Full disclaimer: spotting spoofed or phishing emails on a mobile device like a phone or tablet isn’t as straightforward as on a laptop or desktop. As you’ll see shortly, mobile clients hide many of the telltale signs of a phish. This post walks through a spoofed email claiming to be from our CTO Corey Nachreiner, sent to Trevor and me with Marc cc’d. The main focus points are the email addresses and the email body, in particular the embedded link.
For starters, Figure 1 shows how the email appears in Outlook’s Android client. It looks like a legitimate email: no misspellings (I double-checked while forging it myself), the text mostly flows well (apart from the missing “are” in “…you two *are* excited…”), and it’s plain, with no images. At first glance it looks legitimate, and emails with a missing or extra word are hardly unusual. To top it off, Corey’s picture is included as well!
Now if you’re thinking, “well, just look at the email addresses,” you’re on the right track. Most mobile email apps hide the sender’s address by default, showing only the display name from the ‘From:’ header. A display name is trivial to forge, and since the address itself isn’t shown, even an obviously bogus address wouldn’t be visible in this view. Figure 2 shows the email expanded to reveal the recipients, and they all appear legitimate: the display names match the corresponding addresses and nothing seems off. Keep in mind, though, that the ‘From:’ address is just as easy to spoof unless the receiving mail system enforces something like DMARC (backed by SPF and DKIM alignment) to verify that the sending domain actually authorized the message.
Additionally, the Reply All view in Figure 3 shows only the display names, with no indication of each person’s address. Unfortunately, this trend is making its way to desktop email clients as well. It isn’t too alarming, since you can still view the full addresses as we did in Figure 2, but it is a concern because there is no other way to confirm where your reply is going until after you send it. Figure 4 reveals the recipients’ addresses only once the reply has been sent, and here you might notice something off: Corey’s address has changed from his WatchGuard account to a Gmail account. This is the “Reply-to:” header in action. Mail clients honor it silently when you reply, and because DMARC only validates the ‘From:’ domain, a Reply-To pointing anywhere else passes through untouched, making it another way for attackers to abuse mail clients and get around spoofing protection.
That’s worrying enough, but attackers often don’t bother with a “Reply-to:” address at all. Frequently the goal isn’t to open a line of communication with the victim but to trick them into clicking a link. Since the email appears to come from a trusted source, the addresses match, and there’s no obvious sign of spoofing or phishing, clicking the link seems perfectly logical. If you’d have clicked by now, I don’t blame you, but that click may be more dangerous than you initially thought.
On desktop email clients, we always tell users to ‘hover over’ links to check the real destination. You can’t hover on a phone, but you do still have a way to check a link’s destination: rather than tapping it, long-press the link and choose “Copy Address” as shown in Figure 5, then inspect what you copied before visiting it. That can be the difference between landing on a legitimate web page and an attacker-controlled one, and the latter is very likely a credential phishing page (notice the “…to log into…” pressure in the email body). In this example the link points to https://www.google.com, but that’s just a placeholder and could be swapped for any domain the attacker likes. Bear in mind that the visible link text and the actual destination are independent: a link that reads like a familiar company URL can point anywhere, which is exactly why the long-press check matters.
In summary, don’t blindly tap links in an email while on a mobile device. Take a few extra steps: investigate the recipients as well as the email body content. In this post’s example everything checked out (apart from a missing word, which on its own is no sure sign of an illegitimate email), and all that was left to investigate was the link itself. The long-press is up to you, the mobile device user, and you are what stands between yourself and potential danger in an ever-changing threat landscape.