The following is a transcription of an episode of our podcast, Where’s The Any Key? Feel free to reach out with any questions you may have in response to this recording. You can find our show on Apple Podcasts, Spotify, and wherever podcasts are available.
Ryan: Welcome to Where’s the Any Key? The podcast where we talk about anything IT related and even some topics that are IT adjacent. I’m your host Ryan Bacon, the IT Support Engineer at JumpCloud® Directory-as-a-Service®.
So today we are talking with Jim Matthews, security engineer here at JumpCloud, and we are going to talk about phishing. How’s it going, Jim?
Jim: It is going well. I think the last time we did this there was a pandemic or something going on?
Ryan: Oh yeah, that’s long past… not really.
Jim: Now I’m feeling well, we’re both safe and healthy if not completely sane.
Ryan: But really, were we really sane before the pandemic?
Jim: Exactly. It’s tough to tell.
What is Phishing?
Ryan: Exactly. Alright, so I know that this is a big passion of yours, so my first question for you… freshwater or saltwater?
Jim: Freshwater definitely.
Ryan: Freshwater fish taste more fishy to me and I don’t like it.
Jim: I do like the fishy fish kind of taste because I grew up on the East Coast, so I did grow up saltwater fishing down at the beach, down the shore… and then when I moved to Colorado I got into fly fishing and there’s no comparison. Fly fishing is just wonderful and trout is such a wonderful fish to eat. So, thank you for joining us today, that’s been our talk on fishing!
Ryan: Alright, so phishing with a “ph”, as I’m sure our listeners assumed. Let’s start off with a high level, I mean, this may seem kind of basic… what is phishing?
Jim: Sure, so what is phishing? Phishing is an attempt, usually through email, to induce a user to perform some sort of action, such as ‘click this link here,’ ‘verify your credentials here,’ ‘claim your prize here,’ that kind of stuff. It typically does take place over email, though it does come across via SMS as well sometimes, but that’s it in a quick nutshell.
Ryan: Why would you say it’s common? Because it is probably one of the most common forms of social engineering.
How Phishing Works
Jim: It’s common because it’s so easy. So, let me paint you a word picture here on why phishing is so effective. Let’s say I’m an evil, mustache-twirling villain and I want to attack, let’s say, Acme Company. Acme is a mid-sized company that employs about a thousand people. So, you have two approaches to attack this company traditionally.
You can go the “Mission Impossible, Mr. Robot” route: steal somebody’s badge, get access to their datacenter, compromise the datacenter somehow by knowing the PIN code, grafting their fingerprints on your hand, or an iris scan. Then once you’re in the datacenter, you have to find the servers for the Acme Corporation. So you go through these rows of machines all over the place, all in locked cabinets. You eventually find the correct cabinet. You pick the lock on that and then you have a rack of servers and then you can start your attack and do whatever it is you want to do. So that’s one way you attack a company.
The second way is I can send a thousand emails to everyone in the company and I can pretty much guarantee that, at the very minimum, 5% of those people, 5% of the company, will click on an email and provide me their credentials without any hassle. So, let me ask you, which is the easier method to attack the Acme Company?
Ryan: Exactly. It doesn’t really matter who gets it, because even if you get the smallest fish in the pond, to go along with it with the analogy, you can work your way up the ladder. You could use their credentials, their information, to get their managers, to get somebody else’s, until you have what you need.
Jim: Exactly, it’s just a stepping stone. If you get one bite out of it, that’s usually enough that you can then leverage that into something else, and then leverage that into something else, so on and so forth, until you get to whoever it is that you’re trying to compromise, whoever’s credentials you need.
Ryan: Right, and I think that goes hand-in-hand with highlighting how dangerous phishing can be, because like you said, it just takes one person. It doesn’t matter what they do to compromise the company.
Jim: Exactly. You could have the most layered security approach. You could have fingerprint scanners, iris scanners, in order to eventually get to the crown jewels of your company, but nobody has the time or the talent, the investment into trying to do something like that except for someone like a nation-state actor. But on a low level, yeah, it’s very easy. Right now, within an hour, you and I together could sit down and go online. We could find a phishing tool. We could find a database dump of a company’s email addresses and pipe that in and send it out and probably by close of business today we have credentials for whatever company we happened to pick, unfortunately.
Ryan: Yeah, that really brings up another good point of how easy it is with, essentially, crowdsourcing and open sourcing of various tools and information. It’s not difficult for an unskilled person to go out there and get the tools and information that they need.
Jim: That’s why executives, higher ups ask me what worries me, what keeps me up at night. It’s usually not ‘are we using the right encryption protocols?’ ‘Do we have the right ciphers enabled on our website?’ ‘Are we up to date on patches?’ All those things are important but the thing that keeps me up at night is Alice in accounting all of a sudden clicking an email saying ‘Hey, you’ve just won a million dollars, please click here.’
Ryan: Exactly. As someone who does monitor firewall logs and manages that sort of thing, I have, you do see like those automated attempts that just kind of blast out there and pretty much every firewall filters it out and it’s no big deal, but you really don’t see, unless you’re a big target, you really don’t see a lot of concerted hacking attempts.
Jim: Yeah, it’s getting much harder today than it was 20 years ago, 15 years ago to do those sort of old-school hacking attempts. It’s easy. That’s the nature of people, to find the easiest method to accomplish whatever tasks that they want to do. So right now, phishing, unfortunately, is the easiest way to sort of induce a company to provide their crown jewels, or their credentials.
Ryan: Right, and any kind of exposure, I mean, say if your organization’s in the news. Any word about your company gets out there.
Jim: You’re now high profile. It’s a death sentence.
Ryan: You’re exposed. Somebody, just on a whim could say, ‘Oh they’re big right in this moment. Maybe I should try something with them.’ As you mentioned before, within a day a phishing campaign can be done and have results.
Jim: Yeah, it’s that simple and it’s that scary.
Three Types of Phishing
Ryan: Moving on with this, there are various kinds of phishing. Different targets, different degrees… Could you give us an overview of the different kinds of phishing, and also, how you can easily identify them?
Jim: I would say there’s three levels, that’s how I’d classify them, of phishing. So you have sort of the level 1 or even the level 0, and these are the really bad phishing attempts that everybody sees. These are from the Nigerian princes, I think we’re all kind of becoming aware of that issue. They have spelling errors. They have grammar errors. English is maybe not their first language. These typically don’t fool people anymore. This is what you were seeing 10 years ago. That was kind of the first attempt at phishing.
Now we kind of have what is the standard phishing, where the spelling and grammar is great. The images, they’re trying to get you to click a link is going to take you to Google. They take the Google image itself and so it looks legitimate. That’s the one that I would say it is the most common; I’d say that’s probably 80% of your phishing attempts these days. The really, really bad ones, the level 1s, that’s probably 5% these days.
Then you have the level 3, which is sort of the very high-end phishing, and it gets a special name called ‘spear phishing.’ Spear phishing is a little bit different than just general phishing. Rather than just sending thousands of emails to the Acme Corporation, I would, as an attacker, identify the person that I know has the credentials. So, Ryan, you’re the IT guy at Acme. I know that you are the IT guy. You probably have a lot of high-end credentials, so I would target you specifically. So what I’ll do is I’ll go to LinkedIn. I’ll go to Twitter, Facebook. I’ll start developing a profile on you specifically. I’ll find out where you used to work, who your boss used to be, who your friends are, and then I’ll send you an email and use all of that information that I gathered to target you specifically. ‘Hey Ryan, I see you used to work with Scott over at the ASPCA in the past. I’m working with Scott these days’ and just try to strike up a friendly kind of conversation with you. Those are a lot harder to spot because they are so finely crafted. It looks really legitimate. He says he used to work with co-workers of mine. We share some common interests, et cetera. So that’s the three levels, I would say, of phishing.
Ryan: That last one… it’s scary. As it is known out there, you can look at my LinkedIn page and see that I am the IT support engineer here at JumpCloud. I get legitimate vendor emails that sound a lot like that. Being that I can be super paranoid about stuff like this, I also look up who the person is that’s sending the email. I look at their LinkedIn profiles. Are they actually connections with the people who they say they’re connected with? All of this stuff.
Jim: I would love to have 500 of you as my end user, because that is the exact appropriate approach, but unfortunately we’re limited in the amount of time during the day to be able to do this kind of stuff, so there’s that.
How to Spot a Phishing Attempt
Ryan: That goes on to the next thing. How should somebody deal with a phishing email? They don’t have, most people won’t go and do private investigator, PI-level work to dig into who is sending them an email. What are some of your suggestions?
Jim: I’m not going to minimize that, I would say that everyone should do that PI work on behalf of security, because you’ll save your security team a lot of headaches and we would all appreciate it. But seriously, for the rest of us, for the 99% of us, how should a person deal with phishing attacks? That’s a good question.
I think it starts first with the organization. So, the organization should have a way for a user to report any potential phishing emails to the security team, the IT team, whoever to take a look and verify whether it’s legitimate. Basically get a second set of eyes on it. So, as an end-user, you should have that ability. At JumpCloud, we have a special email address that we share with everybody, and if anybody is in doubt whether an email is legitimate, they just forward it to us and we take a look at it. That’s probably the number one way a person should deal with phishing emails.
The second way is probably to take a breather. We all get hundreds of emails every day and, of course, they’re all very important and need to be dealt with immediately, but usually, like I said earlier at the top of this podcast, phishing tries to appeal to your emotions: It’s something like ‘you’ve won something,’ ‘you won’t believe what this celebrity just did,’ ‘please check your credentials, your account has been locked out.’ So phishing emails tend to play on your emotions and then they also have the second component: they have something for you to do. It’s not just an email that says ‘hey your credentials expired… thank you.’ It’s usually ‘your credentials have expired, please click here to verify,’ or ‘you won a prize, please click here to redeem it.’ So when you get one of these, you have to rely on your ‘spidey-sense’, you know that kind of little tingling in the back of your head that goes ‘Something isn’t right. Why is somebody all of a sudden sending me $500,000?’ or ‘Why isn’t Ryan reaching out to me to say my credentials are compromised? Why am I getting a generic IT admin saying your credentials have been locked?’
So between those two things: have a way to report it to another set of eyes, either your security or IT team, and just take a minute when you receive one of these kind of emotion-inducing emails to see if maybe it is legitimate or maybe they are trying to trick you into doing something you don’t want to do.
Ryan: Exactly. I also feel it’s a very important thing, on the organization level or at least on the IT team level, to have that relationship with your end users where they know your stance. I think a very good stance is that it is worth every minute of your time for your end users to check with you if an email is phishy or not. Even if you spend an hour a week going over these, checking out these user emails, you’re going to be spending a lot more time dealing with a compromised user, system, whatever. So it’s well worth the investment, having that understanding. Users know and they feel comfortable coming to you with suspicious emails so they don’t have to try to figure it out on their own.
Jim: Exactly, it’s tough. I’ll be honest, I’ve been fooled in the past. Not recently, thankfully, but I know in the past I’ve been fooled. It gets the best of us. All of a sudden, it’s 7 AM in the morning, you’re waiting for your coffee and you’re going through email and all of a sudden I’m getting an email from Spotify: ‘What did I listen to last year?’ and you click the link and it’s like, ‘oh no, this is not taking me to a Spotify site. This is taking me to something else.’
How to Prepare Users to Combat Phishing
Ryan: Exactly, that’s definitely some good advice there. On the organization level, what can they do to prepare their end users and put up the infrastructure to combat phishing?
Jim: So, this is a more complex answer for an organization and how to respond and deal with phishing than for an end user, because end users, they just get the end result and it’s ‘what do I do with it?’ For organizations, as with most things IT, and especially in security, a multi-layered approach is the best. So, number one, I’d say training. We do quarterly security training at JumpCloud. I know I’ve done a couple of sessions on how to read an email. Just because the ‘From:’ in an email says it’s from Jim Matthews, that may not be actually who it’s from. If you dig in a little deeper, you’ll see that it’s maybe not from Jim Matthews. It just says it is.
So, a lot of training to train users on what a phishing email looks like. At one point, I think I had a couple examples of phishing emails, and I would throw them up on screen and I’d ask users, ‘what’s wrong with this email?’ There’s usually a couple of warning signs: very generic addresses, maybe a generic ‘From:’ address like ‘IT admin’ as opposed to from Ryan Bacon. URLs that don’t go to where they say they’re going to go. Catchy language like ‘click here, do this immediately, you’re compromised’, that kind of stuff. Training is one of the most important things you can do.
To piggyback on the training aspect, phish your own company. There are free tools out there, there are paid tools. We said earlier that before the end of business today, we could phish the company easily. Take a look at some of these tools. If you don’t have the budget, take a look at some of the open source tools and try it out. Try to phish yourself, just phish the IT department and see what happens with that. That’s a great way so that users start to get very nervous when they get an email, and they start to hesitate and go ‘Maybe I shouldn’t click this because I know my IT guy sometimes phishes me, so let me just check with him to see if this is valid.’
What else… reporting! No-fault reporting. I think that’s the key. So we have an email address, like I said, that is set up for users to report potential phishing emails, and I like to say I’d rather my users over-report than under-report. We had talked earlier, and JumpCloud employees, just to shout out the company, are great in this aspect. I get dozens of emails a day asking ‘hey, is this a legit email?’ and I am more than happy to take a look at it and verify whether or not it’s legit. So, no-fault reporting, so don’t think that you’re burdening your users by asking them to forward you potential phishing emails, because it’s really for your own kind of sanity, because if something goes wrong, it’s not the end user that’s going to have to clean up the mess and deal with the late hours and the weekend hours to fix things. It’s going to be you. So, if you could take that time beforehand to prevent the attack, you’ll save yourself a lot of trouble.
Ryan: I agree, and another thing I’ve seen work really well, both here at JumpCloud and in other organizations, is having a communication tool open, say like Slack or Teams or whatever, where, if there is a phishing campaign going on, because these things a lot of the time will target the entire organization… either the security or IT team could send out a blast about it. But also something I’ve seen that’s really effective is having the end users themselves pipe up and say, ‘hey, I’m getting these emails. Is anybody else getting it?’ So it’s almost like crowdsourcing security.
Jim: Exactly. That’s something we use at JumpCloud and it works very effectively. There’s been a number of times where I’ve posted something in the general channel, or a user will receive an email and say ‘hey, I just got a free Disney Plus subscription for a year. Is this legitimate?’ So, yeah, that’s an awesome suggestion.
Ryan: Not only does it help to solve that problem there, but it gives the end users exposure on what possible phishing attempts look like. That familiarity is a very good thing.
Jim: Another thing I just thought of, another way to train your users is a newsletter. A lot of companies do an internal company newsletter. At previous companies I’ve had this, where I would choose to do a ‘Phish of the Week’ or ‘Phish of the Month’ depending on the newsletter frequency, where I would take one of those emails and say ‘Hey, this is an email that currently went around last month. Can you spot all of the errors in this email?’ Sort of a fun thing for users trying to see what’s legit and what’s not.
The Most Devious (and Silly) Phishing Attempts
Ryan: So let me ask you this. What’s been the most devious phishing attempt you have ever seen?
Jim: Oh boy, most devious phishing attempt… So for me, it’s usually two things in the past that I’ve seen. Spotify, so at the end of the year, Spotify sends out a summary to you saying ‘hey, last year you listened to seven hundred hours of the Grateful Dead, this is the number one song played,’ that kind of stuff. It’s kind of this cool, data nerd kind of information that guys like me are interested in. I got fooled by that at the beginning of last year. It was not a legitimate email. It took me to a phishing site. It was early in the morning. I wasn’t ready. I saw the Spotify, all the logos look good and I just clicked it, and unfortunately I got caught.
The second one is Netflix. That’s a rather common one. We’re all kind of dependent on Netflix, Hulu, Amazon Prime, one of those streaming services. If I were to lose Netflix, it’s sad to say, but half my life would go away. I mean that’s kind of what I do at night. Years ago, I got this email that my account credentials had been compromised, ‘please click here to reset,’ and again, it appeals to your emotions, and me, losing Netflix is like ‘oh my God!’ So, once I got that email, I immediately clicked it and it took me to a site that looked like Netflix, but actually, this is another thing that phishing people do: Rather than take you to netflix.com, it took me to netf1ix.com, so it’s kind of a typosquatting bug. So it looks like Netflix, but it actually isn’t Netflix. Something about their graphics didn’t quite strike me right, kind of that spidey sense tingling… a little too late it turns out. Those were kind of the two most devious attempts on me personally.
Ryan: Yeah, I was going to give one that was a misspelling, the clever misspelling to hide a URL. It was a banking website and I think they omitted a letter or something like that, and it was almost successful until I remembered ‘oh, I haven’t banked with this place in years. I closed my account!’
Jim: Yeah, those typosquatting… I mean that’s another thing that organizations can do to help protect your organization: if you have a domain, try and find the alternatives to your domain. Any slight misspellings, you know, for example, JumpCloud. Replace the L with a 1. Replace the O with a 0, something like that. If you can register those domains for yourself, you’ll prevent any criminals from taking those domains and then having another asset to try and fool your users.
Ryan: That’s actually a good idea: Scoop up those possible domains before anyone else can. Domains are cheap, especially weird ones. There’s really no reason not to.
Jim: Unless you’re just starting out and times are tight, but once you get to be a bit bigger fish, no pun intended, you would probably want to start investigating those typosquatting domains that are similar to your domain name.
Ryan: Okay, now on the flip side of that, what is the most obvious phishing example somebody’s fallen for?
Jim: The most obvious example… So, unfortunately in an organization of pretty much any size, you can count on at least 5% of your users always clicking the email no matter what. No matter the training, no matter how many times they got burned in the past, you will always have 5% that will always click every single email that comes across.
So, at a previous company, as part of that 5% I had a guy that would click any email that would come through, and I was actually phishing the company, so I’m thankful that it was me doing this, but it was horribly misspelled. It was a Google email; we weren’t even using Google at the time, we were using Outlook. So it was something like ‘change your credentials in Google here.’ It was misspelled. It said it was coming from a department that didn’t exist, and then sort of the clicker or the clincher was the URL that they had to click on. So usually, they try and make it look like it’s going to be a Google URL or something along those lines, but the domain that I used was ‘do-not-click-this-it-is-a-phish.com.’ So if you would just hover over the URL for one second, you would see it’s not going to take you to Google. It’s going to take you to please-don’t-click-this, and the user just clicks it anyway.
Ryan: Yeah, actually that reminds me of a piece of advice that could be passed on to the end users: to not use your work email for anything that’s not work-related, so therefore if you get something from your bank to your work email address, that would be a red flag right there.
Jim: Yeah that’s actually a great point. That should be the number one thing an IT organization does for their end users during the new hire security training or quarterly security training, yearly security training, however you do it, emphasize that work and personal are entirely separate. I know it seems very easy to do both on the same computer, but it just makes sense from a security standpoint to keep them both separate. Great suggestion.
Ryan: So, is there anything else with phishing? Let me pull out the soap box for you to stand up on. Is there anything that you want to say to our audience?
Jim: Like I said, I get asked a lot of times by executives, higher ups, managers, directors… What keeps me awake at night? My answer for the last five, six years is always phishing. Phishing is one of the most identifiable means that a company is compromised and a data breach occurs. I would say that, as an IT department, you definitely want to invest resources in protecting your end users from phishing, whether or not you set up training, whether you set up a special email address, or whether or not you phish your own company. You need to spend resources on phishing. It is not a waste of time. This is a legitimate concern, and unfortunately, it has been a concern for a number of years.
I don’t think we’re anywhere out of the woods yet, so I would say go to your executives. Share with them the Verizon DBI Report, Data Breaches and Investigation Report, which the new one just came out this year, or just came out today. Share that information with your executives and show them that phishing is something that they need to address, and it’s not somebody else’s problem. ‘It’s not going to affect us; we don’t have anything that people want.’ That’s a common thing that you hear: ‘We’re not going to get phished because we have nothing that anybody wants.’ Your company is making money, and that’s what people want, and that affects everyone. Go to your executives, ask for resources, ask for time to spend it on phishing.
Ryan: That is definitely some good advice, and I feel that it’s worth touching on a little bit, the flip side of things. With so many companies out there realizing that phishing is a problem and setting up their resources to help fight back against phishing, if you’re an organization that relies on email communications to other organizations, there are things that you can do to help show that your emails are legitimate. This often falls on the IT team or security team or DevOps team or whatever to do this. So when you’re configuring your email setup and your domain, make sure you have things like DKIM and DMARC, and all your TXT entries and TXT referencing and everything like that are proper, because I don’t know how many times we’ve had sales or marketing people come back to us on our IT team and say, ‘these emails are bouncing or getting caught by spam filters, what can we do?’ There are two answers to that: making sure you are set up with all the proper security features and verification features on your email servers, but also the less popular answer is that sometimes there is absolutely nothing that you can do. If the recipient’s servers are set up to reject anything that can be even slightly identified as phishing, they’re going to get rejected no matter what.
Jim: Yeah, that’s a great point. Make sure your email infrastructure is set up properly. There’s a bunch of online tools that’ll do checks for you. Check your DKIM/DMARC records, SPF records. That’s a great suggestion.
Ryan: Also, making sure that your domain is not on any blacklists, too.
Jim: That’s another good one. Something I just thought of to wrap this up, like I said earlier, 5% of your users are going to click on every email that comes through, and depending on what that email is, whether it’s asking to verify their credentials, whatever it is, 5% of your users are going to do it. They’re going to input their credentials. The thing that IT teams need to be aware of is to first, know that this is going to happen, and make sure you have a way to detect this. That’s a whole other conversation in and of itself, but you have to assume that Alice in Accounting is going to click that email, or Dennis in Engineering is going to always click the email. So, you need to have a way to be able to verify user credentials. If you have a SIEM in place, there are products that sit at the email gateways that monitor your emails and say ‘Hey, this user clicked this one. It looks like a potential issue.’ Just be aware that you do need to try and jump on this as quickly as possible if somebody does get compromised.
Ryan: Exactly, and a lot of the big-name tools, such as Google. We’re a Google shop so I just picked that. G Suite, depending on the level of subscription you have, will have these security features and alerts, where you’ll get emails that will say ‘this email was blocked for suspected phishing,’ or even you’ll see things where they will detect messages as phishing post-delivery and remove them from people’s inboxes, and you get alerts for that. Definitely, when you get these alerts, treat every single alert as seriously as you possibly can and move on it and verify and check and follow up as quickly as possible.
Jim: Definitely, Gmail, MSN, Hotmail… They all have these tools right now to make it a little bit easier, so if you’re using one of those, you do have some protections built in, but try and do what you can to detect it early.
Ryan: Again, our guest today is Jim Matthews, security engineer here at JumpCloud. Thanks again for coming on and chatting with us. Thanks for your time.
Jim: Thanks for your time; it was really good to see you.
Ryan: It’s now time for everyone’s favorite segment, Ryan Rambles, where your host, Ryan Bacon, rambles on about something mentioned in this episode.
I’d like to talk a bit about how to check to see if your domain is on a blacklist. There are numerous reasons why a domain may end up on a blacklist, the most common one being that your domain has been compromised. The tool I like to use is the MXToolbox; you can find it at mxtoolbox.com. It’s a free tool to use. If you go to mxtoolbox.com/domain, you can go through a domain health check. It does a number of things, but what we’re focusing on now is the blacklist portion of it. You run it, it checks against hundreds of blacklists and it shows you if you’re on a blacklist, with warnings, or if you’re good to go and you pass everything. It gives you details about, if you’re on a blacklist, what blacklist it is, and it gives you more information on said blacklists.
One thing to keep in mind, there are some blacklists out there where you cannot request to have your domain removed from the blacklist. They have to be on the blacklist for a certain amount of time, then they drop off. So just keep that in mind. You’ll be able to find if the blacklist you’re on is one of those when you click on More Information, or go into the blacklist’s website, and see if there’s a way to take yourself off.
Thank you for listening to Where’s the Any Key? If you like what you heard, please feel free to subscribe. Again, my name is Ryan Bacon and I work for JumpCloud Directory-as-a-Service, where the team here is building a cloud-based platform for system and identity management. You can learn more and even set up a free account at jumpcloud.com.
So until next time, keep looking for that any key. If you find it, please let us know.