This is a behind the scenes account of defensive actions the IT department regularly takes against phishing and malware attacks received in email.
Phishing is a popular name for identity theft and malware is a generic term for viruses, spyware, adware, and extortion ware.
We find out about email attacks in two ways: our users forward examples and/or we in IT receive our own copies of the malevolent messages.
We are very appreciative when users let us know about a new attack. Such messages often go to a subset of the college community and IT may not be aware until we are told.
Stopping Email Replies
Attackers can be pretty sophisticated (or tricky, if you prefer). The “From” line of a message may say it’s from one address, even a trusted one, but if you reply, your information actually goes elsewhere. In other words, a message can say it’s from “support team at Skidmore” but your reply goes to some bad guy in Russia.
We analyze such messages looking for a hidden “reply-to” address. Then we block replies to keep users from sending out their personal, confidential information.
Here is a slice of the hidden header for one attack. In this example, the “From” field suggests that the message came from web.hh @ admin.info. If we block users from replying to that address, it will do no good because replies actually go to the “Reply-To” address. We block both for safety.
We are often able to contact the email provider to request that the bad guy’s account be closed. Windows Live Hotmail has been excellent about closing accounts at our request whereas Gmail, Yahoo! Mail, Earthlink, and others never reply. We also contact other colleges and universities that are hosting compromised accounts. Here’s an example sent from Concordia University which was very responsive to our request to fix their compromised user account. Someone named Tyler had given up his password in an attack on their school and then we were hammered with phishing emails from their server.
Blocking Web Pages
Realizing that reply addresses may be blocked, some email attacks ask you to click a link. This takes you to a web page where your confidential information is requested.
We have the ability to block these links in an attempt to keep users from falling for the scam. However, the attackers can hide the real web address behind a link with a different name. We have various methods to determine the actual web site that needs to be blocked. Here’s an example of exposing the real URL by simply pointing the mouse at the link. In this case the visible and hidden links match.
Our Strategy Sometimes Fails
The first and most obvious issue is that users may reply to these attacks before we can react.
Email replies: Although we can block reply addresses in our mail server and outgoing SPAM firewall, a user could reply from a dorm or from home with a different outgoing server that we do not control.
A second technique we use is to request that the account used to collect personal information be shut down. As stated earlier, some email providers are absolutely unresponsive and we don’t know if they have followed up.
Links to bad web pages: Although we can block a malevolent web page in our Internet firewall, a user could follow the link in the dorms or at home where we have no control.
Brien G. Muller
IT Help Desk Manager