Email Security - Phishing Attempt
IDENTIFYING A PHISHING (SPAM) EMAIL
Hi Guys,Today, I am going to share a simple lesson with you all and I hope it helps one of you out there.
Earlier in the day, I placed an order on Amazon. About 9 hours later (approx 3:22pm Local time), I received the email shown below in my email box with the title:
"Fw: RE : [Action Required] - [ Account Suspended ]*Important - Alert Your account has been suspended, Please update your Payment Information...!! Date : Wed, March 11, 2020 2:22 PM"
Phishing Email in Inbox |
As a regular Joe, I thought, "Whaaat!? My order was not processed?" and was going to click on the link to "Verify". But as an IT Consultant, I asked myself some questions:
1. Who sent this email?
2. Where does this "Verify" link take me to?
3. Is this Action Required notification in my Amazon account profile?
4. Why is there a RE: and FWD: on the subject if it is indeed an email from Amazon?
I will take you through the answers to those questions so you too can learn how to assess the authenticity of an email.
NOTE:
DO NOT ACCESS ANY OF THE URLs OR ADDRESSES MARKED IN RED BELOW
1. Who Sent this Email?
A cursory inspection of the From: field would reveal the sender name of the email but not always the Sender email ID and this is what you want to pay attention to. Mail technology has made it possible for the sender name to be configured as one thing while the sender email id is another thing. For this email, the sender name and ID are shown clearly in the screen shot captured below.Email Sender Name and ID - Notice the difference |
Ideally, the email sender name (the visible part) and ID (the hidden part) should be similar. For most domains, the sender name is CONSISTENT the Sender ID. For instance, our email address at Maxycore IT Consultants is info@maxycore.net and so, any email sent from our corporate desk would ordinarily have a sender id of info@maxycore.net. We have configured our sender name to Maxycore IT Consultants. This configuration is normal and is consistent. Most personal email accounts have the same sender name and ID. In the image above, where we have a sender name of service@amazon.com but a Sender ID of noreply-amazon5082670337@cuzpb5ehxwfseok8ixsp.sheorfogj3j.com.
That email address does not belong to Amazon. It belongs to the domain sheorfogj3j.com. It is obvious that Amazon would never send you an email from a domain name other than amazon.com.
For comparison, see another image of an authentic email from Amazon.com
Authentic Email From Amazon - Sender name and ID are CONSISTENT |
A further step you can take is to inspect the mail header. This is a little bit technical but is simple to accomplish. What this means is you want to read the raw format of the email as it hits your mail hosting server before it is formatted and presented to you in the way that masks the Sender ID. That way you can see where the email originates from and be able to tell whether or not the email is coming from who it says it is coming from.
To do this,
a. View the raw headers by following the steps in this image for Yahoo! email web client. Other email clients (Gmail, Outlook web client, MS Outlook desktop client, etc) may have different User Interfaces but the steps are the same.
How to View Your Email Header in Yahoo! Email Web Client |
b. This should generate a plain text script with lots of encrypted texts like shown below.
Sample Email Header with Personal Email Information Obfuscated |
c. Copy this text content to your clipboard. CTRL+C.
d. Go to MXToolBox on any web browser of your choice. They have a free email header analyzer tool that works just fine. Paste the content in the box labelled "Paste Header" and then click the "Analyse Header" button.
e. The tool runs fast and results are ready in less than 2 seconds. There is a ton of information to work with but to keep things simple, we are going to be looking for the FROM header. So, scroll down to the result table labelled HEADERS FOUND and locate the "From" header. From my header analysis, the following is revealed:
SENDER NAME/ID - =?UTF-8?B?c2VydmljZUBhbWF6b24uY29t?= <noreply-amazon5082670337@cUZpb5ehxWFseoK8IXsp.sheorfogj3j.com>
SENDER DOMAIN - sheorfogj3j.com
SENDER IP ADDRESS - 209.85.210.97
2. Where Does the VERIFY Link Take Me To?
To answer this, we need to inspect the link address of the action button in the email. Most likely than not, it would not lead you to Amazon's website domain (amazon.com) but to some other fishy domain name. Follow these steps to inspect the link address the link address.a. Right-click (or long-press if you are on a mobile device) on the VERIFY button.
b. Select the Copy Address Link or however way your device presents it to you. See the screenshot below.
Copy Link Address of Action button in Suspected Email |
https://app.getresponse.com/click.html?x=a62b&lc=Bm3vA6&mc=JQ&s=g3v1f4&u=wbqKv&y=e&z=Et6c9YR&?idtrack=FCJUCB5R
As you can see, that URL belongs to getresponse.com and not amazon.com.
I was curious and actually launched the above URL on a web browser in Incognito mode. This is what I was met with.
Fake Amazon landing page from Phishing Email attempt |
3. Is This Action Required Notification on my Amazon profile?
To answer this, I simply logged on to my Amazon profile by browsing to https://www.amazon.com and reviewed my account. As I already suspected, there were no outstanding warnings or notifications requiring my attention on my account.4. Why is there a RE: and FWD: on the subject if it is indeed an email from Amazon?
At this point, I was already convinced it was a scam and this last question further proves it. RE: and FWD: tags only appear in an email title if the email has been responded to or forwarded from it's original sender. And no corporate body would ever FWD or RE any email notification for their customers.SUMMARY
The purpose of the email I received is to get me to enter my credit card information in a fake portal designed to look like Amazon. This would automatically give the senders of the email my credit card information which would then be used to commit any number of offense - the least of which would have been to defraud me of whatever funds is available on my card. This is a classic phishing attempt. Phishers are getting more and more ingenious in crafting their traps. It rests on you as the user to be vigilant and make sure you observe basic caution before you click on any link in ANY email you received. Same rule also applies while browsing the Internet. If you cannot verify the authenticity of the website you are visiting, DO NOT CLICK.Share this blog post with your friends and loved ones.