How to spot a “phishy” email

This Wikipedia article provides as good a definition as any for phishing:

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

The challenge is, how do you tell a phishing email that claims to come from your friend, your bank, or another trusted source from a real email from that friend, bank, or other trusted source?  Using an example phishing email that hit my inbox yesterday, this blog post will provide some helpful and easy-to-use tips to spot phishing emails that get past your spam filter.

Yesterday’s email claimed to come from a friend, with the subject “Confidential document”.  I happen to know my friend is away from work, so the subject already raises an alarm.  Here is a screenshot of the offending mail message.  I blacked out the sender name and other identifying information in the text of the email.

Take a look at the little popup near the “click here” link.

And that leads to the first clue on whether that email is what it claims to be.  Most phishing emails come with embedded links you can click on – but where do those links really take you?  Here is how to find out.  Position your mouse cursor over the top of those links – don’t click anything, just position your mouse cursor there.  A little popup should appear with the URL of the website where this link really points.

In my example, the link points to a suspicious website named Altervista, even though the text of the email suggests the link should point somewhere inside Google.  But look closely – Altervista?  One of the original Internet search engines, before Google, was named Altavista (no “r” in the middle).

This is another favorite phishing trick.  Register domain names that look similar to legitimate or familiar domain names and use fake websites to fool people into giving up sensitive information.  See a few sentences below for a quick discussion about domain names.
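The hover check and the look-alike check, as an added Python example that is not part of the original post: it pulls every link out of a constructed HTML mail body, compares the domain named in the visible text with the one the href really points at, and flags destinations that sit a couple of characters away from a familiar name.  The FAMILIAR list, the 0.8 similarity threshold and the sample body are my own constructions.

```python
# Added example (not from the original post): the "hover over the link" check, done in code.
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FAMILIAR = ["google.com", "altavista.com"]  # constructed list of names a reader would trust

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def sld(host):
    """Second-level label: 'google' for docs.google.com, 'altervista' for altervista.org."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) > 1 else parts[0]

def inspect_links(html):
    """Return [(href, visible text, [reasons])]; an empty reason list means nothing odd."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # 1. The visible text names one host, but the href really goes to another.
        named = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if named and sld(named.group(0)) != sld(host):
            reasons.append("text says %s but link goes to %s" % (named.group(0), host))
        # 2. The destination is a near miss for a familiar name (altervista vs altavista).
        for fam in FAMILIAR:
            ratio = difflib.SequenceMatcher(None, sld(host), sld(fam)).ratio()
            if sld(host) != sld(fam) and ratio >= 0.8:
                reasons.append("%s looks like %s (similarity %.2f)" % (host, fam, ratio))
        findings.append((href, text, reasons))
    return findings

SAMPLE = ('<a href="http://altervista.org/x/doc.php">https://docs.google.com/document</a>'
          ' and <a href="https://maps.google.com/">maps.google.com</a>')  # constructed body
```

Running `inspect_links(SAMPLE)` reports both problems for the first link and nothing for the genuine Google Maps link.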

I don’t need to dig any deeper.  With less than 5 seconds of analysis, I can confidently conclude this email is no more legitimate than a confederate $3 bill.

But we can do better.  I owe it to my friend and this blog entry to chase this one down a little more.

Digging Deeper

On the Internet, everyone who is anyone has a domain name.  Think of a domain name as kind of a trademark name on the Internet, managed by various registrars.  For now, there are a few top level domain names, such as .com, .org, .edu, .net, and others.  Thousands more are on the way and nobody knows how popular they will be.  But, at least for now, the real action is in the second level domain names.  Names such as google.com, whitehouse.gov, infrasupport.com, and millions of others comprise today’s Internet.  Most organizations today operate a website, typically named www.  They may also operate an email server, typically named “mail”.  Some offer additional services with different names.  Google, for example, offers another popular website named maps.google.com.

Here is where things become interesting.  In one of the more famous cases of name hijacking, a creative porn operator registered the name “whitehouse.com”.  The idea was, the United States Federal Government operates a website named www.whitehouse.gov.  This website has all the attributes we would expect from the Executive Branch of the United States Federal Government.  But www.whitehouse.com was a porn site – and not even the United States Federal Government had power to stop it, even though its name was similar to the website of the real White House.

Back to our suspicious email.  Domain registrars offer tools to find the current holder of any given domain name.  Some owners pay extra money for privacy, others identify themselves, although not always accurately.  So who is behind altervista.org?

The easiest way to find out – go here and do a whois lookup.  Type “altervista.org” in the search box, and here is the result.  Apparently, this domain name belongs to somebody in Italy.  The name was first registered in 2000 and expires in 2015.  The odds are pretty good the current domain name holders will renew it before it expires.

What can we do about this?  Realistically, not much.  Other than a few high profile cases in the headlines, law enforcement is generally not willing to work these cases because they are labor intensive.  But now, knowing the domain name is registered in Italy, we find yet another nail in this phishing email’s credibility coffin.  Stay far away from the website in that link.

Will the real sender please stand up?

Next, where did this email really come from?  In one of the most regrettable engineering design oversights of the Internet, the SMTP email protocol has no real security and anyone can impersonate anyone else in an email message.  This is a particularly nasty problem because, to date, nobody has come up with anything foolproof to address the problem.  This means, if I want to compose an email and claim I am, say, the vice-president of your bank, I can make the body of the email look like it really came from that sender.  I can even grab a copy of your bank’s letterhead and make the email look like it’s on bank stationery.  If I do a good job of editing, then when you receive the offending email, you will not have any inkling it’s a forgery.

Unless you look at the header.

Here is a picture of the header for the phishing email I received, with my friend’s name blacked out.  Email headers provide valuable diagnostic clues, including routing information and where the message really originated.  We can compare this with where it claims to come from.  Most phishing emails claiming to come from your bank or credit card company in fact originate in China, Russia, or another country.

How do you look at the header?  Every version of every email program is different.  In Outlook 2010 and 2013, click File…Properties.  In Outlook 2007, click the little checkbox in the “Options” menu ribbon graphic.  In Outlook 2003 and earlier, click View…Options.

Notice my sender claims to come from gmail.com.  Gmail is Google’s free email service and my friend does, in fact, have a Gmail account.  Looking at the header, the evidence strongly suggests this message really came from my friend’s mailbox.
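The header comparison done by hand above, as an added Python example that is not from the original post: it reads the Received: chain, finds the host the message first entered the mail system from, and checks it against the From: and Return-Path: domains.  The two header texts, their hostnames, IPs and dates, and the EXPECTED_ORIGIN table are constructed for the illustration.

```python
# Added example (not from the original post): compare where a header's Received: chain says the mail entered with what From: claims.
import re
from email import policy
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed table: From: domain -> parent domain of the relays that legitimately send its mail.
EXPECTED_ORIGIN = {"gmail.com": "google.com"}

def domain_of(addr_header):
    """Domain part of an address header such as 'Friend <friend@gmail.com>'."""
    return parseaddr(str(addr_header or ""))[1].rpartition("@")[2].lower()

def parent_domain(host):
    """Crude parent domain: 'google.com' for mail-ab1-f42.google.com (enough for this demo)."""
    parts = host.lower().strip("[]").rstrip(".").split(".")
    return ".".join(parts[-2:])

def received_hops(msg):
    """[(from_host, by_host)] ordered from origin to final delivery.  Each relay prepends its own
    Received: line, and only lines written by your own or trusted relays are reliable."""
    hops = []
    for line in msg.get_all("Received", []):
        flat = " ".join(str(line).split())
        frm = re.search(r"\bfrom\s+(\S+)", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append((frm.group(1) if frm else "?", by.group(1) if by else "?"))
    return hops[::-1]

def analyse(raw_header):
    """Summarise who the mail claims to be from versus where the header says it entered."""
    msg = HeaderParser(policy=policy.default).parsestr(raw_header)
    claimed = domain_of(msg["From"])
    # Origin = the sending host of the earliest hop, or the relay itself when it only says "by".
    origin = next((f if f != "?" else b for f, b in received_hops(msg)[:1]), "?")
    return {"claimed": claimed, "origin": origin,
            "return_path_matches": domain_of(msg["Return-Path"]) == claimed,
            "origin_matches": parent_domain(origin) == EXPECTED_ORIGIN.get(claimed, claimed)}

# Constructed headers modelled on the post; hostnames, IPs and dates are made up.
FRIEND = """\
Return-Path: <friend@gmail.com>
Received: from mail-ab1-f42.google.com (mail-ab1-f42.google.com [203.0.113.42]) by mx.example.com with ESMTPS; Tue, 1 Oct 2013 02:10:11 -0500
Received: by mail-ab1-f42.google.com with SMTP id q7; Tue, 1 Oct 2013 00:10:10 -0700 (PDT)
From: Friend <friend@gmail.com>
"""
BANK = """\
Return-Path: <bounce@203-0-113-9.example.net>
Received: from 203-0-113-9.example.net ([203.0.113.9]) by mx.example.com with ESMTP; Tue, 1 Oct 2013 03:00:00 -0500
From: "Vice President" <vp@bank.example>
"""
```

`analyse(FRIEND)` agrees with the post (a gmail.com sender whose mail left Google's own servers), while `analyse(BANK)` shows a bank address whose message entered from an unrelated network with a mismatched Return-Path.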

But my friend did not send it.  Somebody compromised my friend’s email account and is now trying to pursue my friend’s contacts, including me.  No doubt, that altervista website will try to extract personal information such as credit card numbers or passwords and use them illegally.  One day, I might use a throwaway computer to see what that website does, but not today.

I warned my friend and hopefully by now, that email account and any other accounts my friend operates have new passwords.

I want to thank the people who are reading this blog post and leaving comments.  If you don’t mind, I would appreciate it if you would fill out the Contact Us form and let me know how you found it.  And, of course, if you want some help eliminating “phishy” emails, or you suspect you have a malware problem, or just need IT help in general, please Contact Us too.

And now this blog is finally visible to the world

I seem to encounter more than my share of tech problems that nobody else has ever seen before.  I don’t know why, they just seem to find me.  The good news is, I like to think this makes me stronger.  If they don’t kill me first.

The saga getting this blog page up and running is a typical example.

Apparently, it all started about a year ago when somebody decided it would be better to set up the new systemd to start mysqld on Fedora using a private tmp directory instead of the system wide tmp directory.

Understanding the sentence above needs some background.  Briefly – I am hosting this website on a Fedora 18 virtual machine.  Fedora is a free, open source offering from a great company named Red Hat.  Because Fedora is free, lots of tech enthusiasts use it, help debug it and provide feedback to Red Hat.  Red Hat incorporates the feedback and periodically releases another product with paid support subscriptions named Red Hat Enterprise Linux.  The model works for everyone.  I get a free platform, Red Hat gets a more solid paid offering.  And I’m a Red Hat partner, so it’s good to use the products I help resell and support.

Mysqld (pronounced “My-S-Q-L-D”) is part of the well known open source mysql database package.  And systemd (pronounced “System-D”) is a new, sophisticated set of software to start Linux systems.  Systemd is an improvement over the old way to do it.  It’s rapidly maturing and will soon become part of Red Hat Enterprise Linux.

The takeaway from all this is, it’s bleeding edge packaging and I am essentially a tester for this packaging.  Sometimes that testing produces unexpected results.

Why is this important to me?  Because I chose a package named WordPress to develop my new website and I’ve spent a significant portion of the past month of my life learning how to use it.  The website and blog you’re reading right now is the fruit of my labor.  WordPress depends on the mysql database hosted on my Fedora system, which, in turn, uses systemd to start itself.

Mysqld apparently writes temporary data to a temporary directory to perform its work.  This could be a security issue if others have access to that same temporary directory.  So about a year ago, somebody decided it would be a good idea to use systemd to “fool” mysqld into using a private temporary directory only available to mysqld.  Take a look here for details.  Unfortunately, systemd apparently removes these private temporary directories periodically and this breaks mysqld, but only after it has been successfully running for several days.  Problems like this are maddening to identify and troubleshoot because the system passes all tests and then suddenly fails for no apparent reason.

Around the time I set up my first blog post, systemd apparently decided to clean out its temporary directories.  This broke mysqld, which, in turn, broke WordPress, which, in turn, broke my blog entries and website menu construction.  This triggered a flood of electronic correspondence in various support forums to find an answer.  The problem was magnified because the WordPress theme I chose, named “Responsive”, had an upgrade around the same time and the upgrade had some bugs.

Here and here are a couple of links with details.  Here is another one.  The one sentence summary – I haven’t slept much the past few days and I really need a shower.

I am deeply grateful and indebted to the people in this discussion thread who found the mysqld/systemd problem and to the support staff at Cyberchimps.com who seem to work the same weird late night hours as I do.

And now, this blog should finally be visible to the world.

Welcome to my blog

Welcome to the new and improved Infrasupport website.  This blog is where I’ll post articles or essays I think are of interest.  Over time, as the content accumulates, I’ll set up categories to make entries of interest easy to find.  Enjoy.