sentence. And the email tries to scare me by claiming my account will be disabled.
  4. The link provided is the same as in the legitimate Apple notice, but in this email, it’s active (clickable). More importantly, when I hover over the link it shows that the URL is something other than what is written, so it’s not actually a link to Apple’s website.
  5. At the bottom of the email are three “links” for Apple ID, Support, and the Privacy Policy. This is probably the hardest indicator to notice. However, when I hover over them, my mouse doesn’t give me the telltale hand icon indicating they’re clickable links. The reason is that they aren’t links at all, but just an image to mimic the signature from the legitimate email.
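The hover check from indicator 4, and the long-path trick from “Complex URLs and Redirects,” can be done without clicking anything by reading the links out of the message’s HTML. This is an added example, not code from the book: the sample HTML, the example.com and example.net hosts, and the list of risky file extensions are constructed for illustration.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an email body.
SAMPLE_HTML = """\
<p>To verify your account, sign in at
<a href="http://login.example.net/verify?id=1">https://www.example.com/account</a></p>
<p><a href="http://www.accounts.com/user/payments/files/virus.exe">www.accounts.com/user/payments/…</a></p>
<p><a href="https://www.example.com/help">Support</a></p>
"""

# Assumption: file types worth flagging when a link points straight at them.
RISKY_EXT = {".exe", ".scr", ".js", ".zip", ".iso"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Host named by a URL or bare domain; '' when the text is not URL-like."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlsplit(candidate).hostname or "").lower()


def audit_links(html: str):
    """Compare what each link shows with where it really goes."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        real = (parts.hostname or "").lower()
        shown = host_of(text)
        issues = []
        if shown and shown != real:
            issues.append("text-host-mismatch")   # what hovering would reveal
        ext = posixpath.splitext(parts.path)[1].lower()
        if ext in RISKY_EXT:
            issues.append("risky-file:" + ext)    # hidden at the end of the path
        findings.append({"shown": text, "host": real,
                         "path": parts.path, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        print(f["shown"], "->", f["host"] + f["path"], f["issues"])
```
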

As you can see, even if the email is very well crafted, there are still several hints that make it apparent it’s a phish. But identifying an email as a phish is only the first step of good analysis. The next part is to learn as much as we can about the email by analyzing the header and URL.

Why is analyzing phishing emails important? Let’s say you’re working in IT for Sparkle Kitten Inc., and a user calls in saying they received an email but are unsure whether it’s legitimate. You might look at the email, realize it’s spam, and tell the user to delete it. That’s not a bad plan, but what if other users received the same email? What if one of them clicked the link? By taking time to analyze who sent the email and what the URL does when clicked, you’ll have valuable information to pass on to your email administrator or security person should this become a problem.

Header Analysis

You’ll need to analyze the header first, so you can detect where the email came from and determine any other useful information about it. The email header provides details about the email’s origins (as in the stops it took to get to your inbox), who sent it, and other specific information that is included for email servers to read and use.

The process for finding the full email header differs depending on the email application you’re using. In Gmail, click the three dots in the top-right corner of the email to access the menu, as shown in Figure 3-4.

Figure 3-4: The email menu in Gmail

In this menu, click Show original, as highlighted in Figure 3-4. Doing so will open the email in a new window and provide the full headers in a box below the original To and From fields, as shown in Figure 3-5.

Figure 3-5: Email header in Gmail

This plethora of raw data can be hard to read and understand, especially given the number of fields it contains. How do you make sense of such complicated text? You use a tool designed to read the data, of course! The first tool you’ll use in your analysis is MX Toolbox. You’ll find it free online at https://mxtoolbox.com/. MX Toolbox offers a variety of tools to use in email analysis. For now, we’ll use the Analyze Headers tool. You’ll see it as one of the options on the website’s home page (Figure 3-6).

Figure 3-6: MX Toolbox Analyze Headers tool

To use the Analyze Headers tool, just copy and paste the full header into the blank window. The tool analyzes the header and separates all the data into easy-to-read fields, as shown in Figure 3-7.

Figure 3-7: MX Toolbox email header analysis

Before we look at the header fields, we need to examine the findings that appear below the x-dmarc-info heading. These are related to two types of authentication that emails use: Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) records, which, together, are known as Domain Message Authentication Reporting (DMARC). Email applications essentially use SPF and DKIM records to verify that the email had permission to be sent from that domain and IP address. For example, if Google sends you an email, it comes from a Google email server with a specific IP address. The address corresponds to a DKIM and SPF record. Your email server checks the DKIM record for Google when it receives the email. If a black hat tries to impersonate Google when sending an email, your server will find that the IP address the attacker is using isn’t the same as the one registered to Google. Therefore, the DKIM record will display as failed in the header, as shown in Figure 3-8.

Figure 3-8: DMARC failure

Although failed SPF or DKIM records are great indicators of phishing emails, they’re not proof. The email server needs to have both DMARC records set up correctly for the signature system to work, and many don’t. It’s also possible to impersonate an IP to pass a DMARC check, so the fact that an email passes the check doesn’t mean it’s an authentic email.

Now let’s look at the header fields. In Figure 3-9, notice that the address in the Return-path field at the top is [email protected], which isn’t even close to one Apple would use. This address indicates that we’re looking at a phishing email. Also, it’s best to note the address so an email administrator can look it up later to see whether other users received the email.

Figure 3-9: Header with highlighted fields

Moving down the list of headers, notice the headers that begin with X. The X headers hold information that the email server reads to decide how to send the email. For example, the X-Apple-Action header reads MOVE_TO_FOLDER/INBOX. This means that when the email comes into my Gmail account, it’s automatically sent to my inbox instead of to junk or spam. Below these headers, you see information about DMARC. As you can see, there is no DMARC policy, which is why the email failed its DMARC check.

Table 3-1 lists some other headers to look for and the information you can gather from them.

Table 3-1: Important Email Header Fields

Field | Purpose
Message-ID | Unique ID given to the email. Makes it easy to find using search functions.
x-originating-ip | Original IP address that sent the email. Helps determine whether or not the sender was known as malicious, as well as find other messages sent by that sender.
X-Mailer | Specifies the application used to send the email. Weird or unexpected platforms might indicate a phish.
Received-SPF | Provides results of SPF check.
X-MS-Has-Attach | Indicates whether or not the email had an attachment.
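The same header review can be scripted once you have the raw text from Show original. This is an added example, not code from the book or from MX Toolbox: the sample header, its addresses, hosts and IP, and the flag names are constructed for illustration. It pulls the Table 3-1 fields and flags a Return-path that doesn’t match the From domain, a recipient missing from the To field, and any authentication result other than pass.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header; every address, host and IP below is a placeholder.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received-SPF: softfail (example.org: transitioning domain) client-ip=203.0.113.45;
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
Message-ID: <20240101.1234@mailer.example.net>
X-Mailer: BulkSender 1.0
x-originating-ip: [203.0.113.45]
From: "iCloud Notice" <noreply@example.com>
To: undisclosed-recipients:;
Subject: Your account has been suspended

(body omitted)
"""

TABLE_FIELDS = ("Message-ID", "x-originating-ip", "X-Mailer",
                "Received-SPF", "X-MS-Has-Attach")


def name_and_domain(header_value):
    """Split an address header into (friendly name, domain after the @)."""
    name, addr = parseaddr(header_value or "")
    return name, addr.rpartition("@")[2].lower()


def triage(raw: str, my_address: str) -> dict:
    """Summarize the header fields worth passing to an email administrator."""
    msg = message_from_string(raw)
    friendly, from_dom = name_and_domain(msg["From"])
    _, return_dom = name_and_domain(msg["Return-Path"])

    # Fields from Table 3-1; None when the header is absent.
    report = {f: " ".join(msg[f].split()) if msg[f] else None
              for f in TABLE_FIELDS}
    report.update(friendly_name=friendly, from_domain=from_dom,
                  return_path_domain=return_dom)

    flags = []
    if return_dom != from_dom:
        flags.append("return-path-domain-differs")
    recipients = " ".join(msg.get_all("To", []) + msg.get_all("Cc", [])).lower()
    if my_address.lower() not in recipients:
        flags.append("recipient-not-in-to")       # likely sent with BCC
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result != "pass":
            flags.append(f"{mech}={result}")
    report["flags"] = flags
    return report


if __name__ == "__main__":
    for key, value in triage(RAW, "me@example.org").items():
        print(f"{key:20} {value}")
```
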

URL Analysis

After looking at the headers, you need to verify whether the URL is malicious. To do this, you’ll use another online tool called VirusTotal, which is available at https://www.virustotal.com/gui/home/url/. Figure 3-10 shows its home page.

Figure 3-10: The VirusTotal home page

VirusTotal allows you to scan URL links for malicious behavior by using a multitude of antivirus engines, which we’ll discuss in more detail in Chapter 4. It runs the link through each engine and aggregates the information on a page that’s easy to understand and share. If even one engine flags it as malicious, you should assume the link is malicious. Figure 3-11 shows the results of running the link in Figure 3-2 through VirusTotal.

Figure 3-11: Analysis from VirusTotal

Even though only one engine returned positive malicious results, it’s enough to know that this link is bad.

Like any good security expert, you have a burning curiosity to know what happens when you click the link. However, you also know that clicking the link could potentially infect your computer. So what do you do?

You use another tool called Joe Sandbox (https://www.joesandbox.com/). This is a free tool that lets you run attachments or open URLs in a sandbox environment. Sandboxes are simulated computers meant to act like real, physical machines, but you can isolate them from the rest of your computer system and destroy them easily. This makes them perfect for testing malicious entities like malware, because you can study the malware infection without worrying that it will spread or damage critical system components.

To begin using Joe Sandbox, create an account. Then copy and paste a link into the sandbox, as shown in Figure 3-12.

Figure 3-12: Joe Sandbox’s home page

It takes a few minutes for the report to generate, but once it does, you’ll be provided with a wealth of information about the link and what runs when you click it. The two most interesting features are the Behavior Graph and Screenshots sections.

The Behavior Graph (Figure 3-13) shows all the processes that happen when someone clicks the link, such as anything that opens or any web pages that are accessed. In this example, the link opens a few different web pages and then redirects to additional ones. You can tell that none of these are actual Apple domains, which is further proof that this email didn’t come from a valid Apple source.

Figure 3-13: Joe Sandbox report: Behavior Graph

The Screenshots section (Figure 3-14) shows screenshots of what opened or ran when the sandbox executed the link.

Figure 3-14: Joe Sandbox report: Screenshots section

This section also has an animation option, so you can watch what happens in real time. The particular link I submitted couldn’t be found, which, although unfortunate for our research purposes, isn’t surprising. Phishing links typically remain active for only a limited period of time before they’re either discovered or removed by the phisher to avoid detection. Still, because the email asked you to verify your account, you now know that this was likely a credential hijacking attack. In this type of attack, an adversary attempts to steal credentials, either by having the victim enter them in a fake site or by using browser vulnerabilities to capture them.

With a little research and a few free tools, you can learn a lot about phishing emails. You’ve now analyzed this email and determined that it’s a phish, the source of the attack, and what type of attack was attempted. You can now better protect yourself by adding rules to your email program that instruct the server to send any message from this malicious sender directly to your junk box or to pass this information to the appropriate administrators to use in their defense efforts.

Conclusion

When it comes to phishing, it’s critical to remember that it only takes one click for an attacker to gain access to your computer or potentially steal your personal information. Phishing can come from many different directions because basically an attacker can use any form of social engineering communication. Be on the alert every time you use email or receive a phone call. With practice, you’ll learn how to recognize phishing attempts more easily. Whether the attack uses pharming, vishing, spear phishing, or any other type of social engineering, take time to think through what is being asked of you. Doing so can be the difference between a successful and unsuccessful phishing attack.
