Secplicity - Security Simplified

Powered by WatchGuard Technologies

How to Spot Spoofed or Phishing Emails on Your Mobile Device

November 12, 2019 By Emil Hozan

Full disclaimer: spotting spoofed or phishing emails on a mobile device like a cell phone or a tablet isn’t as straightforward as on a laptop or desktop. As you’ll see shortly, mobile clients can hide a lot of the telltale signs of a phish. This post will use a spoofed email claiming to be from our CTO Corey Nachreiner, sent to Trevor and myself, with Marc cc’d. The main focus points here are the email addresses and the email body, more particularly the embedded link.


For starters, Figure 1 shows how the email appears in Outlook’s Android email client. It looks like a legitimate email: no misspellings (I double-checked while forging this email myself), for the most part the content flows well (minus the missing “are” in “…you two *are* excited…”), and it’s rather plain with no images. Personally, it looks legitimate at first glance, and it’s not uncommon to see emails with missing or added words. To top it all off, Corey’s picture is included as well!

Figure 1: View of Email as Seen Within Outlook’s Android Email Application

Now if you’re thinking, “well, just look at the email addresses,” then you’re on the right track. Most mobile email apps hide the sender’s email address by default, showing only the name from the ‘From:’ email header instead. That display name is easily spoofed, and even a genuine address won’t be shown here. Let’s take a look at Figure 2, where I expanded the email to show the recipients, and indeed, they all appear legitimate. The display names match the corresponding emails. Nothing really seems off. Again though, this is easy to spoof if the recipient isn’t using something like DMARC to validate message headers.

Figure 2: Expanded View of Included Email Recipients

Additionally, the Reply All option, as seen in Figure 3, merely displays the display names with no indication of each person’s respective email in this view. Unfortunately, this particular trend is also making its way to desktop email clients. This isn’t too alarming, considering you can still view the full email address details as we did in Figure 2, but it is a concern since there is no other way to validate where your response goes until after you send the reply. Figure 4 reveals the recipients’ respective emails only after the email is sent. You might notice something off, though. In this example, you can see that Corey’s email changed from his WatchGuard account to a Gmail account. This shows the “Reply-to:” header in action, another way for attackers to abuse mail clients and get around spoofing protection.

Figure 3: Reply-All Action to Reply Back to All Participants


Figure 4: Reply all Action Showing Recipients’ Email Addresses


There is cause for concern in this, but attackers may not even particularly care to spoof a “Reply-to:” address. Oftentimes, the attacker isn’t trying to open a line of communication with the victim but instead tries to trick them into clicking on a link. Since this email looks like it is coming from a “trusted” source, the email addresses match, and there’s no real sign of this being a spoofed or phishing email, clicking on the link just seems logical. If you’re on track so far, I don’t blame you, but that “click” may be more dangerous than you initially thought.


On desktop email clients, we always tell users to ‘hover over’ email links to check where the real destination is. You can’t exactly hover over a link on a mobile phone, but you do still have an option for checking a link’s destination. Rather than simply clicking a link, regardless of whether the email is legitimate or not, long-press the link and choose “Copy Address” as shown in Figure 5. This could be the difference between landing on a legitimate web page or an attacker-controlled web page. The latter can lead to a credential phishing page (notice the “…to log into…” pressure in the email body). As you can see, the link directs to https://www.google.com, but that’s just a placeholder and can be easily changed to any domain desired.

Figure 5: Long-Pressing the Embedded Link Reveals These Options, Displaying the Embedded Link Itself
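The three signals the post walks through (the address hiding behind a ‘From:’ display name, a ‘Reply-to:’ that sends replies somewhere else, and the real target behind a link’s visible text) can be pulled out of the raw message with the Python standard library. This is an added example, not code from the post; the message, its addresses and domains are all constructed placeholders.

```python
"""Surface the signals a mobile client hides: the address behind the From:
display name, a Reply-To: pointing at another domain, and where links go.
Added example, not the post's own code; the message below is constructed."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (placeholder domains): display names look right, the
# Reply-To domain differs from the From domain, and the link text says nothing
# about the link target.
RAW = b"""From: Corey Nachreiner <corey@example.com>
To: Emil <emil@example.com>, Trevor <trevor@example.com>
Cc: Marc <marc@example.com>
Reply-To: Corey Nachreiner <corey.nachreiner@personal-mail.example>
Subject: Quick favor
Content-Type: text/html

<p>Hope you two are excited. Please <a href="https://attacker-controlled.example/login">log into the portal</a>.</p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(msg["From"])
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    collector = _LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    return {
        "from_name": from_name,                 # what the mobile client shows
        "from_domain": _domain(from_addr),      # what it hides
        # The header that redirected Corey's replies in Figure 4.
        "reply_to_redirected": bool(reply_addr) and _domain(reply_addr) != _domain(from_addr),
        # The long-press "Copy Address" check, applied to every link at once.
        "link_hosts": [urlparse(href).hostname for href, _ in collector.links],
    }
```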

In summary and to recap lessons learned, don’t blindly click on links in an email while on a mobile device. Take a few extra steps of precaution and investigate the email recipients as well as the email body content. In this post’s example, all was fine (except for a missing word, which may not be a sure sign of an illegitimate email) and all that was left to investigate was the link itself. The long-press action is up to you, the mobile device user, and you are what separates yourself from potential danger in an ever-changing threat landscape.

Filed Under: Editorial Articles Tagged With: Email Attacks, email security, Malicious email, mobile security, mobile threat, Phishing

Comments

  1. Mark Braden says

    November 12, 2019 at 11:30 am

    Good article. Do you have something like this that I could share with my users?

    • Emil Hozan says

      November 14, 2019 at 11:28 am

      Hey Mark,

      Thanks for reading and engaging with this post! I am glad you enjoyed the article.

      Could you clarify what you’re asking here?
      You are more than welcome to link this post to your users – is that what you’re asking?

      Regards,
      Emil Hozan
