I got e-mail the other day from Turbotax saying someone had filed my taxes for me. Obviously a cause for concern, right? Here’s how I determined the message was fake in about three minutes. You can spot phishing e-mails with Outlook the same way.
Some people will tell you not to even open a message like this, but if you’re a computer professional, at some point someone is going to want you to prove the message was fake. I think this is something every e-mail administrator, desktop support professional, security professional, and frankly, every helpdesk professional ought to be able to do.
So here’s how you can get the proof. And generally speaking, Outlook 2010’s default configuration is paranoid enough that this procedure will be safe to do. If you want an extra layer of protection, make sure you have EMET installed and protecting Outlook.
What is phishing?
Phishing is a scam, sending fake e-mail to you claiming to be something that it isn’t, in order to get you to do something that makes it possible for them to hack you. It could be like the message I got, trying to get me to click on a link that’s going to infect my computer so they can get onto my employer’s network. Before you say you have antivirus software, or that you use a Macintosh, be aware that someone who is skilled enough to spoof an e-mail message is also probably skilled enough to evade your antivirus software or to exploit a weakness in your Macintosh. No computer software is perfect, regardless of what their marketing department may say.
For this reason, it is very important that you not click on any links or open any attachment that may be present in the message.
But as long as you’re intellectually honest with yourself, it’s entirely possible to tell if someone is using a particular e-mail message to try to hack you.
Step 1 to spot phishing e-mails with Outlook: View the message headers
The message headers are a log of where the message originally came from and what systems it passed through in order to get to you. If it was a legitimate e-mail from Turbotax, I would expect one of the servers involved to have a domain name of turbotax.com or intuit.com (Intuit publishes Turbotax).
There’s a lot of talk these days in the news about metadata. This is an example of metadata. For ordinary communication you can safely ignore it, which is why Outlook doesn’t show it to you by default. But I’m about to give you an example of how valuable it can be, when you know what to do with it.
Viewing the Outlook metadata
Open the message, then look in the ribbon for the icon labeled Tags. There’s a little arrow in the lower-right corner. Click that arrow, and a new window pops up with tons of lines in it that start with phrases like Received: and Return-Path:. For a legitimate message, I would expect to see an e-mail address from turbotax.com or intuit.com in a line beginning with Return-Path:, and I would expect the last line beginning with Received: to contain the address of a server at turbotax.com or intuit.com. If I don’t, that’s a red flag.
You will probably see Received: addresses in between the originating one and yours. This is common, and not a cause for alarm.
You can take a look at the other lines in the header as well. Deep-diving into what all of them mean would probably require something book-length, but it’s certainly possible to find other clues in there too. You won’t be able to read all of it. Concentrate on the parts you can.
Analyzing the Outlook metadata
If you have an existing relationship with the company the e-mail claims to be from, find another message from the same source and view the headers on that. Even if it comes from a different person at that company, the message headers should look very similar. If they don’t, that’s a very strong indicator the message isn’t what it claims to be. This is an important step to take if you get a message from your boss instructing you to wire money overseas. Compare the headers with another message from your boss. Anyone can figure out who your boss is, given enough time, then craft an e-mail message that looks like it’s from your boss, but making those headers match is a far, far more difficult thing to do.
Step 2 to spot phishing e-mails with Outlook: View the source
The next step is to take a look at the HTML behind the message. This isn’t as intimidating as it sounds. HTML is a computer language, but you can safely ignore 90-99% of the content when you view the HTML, so this step isn’t nearly as hard as it sounds. It may actually be easier than step 2 was.
To view the source, scroll to the end of the message, find a blank space in it, and right-click on it. One of the options should be View Source. If you don’t get that option, find another blank space and right-click there. Repeat until the option comes up. Now your message opens up in Notepad.
There are two things to look for. Hit CTRL-F to bring up a search window, and type img src, then click Find Next. An img src tag looks something like this:
<img src=”http://images.turbotax.com/banner.jpg” alt=”” />
If that blurb after http points to something that looks like an Internet address that isn’t related to the business, get suspicious.
Look for more image tags by hitting CTRL-F and clicking Find Next.
Next, after you’ve examined all of the image tags, look for links. Hit CTRL-HOME to move to the top of the message, then hit CTRL-F again, and type a href then click Find Next. A reference tag looks something like this:
If you see one of these reference tags in close proximity to an image tag and that reference tag doesn’t point to something that’s plainly related to the sender, treat it at suspicious. Or if the reference tag is near text that suggests one thing but links to something completely different, the message is suspicious. If the text suggests “turbotax” but the link points to a random-looking domain name, it’s suspicious. Random-looking domain names are always suspicious.
How to respond safely
If you’re unsure at this point, you have some options. If this happened at work, contact your helpdesk. They should have a procedure for investigating this kind of thing at this point, and someone on staff ought to be competent enough to investigate these types of messages.
If your helpdesk has been offshored and it’s going to take them a week to respond to something like this–I know, I’ve worked for companies that have–respond to the sender by doing something other than replying to the e-mail.
If it’s your boss, call your boss and say you just got a strange e-mail message and you want to ensure you’re actually supposed to do this strange thing. There’s a pretty good chance your boss won’t know what you’re talking about. What if your boss gets irate about not following orders? Calmly explain that there are companies that have lost hundreds of millions of dollars to scams involving offshore wire transfers, so you’re just trying to protect the company.
If it’s e-mail from a company, do a Google search for the company’s 800 number and call them. Explain that you got a strange e-mail message from them and want to make sure it’s legitimate. Expect your call to get transferred once or twice. But someone will be able to determine fairly quickly if the message was genuine. Companies are used to inquiries like this.
Why do people phish?
Most of the things that criminals used to do in order to hack into a network don’t work anymore. Far and away the easiest way to steal money or data these days is to send e-mail to the right person and get them to do something. They might ask you to open an attachment, click on a link, or wire money to China. This is why I said last year that workstations are the new firewalls, and why companies spend multiple thousands of dollars every year on security awareness training. It’s inadequate, but it works some of the time.
It works because it preys on people’s natural instincts. Everyone wants to do their job or at least not irritate the boss. An everyone wants to protect themselves. Security professionals call this social engineering. The journalist in me wants to call it manipulation. People understand that word, so there’s no need to invent new jargon.
And most companies don’t do a very good job of applying security updates to their computers. So if you can get someone to do something, you can probably get them to help you manipulate a weakness in a computer system. Chain those two things together successfully, and you have a breach.
Hacking campaigns increasingly involve teams, including skilled writers and graphic designers and not just people who are good at breaking into computer systems. That’s why you can’t just assume a message is bad if it’s written in broken English anymore. The fake messages often sound better than the real ones.
Anyone with enough motivation can learn the necessary skills. So that’s why self-defense increasingly has to include some knowledge of computer defense.
The multi-million dollar idea
If you’re a software developer looking for the next idea that will be worth multiple millions of dollars, I’ll give it to you for free. I’ll give the idea away because every security professional wants it but none have managed to develop it themselves yet.
Develop a mail filter that can reliably parse a mail message for scammy characteristics. Mail headers that don’t add up would be a good start. Make it filter those messages so that ordinary computer users don’t ever see these messages in the first place, or at least the dangerous elements of the message get filtered out. It’s a similar problem to spam filtering, perhaps easier in some ways but definitely more difficult in other ways.
It’s easier said than done. But if you develop such a product and it ends up working reliably, lots of companies will buy it quickly. And companies could start requiring other companies to buy it in order to meet their contractual requirements to do business. It’s nearly impossible to be in business today without having some contractual or regulatory requirement to run antivirus software. For this reason, you can also expect the opportunity to sell out to a large, existing software company to come rather quickly.