Monday 20 January 2020

Phishing...and a little bit of analysis...

It was a strange email. Not from a name that I recognised. But it praised a post in my music technology blog http://blog.synthesizerwriter.com , mentioned an obscure link from a two year old blog post, and then used this as the hook to entice me into clicking on a link.

The choice of link was interesting. From a blog where just about ALL of the links are about music, technology or music technology, the choice was one about creative writing (OK, so I do slip the occasional left-field link into blog posts...). Having a link to the original blog post itself was interesting and tempting to click on to save time, but I didn't click on it, and instead I went directly to the actual blog post source. <Sound of lots of clicking...> Having reminded myself that I did indeed include an 'off the beaten track' link at the end of the blog post, I then looked at the increasingly suspicious email.

So I checked the actual email address, and yep, the name wasn't the same (close, but not the same), plus it was a gmail address, so it was already starting to score quite highly on my 'possible phishing' suspicion counter. The link it so desperately wanted me to click on wasn't quite as ordinary as it appeared, and, like the name at the end of the email, was in a different font size. At this point the suspicion counter was too high and I deleted the email.

Photo by Ujesh Krishnan on Unsplash

Not that long ago, phishing emails tended to routinely use urgency (only 24 hours left, do this now, urgent...) as one of the main ways that they tried to get you to click on the link payload. This email was different, because it was attempting to appeal to my vanity by praising this blog, in the hope that I would then click on the poisoned link payload. Normally this would probably move it closer in my mind to what is called 'spear-phishing', where the email is targeted at an individual, but it didn't seem to be that specific. So my suspicion is that this was just what passes for ordinary routine phishing nowadays, and it is consigned to the same virtual waste bin as all of those emails with names of people I know that say that I must open this link because I will love it, or I must see it, etc., and where again the name and the email address don't match... Or reminders about TV licence renewal, or refunds for Tax, or...
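The checks described above (the display name against the actual address, a freemail sender, link text that disagrees with where the link really goes, and an urgency or flattery lure), as an added example written for this page and not the author's own tooling. It parses a raw message with Python's standard email library and scores it; the two messages at the bottom are constructed for the example, and the weights, threshold and phrase lists are assumptions.

```python
"""Score a raw e-mail for the phishing indicators discussed above:
display name vs. address, freemail sender, link text that disagrees with
its href, and a lure (urgency or flattery) in the text.  The two messages
at the bottom are constructed for this example; weights are assumptions.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URGENCY = ("urgent", "24 hours", "immediately", "act now", "account will be")
FLATTERY = ("great post", "loved your", "love your", "brilliant")
WEIGHTS = {"name": 2, "freemail": 1, "link": 3, "lure": 1}  # assumed weights
THRESHOLD = 4  # assumed cut-off for 'suspicious'


class _HtmlScan(HTMLParser):
    """Collect (href, visible text) for every <a>, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.anchors, self.text = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._buf).strip()))
            self._href = None


def _norm(s):
    """Lower-case and keep only letters/digits, so 'Peter Jones' ~ 'peter.jones'."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyse(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["from"].addresses[0]  # policy.default parses From: into Address objects
    indicators = []

    # 1. Display name that does not correspond to the mailbox it claims to be.
    display, local = _norm(sender.display_name), _norm(sender.username)
    if display and not (display in local or local in display):
        indicators.append(("name", f"display name {sender.display_name!r} vs {sender.addr_spec}"))

    # 2. Freemail sender.
    if sender.domain.lower() in FREEMAIL_DOMAINS:
        indicators.append(("freemail", f"sender domain {sender.domain}"))

    # 3. Visible link text naming one host while the href points somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    if body is not None and body.get_content_type() == "text/html":
        scan = _HtmlScan()
        scan.feed(content)
        text = "".join(scan.text)
        for href, shown in scan.anchors:
            if shown.startswith(("http://", "https://", "www.")) and _host(shown) != _host(href):
                indicators.append(("link", f"text shows {_host(shown)} but href goes to {_host(href)}"))
    else:
        text = content

    # 4. Social-engineering lure (urgency or flattery) in subject or body.
    haystack = (msg["subject"] or "").lower() + "\n" + text.lower()
    for phrase in URGENCY + FLATTERY:
        if phrase in haystack:
            indicators.append(("lure", f"lure phrase {phrase!r}"))
            break

    score = sum(WEIGHTS[kind] for kind, _ in indicators)
    return {"score": score,
            "verdict": "suspicious" if score >= THRESHOLD else "ok",
            "indicators": [f"{kind}: {detail}" for kind, detail in indicators]}


# Constructed sample messages (not the real email from the post).
SUSPICIOUS = b"""\
From: "Peter Jones" <pjones.music.2020@gmail.com>
To: me@example.org
Subject: Loved your post
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi, great post on your music blog! I wrote a follow-up to the
creative-writing link you put at the end, see
<a href="http://blog.synthesizerwriter.com.tracker.example.net/c?id=1">http://blog.synthesizerwriter.com/</a>
</p><p>Cheers,<br><span style="font-size:8px">Pete Jonas</span></p></body></html>
"""

BENIGN = b"""\
From: "Peter Jones" <peter.jones@example.com>
To: me@example.org
Subject: Re: synth meetup on Thursday
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

See you at the usual place at 7.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyse(raw))
```

The link check is the one worth keeping even if the rest is tuned away: a mail client renders the anchor text, so a visible URL on one host with an href on another is exactly the "not quite as ordinary as it appeared" link in the post, and it is cheap to verify before anyone clicks.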

I apologise for stating the obvious, but the occasional reminder about

not clicking on links in emails that are even slightly suspicious

is always good, imho. It could save you from all sorts of bad stuff. Just delete suspicious emails.

Security analysis

There is a school of thought that says that anything that analyses phishing emails, even to remind people to be vigilant, is dangerous because it helps the creators of the emails to improve their emails and make them more dangerous. My counter-argument would be that there is a lot of analysis already available on the Interweb (and elsewhere (French for 'She Swears', btw)), and nothing that I have mentioned is new or notable - plus there is always the chance that someone will read this who hadn't ever thought about the dangers of malicious emails!

More broadly, there is an opinion that says that just about everyone has already had most of their details leaked in one data breach or another anyway, and so phishing gradually becomes counter-productive, since it is trying to find the access details for an increasingly rare resource: people whose details haven't been leaked in a breach. It's a bit like the instruction that you get in corporates not to go into work when you have a cold. When no-one in the office has a cold then this makes sense, but when everyone has a particularly virulent cold (or flu, for example) then it becomes a 'lock-out' instruction and can create major problems. If everyone is out with a cold, then who is there to tell people when it is safe to return? Even if there is someone around who might be able to tell people when it is okay to return, that person might get a cold too! Game theory is interesting like that, and phishing emails seem to be following some of the classic paths of 'how processes work'. 

Trigger words like 'everyone' are useful clues in analysis. One hears about high school pupils where allegedly 'everyone' in their class has a pony. Deeper analysis by cautious and/or cash/credit-challenged parents seems to indicate that 'everyone' has an actual numerical value of slightly greater than 1 person...

Another trigger word is 'unique'. Here the numerical value is strictly 1, and no adjectives are allowed, so 'totally unique' has no meaning, and neither does 'completely unique' or any other combination. (Although 'uniquely unique' does appeal to my sense of the ridiculous!) Unique is inherently, intrinsically 'total', 'complete', and any other adjective that advertisers and copy-writers try to insert before it. Of course, every security solution, every cryptographic algorithm, (etc.), and every method of phishing detection has to be unique as well, otherwise it wouldn't be worth advertising, would it?

Using multiple trigger words in a single sentence is usually not a good idea for examination by a security analyst. 'Everyone is unique' now has a minimum numerical value of 1, which implies that everyone else does not need to take a course on philosophy as soon as possible. (Oh, and 'as soon as possible' is another trigger phrase: does it mean 'now, regardless of other tasks'; or does it mean 'later, when time is available and no more urgent tasks are left to do'?)

The end-point of analysis is supposed to be good advice. Does this mean that trigger words should be avoided? (Oh, and recursion in analysis can cause problems too...)


If you find my writing helpful, informative or entertaining, then please consider visiting this link: