by Philine Heß
Published in: Background

Malware in phishing emails is a major concern for many businesses and individuals, and no wonder: in the digital age there is always a risk of malware being downloaded unintentionally via email. One popular strategy cyber criminals use to hide malware in email is ruthless phishing. But how can you identify phishing emails as such? With preventive measures, the risks and consequences of a malware infection through phishing emails can be reduced considerably. In this blog post we look at what is behind the malware and how you can protect your IT from phishing attacks with the smallest of measures.


Risk of malware software in emails

The most common malware infections occur when users accidentally open a contaminated link or attachment in a phishing email, which then downloads the malware. These links and attachments can carry dangerous malware such as Trojans, bots or ransomware, so malware can spread with just one click. To raise awareness of such dangers, it is important to know what exactly is hidden behind the links and attachments. First, let's look at some examples of malware.

What are Trojans?

You have probably heard of the Trojan Horse. The battle for Troy seemed hopeless for the Greeks until the Greek king Odysseus came up with the cunning idea of the wooden horse: a gift for the Trojans in recognition of the battle they had won, but with Greek soldiers hidden inside. And so the inhabitants of Troy pulled the enemy into their city with this gift. Cyber criminals use a similar method today to install Trojans on other people's systems. Hackers disguise their malware as something useful and simply wait for the unsuspecting to install it themselves.

A current example is "Emotet", a malicious program that has recently wreaked havoc on businesses and households around the world. The attackers proceeded as follows: affected persons received authentic-looking emails with fabricated content from senders with whom they had recently been in email contact. Because the sender's name, title, signature and email address were entered correctly in the subject, these phishing emails appeared trustworthy. It is understandable that such messages would mislead you into opening malicious attachments or links. Once the device is infected, Emotet keeps downloading further malware until it can finally take complete control of the system.

What are botnets?

Botnets are networks of computers that have been infected with malware (bots). Such a computer is then remotely controlled by criminals via the bot and misused for certain actions, for example to send spam automatically or even to carry out DDoS attacks. The aim of these attacks is to take large websites out of service by bombarding a server with so many requests that the system can no longer process them and ultimately crashes. The bot malware can be picked up through sophisticated phishing emails with malicious attachments and websites, through weaknesses and errors in already installed programs and operating systems, or through incorrectly implemented protocols. Hackers then use these security vulnerabilities to deploy their bots. A botnet can also turn you from the victim into the perpetrator of an attack, as your system executes commands outside your control. The dangerous thing about it: all of this usually happens in the background without you even realizing it.

What is ransomware?

Probably the most direct form of malware that can hide behind phishing emails is ransomware. This malware is also aptly referred to as an extortion Trojan, and not without reason: once ransomware is installed, it immediately blocks access to the infected device, or alternatively encrypts important files or drives. As insidious as it is, ransomware demands a ransom before you regain full access to the affected devices and data. And even paying the ransom does not guarantee that the blocked devices and data will be released again. Particularly malicious ransomware versions are even equipped with a timer.

How to recognize phishing mails

As mentioned earlier, hackers like to use various phishing emails or websites to launch the malware attacks just listed. So that a malware attack does not occur in the first place, we will now show you how to recognize phishing emails and how to tell that an attacker has cast their fishing rod into your inbox.

Some time ago, a phishing email could usually be identified by poor writing style, grammatical errors, incorrect addressing or strange sender details. Today, many attackers use insidious methods and unscrupulous deception to trigger user actions and distribute their malware directly to third-party devices. Well-known debt collection agencies ask you to open invoices even though you are not aware of any debt collection case, and your bank threatens to block your account if you do not enter your access data. You get a queasy feeling and start to think. However, these are often malicious phishing campaigns that closely imitate the email design and structure of a well-known company. Large companies and Internet platforms such as PayPal, Amazon or banks are often given as the sender in order to suggest a certain trustworthiness to the user. Many of these phishing emails have been around for a long time and are known for their threatening calls to action. In most cases, email services can filter this type of phishing email so that it ends up where it belongs: right in the spam or junk mail folder. However, if it doesn't, here is an important note:

Banks, online shops, classified ads platforms and providers in particular always request customer data in accordance with the GDPR, and never by email. Do not allow yourself to be tempted by threatened consequences in emails, such as an account lock, to open an attached file or link, let alone to reveal personal data. This is usually just a fishing lure. So please don't bite. ;)

With spear phishing, things are a little more sophisticated. The sender of the phishing email poses as a person the recipient trusts, pretending to be a colleague or friend, for example. These personalized phishing attacks seem so credible at first glance that there is little room for doubt.

Another nasty type of phishing is whaling. Here the hunt targets a big fish, usually a manager or executive. As with spear phishing, the goal of whaling is to induce the targeted individuals (recipients) to take certain actions, such as disclosing confidential data or making a transfer. The only difference is that the sender is always portrayed as a high-ranking person in the company who usually enjoys great recognition (CEO fraud). For even more credibility, the attacker takes personal information from the target person's social media channels to generate tailor-made content and further strengthen trustworthiness. A clever method, because who likes to turn down requests from influential employees or superiors when the content fits you exactly?

Features for detecting phishing emails:

  • The sender poses as a well-known company
  • The sender poses as a friend or colleague
  • Text with urgent need for action
  • Threatened consequences → e.g. personal data must be updated, otherwise the account will be blocked
  • The entry of personal and confidential information is required
  • You will be asked to open a file or link → Fishing Lures
  • Wrong salutation, wrong sender address (see Protection against phishing emails on a psychological level)
  • Mail headers (see Protection against phishing e-mails on a psychological level)

Protection against phishing emails on a psychological level

It often turns out to be difficult not to follow the requested action in a phishing email, as attackers like to play on human weaknesses such as fear and curiosity in their well-thought-out attacks. It is therefore important to always keep a cool head, not to panic and to reconsider whether you should really heed a stranger's call to action. As already mentioned, banks, internet service providers or social media platforms would never request confidential data by email for data protection reasons. The same goes for colleagues or friends. Protection against phishing therefore always requires a healthy amount of skepticism: if you are skeptical in general, you will not open links or attachments that you are not actually expecting.

Phishing only works if an attacker finds enough relevant information about the target person. Popular sources for this are the social media channels of the respective target person (recipient). Anyone who reveals a lot about themselves in their social media profiles hands the attacker their personal data on a silver platter. For reasons of personal safety, it is especially important not to post confidential information about yourself, because the more information an attacker has, the more trustworthy a phishing email they can craft. It is therefore an advantage to publish personal data on social media only to a very limited extent.

Anyone who is unexpectedly asked in an email by a supposedly trustworthy person to open a link or attachment should always be skeptical first. In some cases the email address is obfuscated and at first glance appears to be the address of the colleague or friend. If you look closely at the email header (1), you will see the actual address, which is far from trustworthy. In addition, the forgery-proof IP address of the sender should always be in the email header. If you know the sender personally, ask them when in doubt whether this email actually came from them. The same applies to links and URLs in emails.

URL spoofing lets attackers make domains look like legitimate addresses. Without having to click directly on a disguised link or button, the actual link can be checked by hovering the cursor over it. In most cases, an unencrypted (http) connection, a typo in the second-level domain (2) or an unsuitable country code in the top-level domain (3) are a signal that the link should not be opened under any circumstances.
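As an added illustration (not part of the original post), the following Python script applies the checks described in the two paragraphs above to a constructed sample message: it reads the real sender address and relay IP from the header, and flags an unencrypted http link, a typo in the second-level domain and an unexpected top-level domain. The trusted domain, the expected TLDs and every address in the sample are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains you actually correspond with and the TLDs you expect from them (assumed values).
TRUSTED_DOMAINS = {"keyweb.de"}
EXPECTED_TLDS = {"de", "com", "net"}

# Constructed sample: the display name claims a known contact, but the real address,
# the relay IP and the link all point elsewhere. Every value here is made up.
SAMPLE_MAIL = """From: "Anna Mueller" <anna.mueller@keyweb-invoices.co>
Subject: Urgent: invoice overdue
Received: from mail.example.net ([203.0.113.5]) by mx.example.com; Mon, 2 Mar 2020 08:14:00 +0000

Please check the invoice here: http://www.keyvveb.co/login
"""

def sender_info(raw):
    """Display name, real From address and the first relay IP found in the Received headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", " ".join(msg.get_all("Received") or []))
    return name, addr, (ips[0] if ips else None)

def domain_warnings(host):
    """Signals 2 and 3 from the text: a lookalike second-level domain or an unexpected TLD.
    A similarity ratio of 0.75 or more catches swaps such as 'vv' for 'w'; unrelated names stay far below."""
    sld, tld = host.lower().split(".")[-2:]
    if f"{sld}.{tld}" in TRUSTED_DOMAINS:
        return []
    warnings = []
    for trusted in TRUSTED_DOMAINS:
        t_sld = trusted.split(".")[-2]
        if sld != t_sld and SequenceMatcher(None, sld, t_sld).ratio() >= 0.75:
            warnings.append(f"second-level domain '{sld}' looks like '{t_sld}'")
    if tld not in EXPECTED_TLDS:
        warnings.append(f"unexpected top-level domain '.{tld}'")
    return warnings

def check_mail(raw):
    """Collect the warnings a reader should weigh before opening anything in the message."""
    name, addr, _ip = sender_info(raw)
    warnings = [f"sender '{name}' <{addr}>: {w}" for w in domain_warnings(addr.split("@")[-1])]
    for url in re.findall(r"https?://\S+", message_from_string(raw).get_payload()):
        if not url.startswith("https://"):
            warnings.append(f"{url}: no https (signal 1)")
        warnings += [f"{url}: {w}" for w in domain_warnings(urlparse(url).hostname)]
    return warnings
```

Running `check_mail(SAMPLE_MAIL)` yields one warning for the sender's .co address and three for the link (http, lookalike "keyvveb", unexpected .co); a genuine https link to keyweb.de yields none.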

How to protect yourself against phishing attacks with simple measures:

  • No matter how trustworthy the sender appears to you, never give out personal information such as passwords, credit card details or transaction data via email
  • Open file attachments and links in emails only with care, even if you think you know the sender
  • Check suspicious links before clicking on them
  • When in doubt, always contact the suspected sender to determine whether this email was actually from them and to inquire about its credibility

Protection against phishing emails on a technical strategic level

Opening email attachments and searching for information on the Internet are part of everyday work. Of course, this increases the risk of opening a deceptively genuine phishing link or attachment. Basic protection, especially at the technical and strategic level, should therefore be in place to prevent attackers from breaking into hardware or software. First, we would like to give an overview of possible IT security precautions.

  • Make backup copies

Especially if you want to protect yourself against ransomware, it is important to make backup copies. If an attacker actually succeeds in gaining unauthorized access to a device, the device can ideally be formatted and reloaded with a clean version from a current backup. It is therefore particularly beneficial to create a backup and recovery plan so that your systems are backed up regularly. Various cloud storage solutions such as KeyDisc Pro provide a secure basis for performing regular backups. With cloud backup storage, confidential data is stored centrally under the strictest security and data protection conditions in optimal server environments and can be accessed at any time.

  • Stay updated

Not only can recent backups reduce the damage done by malware attacks; updates and security patches for general software, applications, anti-malware tools and device firewalls also help. This denies attackers the chance of gaining unauthorized access through potential security holes in outdated systems. Keeping systems up to date should therefore be part of the firm basis of IT security precautions.

  • Segment the network

Another way to contain malware attacks is to segment the network. The network is divided into different security zones so that attacks can be blocked and their spread to other network areas can be prevented.

  • Sensitize employees

Even if you don't like to hear it, employees are the weakest link in the security chain. It is therefore a good idea to make employees aware of how to handle unfamiliar files or links carefully. Employees should also be instructed to use strong passwords and to install software updates themselves. To be on the safe side, it is a good idea to restrict PC users' access rights. When employees use personal devices on the corporate network, what has already been said about software updates, anti-virus scanners and handling attachments and links applies just as well.

  • Detect and close security gaps

If you want to gain even more security, you can commission a penetration test (pentest). This is an IT security scan that examines a system from the perspective of a cybercriminal to discover vulnerabilities and to determine to what extent existing security measures can ward off known phishing attacks. Open ports, insecure software and other security gaps are discovered, and IT experts develop strategies to eliminate them. Further information on the process and the follow-up measures for the IT security scan can be found here: https://www.keyweb.de/en/hosting/pentest

Affected by phishing, now what?

How do I behave if I ...

  • received a phishing email

If you recognize phishing emails as such, that is already a valuable finding. Move them to the spam folder or delete them immediately. To protect others, inform the affected company and warn your colleagues and friends. You can also check whether there are platforms such as Verbraucherzentrale.de on which you can report phishing emails, so as not to offer the attackers any further attack surface.

  • accidentally opened a prepared link

Phishing attacks have become very persuasive, so it is quite likely that you will open a compromised link or attachment at some point. In addition, with some phishing methods you will not immediately notice that malware has just been installed. Comprehensive basic IT protection is then an advantage. In the best case, there is a current backup so that the device can be formatted and reloaded with a clean version. If you find that your device has been infected with malware, inform everyone you have been in contact with so that the malware does not spread unchecked. In any case, get advice and support from an IT expert who specializes in such cases. If you have been affected by ransomware, keep in mind that paying a ransom is no guarantee that your data will be restored.

Conclusion:

As in many other cases, the following applies to protection against phishing: prevention is better than aftercare. Ideally, apply the preventive measures tailored to your IT security as early as possible in order to avoid unnecessary problems later. It is important to remember that security is an ongoing process and should never stand still. The more firmly relevant security measures are anchored in everyday processes, the more effective the protection against potential phishing attacks. The combination of healthy suspicion and the basic security measures described is intended to serve as a guide for developing your own approach to preventing phishing attacks.


(1) The full email header can be viewed in most programs using View or Options. The email address of the sender, the IP address of the sender, the recipient of the email, the sending date and the subject of the email can be read out.

(2) The second-level domain is the middle section of a domain and contains the domain name, e.g. www.keyweb.de. In this case, "keyweb" is the second-level domain.

(3) The top-level domain is the last section of a domain, e.g. .de, .com, .net

Sources:

https://www.wud.de/it-security/7-gefaehrliche-phishing-angriffsmethoden-die-sie-kennen-muessen/

https://www.bsi-fuer-buerger.de/BSIFB/DE/Risiken/Infektionswege/infektionswege_node.html;jsessionid=D05F77EB52E6727CF52175704CD5B09E.1_cid50

https://www.computerwoche.de/a/diese-mitarbeiter-gefaehrden-ihre-sicherheit,3330382

https://www.ip-insider.de/wie-netzwerksegmentierung-fuer-mehr-sicherheit-sorgt-a-794444/

https://www.verbraucherzentrale.de/wissen/digitale-welt/phishingradar/so-lesen-sie-den-mailheader-6077