How to detect phishing emails

This may come naturally to some of you but to others it can be very difficult to tell whether an email is legitimate or not. This is the reason that banks and other companies continuous say that you should never click on links (in emails) that would hint that you reset your password (or doing anything with your sensitive data) with this said company. You should always navigate to the official web page and then proceed to do whatever it is you need to from there.

Of course this doesn’t stop someone from hacking the actual site, but that’s a discussion on it’s own.

About 2 years ago ago I got this email from “Facebook” in my inbox (or rather my spam box). Now, I’m sure some of you have received emails like this in the past too (and some of you without a Facebook account I’m sure; I had recently deleted my Facebook account but here lay a message claiming I had unread messages on my account), but I thought it would be an interesting exercise to decompose the email and inspect everything in order to point out certain things that you should always be on the look out for when you receive an email and you are suspicious about it.

Let’s take a look at the following image:

facebook-phising

As you can see the email says that it is from FacebookAdminstration, but look at the email address between <>, that is where it actually came from. Always make sure that you inspect this first. Usually it will not come from the Facebook (or which ever company they claim to be from) domain. It is very possible that this can be spoofed (using a simple SMTP server, but use this as your first point of entry. If this does not match up to what you think it should be, then the email is definitely not legitimate.

One of the more obvious signs of a phishing email is the nonesense which appears in the subject line. This one read: “Contraction Your 2 unread messages will be deleted in a few days swerve”.

  1. This subject line does not make any sense
  2. The casing in the sentence is wrong

If you use gmail as your email client (as I do) you can see the original email as text. To do so:

  1. Click on the little arrow next to the reply button.
  2. Select “Show Original”.

Right at the bottom of this post I have included the full content of the original content that I received (I have omitted my email address). The following section is a breakdown of the important things to look out for.

In the original content you will see this:

DO NOT CLICK ON THE LINK.

The above href contains a URL to a unfamiliar site. It is definitely not a Facebook site. This link (as you can see from the original email below) appears in every single clickable part of the html from the email and should not be trusted.

Another thing that you can look out for is the delivery chain of the email. This will be found in the header of the email as shown below:

The way which you read this header is a little bit counterintuitive, as you have to read it from the bottom-up. I have replaced my original email address with “me” in the above header.

As you can see the email is directed to “me” and this is where the email would start it’s travel. Similar to how you would write a normal letter. You need to provide the location at which it needs to be delivered. The beauty of email is that it will record each domain that touches it. Imagine the receiver of your plain old fashioned letter could know who exactly touched the letter on the way to them. If all the people that touched the letter were legitimate, the receiver of your letter could guarantee that it could be trusted

With email, this is always the case.

If we move further up the header to line 14, we can see that the email came from: “FacebookAdministration <egal.hm@bongfaschist.de>”. This matches what was discussed earlier. At this point, this is the original sender as they would like to be viewed from the SMTP server. It is possible however, that this could appear to be legitimate. We need to further inspect the email

Let’s take a look at the next two lines of the header above that:

One of the most important things to note here is the SPF. SPF is Sender Policy Framework. Basically it is an email validation system that ensures that the sender of the email is authorised on the domain that they claim to be from. As you see from the above, the SPF failed. That means that the person that sent this email on “bongfaschist.de”, is not a valid user on that domain. Hence we cannot trust this person.

Here is a legitimate email header from MyBroadband:

Let’s take a look at the received part of the header:

Here we see the original exit point of the mail. This email was sent from “www-data by mybb-mail01.jnb1.chs.hetzner.co.za”. This my seem a little bit scary. It’s not mybroadband.co.za. However, a quick google search will tell you that this address is simply the reverse DNS of the hosting site mybroadbandmail. You can see this at this link here:¬†http://whatmyip.co/info/whois/197.242.89.180/k/471857840/website/mybroadbandmail.co.za

Furthermore, if we inspect the SPF part of the header:

Here we can see that this client is authorized on that domain. This means that the sender is not claiming to be another entity


Lastly, below is the original content of my Facebook email that I received. I have included in the post for reference and completeness.

 

Leave a Reply

Your email address will not be published. Required fields are marked *