{"id":9913,"date":"2017-10-16T11:10:15","date_gmt":"2017-10-16T19:10:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/16\/news-3686\/"},"modified":"2017-10-16T11:10:15","modified_gmt":"2017-10-16T19:10:15","slug":"news-3686","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/16\/news-3686\/","title":{"rendered":"Phishes, pseudophishes, and bad email"},"content":{"rendered":"

Credit to Author: William Tsing| Date: Mon, 16 Oct 2017 18:00:49 +0000<\/strong><\/p>\n

Everyone knows about phishing. We\u2019ve all heard that the solution to phishing is to educate the user as, after all, it must be the user\u2019s fault for stupidly clicking on the thing. But what about when perverse incentives make clicking the phish seem logical? What about the enterprise pseudophish\u2014when design-by-committee language, lack of attribution, and over broad requests for personal information make something look like a phish?<\/p>\n

Users will frequently be inundated with corporate requests for information; requests they are often required to comply with. When companies that don\u2019t think these things through end up with something that apes the style of a phish, they can be training their users to click on actual phishes that come their way. Let\u2019s check out a recent example pertinent to the Anthem breach settlement a few months back.<\/p>\n

\"\"<\/p>\n

This legitimate email relies fairly heavily on the style and tone favored by phishes for decades. First of all, the email includes a lengthy \u201cClaim ID\u201d string without explaining what that means to the user. Next is the all-caps appeal to authority of a \u201ccourt-approved legal notice.\u201d The sender then includes an urgent call to action bounded with a deadline to induce anxiety. Lastly, they provide links with no indication of content and no direct connection to Anthem that the user is expected to click on.<\/p>\n

Stylistically, the whole thing is a mess of odd margins and shifting formatting for no particular reason.\u00a0 Most concerning is that nowhere in the email does it address who the sender is, how they got your email, or what their connection to Anthem is.<\/p>\n

Are there other ways to verify the legitimacy of the email<\/a>, like examining headers, running the URL provided in a test VM first, or searching on the provided number? Of course. But can we realistically expect the user to do that for every ill-thought out communication?<\/p>\n

User education<\/h3>\n

The presumption of many security professionals is that clicking a malicious link is a lapse in judgment or temporary insanity on the part of the user. But given the above legitimate message that the user is required to read and act upon, is it unreasonable that they would click on a Dridex malspam using the same pitch? Would we as network defenders be shocked to see a phish that looked like this? And finally, given the absurdly high volume of email most end users deal with in an office environment, aren\u2019t we really educating them to go ahead and click?<\/p>\n

Please don’t do this<\/h3>\n

How do you stop phishing your own users? Before you hit send, make sure of the following:<\/p>\n