In no way are we trying to diminish the importance of good email security practice, but sometimes I think about the unforeseen impact email can have on our daily lives. In InfoSec we focus all too often on the fancy malware and the sophisticated credential-grabbing techniques. For most people in the UK going about their day, the importance of keeping your inbox squeaky clean can be lost. So I’m going to step out of the box and look at how emails – especially phishing emails – impact us in ways we never thought of, and why some good housekeeping is going to make us safer and more productive.
So you get to work after your holiday and open your emails up, and an hour later a salesperson from the same company calls to follow up… All too often marketers place tracking pixels (amongst other methods) in emails to determine when an email has been read, and whilst some people are fine with that, this invasion of privacy is often overlooked. The information is normally sent to the sender the second you open your email – you don’t even have to click! In a similar fashion phishers can use this information to get your rough location, device type and ISP.
All this can slow down our day, cause a spike in calls and further emails, and make us less productive – it can even place us at risk.
- Play email sniper: press delete on your emails simply by reviewing the sender and subject line alone!
- Don’t enable images in emails by default! The dangers might not be so apparent, but stop images from loading automatically.
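To show what the tracking pixel described above actually looks like inside a message, and how a mail client or gateway can spot it, here is an added example (my own illustration, not the author's code): it parses a constructed HTML email with Python's standard library and reports every image that would be fetched over the network when the mail renders. The sender domain, URLs and token in the sample are invented.

```python
"""Flag remote images and likely tracking pixels in an HTML email.

Added illustration (not the author's code): the sender domain, URLs and
token below are constructed for the example.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a marketing mail with an inline logo, a 1x1 hidden
# beacon carrying a per-recipient token, and an ordinary remote picture.
SAMPLE_EMAIL = """\
From: Newsletter <news@example-shop.invalid>
To: you@example.invalid
Subject: Our spring offers
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello! Have a look at our offers.</p>
<img src="cid:logo" width="120" height="40">
<img src="https://track.example-shop.invalid/open?u=7f3a9c1e" width="1" height="1" style="display: none">
<img src="https://cdn.example-shop.invalid/offer.jpg" width="400" height="200">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _html_parts(msg):
    """Yield the decoded text of every text/html part (walk() also covers single-part mail)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def _is_tiny(attrs):
    """True when width and height are both 1 pixel or less."""
    def dim(name):
        m = re.match(r"\s*(\d+)", attrs.get(name, ""))
        return int(m.group(1)) if m else None
    w, h = dim("width"), dim("height")
    return w is not None and h is not None and w <= 1 and h <= 1


def find_remote_images(raw_email):
    """Return one record per image fetched over the network when the mail renders.

    Every remote image reveals your IP address and the moment you opened the
    mail; 'likely_beacon' additionally flags the hallmarks of a tracking
    pixel (1x1 size, hidden styling, or a per-recipient query string).
    """
    msg = message_from_string(raw_email, policy=policy.default)
    collector = _ImgCollector()
    for html in _html_parts(msg):
        collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid: and data: images are embedded; nothing is fetched
        hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
        findings.append({
            "host": url.hostname,
            "src": src,
            "likely_beacon": _is_tiny(attrs) or hidden or bool(url.query),
        })
    return findings


if __name__ == "__main__":
    for f in find_remote_images(SAMPLE_EMAIL):
        print("BEACON" if f["likely_beacon"] else "image ", f["host"], f["src"])
```

Run against the sample, the inline `cid:` logo is ignored, the hidden 1x1 image with its per-recipient token is flagged as a beacon, and the product photo is listed as a plain remote image. The wider point stands either way: any remote image fetch tells the sender you opened the mail, which is exactly why the bullet above says to stop images loading automatically.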
Spam has evolved over the decades; most email providers will cull the “adult medication” and “time shares in Spain” type of spam because of the way it was sent or the content it has. This stuff doesn’t tend to get to us often in 2018. What starts to be a chore, however, is the constant barrage of focused advertising – recent studies show we receive about 60 of these emails a day! You know that magazine you were into in 2003 – well, guess what, you’re still signed up and they are going to email you when they want. Of course we could also click unsubscribe, but in some marketing emails that’s not guaranteed to make it stop. If the email was a phishing email and you clicked ‘unsubscribe’, that would also be bad news… so we look at it this way:
- Create an inbound mail filter rule to catch all events, e-cards, Facebook and the like – focus on a few words such as ‘un-subscribe’, ‘unsubscribe’ or ‘opt out’ and get these sent to a folder. This is a brash first step, but 95% of these emails will be avoidable; we can assume an urgent message from your boss wouldn’t have small print allowing you to ‘opt out’ or ‘unsubscribe’, right?
- Take a second to organise your email contacts. Just as we culled the spam emails above, it might be a good idea to nudge some VIP contacts more into focus. Most email platforms will facilitate this.
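The two bullets above describe one filter: marketing mail goes to a folder, VIP senders get pulled into focus, everything else stays in the inbox. As an added example (mine, not the author's, and not tied to any particular mail platform), here is that rule written in Python against constructed sample messages. Besides the author's keywords it also checks the List-Unsubscribe header that bulk senders are expected to set (RFC 2369); the addresses and folder names are assumptions for the illustration.

```python
"""Route inbound mail into folders: VIP senders, marketing (opt-out wording or
a List-Unsubscribe header), or the ordinary inbox.

Added illustration (not the author's code). The addresses, folder names and
sample messages are constructed; a real deployment would express the same
rule in your mail platform's filters or a fetch-and-move script.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Senders you want nudged into focus (constructed addresses).
VIP_SENDERS = {"boss@example.invalid", "finance-director@example.invalid"}

# The author's suggested words, matched as whole words in any case.
OPT_OUT = re.compile(r"\b(un-?subscribe|opt[- ]out)\b", re.IGNORECASE)


def _text_of(msg):
    """Subject plus the preferred text body, with HTML tags stripped."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", text)


def route_message(raw_email):
    """Return the folder name this message should land in."""
    msg = message_from_string(raw_email, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    # VIPs first: a genuine note from the boss must never be filed as marketing,
    # even if it happens to quote the word 'unsubscribe'.
    if sender.lower() in VIP_SENDERS:
        return "VIP"
    # Bulk senders usually declare themselves with a List-Unsubscribe header (RFC 2369).
    if msg.get("List-Unsubscribe") is not None:
        return "Marketing"
    if OPT_OUT.search(_text_of(msg)):
        return "Marketing"
    return "Inbox"


# Constructed samples covering each branch of the rule.
SAMPLES = {
    "newsletter": (
        "From: Deals <deals@example-shop.invalid>\n"
        "To: you@example.invalid\n"
        "Subject: 20% off this weekend\n"
        "List-Unsubscribe: <mailto:leave@example-shop.invalid>\n"
        "Content-Type: text/plain; charset=\"utf-8\"\n\n"
        "Big savings inside!\n"
    ),
    "ecard": (
        "From: E-cards <cards@example-cards.invalid>\n"
        "To: you@example.invalid\n"
        "Subject: Someone sent you a card\n"
        "Content-Type: text/html; charset=\"utf-8\"\n\n"
        "<p>Click to view.</p><p style=\"font-size:8px\">To opt out reply STOP.</p>\n"
    ),
    "boss": (
        "From: The Boss <boss@example.invalid>\n"
        "To: you@example.invalid\n"
        "Subject: Urgent: board pack\n"
        "Content-Type: text/plain; charset=\"utf-8\"\n\n"
        "Please unsubscribe us from that vendor list and send me the pack.\n"
    ),
    "colleague": (
        "From: Sam <sam@example.invalid>\n"
        "To: you@example.invalid\n"
        "Subject: Lunch?\n"
        "Content-Type: text/plain; charset=\"utf-8\"\n\n"
        "Fancy lunch at 1?\n"
    ),
}


def route_all(samples=SAMPLES):
    """Map each sample name to the folder the rule picks for it."""
    return {name: route_message(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, folder in route_all().items():
        print(f"{name:10s} -> {folder}")
```

The order of the checks is the point: the VIP list is consulted before any keyword, so the boss's message mentioning a vendor unsubscribe still lands in VIP, while the e-card's small-print “opt out” and the newsletter's List-Unsubscribe header both send those messages to the Marketing folder.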
All this extra clarity has a few effects… it lessens that ‘I have 200 emails in my inbox’ feeling of panic and stress and allows you to focus on the more important stuff! At a basic level it saves you time analysing these emails constantly throughout the day – it makes you more productive and drags you away from your phone.
Are you sending spammy emails?
Here we are curtailing the efforts of would-be spammers, and we haven’t given a thought to the fact that we might be a little spammy too. The very way we use email might mean our own address is classed as spam, or the links we send out are unknowingly quite spammy. Fear not though: we can simply check this over at mail-tester.com. They give you a temporary email address, you send it a quick test, and they will walk you through some of the errors you might be experiencing. The higher your score, the more likely it is your emails will get to where you want them to go.
So you’ve disregarded the company IT policy, you’ve clicked an email a few times and typed your password in – hey, I’m not blaming you, you’re a busy go-getting executive with things to do – all this boring computer stuff might not affect you. Well, it seems it does post-breach…
Commonly social engineers will be in this exact scenario: they have obtained some poor soul’s username and password, and first on the list to be rifled through is your company email inbox and sent folder. Attackers will set up mail clients and download every last email on your account for perusal.
In assessments we monitor these communications. We note internal security practices, flirty emails to colleagues and door PIN codes being sent from HR. We create spreadsheets from all the passwords and snippets of data you leave in there. From an attacker’s perspective we often have a sense of “this is their whole life” – there seems to be little separation between discussing work nights out and social life and the ‘predicted accounts 2018.xlsx’ sitting right next to it.
- Take a second out to search your emails for words such as password, login, code, account number, pdf, xlsx – hopefully you’ll be the first person to do this and see that having a sort-out is for the best.
- If you have a company merger or really important internal information you need to circulate, don’t use email. Hackers have been placing trades on the back of your emails for years.
- Never send usernames and passwords to colleagues or customers via email!
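The first bullet above is a search you can automate. As an added example (my own, not the author's tooling), here is a small audit in Python that runs the author's keyword list over a set of messages and also lists spreadsheet or PDF attachments, so you get a shortlist of mail worth deleting before anyone else reads it. The two sample messages are constructed with the standard library so they parse as genuine MIME; the addresses are invented and the attachment body is a placeholder, not a real workbook.

```python
"""Audit messages for the material the author says attackers harvest:
credentials, codes and account numbers in the text, plus spreadsheet or
PDF attachments.

Added illustration (not the author's code); the sample messages are
constructed with the standard library so they parse as real MIME.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# The author's suggested search terms, as whole-word patterns.
KEYWORDS = {
    "password": re.compile(r"\bpasswords?\b", re.IGNORECASE),
    "login": re.compile(r"\blogins?\b", re.IGNORECASE),
    "code": re.compile(r"\bcodes?\b", re.IGNORECASE),
    "account number": re.compile(r"\baccount\s+numbers?\b", re.IGNORECASE),
}
RISKY_EXTENSIONS = (".pdf", ".xlsx", ".xls")


def _body_text(msg):
    """Subject plus the preferred text body, HTML tags removed."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", text)


def audit_message(raw_email):
    """Return the keyword hit counts and risky attachment names in one message."""
    msg = message_from_string(raw_email, policy=policy.default)
    text = _body_text(msg)
    hits = {name: len(pat.findall(text)) for name, pat in KEYWORDS.items()}
    hits = {name: n for name, n in hits.items() if n}
    attachments = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
    ]
    return {"subject": str(msg.get("Subject", "")), "keywords": hits, "attachments": attachments}


def audit_mailbox(raw_messages):
    """Audit several messages and keep only those with something to sort out."""
    results = [audit_message(raw) for raw in raw_messages]
    return [r for r in results if r["keywords"] or r["attachments"]]


def build_samples():
    """Two constructed messages: one that should worry you, one that should not."""
    risky = EmailMessage()
    risky["From"] = "IT Helpdesk <helpdesk@example.invalid>"
    risky["To"] = "you@example.invalid"
    risky["Subject"] = "Your new account"
    risky.set_content("Your login is jsmith and your password is Summer2018!")
    risky.add_attachment(
        b"PK\x03\x04 constructed placeholder, not a real workbook",
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
        filename="predicted accounts 2018.xlsx",
    )
    harmless = EmailMessage()
    harmless["From"] = "Sam <sam@example.invalid>"
    harmless["To"] = "you@example.invalid"
    harmless["Subject"] = "Friday drinks"
    harmless.set_content("Usual place at six?")
    return [risky.as_string(), harmless.as_string()]


if __name__ == "__main__":
    for finding in audit_mailbox(build_samples()):
        print(finding)
```

Against the samples, the helpdesk message is reported with one “login” and one “password” hit and the spreadsheet attachment, while the drinks invitation produces nothing and is dropped from the shortlist. To run it over a real mailbox, feed each message's raw text (for example from Python's `mailbox` module) to `audit_mailbox` in place of `build_samples()`.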
I’ve heard people say “oh, you could read my emails, I’ve nothing to hide in there, I’m not bothered”, but they don’t understand the link an email account has to other aspects of your life. If you fail to take this seriously, an attacker is in your inbox looking at your emails – no big deal to you yet! But he is looking for Microsoft, Google, Facebook, LinkedIn and Gov.UK accounts they can reset the password on; half the time they want the connected accounts more than the email account itself. Saying your email account isn’t important is like saying you can have access to most aspects of my online life too.
Who’s reading my emails?
Some accounts, such as Gmail and Office 365, allow you to monitor the last locations of people accessing your account. Now could be a great time to look for account compromise, or simply to put your mind at rest in the future. Here’s a list of guides for checking last access to your email account:
- Gmail – https://support.google.com/mail/answer/45938?hl=en
- Microsoft – https://support.microsoft.com/en-gb/help/13782/microsoft-account-what-is-the-recent-activity-page
- AOL – https://help.aol.co.uk/articles/account-management-identifying-suspicious-activity
- GoDaddy – https://uk.godaddy.com/help/view-your-email-login-history-6844
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited. He has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.