No matter how great the spam filter a business employs, the occasional malicious email will still make it through to end users. A decent analogy might be that of a battle of tug-o-war between good and bad actors. The bad actors develop a new kind of spam intended to fool the spam filters, while the good actors work to build adaptive systems or otherwise tweak the filter to keep the bad actors at bay. In this article we will discuss a textbook example of the type of malicious e-mail that can occasionally make it through a filter. Take a look at the image below as it displays a number of red flags users should be aware of:
- The e-mail purports to be from someone in Norway (.no). This begs the question, “Is it reasonable to expect e-mails from Norway at our business?”
- When one “mouses over” the included link, the URL displayed behind the link appears to be an Iranian (.ir) domain name. Always be sure to “mouse over” links in e-mails to see the URL that is displayed before committing to clicking on the link.
- Use of the word “Kindly” begs the question, “When is the last time a business associate in your universe of contacts began an email with this word?” Odd use of the language is always a red flag.
Next let’s take a look at the signature included in the mail (see image below):
- First we see that “Matthew” has included two salutations: both “Thanks” and “Kind Regards”. While by no means a giveaway unto itself, it is yet another red flag to add to the growing list of others.
- The e-mail body and signature use two different font colors. Again, while not a giveaway, it may be an indication that this e-mail was assembled by a programmer using code, as compared to an organically and personally written e-mail.
- Why is Matthew’s name in all caps while the rest of the e-mail seemingly respects rules for capitalization? Is this normally seen within e-mail signatures? Another indication that the e-mail might be computer generated and populated by a database engine instead of organically derived.
- Would we expect (at our business) unsolicited e-mail attachments from a person with an overseas phone number? In this case the number appears to be from Karauli (NW Central India).
We can see that after a bit of analysis it becomes clear (multiple red flags) that this example e-mail is fraudulent, and the link undoubtedly contains malicious code that could harm our systems. A rule of thumb I often share with users is this: “If one must squint at an e-mail in wonder while determining if it is valid, this is your first clue that the e-mail is fraudulent (and any links or attachments within it must not be executed).” Stated more succinctly, “If you are wondering if an e-mail is valid…it’s probably not.”
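Several of the red flags above can be checked mechanically before a user ever has to squint. The script below is an added example, not code from the original post or from AVAREN; it runs those heuristics over a constructed sample message, and the sender address, domains and the expected .com TLD are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not the article's real e-mail), built to show
# the same red flags: .no sender, .ir link hidden behind a friendlier-looking
# URL, "Kindly", two closings, and an all-caps name in the signature.
SAMPLE = """\
From: Matthew <matthew@example.no>
To: accounts@example.com
Subject: Invoice
Content-Type: text/html; charset=utf-8

<p>Kindly review the attached invoice.</p>
<p><a href="http://example.ir/doc">https://portal.example.com/invoice</a></p>
<p>Thanks<br>Kind Regards<br>MATTHEW</p>
"""

CLOSINGS = re.compile(r"^(Thanks|Regards|Kind Regards|Best Regards)[ \t]*$", re.M)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def tld(host):
    """Last label of a host name, lower-cased ('' when host is empty)."""
    return host.rsplit(".", 1)[-1].lower() if host else ""

def red_flags(raw, expected_tlds=("com",)):
    """Return a list of human-readable red flags found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",)).get_content()
    text = re.sub(r"<[^>]+>", "\n", html)  # crude tag stripping, one line per element
    flags = []
    sender = parseaddr(str(msg["From"]))[1]
    sender_tld = tld(sender.rpartition("@")[2])
    if sender_tld not in expected_tlds:          # "someone in Norway (.no)?"
        flags.append(f"sender domain is .{sender_tld}: {sender}")
    for href, shown in LINK.findall(html):      # what "mouse over" would reveal
        target = urlparse(href).hostname or ""
        if tld(target) not in expected_tlds:
            flags.append(f"link points to .{tld(target)} domain: {target}")
        shown_host = urlparse(shown.strip()).hostname
        if shown_host and shown_host != target:
            flags.append(f"link text shows {shown_host} but goes to {target}")
    if re.search(r"\bkindly\b", text, re.I):
        flags.append('body uses "Kindly"')
    if len(CLOSINGS.findall(text)) >= 2:        # "Thanks" and "Kind Regards"
        flags.append("signature has more than one closing")
    for name in re.findall(r"^[A-Z]{3,}$", text, re.M):
        flags.append(f"all-caps name in signature: {name}")
    return flags

if __name__ == "__main__":
    for f in red_flags(SAMPLE):
        print("RED FLAG:", f)
```

A mail gateway or help-desk triage script can run the same checks and route anything that trips several of them for verification rather than to the user's inbox.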
Be on the lookout for these and other “emails” that may contain malicious payloads. Should you have any doubts or wish to seek additional confirmation, feel free to send the e-mails to AVAREN for verification. When in doubt – delete, call the person to verify, or forward to AVAREN. The consequences of executing payloads in malicious mails can cost a business days or weeks of productivity, and many thousands of dollars in lost revenues and repair bills.