CreditsLast Updated 2014-03
In this exercise participants will examine an email for clues about its authenticity, including its origin, content, and context. From this analysis, participants will be better equipped to determine whether or not it potentially contains harmful malware or could otherwise lead to a user compromising their identity or personal information.
Leave a note anywhere on this page - look for the Hypothes.is toolbar in the upper right-hand corner.
This will take an hour or so to prepare, though once it is prepared you don’t need to do so again. You can identify examples “in the wild” or from news stories to use, although creating your own can provide more utility and practice for training participants, since you can ensure it illustrates everything that needs to be covered.
Be sure you have examples of very obvious and general malicious phishing emails that most participants would be suspicious of when paying attention, and a very convincing spear-phishing email.
Send an e-mail to yourself and export it as a .EML file (Mail message file) so that you can edit the source code. You can use Notepad or any other text editor to do so.
To export to EML, simply select your message and click “Save As”. Then select “Outlook Message Format - Unicode” as your file type.
To export to EML, right-click on the e-mail message you would like to export and select “Save as”. Leave “All files” as your file type.
To export to EML, click the down arrow next to “Reply” in the header area of the e-mail you want to save. Select “Show original” from the menu that comes up. Select all text, copy it and paste it on any plain text editor (such as Notepad) then save the file as “.EML”.
When composing the e-mail you will send to yourself, include an attachment, such as this “report” to download which is infected with the EICAR script (EICAR simulates a virus, but is otherwise benign and not harmful).
Locate the From: header and add a Reply-to: firstname.lastname@example.org header to show an e-mail can be sent from a spoofed account:
From: Legit Sender <email@example.com> To: Bad Guy <firstname.lastname@example.org>
On the HTML section of your message body, create a “fake URL” that links to a harmful site; for instance, the email might contain what appears to be a link to “example.com” but the link actually points to “harmfulsite.com”.
Content-Type: text/html; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Remember to visit <a href=’http://www.harmfulsite.com’> http://www.example.com</a> to win our contest! <br><br>
You may choose to create a “stock” email for this exercise, with customized versions for various trainings. Keep in mind that most participants will be familiar with your average general phishing email and may benefit more from an email that is more targeted towards them and their community. Be sure to include:
Also include a URL lnk that appears to go to an innocuous site, but actually goes to a different, malicious-looking URL; for example, a sentence that says:
Please check out our campaign page at www.facebook.com/OccupyMainStreet
…where the URL actually links to a malicious URL that only becomes visible when you either mouse over it or click on the link and are redirected.
Choose your sender and receiver emails wisely, along with any cc’d emails - these can be used to illustrate how emails can seem trustworthy or valid at first glance, and should be examined more closely especially give the common tactic of cc’ing contacts the recipient may know or are familiar with.
Other examples can be addresses that may be secondary accounts for legitimate contacts (e.g., “email@example.com” as a misleading Human Rights Watch staffer emailing about regional human rights issues if your participants work with HRW).
Anything else you can think of, especially any contemporary tactics or tactics that are being employed to target high-risk actors similar to your participants.
You can also create a website as an example of phishing. This is recommended for trainers with some previous knowledge of HTML editing, Apache server configuration, and name to IP-translation using the HOSTS file.
You don’t have to link to this site in your email. The purpose is simply to show how a hacker might camouflage a fake site with a clever URL - such as “tvvitter.com” - while maintaining the design of the genuine site.
Use WinHTTrack to create a local copy of the website on your computer. After opening WinHTTrack click “Next” to start a new project.
Make sure that the address is correct, as some websites redirect the user to other domain names; for example, at the time of this writing [http://www.facebook.com] was redirecting users to [https://www.facebook.com] (the SSL-enabled Facebook), meaning that WinHTTrack would not find files to download under [http://www.facebook.com].
Install XAMPP on your computer - if you extract XAMPP in a top level folder like “C:" or “D:", you can start most servers like Apache or MySQL directly.
Follow these steps to edit your hosts file based on your operating system. Each line of your hosts file translates a certain name to a specified IP address - the typical syntax consists of three parts, each separated by a space:
If, for example, you would your fake website (currently hosted in 127.0.0.1) to link to the domain “tvviter.com” then you will need to include the following in your hosts file:
127.0.0.1 tvvitter.com #Optional Comment
Remember that this will only point “tvvitter.com” to your mirrored website. If you would also like the website to be accessible from “www.tvitter.com” you will need to include a separate line, like this:
127.0.0.1 tvvitter.com #main url 127.0.0.1 www.tvvitter.com #www
Save the changes to your host file. Open your browser and go to tvvitter.com. You should be able to see your mirrored page.
This activity directly blends into the discussion that follows, so the division below is somewhat false.
Each participant receives the email via their mail client or via USB.
Display the e-mail on the projector and walkthrough the analysis together as a group.
Share the e-mail you’ve prepared with all participants, and ask them to open it using a mail client to see what happens when they click the links or open the attachment.
Display the email via projector and engage the participants as a group as you analyze the email and its contents, going through the same steps as above.
Once the email is shared, you can lead a discussion as participants explore its content and components. Items to cover as you have participants explore the email: