By SnowleopardJ


Please note that the entire experiment discussed here is conducted within a secure and isolated environment. Remember to interact cautiously with suspicious emails on your personal computer.


📧 Why is this an issue?

Probably one of the most annoying things in our lives is waking up to phishing or spam emails. Before writing this, I’ve been thinking about what the one thing is that affects many of our lives yet we ignore it or don’t realize the impact it could have. Surely plenty of things fit that description, but email, one of the most common messaging tools we use every day, comes to mind. People use email for almost everything. I’ve experienced email bombs peaking at 1,000+ emails/hr, delivery phishing, password phishing, etc. For most people, there might not be email attacks on such a scale. But if you have an email address, it’s hard not to receive any spam. It might be ads from grocery stores, password reset requests from one of your social media accounts, or one of those emails claiming you’ve won a prize you never entered.

Often, such emails contain advertising. If you view the email or click on the links in it, at most you will have seen an advertisement, and your browsing history will be collected by the company. But what if this is an email from Instagram asking you to change your password? You click on the “Reset Password” button and land on the official Instagram password reset interface. Then, you enter your account name, the old password, the new password, and submit!

…Wait, is this really the official website of Instagram?

🕵️ Inspect an email

Identify

Identifying a spam email is often simple and straightforward. All you need to know is whether the email you received was expected. If it wasn’t, and the sender is someone or some platform you trust, it is still not hard to identify. Most such spam emails are ads, registrations, subscriptions, etc.

Most of the time, such messages are designed for marketing. Therefore they contain tracking information that records your browsing behaviour (such as your location based on IP/GPS, your browser model and version, the content you browsed and the time you visited, etc.). All of this is personal information. Even if it may not appear to have any substantial impact on you at the moment, over time you’ll become “naked” without realizing it.

Here’s an example of a spam email:

Example of a spam email

Imagine having thousands of spam emails like this in your inbox within hours; that’s an email bomb attack. Similar to a DDoS attack, but directed at a mailbox.

Here’s another instance, this time a phishing email disguised as parcel information:

Example of a phishing email (body)

The first thing to check is the header. Here, the message claims to be from UPS, but the sender, [email protected], says otherwise: leila is the sender’s username, under the domain fixxx.example.com. Legitimate messages from UPS should have sender addresses ending with the official UPS domain, "ups.com", so the full sender address should look like "[email protected]".

Example of a phishing email (header)

In many cases, we can tell it’s a spam message simply by checking the sender in the header section, since scammers often don’t spend time and resources on forging senders. But what if it’s a targeted attack, and the sender uses email spoofing to make it look more authentic? That means that even if the sender is not "ups.com", the message still appears in your inbox as coming from "[email protected]". In that case, we need to analyze the email body:

Sections of the example phishing email (body)

For this example, the message body can be divided into four parts (from top to bottom):

  • Blue: View option
  • Purple: Message
  • Magenta: A URL link
  • Brown: Notes and copyright info

The purple and brown sections here are just to make the email look more authentic. What we need to pay attention to when it comes to phishing emails are URLs, attachments, and anything else that might access personal information. There are no attachments in this example, but there are links in the blue and magenta sections.

Let’s take a look at the link in the magenta section: "www.ups.com". It appears to be the official UPS site, so it must be legitimate. But is it? Is it really what it appears to be? There are typically two ways to inspect a URL link in applications like this: browser preview and HTML inspection. Inspecting a link in the browser is convenient: simply hover your mouse over the link (but DO NOT click it), and the real destination will appear somewhere in your browser. Where exactly is browser-dependent, but in most browsers it is displayed at the bottom left or right of the window. Returning to our example, it turns out that the real link is different from what it appears to be, but how is that possible?

URL Link preview in Browser

Let’s dive into the HTML code of this email. If you’re familiar with front-end engineering or HTML, you might notice the issue right away. But don’t worry if you are not. Remember those times when you were walking on the street and suddenly saw a mirror? You stopped and looked at it. No matter how you looked at it, it was still a mirror. But if you went around it and observed it from behind, you would find that it was indeed a mirror, but also a piece of glass. From different angles, one thing can appear as different things. The same goes for the link here. In the email, you only see one side of it (the text), while the other side (the real link) is hidden. If you want to discover it, in addition to the browser inspection method mentioned above, you can also perform a more in-depth inspection of the HTML code. Below is the code for the magenta section. The most important parts are the two highlighted links, one red and one blue. Translating this code into something everyone can understand, it says: attach the hyperlink "https://u3xxx.net/xxx" to the text "https://www.ups.com/xxx". Thus, the "ups.com" link that we see in the body of that email is just a piece of text, while the actual link is hidden. As for the link in the blue section, it directs the user to the same hidden link, while its text reads “web browser”.

URL link inspected in HTML

The hidden link then leads to a form submission on a fake website that appears to be exactly the same as the official UPS website, where you are prompted to enter your first name, last name, phone number, address, and other personal information.
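As an added example (not code from the original post), the following Python script automates the two checks described above on a constructed sample message: it compares the From: domain with the brand's domain (the header check), then walks every <a> element in the HTML body and flags any whose visible text is a URL for one site while the href points at another (the "mirror" check). The sample message, the fixxx.example.com sender and the u3xxx.example.net link host are constructed placeholders, and registered_domain() is a simplified stand-in that just keeps the last two DNS labels.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message: the sender host and link host are placeholders, not the post's real ones.
RAW_MESSAGE = b"""From: UPS Delivery <leila@fixxx.example.com>
Content-Type: text/html; charset=utf-8

<p>View this email in your <a href="https://u3xxx.example.net/x">web browser</a>.</p>
<p>Track it: <a href="https://u3xxx.example.net/x">https://www.ups.com/track</a></p>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two DNS labels, e.g. fixxx.example.com -> example.com (simplified; no public-suffix list)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def deceptive_links(html):
    """Anchors whose visible text is a URL for one site while the href points at another."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        # Only text that itself looks like a URL can be compared; a label like "web browser" is skipped.
        shown = text if "://" in text else ("https://" + text if text.startswith("www.") else "")
        if shown and registered_domain(urlparse(shown).hostname) != registered_domain(urlparse(href).hostname):
            flagged.append((text, href))
    return flagged

def analyze(raw, brand_domain="ups.com"):
    """Run the post's two checks: sender domain first, then text-vs-href for each link."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_mismatch = registered_domain(msg["From"].addresses[0].domain) != brand_domain
    html = msg.get_body(preferencelist=("html",)).get_content()
    return from_mismatch, deceptive_links(html)
```

For the sample message, analyze(RAW_MESSAGE) reports a sender-domain mismatch and flags the "https://www.ups.com/track" text that actually points at u3xxx.example.net, while the "web browser" link is left for manual review because its text is not a URL.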

Isolate threats before opening an email

It’s recommended to open potentially harmful emails in a sandbox environment or virtual machine. This isolates the email from our main system, so even if it contains malware, it won’t affect our computer. Tools like VirtualBox or VMware allow us to create virtual machines.

A more complex but secure solution would be using a secure operating system like TailsOS or a dedicated DMZ system to add an extra layer of protection. Systems like these are designed to prioritize security and privacy and can minimize the risk of malware infection.

However, neither of these two methods will stop the leak of information if you submit your info via a fake website.

Isolate threats after opening an email

This can happen sometimes. You accidentally click on a phishing email that looks really credible and hand over your personal information to the attacker. What should you do then?

This largely depends on the type of attack, each of which has different ways to counter it. For example, if you’ve clicked on a link and submitted your Instagram password to an attacker, the first step should be to log in to your Instagram account via the official Instagram website and change your password. At the same time, closely monitor the email address associated with your Instagram account for any password reset links or warnings that the attacker requested and that Instagram itself sent. Additionally, if you use the same password across multiple platforms, it’s crucial to also change that password on all other platforms.

I’m legit. Try Me!
