It may seem like phishing comes up every week on this blog, but that’s because the scams keep evolving and evading detection. While the scam emails are getting trickier to spot, our understanding of the problem has to keep pace, since we are the front-line defenders of valuable data. Today, we’ll walk through a recent spam message to explain what makes messages like it so dangerous and what level of vigilance it takes to combat the phishing threat.

Anatomy of a Scam

Here is a recent email to the CEO of Crown Computers, Sean Goss. Overall, the email looks somewhat legitimate, even if it’s a little confusing. Since a lot of communication services integrate with one another in a fairly clunky fashion (think of the email-to-SMS messages you’ve seen), it looks much like a voicemail system forwarding a message to your inbox.

One of the trickiest aspects of this message is that you might click it even if you’re sure you don’t use any such service, simply out of curiosity about where it came from. If you’re not paying the closest attention, it may look as if someone at your organization has just set up a new service for you.

The classic signs of a phishing email are there if you catch them, though. First, the sender’s display name is itself an email address, and it differs from the address the message was actually sent from. In this case the attacker has put a spoofed (impersonated) address that doesn’t exist into the display name, but it could easily pass for your own receptionist, at least if they use an address like calldesk@[your domain]. Many mail clients show only the display name by default, so expand the sender details and read the real address before trusting it.

Second, the attachment is an .htm file, which is the same thing as an .html web page. Instead of an audio file to listen to, it’s a page that your browser will render, including any JavaScript it contains. What this one does, specifically, is call back to the attacker’s servers with a signature (a unique identifier) that tells the attacker you opened it and are therefore susceptible to their campaign, which they will then intensify. An .htm attachment may also carry malicious links and embedded files, and because the browser opens it from your own disk rather than fetching it from a web server, the protections that judge a site by its address (URL reputation checks, web proxies, certificate warnings) never get a look at it.
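As an added example, not part of the original post and not code from Crown Computers or from any mail-filtering product, here is a small Python triage script that checks a raw message for the two signs described above: a display name that is itself an email address on a different domain from the real sender, and an HTML attachment that contains script or references external URLs (a likely call-back beacon or lure). The sample messages, addresses, domains and URLs are constructed for illustration and do not come from the email shown in the post.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the voicemail lure described above.
# Every address, domain and URL here is made up for illustration.
RAW_MESSAGE = b"""\
From: "calldesk@example-victim.com" <noreply@mail-relay.example.net>
To: ceo@example-victim.com
Subject: New voicemail message (0:42)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

You have a new voicemail. Open the attachment to listen.

--XYZ
Content-Type: text/html; name="voicemail_0042.htm"
Content-Disposition: attachment; filename="voicemail_0042.htm"

<html><body><script>
new Image().src = "https://tracker.example.org/beacon?id=abc123";
</script><audio controls src="https://tracker.example.org/vm.mp3"></audio></body></html>
--XYZ--
"""

# Constructed benign internal message with no attachment, the negative case.
BENIGN_MESSAGE = b"""\
From: Pat Receptionist <calldesk@example-victim.com>
To: ceo@example-victim.com
Subject: Front desk schedule
Content-Type: text/plain; charset="utf-8"

The schedule for next week is posted on the intranet.
"""

ACTIVE_EXTENSIONS = (".htm", ".html", ".xhtml", ".shtml")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ADDR_IN_NAME_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def display_name_mismatch(from_header):
    """Flag a From: header whose display name is itself an email address
    on a different domain from the address the mail really came from."""
    name, real_addr = parseaddr(from_header)
    real_domain = real_addr.rpartition("@")[2].lower()
    m = ADDR_IN_NAME_RE.search(name)
    if m is None:
        return None
    if m.group(1).lower() == real_domain:
        return None
    return f"display name shows {m.group(0)} but the mail came from {real_addr}"


def html_attachments(msg):
    """Describe every HTML attachment: whether it carries <script>, and
    which external URLs it references (a likely call-back or lure)."""
    findings = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if not filename.endswith(ACTIVE_EXTENSIONS):
            continue
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", errors="replace")
        findings.append({
            "filename": filename,
            "has_script": re.search(r"<script\b", body, re.I) is not None,
            "external_urls": sorted(set(URL_RE.findall(body))),
        })
    return findings


def triage(raw_bytes):
    """Parse one raw RFC 5322 message and return a verdict with reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    mismatch = display_name_mismatch(str(msg["From"]))
    if mismatch:
        reasons.append(mismatch)
    for att in html_attachments(msg):
        note = f"HTML attachment {att['filename']}"
        if att["has_script"]:
            note += " contains <script>"
        if att["external_urls"]:
            note += " and references " + ", ".join(att["external_urls"])
        reasons.append(note)
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("lure", RAW_MESSAGE), ("benign", BENIGN_MESSAGE)):
        result = triage(raw)
        print(label, result["verdict"])
        for reason in result["reasons"]:
            print("  -", reason)
```

Run it on the constructed lure and it quarantines with two reasons (the display-name/sender mismatch and the scripted .htm attachment with its tracker URLs); the benign front-desk message is delivered. The same two checks are cheap to add to any mail-gateway hook, and they catch this class of lure regardless of how the wording is varied.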

Protecting Yourself from Scams

The number one thing that you and the rest of your organization can do to protect yourselves from bogus emails is to stay vigilant. Read every email carefully, and never open an attachment you weren’t expecting, even from a trusted colleague or family member. If you don’t have an ongoing cybersecurity awareness training campaign, it might be a good time to start, since the attacks are always evolving to be more effective against typical defenses. No amount of spam filtering can give you perfect security; it’s up to you to read messages carefully and take the warning signs seriously.

In fact, this particular email made it through Proofpoint’s threat analysis and found its way into an inbox. That’s not to say that filtering or spam protection doesn’t work; rather, it shows how sophisticated the behind-the-scenes battle between attackers and defenders can get. When attackers change just enough of their behavior to go undetected, it may take time for security vendors to block them again. The fact that some spam messages still make it through is not a good reason to stop protecting yourself from all of the mess

-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team