What is Phishing?

Phishing is a coined term, usually explained as a blend of "password" and "fishing". In this form of attack, criminals send fake e-mails that ask recipients to follow links to counterfeit websites and enter confidential information there, such as login credentials, passwords or credit card numbers.

In the case of phishing e-mails carrying Emotet, the malicious code reads the user's e-mail correspondence, both the addresses and the contents. This data is then used to generate further e-mails whose sender, subject line and content imitate real, previously exchanged messages: the recipient sees what looks like a reply from a known contact in an ongoing conversation, which is far more convincing than earlier mass mailings. As soon as an attachment in such a phishing e-mail is opened or "clicked on", Emotet loads further malware. Often the user is first asked to confirm the execution of a macro. In such a case, do not confirm; instead, ask the sender via a separate channel (e.g. by telephone) whether the e-mail is genuine.

The document "Detect and fend off phishing attacks" contains further helpful information, including indicators of dubious e-mails and real phishing examples.

How phishing e-mails can be recognized is also explained on the pages of the BSI (German Federal Office for Information Security), which, among other things, provides information about Emotet there.

Phishing Mail Videos

The following two videos give valuable tips on how to recognize phishing e-mails in everyday life.

The videos were created by the SECUSO research group, which is part of the Institute for Applied Informatics and Formal Description Methods (AIFB) at the Karlsruhe Institute of Technology (KIT).

More information: https://secuso.aifb.kit.edu/99.php

Video: SECUSO / Alexander Lehmann 

NoPhish Video I: Checking the sender & recognizing dangerous attachments

NoPhish Video II: Recognizing dangerous links

  1. Only open an attachment if you are sure it is legitimate. Calling the supposed sender helps immensely!

  2. The display name can be chosen freely by the sender. Be suspicious if the display name and the sender address do not match. But beware: the sender address itself is not forgery-proof either.

  3. Mobile clients often show only the display name. Tap the sender's name, or use Forward, to reveal the actual sender address next to the name.

  4. You can check links by holding the mouse cursor over the link (without clicking on it!) and reading the address that appears. Alternatively, copy the link and have it checked by VirusTotal. Note that personalized phishing links often contain a token identifying the recipient, and links submitted to VirusTotal are visible to other users of the service.

  5. After following a link you consider harmless, ALWAYS check the browser's address bar.

  6. Disable the automatic execution and display of active content (macros etc.) in Office applications and PDF readers. Most often, the attachment of a phishing e-mail carries its malicious code in the form of macros.

  7. Refrain from saving passwords in the browser for convenience. Strong, unique passwords make a difference.

  8. Use administrator rights only for administrative tasks, not for general office work.

  9. Regular updates together with active antivirus software form the basis of IT security.

  10. Disable the automatic execution and display of attachments, external links and images.
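Tips 2, 3 and 6 can be checked mechanically on a saved message. The following script is an added example written for this page, not a TU Dortmund tool: it parses a raw e-mail with Python's standard library, compares the display name with the real sender address, flags a Reply-To that leads to another domain, and lists attachments whose file type can carry macros or scripts. Both sample messages, the addresses in them and the extension list are constructed.

```python
"""Triage of a suspicious e-mail: display name vs. real sender address,
diverging Reply-To, and attachments that can carry active content.
Example code for this page; the sample messages below are constructed."""
import email
import os
import re
from email import policy

# Extensions that may carry macros or scripts (assumed list, extend as needed).
ACTIVE_CONTENT_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlsb",
                             ".js", ".vbs", ".hta", ".lnk", ".iso"}
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def analyse_message(raw: bytes) -> dict:
    """Return the visible sender, the real sender address and a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    display_name = sender.display_name if sender else ""
    from_addr = sender.addr_spec if sender else ""
    from_domain = sender.domain.lower() if sender else ""
    findings = []

    # Tip 2: the display name is free text; an address shown there that
    # differs from the real sender address is a classic deception.
    for shown in ADDRESS_RE.findall(display_name):
        if shown.lower() != from_addr.lower():
            findings.append(f"display name shows {shown}, mail was sent from {from_addr}")

    # Replies would go to a different domain than the visible sender.
    reply_hdr = msg["Reply-To"]
    for addr in (reply_hdr.addresses if reply_hdr else ()):
        if addr.domain.lower() != from_domain:
            findings.append(f"Reply-To {addr.addr_spec} leads to a different domain")

    # Tip 6: attachments whose type can contain macros or scripts.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in ACTIVE_CONTENT_EXTENSIONS:
            findings.append(f"attachment {name} may contain active content")

    return {"display_name": display_name, "from": from_addr, "findings": findings}


# Constructed phishing sample: forged display name, diverging Reply-To,
# macro-enabled workbook as attachment.
PHISHING_MAIL = b"""\
From: "servicedesk@tu-dortmund.de" <no-reply@mail-example.test>
Reply-To: helpdesk@another-example.test
To: user@tu-dortmund.de
Subject: Your mailbox will be deactivated
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached form and enable editing.
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="Form.xlsm"
Content-Disposition: attachment; filename="Form.xlsm"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed benign sample for comparison (address is made up).
PLAIN_MAIL = b"""\
From: "Service Desk" <servicedesk@tu-dortmund.de>
To: user@tu-dortmund.de
Subject: Maintenance window on Friday
Content-Type: text/plain; charset="utf-8"

The mail gateway will be restarted on Friday at 07:00.
"""

if __name__ == "__main__":
    for raw in (PHISHING_MAIL, PLAIN_MAIL):
        report = analyse_message(raw)
        print(report["from"], "->", report["findings"] or ["no findings"])
```

Save a suspicious message as a file (see the reporting instructions below) and pass its bytes to `analyse_message`; an empty findings list does not make a message safe, it only means none of these three simple checks fired.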

Anyone who receives a suspicious e-mail purporting to come from TU Dortmund University can send it to the e-mail address
 
 
 
However, it is best not to simply forward the e-mail, but to save it as a file (e.g. in .eml format) and send that file as an attachment, so that the original headers are preserved for analysis.
 
Other social engineering e-mails (spam, phishing without a TU reference) can be reported quickly and easily to our e-mail appliance provider via the corresponding button in the Outlook plug-in (Spam, Phishing, ...), which helps to improve the filter rules.
 
No one is immune to phishing attacks!
The worst case is an infection that nobody notices or reports. If you have opened a suspicious attachment or entered data on a suspicious page:
  • Disconnect the potentially infected computer from the network
  • Contact us at alarm.sic@tu-dortmund.de for the further steps

Fraudulent messages often contain one or more dangerous links, and the message is designed to make you, the recipient, click on one of them. If you do, you are either taken to a deceptively genuine-looking but malicious website that installs malware on your device, or you are asked to enter your confidential credentials on that page, which are then harvested for criminal purposes.

Check the URL or the web address

Before following a link, ALWAYS check the web address that is actually behind the link: what matters is not the link text displayed in the message, but the actual target address.

How to find this information varies with the device, application or service (tablet, smartphone, PC, etc.). Often the URL can be revealed by hovering the mouse over the link without clicking on it; depending on the environment, it is then displayed in an info field or tooltip. The following figure shows Outlook as an example of where the URL is displayed.

Screenshot of an e-mail in Outlook

 

Identify the so-called "who section" (German: Wer-Bereich) in the web address

The who section consists of the last two terms (labels) in front of the third slash, separated by a period: this is the domain name that was actually registered. For some country codes, such as .co.uk, the registered name comprises three labels.

URL with the who section highlighted, containing only "tu-dortmund.de"

The who section tells you which domain (or server) the link actually leads to and normally contains the name of the sender. If the who section is an IP address (e.g. 192.168.0.1) instead of a name, this can be an indication of a fake page.

 

Pay attention to small variations of the web address

Criminals use various obfuscation tactics, for example placing the real who section elsewhere in the web address, such as in a subdomain of a domain they control. The link above could then be presented as follows, with "login.de" as the actual who section:

URL with the who section highlighted, containing "login.de"

 

Sometimes the real domain names are deceptively imitated by marginally changing the string. For example, www.tu-dortmund.de could be modified to www.tu-dortmnud.de or www.tu-dorrtmund.de.

If there remains a residual uncertainty in the interpretation of the web address, it is always recommended to find out the web address of the sender using a search engine such as Ecosia.
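The three checks above (find the who section, look for the real name moved elsewhere in the address, look for small spelling changes) can be put into a small script. The following is an added example written for this page, not a TU Dortmund tool. The allow-list of expected domains, the subset of three-label suffixes and all test URLs, including the "login.de" variant of the figure above and a URL that hides the real name in the user-info part before "@", are constructed assumptions; the lookalike check goes a little beyond the text by using the edit distance to the expected name.

```python
"""Extract the "who section" of a link target and compare it with the domains
we expect. Example code for this page; allow-list and test URLs are constructed."""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"tu-dortmund.de"}        # assumed allow-list of expected senders
# Registries where the registered name has three labels (small assumed subset).
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "org.uk", "com.au", "co.jp", "com.br"}
LOOKALIKE_DISTANCE = 2                       # max. edits still counted as a lookalike


def hostname_of(url: str) -> str:
    """Host part of a URL; user info ("name@"), port and path are dropped."""
    if "//" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def who_section(url: str) -> str:
    """The last two labels before the third slash (three for co.uk-style suffixes)."""
    host = hostname_of(url)
    if is_ip_literal(host):
        return host
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches swapped or doubled letters such as tu-dortmnud.de."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(url: str) -> tuple[str, str]:
    """Return (who section, verdict) for a link target."""
    host = hostname_of(url)
    who = who_section(url)
    if is_ip_literal(host):
        return who, "ip-address"                       # no name to judge at all
    if who in TRUSTED_DOMAINS:
        return who, "trusted"
    if any(label.startswith("xn--") for label in host.split(".")):
        return who, "punycode"                         # may hide look-alike characters
    for trusted in TRUSTED_DOMAINS:
        if trusted in url.lower():                     # real name outside the who section
            return who, f"misleading: {trusted} appears outside the who section"
        if levenshtein(who, trusted) <= LOOKALIKE_DISTANCE:
            return who, f"lookalike of {trusted}"
    return who, "unknown"


if __name__ == "__main__":
    for link in ("https://www.tu-dortmund.de/login",
                 "https://www.tu-dortmund.de.login.de/",        # constructed, cf. figure
                 "https://tu-dortmund.de@evil.example/login",   # real name in user info
                 "https://www.tu-dortmnud.de/",
                 "http://192.168.0.1/login"):
        print(f"{link:48} -> {assess_link(link)}")
```

The verdicts are only a first filter: "unknown" means the who section is simply not on the allow-list, and the search-engine check described above is still the way to confirm the sender's real address.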

On this topic, we also recommend watching NoPhish Video II: Recognizing dangerous links.

Source: The above security tips for recognizing dangerous links are based, among other sources, on the flyer "Fraudulent Messages" by the SECUSO research group of the Karlsruhe Institute of Technology.

Use certificates for signing e-mails.

A digital signature is a proof of authenticity and can be compared to a seal in the analog world. By means of a cryptographic procedure it establishes the real identity of the communication partner as well as the integrity of the mail content.

As a rule, e-mail programs such as Outlook identify such digitally signed e-mails by a certain symbol in the form of a seal.

Clicking on the circled icon will show you the correctness or validity of the signature:

Pressing the "Details" button will display the certificate chain.

The digital signature thus enables the recipient to verify that the e-mail actually originates from the stated sender and has not been modified since it was signed. If the signature verifies successfully, the recipient can be sure that the e-mail is authentic and has not been manipulated by third parties; otherwise the e-mail client displays a warning. This helps to secure mail communication and reduces the risk arising from forged or manipulated e-mails. Unsigned, suspicious e-mails in which the supposed sender asks for sensitive data or requests certain actions can then be identified more easily as fraudulent. Note what a valid signature does and does not prove: it shows that the e-mail was signed with the private key belonging to the certificate issued for the stated address and has not been altered since; it does not show that the content is harmless, since an account whose signing key has been compromised can still send validly signed e-mails, so the usual caution about links and attachments still applies.
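The following added example shows, in code, what a mail client checks before it marks a signature as valid: that the sender's certificate was issued by a trusted authority, that it is within its validity period, that the address it was issued for matches the From header, and that the content has not changed since signing. It was written for this page using the `cryptography` library and is not the page's or ITMC's code; it stands in for S/MIME with a plain RSA signature over the message body and a two-step certificate chain. The authority name, the sender address and all keys are constructed.

```python
"""What an e-mail client checks when it shows a signature as valid:
issuer chain, validity period, certified address vs. From header, integrity.
Example for this page; simplified stand-in for S/MIME, all names constructed."""
import datetime
from email.utils import parseaddr

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_name(common_name: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def issue_certificate(issuer_key, issuer_name, subject_name, subject_key, email_address=None):
    """Certificate for subject_key, signed by issuer_key (self-signed if both are the same)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject_name)
               .issuer_name(issuer_name)
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=365)))
    if email_address:   # the address the certificate vouches for, as in S/MIME
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(email_address)]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def sign_body(sender_key, body: bytes) -> bytes:
    return sender_key.sign(body, padding.PKCS1v15(), hashes.SHA256())


def verify_signed_mail(from_header: str, body: bytes, signature: bytes,
                       sender_cert, trusted_ca_cert) -> str:
    """Return "valid" or the first reason a client would display a warning."""
    # 1. Chain: the sender certificate must have been issued by a CA we trust.
    try:
        trusted_ca_cert.public_key().verify(
            sender_cert.signature, sender_cert.tbs_certificate_bytes,
            padding.PKCS1v15(), sender_cert.signature_hash_algorithm)
    except InvalidSignature:
        return "certificate not issued by a trusted CA"
    # 2. Validity period (certificate times are naive UTC in this API).
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if not sender_cert.not_valid_before <= now <= sender_cert.not_valid_after:
        return "certificate expired or not yet valid"
    # 3. Identity: the From address must be one the certificate was issued for.
    _, from_addr = parseaddr(from_header)
    san = sender_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if from_addr.lower() not in {a.lower() for a in san.get_values_for_type(x509.RFC822Name)}:
        return f"certificate does not belong to {from_addr}"
    # 4. Integrity: the signature must match the content exactly as received.
    try:
        sender_cert.public_key().verify(signature, body, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return "content was modified after signing"
    return "valid"


def demo() -> dict:
    """A genuine signed mail and three manipulations; returns the verdict for each."""
    ca_name = make_name("Example Campus CA")                 # constructed authority
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = issue_certificate(ca_key, ca_name, ca_name, ca_key)
    sender = "servicedesk@tu-dortmund.de"                    # constructed address
    sender_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sender_cert = issue_certificate(ca_key, ca_name, make_name("Service Desk"), sender_key, sender)
    body = b"Please update your password via the service portal."
    signature = sign_body(sender_key, body)
    from_header = f"Service Desk <{sender}>"

    # Attacker: self-signed certificate claiming the same address, no trusted issuer.
    attacker_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    attacker_cert = issue_certificate(attacker_key, make_name("Service Desk"),
                                      make_name("Service Desk"), attacker_key, sender)
    return {
        "genuine": verify_signed_mail(from_header, body, signature, sender_cert, ca_cert),
        "tampered": verify_signed_mail(from_header, body.replace(b"service portal", b"http://login.de"),
                                       signature, sender_cert, ca_cert),
        "wrong_from": verify_signed_mail("Service Desk <no-reply@mail-example.test>", body,
                                         signature, sender_cert, ca_cert),
        "forged_cert": verify_signed_mail(from_header, body, sign_body(attacker_key, body),
                                          attacker_cert, ca_cert),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12} {verdict}")
```

Real S/MIME wraps the signature and the signer's certificate in a CMS structure and the client keeps the list of trusted authorities; the four checks, and the order in which a forged certificate, a changed body or a mismatching From address trip them, are the same.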

Group certificates for your functional mailboxes are also recommended - especially if you send emails with attachments and included web links. The intended learning effect is that emails of similar formats immediately stand out as critical if they are not digitally signed: Phishing e-mails tend to be structured in such a way that they imitate central entities such as the technical service desk as the sender in order to more easily persuade the recipient to take action. In the future, such emails could be immediately classified as suspicious unless they are digitally signed. The service portal at https://service.tu-dortmund.de/group/intra/zertifikate provides further information on how to apply for your personal certificate and then integrate it into your e-mail client. If you have further questions about this, please contact the Service Desk at ITMC directly.  

For applications for group certificates and if you need support, please contact the Registration Agency of TU Dortmund University.