Have you ever received a suspicious email that made you wonder if it was a scam? Join Yigal Behar on The Cybersecurity Insider as he investigates a real-world case study of phishing emails.
This episode deconstructs the tactics used by cybercriminals to deceive unsuspecting victims, and provides fundamental insights to enhance your email security awareness.
The Email
Yigal begins the podcast by recounting a recent email he received from a customer, a continuation of a previous case study on an Office 365 data breach.
The email, seemingly from the company’s help desk, is addressed to “Steven” and warns that his password will expire today, offering a link to “retain” his password. Yigal notes the suspicious nature of the email, highlighting the sender’s masked information and the unusual “.co.jp” domain, characteristic of Japanese corporations.
He then proceeds to dissect the email further, revealing the embedded link that, if clicked, would lead to a dubious website.
Yigal displays the URL, a complex string of characters that further confirms the email’s malicious intent. He emphasizes the deceptive nature of such phishing emails, designed to trick unsuspecting recipients into compromising their sensitive information.
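The indicators described above (a "help desk" display name on a sender from an unrelated external domain, "expires today" pressure wording, and a "retain your password" link that does not point at a Microsoft sign-in host) can be turned into a simple triage check. The following is an added example, not code from the podcast or its author; the two email samples, the organisation domain `example-corp.com`, the link hosts and the short list of trusted sign-in hosts are constructed or assumed for illustration, and the heuristics are a starting point rather than a complete filter.

```python
"""Phishing-indicator triage over constructed email samples (added example)."""
import re
from email import message_from_string, policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the episode: "help desk" display name, sender in
# an unrelated .co.jp domain, urgency wording, and a password link to a non-Microsoft host.
SAMPLE_EMAIL = """\
From: "IT Help Desk" <noreply@mailer-service.co.jp>
To: steven@example-corp.com
Subject: Your password will expire today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Steven, your Office 365 password expires today.</p>
<p><a href="http://kx7q2.example.net/a8f3d9c1b2e4/go?u=steven%40example-corp.com">
Retain your password</a></p>
</body></html>
"""

# Constructed benign counterpart: internal sender, no pressure wording, real sign-in host.
LEGIT_EMAIL = """\
From: "IT Help Desk" <helpdesk@example-corp.com>
To: steven@example-corp.com
Subject: Password rotation reminder
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please rotate your password at your convenience via
<a href="https://login.microsoftonline.com/">the Office 365 sign-in page</a>.</p>
</body></html>
"""

ORG_DOMAIN = "example-corp.com"  # the recipient organisation's domain (assumed)
# Hosts where a genuine Office 365 sign-in lands; illustrative, not exhaustive.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
URGENCY = re.compile(r"\b(expire[sd]? today|within 24 hours|immediately|"
                     r"account will be (suspended|closed))\b", re.I)
INTERNAL_ROLE = re.compile(r"help ?desk|it support|administrator", re.I)
CREDENTIAL_TOPIC = re.compile(r"password|office ?365|sign ?in|login", re.I)
OPAQUE_SEGMENT = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{12,}$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def analyze(raw):
    """Return (indicators, verdict); each indicator is a (code, detail) tuple."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = utils.parseaddr(str(msg["From"]))
    sender_dom = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = str(msg["Subject"]) + " " + body
    found = []

    if sender_dom != ORG_DOMAIN:
        found.append(("external-sender", f"From domain {sender_dom!r} is not {ORG_DOMAIN!r}"))
    if INTERNAL_ROLE.search(display) and sender_dom != ORG_DOMAIN:
        found.append(("internal-role-spoof", f"display name {display!r} claims an internal role"))
    m = URGENCY.search(text)
    if m:
        found.append(("urgency-language", f"pressure wording: {m.group(0)!r}"))

    parser = LinkExtractor()
    parser.feed(body)
    for href, anchor in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if CREDENTIAL_TOPIC.search(text) and host not in TRUSTED_LOGIN_HOSTS:
            found.append(("untrusted-login-link", f"{anchor!r} -> {host}"))
        if host and host not in TRUSTED_LOGIN_HOSTS and not host.endswith(sender_dom):
            found.append(("link-sender-mismatch", f"link host {host} vs sender {sender_dom}"))
        if any(OPAQUE_SEGMENT.match(seg) for seg in parsed.path.split("/")):
            found.append(("opaque-link-path", f"random-looking path segment in {href}"))

    verdict = "likely phishing" if len(found) >= 3 else "review"
    return found, verdict


if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        indicators, verdict = analyze(sample)
        print(f"{label}: {verdict}")
        for code, detail in indicators:
            print(f"  [{code}] {detail}")
```

The check never follows the link; it only inspects headers and the parsed HTML, which is the safe first step before anyone decides whether the destination needs to be examined in an isolated environment. The threshold of three indicators is arbitrary and should be tuned against real mail from the organisation.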
The URL
Yigal identifies the gibberish-like URL as suspicious and not an official Office 365 link. He then stops sharing his screen, minimizes the window, and copies the suspicious link to further investigate its destination. He prepares to share his screen again to walk his audience through the process of uncovering the phishing attempt.
Redirect
Yigal pastes the copied link and presses enter. A message pops up, indicating a redirect is in progress. Yigal contrasts this with the typical redirect path for an official Microsoft Office link, emphasizing the irregularity of this specific link.
To avoid revealing sensitive information, Yigal cleverly employs a CAPTCHA-solving service to bypass the “I am not a robot” verification step. The redirect then leads to a seemingly legitimate login screen, adding another layer of deception to the phishing attempt.
Yigal prepares to showcase this misleading screen, highlighting the intricate tactics used by cybercriminals to lure unsuspecting victims.
Full Email Address
After successfully bypassing the “I am not a robot” check, the screen redirects, revealing the full email address targeted in this phishing attempt.
Yigal decides to stop sharing the screen temporarily, likely to safeguard the sensitive email address from being publicly exposed. He then attempts to proceed with the investigation but encounters an unexpected delay as the page seems unresponsive.
Password
Yigal describes the multi-stage login process of the phishing website. After entering the username, a new screen prompts for the password. The site accepts any password entered, which is a red flag: a genuine login page rejects a wrong password, so a page that accepts anything suggests it is a scam.
Interestingly, the site then redirects to another location, prompting Yigal to share previously saved screenshots of the process.
After some technical difficulties and a brief musical interlude, he successfully displays a screenshot showing the “wrong password” message, even though any password leads to the same result. He notes a peculiar redirect link and attempts to showcase another screenshot but faces some navigational challenges.
Release Message
Yigal points out that the misleading login page then redirects to a strange URL: cloud.surface.com, with the message “release.” This peculiar combination raises further suspicion. He explains that the phishing website’s purpose is to collect the password associated with the entered username, while falsely claiming that the email has been released. Yigal criticizes the attackers for their sloppy approach, evident in the inconsistencies in their messaging.
Yigal assures his audience that he has additional screenshots showing the password request, but refrains from displaying them to protect the customer’s information. He urges listeners to exercise caution and emphasizes the importance of reporting suspicious emails to cybersecurity experts. He recounts how the customer wisely sought professional advice before interacting with the phishing email.
He also details how he personally tested the phishing link and successfully captured the entered password. He insists that the links within the phishing email are inactive, and the only way to proceed is by entering the password.
He stresses teaching employees how to spot and avoid phishing emails, suggesting this video as a helpful training resource to prevent future attacks.
Tune in to The Cybersecurity Insider podcast for more in-depth case studies, expert insights, and practical tips on staying safe online. Make sure to follow and subscribe to our YouTube channel, Apple Podcasts, and Spotify to never miss an episode and keep your digital life secure.
Here’s to safe Internet browsing!