Analyze an Email Attack

What is an email attack?

An email message can contain an innocent-looking link that actually takes you to a malicious Web site or downloads malware onto your computer. Malware is a generic term for viruses, trojans, spyware, and adware.

Examination of a typical email attack:

Please see the analysis below the illustration.

1. A false subject line claims "You just received an E-Greeting." E-greetings are fun, so the attackers hope to trick more people. There are legitimate e-greetings, but this is not one of them.

2. A fake return address gives the message an air of authenticity. all-yours.net is a real on-line e-greeting company, but they did not send this message. By examining the hidden message header, you could determine the real sender.

3. The first embedded URL looks right. Note the word "looks." It's not a real URL; it's hiding another.

4. The circled mouse pointer shows the first step in analyzing the URL: point to it in MS Outlook and pause.

5. Step 4 revealed the real URL in a yellow box. Note that the real URL in the yellow box is very different from the one in the message. Also, the real URL ends with a filename, postalcard.jpg.exe, so clicking it will download a program.

6. The other suspicious feature is that the file has two extensions, .jpg and .exe. This is a technique used by malware to hide the real file type. By default, Windows XP hides the file extension. Your college-owned computer should have visible extensions because we make them show before delivery. However, the .exe extension is probably hidden on your home computer. The email wants to download postalcard.jpg.exe, but with the file extension hidden it will show as postalcard.jpg. Since .jpg indicates a picture, you would naturally assume it's harmless. However, the real extension, which may not show, is .exe, indicating a program. If you download this and double-click to see the picture, you'll actually launch a program and infect your computer.

Again, .exe means the file is a program and not a picture.

What can you do?

Do not fall for these attacks. Delete them and forget them.

Use common sense: The recipient of this particular message was suspicious because it didn't say which friend or relative sent the card. In other words, the message did not say "Kyle Chenlee has sent you an e-greeting." The message was too generic and not personalized.

If the return address looks legitimate but there is no reason to expect email from that domain, or you do not want email from that domain, add it to your black list in the spam firewall.

Domain: If an address is greeting@all-yours.net, the domain is the part after the @ symbol, i.e. all-yours.net is the domain.

Black list: If you add an address to your black list, you will never receive messages from any sender at that domain or spoofing that domain. The messages will not reach your inbox or even the spam quarantine. They will be rejected and you will never know about them; you will not be bothered by them.

Do not black list every domain from which you receive spam or phishing attempts. In other words, if you black list aol.com or gmail.com, there is the possibility that relatives, friends, and students on those domains will not be able to write to you. On the other hand, if you do not do business with Chase or PayPal, why not blacklist their domains? You will never again see a fraudulent message pretending to be from them.

Do not waste time blacklisting addresses from every spam message. Spammers change addresses regularly, so trying to blacklist most spam will be an exercise in futility. This situation is different: chase.com, chasebank.com, and paypal.com are legitimate addresses that will never change, AND I do not expect to do business with them, so I can block all mail from them or pretending to be from them. However, I do not blacklist [email protected] because the spammer will likely change addresses tomorrow, and I don't want to block all mail from AOL.
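The two warning signs worked through above (link text that names a different host than the real URL, and a filename with a decoy extension in front of .exe) plus the domain-after-the-@ rule can be checked automatically before anyone clicks. The Python script below is an added example, not code from the original page or from Skidmore's help desk; the sample message, its IP address and paths are constructed, and the list of executable extensions is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the e-greeting lure; IP, paths and address are made up
SAMPLE = """From: greeting@all-yours.net
Subject: You just received an E-Greeting

<a href="http://203.0.113.9/cards/postalcard.jpg.exe">http://www.all-yours.net/view/card</a>
"""
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".pif"}  # assumed set: final extension => a program

class LinkParser(HTMLParser):  # collect (href, visible link text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def sender_domain(msg):
    # The domain is everything after the @ in the From address
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    parser = LinkParser()
    parser.feed(msg.get_payload())
    findings = []
    for href, text in parser.links:
        real, shown = urlparse(href), urlparse(text)
        # Sign 1: the visible text names one host, the real href goes to another
        if shown.netloc and shown.netloc.lower() != real.netloc.lower():
            findings.append(f"link text shows {shown.netloc} but points to {real.netloc}")
        # Sign 2: a decoy extension (.jpg) sits in front of an executable one (.exe)
        name = real.path.rsplit("/", 1)[-1]
        exts = re.findall(r"\.[A-Za-z0-9]+", name)
        if len(exts) >= 2 and exts[-1].lower() in EXEC_EXT:
            findings.append(f"double extension hides executable: {name}")
    return {"sender_domain": sender_domain(msg), "findings": findings}
```

The returned domain is what you would add to the spam firewall's black list if you decide to block that sender; the findings list is empty for a link whose text and href agree and whose filename has a single, non-executable extension.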
Blacklisting is helpful, but use it judiciously.

Related Information

Would this attack have harmed my Apple Macintosh? Programs ending in .exe were written for Microsoft Windows and will not run on the Mac OS. Therefore, the download in the above example would not have harmed a Mac. That's not to say that there is no Macintosh malware; Mac users should still be cautious. If you use Microsoft Windows on your Intel Mac, then Windows could have been infected by running the malware.

Maintained by Brien G. Muller, IT Help Desk, Skidmore College, Saratoga Springs, NY. Rev. 2008.08.27