Security - the case of the missing eye

Let’s track down a bad guy. Looking through the clues will help you catch the next criminal that tries to trick you with a malicious email message.

I received many reports last week of phony messages that appeared to be from Microsoft, Paypal, and others. There are some examples below. One of them was clever in an interesting way that will remind you of how careful you need to be.

Look at this message received by several of my clients.

Security - phony Microsoft message

Maybe you’ve spotted some grammatical mistakes and you’re thinking you’d never be fooled by that message. Well, aren’t we smug? Easy to feel confident when I’m calling it out in an article about security, isn’t it? Fine. Just pretend it’s in your inbox and you’re not sure about it.

When you’re evaluating an email message, the sender’s address is one of the clues. Frequently the actual address doesn’t match the company supposedly sending the message. This one, though, isn’t obvious. The sender’s name is “OFFICE 365” and the email address is “USER_ACTIVATION@MICROSOFT.COM.” That looks right.

Okay, Sherlock. Pull out your magnifying glass. Look at that address again.

Security - phony Microsoft message - closeup

Something there isn’t right. Pull out a bigger magnifying glass.

Security - phony Microsoft message - closeup

Do you see it yet? That second letter in “MICROSOFT.” The spacing isn’t quite right. It’s a fraction too tall. It’s like there’s a glitch in the way it’s displayed.

The penny drops.

That’s not an upper case “I” – eye. It’s a lower case “l” – ell. The bad guys used a trick to fool the eye into thinking the message comes from Microsoft.

One of my clients sent back the perfect response. “HOLY SHLT.”

Email is broken in many ways. There are no limits to how paranoid we need to be.

Now let’s look at the links. The real goal of a malicious email message is for you to click on a link in the message. You’ll be taken to a web page which will try to convince you to enter one of your passwords. When you give your password to the bad guys, they will cackle and clap their hands in glee and run from the room to destroy your credit and ruin your life.

Always hover over links in email messages or on web sites to make sure they lead where they appear. The address that appears above the link or at the bottom of the browser window when you hover over a link should look like something you’d expect. If it is a shortened link and you can’t tell where it goes, assume it is suspicious.

When I hover over the link in one of these messages, it’s pretty obvious that it’s not going anywhere related to Microsoft.

Security - phony Microsoft message - closeup

But here’s the same link in the same message to another client.

Security - phony Microsoft message - closeup

That’s a “shortened link.” Bitly is a well-known service that takes any URL and converts it to a shorter link that still directs to the right page. It’s used all the time on Twitter, Facebook, and other sites where it would be inconvenient to paste in the long, complex URLs that some sites use.

It’s also used by bad guys to disguise the ultimate destination of a button in spam email.

Real companies will never use a URL shortener in a legitimate message. A link in a message from Microsoft should always lead to a URL with “Microsoft” in it. Spelled with an i.

Here are a few more examples of malicious email messages sent to my clients last week.

Security - phony Paypal message

A closeup of the link in the phony Paypal message. “Paypalf8.beget.tech” is not the same as “Paypal.com”!

Security - phony Paypal message

Security - phony Zixcorp message

Security - phony Microsoft message

It is up to you to be vigilant. Hover over links in email messages. Hover over links in Google search results. Use good judgment and add a healthy dose of paranoia. Here’s a new rule:

Never type a password unless you are deeply confident that you are on that company’s website. Antivirus software will not protect you if you give your password to a 400 pound hacker on a couch in the basement. Or the Russians. I still get those two confused.

Be careful out there!

Share This