Today’s guest blog post is written by Ben Ferber, Operations Manager, PatronManager.
Late last year, I got a very fishy email. It looked like this:
I was standing on the A train in New York City at 8:35 am when I opened it. A once-over of the email raised a bunch of red flags:
- The text of the email was unspecific — it didn’t reference a particular account.
- It was written in a clumsy style that made it seem illegitimate: specifically, the awkward wording of “Records have been received,” and the double spacing after periods and between lines.
- The email was from an unclear source; it wasn’t from our Director of Data Security or someone else with a recognizable face and voice, which is where legitimate emails like this almost always come from.
- It came out of the blue, unsolicited. I hadn’t just tried to reset a password, nor could I remember entering my password for any of my accounts in a place where it could’ve been leaked. (It helps that I use 1Password, which alerts you whenever a password has been compromised! I’m also an occasional visitor to the lovely website haveibeenpwned.com.)
- The email address was from a non-company domain. In this case, one attempting to look like a company domain! “@patrontechnolgy.com” is missing the last o. [Similar tricks like this are: replacing letters like “m” with two “n”s (“nn” vs “m”), or letters like a lower case “L” with an upper case “i” (“l” vs. “I”).]
- The reset link itself wasn’t to a recognizable domain; it was to an obviously malicious one. I was on my phone, so I pressed and held the link down rather than opening it; that brought up this screen which showed me the link without opening it [pictured right].
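Two of those red flags (the lookalike sender domain and the link whose real destination differs from what it shows) can be checked mechanically. The script below is an added example, not code from the post or from PatronManager: it normalises the sender domain for confusable characters (“nn” for “m”, capital “I” for lowercase “l”), measures how far it is from the company’s real domains with an edit distance, and for every link in the HTML body compares the host the link actually goes to with the one its visible text displays. The trusted-domain list, the sample email and the link host are constructed for the example; only “patrontechnolgy.com” comes from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation really sends from (assumed list for this example).
TRUSTED_DOMAINS = {"patrontechnology.com", "patronmanager.com"}

# Visually confusable substitutions: the ones the post names ("nn" for "m",
# capital "I" for "l") plus a few other classic ones.
CONFUSABLE_PAIRS = [("1", "l"), ("0", "o"), ("rn", "m"), ("nn", "m"), ("vv", "w")]


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so lookalike spellings compare as equal."""
    d = domain.strip().replace("I", "l").lower()  # capital I before lowercasing
    for bad, good in CONFUSABLE_PAIRS:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches the dropped 'o' in patrontechnolgy.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """'trusted' for our own domains, 'lookalike' for near misses, else 'unknown'."""
    domain = domain.lower()
    for t in TRUSTED_DOMAINS:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    sk = skeleton(domain)
    for t in TRUSTED_DOMAINS:
        if sk == skeleton(t) or edit_distance(sk, skeleton(t)) <= 2:
            return "lookalike"
    return "unknown"


LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def analyze_links(html: str) -> list:
    """For each <a>, compare the host it really goes to with the host its text shows."""
    findings = []
    for href, inner in LINK_RE.findall(html):
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        m = DOMAIN_LIKE.match(shown)
        shown_host = m.group(1).lower() if m else None  # None if text is not URL-like
        findings.append({
            "href": href,
            "host": real_host,
            "host_status": classify_domain(real_host),
            "display_mismatch": shown_host is not None and shown_host != real_host,
        })
    return findings


def analyze_email(raw: str) -> dict:
    """Parse a raw RFC 822 message and report sender-domain and link findings."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    payload = msg.get_payload(decode=True) or b""
    links = analyze_links(payload.decode("utf-8", "replace"))
    sender_status = classify_domain(sender_domain)
    suspicious = sender_status != "trusted" or any(
        link["host_status"] != "trusted" or link["display_mismatch"] for link in links
    )
    return {"sender_domain": sender_domain, "sender_status": sender_status,
            "links": links, "suspicious": suspicious}


# Constructed sample modelled on the post's email; the link host is a reserved
# .example name standing in for the real malicious one.
SAMPLE_EMAIL = """\
From: Patron Technology Security <security@patrontechnolgy.com>
To: ben@patrontechnology.com
Subject: Password reset required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Records have been received.  Please reset your password.</p>
<p><a href="http://login.reset-portal.example/reset?u=ben">https://patrontechnology.com/reset</a></p>
</body></html>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_email(SAMPLE_EMAIL), indent=2))
```

On the sample, the sender domain is reported as a lookalike (one edit away from the real one) and the single link is flagged both because its host is unknown and because the text it displays names a different host than the one it goes to.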
This email was deeply concerning to me — and if you’ve never bumped up against a phishing attempt, you may be wondering why. What’s the difference between this and a run-of-the-mill spammy email? In short: this email was explicitly trying to milk sensitive information out of me.
The explicit dangers of opening emails and links like this are as follows (all of which ran through my head as I imagined dozens of emails like this going out to our staff):
- When you open an email, if there are images in the email’s body, those images can collect analytics about who you are, where your computer is, and when you opened the image. [To avoid this, if you so wish, you can enable “Ask before displaying external images” in your Gmail settings.]
- When you click a link in an email, the webpage that opens can run malicious code within your browser — most notably if you have Flash or Java enabled. That malicious code can do various things, but at the very worst it means an attacker can gain full access to everything on your computer, including to any logged-in accounts like your email. [To somewhat mitigate this risk, you can always disable Java and Flash in your various web browsers, only enabling them when you’ll be running trusted Java-using or Flash-using sites, which is a rare occurrence in the age of HTML5.]
- If a malicious email or link prompts you for the username and password of your email or any other account, and you supply them, the phishers will be able to log in as you and access all the info in that account. In the case of your email, they can send email as you, download any attachments from your emails, and gain access to any other accounts that use your email as a recovery method.
- Often when you click a malicious link, it’ll trigger a download of a malicious application, which may not look like an application at all. If you run or install it (either because your browser runs it automatically on download or because you open it yourself), at the very worst it means an attacker can gain full access to everything on your computer, including to any logged-in accounts like your email. [To avoid this, you can disable automatic downloads, and autorun, in your web browser; and generally be wary of things you download from unknown sources.]
In short: this email was clearly a bad actor (not like Jared Leto, it was a hacker) trying to steal whichever password I might be foolish enough to give them. And since it was personalized to me, I feared similar emails could’ve been sent to other staff members. And we’re a smart bunch, but better safe than sorry!
I jumped off the train at my stop, and into action. First, I forwarded this phishy nonsense to our Data Security Evangelist, Mark Famiglietti. Then, I went to Chatter, the internal network we use to communicate, to warn our full staff. Just before I hit the “Share” button, I got an ominous reply from Mark [pictured above].
I got him on the phone post-haste. He laughed. “It’s me. Click the link.” I did, and this page greeted me:
And a wave of relief washed over me.
We’re always trying various tricks to strengthen our data security. And Mark, intrepid as always, had orchestrated a phishing test as one of those tricks. Fortunately, our staff did quite well! Most folks reached out to Mark or myself with the same degree of urgency I had just experienced.
The takeaways from this whole experiment are 1. it’s fun to prank your staff, I totally recommend it, and 2. it’s worth reminding your staff about what phishing is, what its dangers are, what it looks like, and how to avoid it. In fact, you might consider setting up a similar phishing test for your staff.
Just in case you get phished anyway despite diligently following all this advice: enable two-factor authentication on all your accounts that support it! Every time you log in, you’ll get a message on your phone with a code to enter into the login page that confirms you are indeed yourself. That way the only way to log in is to have your cell phone on hand — which Phishy McGee almost certainly won’t.
Congratulations: now that you know how not to be phished, you’re officially: