Sunday, 21 January 2024

Is AI phishing in my Bigpond?

CAVEAT: This post is about a scam email that arrived through my Telstra Bigpond email. It is an instance of a phishing email impersonating the Telstra brand, and it made it through the Telstra email filters. Apart from indicating that Telstra's email filters require tuning (an ever-present task for any organisation), Telstra is also a victim here: its brand and reputation are under attack from such phishing campaigns.

It is 2024, yet scam and spam emails are still a significant part of the cyber-threat landscape. There is still such variation in email scams that some percentage will always make it through the well-maintained email filtering systems of large organisations. That percentage can only be stopped by the awareness, attention and practices of the end user.

For many years the cyber-security industry has been educating end users on how to spot scams and phishing emails with some simple rules:
  • Are the promises of the email too good to be true?
  • Is the spelling and grammar of the email wrong?
  • Is the sender's email address different to the organisation that they are pretending to be from?
  • Hovering over any links in the email, do the URLs fail to match the corporate brand, or do they contain long query strings that might be code?
  • Is the email threatening the user with something unless quick action is taken?


Answering “Yes” to one or more of these staple identifiers builds our confidence that the email is a scam or phishing attempt. But now, with the popularity and availability of a number of Large Language Models (LLMs), which the popular media sells as “AI”, and their adoption by cyber criminals to write phishing email content, detecting phishing emails has become harder for the end user. Some of the old points to look for are still valid, but others need updating.

I will investigate this in the light of a phishing email that I recently received, via my personal Telstra Bigpond inbox. Whilst I cannot prove absolutely that the content of the phishing email was generated by an LLM, I believe the qualities of the email suggest that it likely was generated by such a tool.

Promises to Bait the Hook


Does this email make a promise that is too good to be true?



Knowing the status of my account with Telstra, the subject line of the email does not immediately raise alarm bells. It is not entirely comforting either, for three reasons:
  • Hedged wording - “You can request”. ‘Can’ offers rather than states; perhaps a subtle way of dangling something.
  • Terminology - “refund of your money”. I would expect this to say “refund of payment”.
  • Past experience - I know from the past that where there have been issues with the products or services that Telstra provide, they prefer not to refund, but will happily put a credit on my account as their preferred remediation step.

I suspect that the subject line of the email was written by a human.

Misspelling and Wacky Grammar


Does this email have a stack of misspelled words and poor grammar? No, and that is what leads me to think that it may have been generated by an LLM tool.




On the whole, the email is short, succinct and to the point. If this was crafted by a human, the brevity of the text has helped them to avoid translation errors, grammatical errors and misspellings. But it is not perfect.

There are two places in the text that do pique my attention, and both exhibit incorrect use of capitalisation (one of them is the capital ‘Y’ in “To fix that problem, You need to update your information in your account.”):




Situation Requiring User Action


Yes, this email has a call to action, but it is expressed softly: “To fix that problem, You need to update your information in your account.”

I feel that this is an indicator of either LLM generation of text, or a very smart human operator. They have not actively told the user that they have to fix something. Instead they have suggested that the user could fix something. Why do I feel that this indicates that the cyber criminals are using an LLM? Because active threats and calls to immediate action with unrealistic consequences are the hallmark of phishing campaigns of the past. This email takes an entirely subtle approach, likely generated by an LLM that has been fed examples of past successful phishing campaigns.

The email suggests that the user needs to fix a problem. It does not tell the user that they need to fix the problem right now. It does not threaten the user with consequences if they do not fix the problem. By taking this approach, this email is more likely to slip under the guard of many users. Even if it is too subtle to actually prompt a percentage of people to take action, it could still be successful with a smaller percentage.

Links and Technical Things


So, the text and general presentation of the email don't clearly identify this as a scam. If I had recently changed bank accounts or recently had some issue with my Telstra account, I might be tempted to follow up by clicking the action button in the middle of the email. But let's check out some of the other details first.

In my email inbox, hovering over the email in the list shows that the sender's email address does not match Telstra's branding: medgasbd.com ≠ telstra.com

 



Within the email, there is the action button, and three hyperlinks that appear to lead to corporate information: contact details, privacy statement, and terms and conditions. My first assumption was that none of these lead to where they pretend to. Hovering over each button/link in turn puts that to the test.

The action button leads to a shortened URL:

 



I attempted to use a couple of services that can reveal the full URL behind a shortened URL. Neither getlinkinfo.com nor unshorten.it was able to return a result. To my mind this suggests that whatever site the action button did lead to has been taken down: either the cyber criminals were done with it and have moved to a new URL, or law enforcement may have acted against the site. (A failed lookup is not proof of a takedown, though: the shortener itself may have disabled the link after abuse reports, or the destination may only answer to a browser rather than to an expansion service.)

The ‘corporate’ links - .Contact Us, Privacy, and Our Customer Terms:

 



One immediate visual inconsistency - “.Contact Us” has a full stop at the beginning. Odd.

The expression of terms and conditions as “Our Customer Terms”, is different to what I would expect, but I checked it against known legitimate emails from Telstra, and they do use that terminology.

When hovering over these links, the URLs are revealed. At first look they may pass for legitimate Telstra links. The concern I have is that the query string part of the URL, “?qs=a660bf42ba...”, is an encoded token that is not humanly readable: we cannot tell what it does or what the result of clicking on the link will be. However, when compared with the links in a legitimate Telstra email, this is very similar. The “https://click.messages.telstra.com/?qs=” prefix is the same; only the encoded value at the end differs. From this, my thoughts are that these are legitimate links to Telstra, possibly copied from an earlier Telstra email that the cyber criminals have found. That is the shape of a click-tracking redirect used by bulk-mail platforms: the token identifies the campaign and recipient, the server logs the click and then redirects to the real page. Two cautions follow. A tracked link lifted from a genuine marketing email still works, so it lends no authenticity to the email around it; and clicking the action button to “test” a suspicious email confirms to the sender that the mailbox is live and read.
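As an added illustration (not code from the original post), here is a small Python check that automates the “hover over the link” inspection described above against the HTML body of an email. It extracts every anchor and flags shortener hosts, hosts whose registrable domain is not the brand's, long opaque query tokens of the ?qs= kind, and visible link text that names a different site from the href. The sample HTML, the shortener list, the bit.ly and example.net addresses and the qs= token values are all constructed for the demo; the fourth link is a case the post does not contain, added to show the general text-versus-href mismatch check.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Hypothetical shortener list for the demo; a real check would use a maintained feed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

# Constructed HTML body in the shape of the email discussed in the post.
# Link 1: the action button behind a shortener (shortener chosen for the demo).
# Links 2-3: click-tracking links like the real Telstra ones; the qs= tokens are made up.
# Link 4: not in the post; added to show visible text naming a different site from the href.
SAMPLE_HTML = """
<p>To fix that problem, You need to update your information in your account.</p>
<p><a href="https://bit.ly/3xExample">Update your account</a></p>
<p>
<a href="https://click.messages.telstra.com/?qs=0123456789abcdef0123456789abcdef01234567">.Contact Us</a>
<a href="https://click.messages.telstra.com/?qs=fedcba9876543210fedcba9876543210fedcba98">Privacy</a>
<a href="https://example.net/account">https://www.telstra.com/myaccount</a>
</p>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def org_domain(host):
    """Crude registrable domain (last two labels); production code should use the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_links(html, brand_domain):
    """Return one record per link with the red flags a hover-over inspection would raise."""
    parser = _Anchors()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        flags = []
        if host in SHORTENER_HOSTS:
            flags.append("shortened-url")  # destination hidden, and may already be dead
        if org_domain(host) != brand_domain:
            flags.append("off-brand-host")  # the basic "does the URL match the brand" check
        # Long tokens made only of base64/hex characters: a tracking id or an encoded payload,
        # unreadable either way.
        if any(len(v) >= 20 and re.fullmatch(r"[A-Za-z0-9+/_=-]+", v) for _, v in parse_qsl(parts.query)):
            flags.append("opaque-query-string")
        shown = re.search(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", text.lower())
        if shown and org_domain(shown.group(1)) != org_domain(host):
            flags.append("visible-text-host-mismatch")  # text names one site, href goes to another
        report.append({"href": href, "text": text, "flags": flags})
    return report


if __name__ == "__main__":
    for item in assess_links(SAMPLE_HTML, "telstra.com"):
        print(item["text"], "->", item["href"], item["flags"] or "no flags")
```

Run as a script, each link prints with its flags. The check deliberately does not resolve the shortened URL: as the expansion-service attempt above shows, a dead or blocked shortener tells you little, and resolving links from a live phishing email from your own machine is a click you did not want to make.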

Review the Original Source


Most reputable email clients and web-mail applications, Google's Gmail included, have some option for viewing the raw source of an email (Gmail calls it “Show original”).

Using such features, you can quickly discover further clues that support or undermine the legitimacy and authenticity of the email you have received. The first part to look at is the summary of the email header information.


 

These details make it clear that the sender of the email is not part of Telstra. First, the sender's email address appears to be timc@medgasbd.com. Second, the DKIM (DomainKeys Identified Mail) check has a ‘pass’ result, but the signing domain (the d= tag of the signature) is NETORG674477.onmicrosoft.com.

So the sender's email address does not match Telstra, and does not match the domain that signed the email either. Note that onmicrosoft.com is Microsoft's own default domain for Microsoft 365 tenants, and a name like NETORG674477.onmicrosoft.com is the auto-generated tenant name of an organisation that never set up a custom domain. The DKIM pass therefore proves only that some Microsoft 365 tenant signed the message, not that Telstra did. Criminals routinely send from trial, throwaway or compromised tenants of exactly this kind, so a DKIM pass against a domain unrelated to both the brand and the From address is a red flag rather than reassurance; this is precisely the mismatch that DMARC alignment is designed to catch. Definite red flag here.

Scrolling down to the further details, we see a potential reason why the Bigpond mail filters failed to trap this email. Its body is not readable in the raw source: it is a block of encoded data rather than plain text.




Because of that encoding, a filter that only pattern-matched the raw text might not have seen the wording in the body of the email, and might have missed the dodgy link behind the action button. One caveat: if the block is base64 Content-Transfer-Encoding, as it is in most HTML email, it is standard MIME rather than encryption, and mail gateways decode it routinely before scanning, so this alone is unlikely to be the whole explanation.
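Added example, not from the post: a Python triage of the raw source that pulls out the pieces discussed in this section. It reads the From: domain, the d= tag of the DKIM-Signature, the Authentication-Results verdicts and the decoded body, then reports where a DKIM “pass” is not aligned with the From: domain (the check DMARC performs), where the display name borrows the brand, and that the body was merely transfer-encoded rather than encrypted. The raw message is constructed from the details on the page (timc@medgasbd.com, NETORG674477.onmicrosoft.com, the subject line and body wording); the receiving host name, recipient address, selector, signature values and the bit.ly link are placeholders.

```python
import base64
import re
from email import message_from_string
from email.utils import parseaddr

BRAND_DOMAIN = "telstra.com"

# Constructed body (wording from the post; the bit.ly link stands in for the real shortened URL).
_BODY_HTML = (
    "<p>To fix that problem, You need to update your information in your account.</p>"
    '<p><a href="https://bit.ly/3xExample">Update your account</a></p>'
)

# Constructed raw message. Sender address and DKIM d= domain are the ones quoted in the post;
# the receiving host, recipient, selector and signature values are placeholders.
RAW_EMAIL = (
    "From: Telstra <timc@medgasbd.com>\r\n"
    "To: customer@bigpond.com\r\n"
    "Subject: You can request a refund of your money\r\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=medgasbd.com;\r\n"
    " dkim=pass header.d=NETORG674477.onmicrosoft.com\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=NETORG674477.onmicrosoft.com;\r\n"
    " s=selector1; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/html; charset="utf-8"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(_BODY_HTML.encode("utf-8")).decode("ascii") + "\r\n"
)


def org_domain(host):
    """Crude organisational domain (last two labels); use the Public Suffix List in real tooling."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def dkim_signing_domains(msg):
    """The d= tag of each DKIM-Signature: who actually vouched for the message."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)d=([^;]+)", re.sub(r"\s+", "", sig))  # drop header folding first
        if m:
            domains.append(m.group(1).lower())
    return domains


def auth_results(msg):
    """method=result pairs from Authentication-Results (RFC 8601, simplified)."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", re.sub(r"\s+", " ", hdr)):
            verdicts[m.group(1)] = m.group(2).lower()
    return verdicts


def decode_body(msg):
    """Undo the Content-Transfer-Encoding (base64 here). This is encoding, not encryption."""
    part = msg
    if msg.is_multipart():
        part = next((p for p in msg.walk() if p.get_content_type() == "text/html"), msg)
    raw = part.get_payload(decode=True) or b""
    return raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def triage(raw_email, brand_domain=BRAND_DOMAIN):
    """Pull the sender, signer and body out of a raw message and list the red flags."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower()
    signers = dkim_signing_domains(msg)
    verdicts = auth_results(msg)
    body = decode_body(msg)
    urls = re.findall(r"https?://[^\s\"'<>]+", body)

    flags = []
    if org_domain(from_domain) != brand_domain:
        flags.append("from-domain-not-brand")
    if brand_domain.split(".")[0] in display_name.lower() and org_domain(from_domain) != brand_domain:
        flags.append("display-name-impersonation")
    # A DKIM pass only helps if the signing domain aligns with the From: domain (what DMARC checks).
    if verdicts.get("dkim") == "pass" and not any(org_domain(d) == org_domain(from_domain) for d in signers):
        flags.append("dkim-pass-but-unaligned")
    if msg.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
        flags.append("base64-body")  # informational: gateways decode this routinely
    return {"from_domain": from_domain, "dkim_domains": signers, "auth": verdicts, "urls": urls, "flags": flags}


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

The alignment test is the part worth keeping: a DKIM pass on its own is meaningless, since any tenant can sign its own mail. What matters is whether the signing domain and the visible From: domain belong to the same organisation, and here they do not. The decoded body also shows that the base64 block is ordinary HTML once decoded, which is why a gateway scanner would still have seen the link.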

The Final Clue - The Big Picture


Sometimes the best way to determine whether an email is fraudulent is to read the whole email. Read all of it, and ask yourself whether it makes sense. With this specific phishing email, this was actually the biggest and most obvious clue, and it required no technical know-how.

In this email there are three elements that are readily visible to the user, and all of them are inconsistent with each other:
  • The subject line - the subject line tells the user they may request a refund
  • The body of the email - does not mention a refund, but tells the user a payment has failed and that they can fix the problem
  • The footer of the email - tells the user “THINGS YOU NEED TO KNOW”, and refers to service and performance related outcomes/limits. This has nothing to do with refunds, nor account details. Perhaps the scammers put this in because the server that they were hosting their dodgy fake-Telstra site from was not very powerful. (Just my speculation)


To my mind, the three pieces of information listed above do not feel like they come from the same email, nor do they belong in the same email. I feel that any well-practised corporate organisation would pick up such issues when designing its email templates.

To Recap - Red Flags


This post is longer than I envisaged, and there is a lot to take in. Some of the elements of the email that we investigated lend some credence to potential authenticity, but I feel that this is truly outweighed by the following red flags that mark this email as a phishing scam:
  1. Shortened URL for action button, which appears to no longer be active.
  2. Inconsistent content - effectively changes topic and voice in a couple of places
  3. Sender email address does not belong to Telstra
  4. DKIM signing domain is clearly not Telstra and is not aligned with the sender address: an anonymous Microsoft 365 tenant, of the kind routinely abused in phishing campaigns
  5. Capitalisation is incorrect.


In summary, LLMs and AI may be helping the scammers to produce more authentic looking phishing emails. But for now, many phishing or scam emails can still be spotted by a user who is paying attention.
