The content of this article can be associated or mapped to CompTIA Security+ Exam Objective 3.2 “Summarize Various Types of Attack”. Regardless of how you deal with computers, whether as a network administrator for a corporate enterprise or as a basic user who surfs the internet at home, chances are you have an email address. Just as with regular mail, cyberspace presents us with a fair amount of annoying junk posing as legitimate mail, otherwise known as spam. While spam is generally just annoying, it also serves as an attack vector for threat actors seeking to do harm. Much of it contains advertisements or coupons for products you may or may not be interested in, usually carries hyperlinks, and for the most part is genuinely harmless. Threat actors, the ‘bad guys’, however, use spam with the intent of conning the unwary into disclosing valuable personal information, or to deliver malicious payloads to our computers. The real downside is that it is difficult to tell the difference between what is merely a benign nuisance and what is truly malicious.
Let’s lay down some best practices and ground rules. Since it is difficult to tell the difference, any email you didn’t expect or that didn’t come from a known source should be deleted. Let’s face it, if your bank, bill collectors or doctor really need important information from you, they will call you or send you paper mail. If you do get suckered into opening it, I highly recommend not clicking on any hyperlinks. For the sake of argument, let’s say you do get an official-looking email from your bank or a similarly important organization: call the source and verify. Don’t respond to the email, and again, don’t click on any embedded links. When in doubt, call the source. You may want to ask “did you mean to send this email?” or “is this form requesting my signature available for completion on the official website?”. I get document alerts from my bank and CPA all the time, but not once has any official email requested my signature, confirmation of my SSN, or anything of the sort outside the confines of the protected and secure website. Here’s the kicker: truly malicious spam may appear official in every way and may even include a hyperlink to your “bank”, but DO NOT click on it. Instead, manually open a browser and navigate to the official website the old-fashioned way, by typing the address you already know or using a bookmark you saved earlier. Also remember that anything that seems too good to be true probably is. No one wants to give you anything for free and no one has ever won the lottery by email, so chances are…It’s a trap!
Now the reasoning behind the ground rules is simple. Hyperlinks can be manipulated very easily. For example, suppose I sent you an email with Click Here to confirm your account information somewhere in the message body. Go on, click it, I can wait…Now while this is a lame demonstration, it is a demonstration nonetheless. Instead of being directed to your account information page, you would have been directed to the Drudge Report website, because the text a link displays and the address it actually points to are two separate things. Most mail clients show the real destination when you hover the mouse pointer over a link without clicking; if that destination doesn’t match the link text, or doesn’t match the organization claiming to have sent the message, that alone is reason enough to delete it. In a truly malicious spam attack that same link could have redirected the unsuspecting user to a malicious payload delivery site before sending you on to the official site. Though it may go unnoticed, that brief visit to the delivery site could have dropped a virus on your system, or worse, directed you to a spoofed website where you would be prompted to enter your login information, thus handing your credentials to a bad guy trying to gain access to your bank account or steal your personal information for identity theft. Truth be told, I could go on and on about the various potential outcomes of spam. For many, just understanding that unexpected emails should be approached and handled cautiously should be enough to keep you better protected from the various threats spam presents and facilitates. Just remember the rules I provided above and you will be okay. When in doubt, call the source and confirm the transmission; otherwise, just delete it.
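To make the “Click Here” trick concrete, here is a small added example (my own illustration, not code from the original article or from any mail product) that does mechanically what the hover check does by eye: it parses the HTML body of a message, pulls out every link’s visible text and its real href, and flags two kinds of deception. First, text that names one domain while the href goes to another, including look-alike hosts such as bank.example.evil.test that merely start with the real name. Second, generic “click here” text that points outside an allowlist of domains you actually deal with. The message body, the trusted-host list (bank.example) and the attacker domains (evil.test) are all constructed for the demonstration.

```python
"""Flag deceptive hyperlinks in an HTML e-mail body.

Added example: not from the original article. The sample message,
the trusted-host allowlist and the attacker domains are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: sites the recipient really does business with.
TRUSTED_HOSTS = {"bank.example", "www.bank.example"}

# Constructed phishing-style message body used for the demonstration.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please <a href="http://update-account.evil.test/login">Click Here</a> to confirm
your account information.</p>
<p>Or visit <a href="https://bank.example.evil.test/">https://www.bank.example</a>.</p>
<p>Statements: <a href="https://www.bank.example/statements">www.bank.example/statements</a></p>
"""

# Matches something that looks like a domain name inside the visible link text.
_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self._href = None      # href of the <a> currently open, if any
        self._text = []        # text fragments seen inside that <a>
        self.anchors = []      # completed (href, text) pairs

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL, or '' when it has none (mailto:, javascript:, ...)."""
    return (urlparse(url.strip()).hostname or "").lower()


def same_site(host, trusted):
    """True only when host is trusted itself or a true subdomain of it.

    'login.bank.example' passes; 'bank.example.evil.test' does not,
    because the registrable part of that name is evil.test.
    """
    return host == trusted or host.endswith("." + trusted)


def audit_links(html):
    """Return (href, visible text, reason) for every link that should not be clicked."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = host_of(href)
        # Case 1: the visible text names a domain, but the link goes elsewhere.
        for shown in _DOMAIN_RE.findall(text):
            if not same_site(host, shown.lower()):
                findings.append((href, text, f"text shows {shown} but link goes to {host}"))
                break
        else:
            # Case 2: generic text ("Click Here") leading outside the trusted sites.
            if not any(same_site(host, t) for t in TRUSTED_HOSTS):
                findings.append((href, text, f"link host {host} is not a trusted host"))
    return findings


if __name__ == "__main__":
    for href, text, why in audit_links(SAMPLE_EMAIL):
        print(f"DO NOT CLICK: '{text}' -> {href} ({why})")
```

Run against the constructed message, the first two links are reported and the genuine statements link is not. The suffix check in `same_site` is the important design choice: a naive `"bank.example" in host` test would wave through `bank.example.evil.test`, which is exactly the kind of name a spoofed login page is hosted on.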