Checking e-mails for dangerous content

Dangers caused by e-mails can consist of technical, but also simply only social components.

Technical aspects are in particular:

• E-mail attachments: These can be directly malware or contain malware. Attachments should only be opened, after it is checked, that they are not dangerousness!
• Links in e-mails: These can lead to dangerous websites. Links in e-mails should only be clicked,after it is checked, that they are not dangerousness!

Attempts to induce wrong or harmful actions by e-mail are not at all technical. It is referred to as Social Engineering . Criminals try, for example, the following:

• Attackers pretend to be superiors or business partners and try to persuade the recipients of an email to money transfers. People in finance departments and administrations are targeted here.
• Attackers pretend to be superiors and try to persuade the recipients of an email to buy vouchers and send coupon codes to the attackers by e-mail. Any employee, e.g. of a working group, may be attacked here.
• Attackers pretend to have broken into a victim’s computer and have accessed or generated embarrassing information. It is often threatened to have recorded videos of sexual acts with the camera of the hacked computer. The attackers threaten to release the material and demand ransom.

When you check e-mails, you should check sender, plausibility of content, type of attachments and Targets of links.

In principle, the sender is not more trustworthy in an e-mail than the sender on the envelope of a letter. Always keep in mind that the sender’s message may be forged altogether. An exception are only cryptographic signatures (see at the end of the section).

Despite the possibility of a complete falsification of the sender specification, the sender information should first be formally checked. Email programs display the sender in a field called “From” or similar. The sender specification contains the (possibly forged) e-mail address of the sender and often a “Display name”, e.g. “john.smith@example.com” as e-mail address and “John Smith” as display name. The display name is technically meaningless, a mere description as comfort for the receiver and can therefore easily be falsified by the sender. The display name is displayed by most e-mail programs at the beginning of the From field. The e-mail address usually appears after the display name. Some e-mail programs (especially those on smartphones) only show the display name and not the e-mail address at all.

Don't trust the display name! Check the e-mail address! Often a familiar name is used as an display name in the email and is a fake. The sender’s e-mail address is often not falsified. In these cases, behind the familiar display name there is an e-mail address that is not suitable for this purpose, e.g. after the name of the head of department an e-mail address for a free e-mail service (such as gmail.com, web.de, gmx.de, etc.), e.g.

Prof. John Smith <director111@gmail.com>

Such a combination is, in principle, suspicious. It is probably a malicious e-mail in such cases.

On smartphones only the display name is usually shown. To see the e-mail address, for most smartphone programs it helps to press on the display name a longer time. With Apple-Mail, another click is needed to open another window, which then displays the e-mail address.

Because the sender may be forged, you should always check plausibility based on the content of the e-mail:

If you know the person who allegedly sends the e-mail:

• Is the display name and e-mail address used before?
• Is the same signature (i.e. the information such as postal address or telephone numbers at the end of the e-mail) used as before?
• Are you addressed as usual? A change between first name and surname, collegial or formal writting is suspicious.
• Do information, requests, etc. correspond to the usual and expected forms in the e-mail?
• Is the writing style the same as before?
• Is the email an expected response to a previous request?

If you don't know the person who allegedly sends the email:

• Check who the sender is, e.g. via websites of the organisation from which the e-mail is supposed to come.
• Ask if the email really comes from this organisation using contact details on the organisation’s web pages.
• Also check if the writing style, the content and the prompts in the e-mail are suitable for this organisation.

If you‘re unsure if the sender is authentic, you’d better ask. But don't ask by clicking on the answer button in the email. Ask by phone or other ways. If you need to use a request by e-mail, then use an e-mail-address from a reliable directory (your address book, an official website, etc.).

In general, it is suspicious if

• the e-mail contains many spelling or grammar errors,
• the e-mail is poorly formulated in language,
• the email contains threats or creates pressure to act,
• the email entices with winnings or promises,
• the e-mail allegedly promises important or secret information from prominent persons,
• the sender quotes excuses as to why a callback is not possible and one must therefore act without question,
• the sender argues that secrecy requirements would prohibit queries to other persons, wich should normally be involved.

Open attachments only if you are sure that they are safe. In case of uncertainty, ask the sender or do not open the attachments. When asking, consider the above information on sender identity and queries.

If you have previously asked a known person via a known and verified e-mail address to send certain documents to and you then receive exactly the requested documents, you can assume that they are safe.

The potential danger of attachments also depends on the file types. Especially files represent program files or can contain program code (“executable files” or “files with executable content”) can be dangerous. When using Windows operating systems, the file types are recognised by the file extensions.

• Executable files have the extensions like .exe, .com, .cmd, .vbs, .pif or.scr.
• Files with executable contents (especially macros) e.g. are files from Microsoft Office with the endings .docm, .xlsm or.pptm.
• Files that may contain executable content (but not always contain such content) are among others the older file formats .doc, .xls or .ppt from Microsoft Office.
• The Microsoft Office file formats.docx, .xlsx and .pptx cannot contain macros (or Office would not run macros contained in these files, if you try to outwit the system by simply renaming a.docm file to.docx). So these files are safe.
• Also.pdf files may contain code. So here too, caution should be exercised.
• Archive files (such as.zip,.7z,.tar or.gz) can contain arbitrary files. Here, the contents of the archive must be checked for files and file types contained therein.

Unfortunately, in Windows operating systems, the option is often preselected that for known file types, the extension in the file name is not displayed. This shows only “MyDocument” as a name for a file with the full name “MyDocument.doc”. The verification of the file type is generally complicated. You can guess the file type based on the icon used. You can only get save information about the file type if you stop with the mouse above the file name and wait until the information about the file appears in a pop-up window!

Hidden filename extensions attempt to use attackers by selecting filenames in such a way that if the true extension is hidden, the impression of another safe file type appears. For example, the file is called “Dangerous.txt.exe”. So the true file type is .exe, so this is an executable file that is potentially dangerous. The file name is then displayed as “Dangerous.txt”. A .txt file would in principle be harmless. This gives the impression that you are dealing with a non-hazardous file.

Always keep in mind that the true file type does not appear in the name when the known file extensions are configed to be hidden.

Better: Do not use the option to hide the file extensions.

Only click on links if you are sure that they are safe. In case of uncertainty, ask the sender or do not click on the link. When asking, consider the above information on sender identity and queries.

If you have previously asked to send certain links to a known person via a known and verified e-mail address and are then sent exactly to the requested links, you can assume that they are safe.

Links on the Internet and in e-mails (if they are displayed in HTML format) consist of two parts: A description and the actual link. For example, the as description of a link “Website of the GWDG” could be displayd. The corresponding link, which is not directly visible, would correctly be ”https://www.gwdg.de“.

In malicious e-mails, you will often find phrases such as “click here” as a description. To see the actual link, you have to point to the description with the mouse (but don't click!). Then, depending on the e-mail program, a small pop-up window appears next to the description or in the footer an information, in both cases there is the actual link, which has to be checked for its plausibility and dangerousness.

Caution: The attackers occasionally try to make the description look like a link in order to induce their potential victims not to examine it at all. For example, the description could be ”https://www.gwdg.de/Rechnungen/IhreRechnung12345.doc“, while the actual link to which a click would lead looks quite different, e.g. “https://irgendeineseite.com/irgendwo/irgendwas.exe”. Really check the link by pointing the mouse over the description. If the description looks like a link, but the real link deviates from the description, you should assume a dangerous link.

No mouse is available in e-mail apps on smartphones. Here, the link is usually displayed by not clicking on the description briefly, but by pressing on the description until a window appears that shows the actual link.

Most e-mail programs display e-mails in HTML format by default. You can also change the configuration of e-mail programs such as Outlook or Thunderbird so that e-mails are displayed in text-only format. in this case the actual link would be displayed directly in the text and a waiting with mouse pointer above the description could be omitted. The above examples would then be displayed as “Website of the GWDG<https://www.gwdg.de>“ or ”https://www.gwdg.de/Rechnungen/IhreRechnung12345.doc<https://irgendeineseite.com/irgendwo/irgendwas.exe>“. The link is the part in the sharp brackets <>.

Links describe at which provider (more precisely which server of the provider) a certain information is located and where exactly on the server of the provider the information is to be found including a file name.

The testing of the danger of the where (on a server, including the file name) is likely to overwhelm you.

Easier to check is the information in the link to the who (is the provider). This part of the link is to be found in the first section of the link. The IT experts call the first part the domain name.

A link then consists of three parts:

• a protocol specification that ends with the characters "://"”. Usually ”http://" or ”ftp://", sometimes “” or otherwise,
• After that, the domain name follows. This ends with the first ”/” after the initial "://"“ (or, if the third part is completely missing, with the end of the text string),
• At the end there is a description of where information can be found on a server (this part can be omitted if the top entry point of a website is to be linked).

In the example https://www.gwdg.de

• the protocol specification ”https://",
• the domain name ”www.gwdg.de",
• The indication of the where on the server is missing here, so the entry point is meant.

In the example https://irgendeineseite.com/irgendwo/irgendwas.exe

• the protocol specification ”https://",
• the domain name “somepage.com”,
• the indication of the location on the server “somewhere/something.exe”.

The domain name contains the indication of the provider, i.e. the who. Here, attackers try to fake seriousness with complicatedly constructions of domain names. It is important to know that the domain name is actually constructed from right to left (i.e. you have to start reading at the end). The important information about the provider, the Who-area, stands at the end of the domain name after the penultimate point of the domain name (or it is the entire domain name for short domain names with only one dot).

The following examples are intended to illustrate this. The Who-Area is highlighted with yellow background. Irrelevant names added to deceive potential victims are written red:

• www.g.de
• www.uni-goettingen.de-i.in
• www.maschinenbau.uni-goettingen.de
• eCampus.uni-goettingen.de
• eCampus.uni-goettingen.de.calculation.25799.hack.me
• www.mbipbc.mpg.de
• www.mpg.de.logme.in.videompg.tv

When assessing the danger, you must first look at the yellow highlighted Who-area. Does this Who-area fit to the alleged purpose of the link? If you can't say yes, you should consider the link to be dangerous and should not click on the link.

Attackers try not only to use the complexity of the domain names, but also use inconspicuous typing errors. uni-gottingen.de or uni-goetingen.de, for example, would be variations that can easily be overlooked. Some combinations of letters can also give similarities that can be overlooked. A “rn” resembles a “m”, a “cl” resembles a “d”. When looking at it, a “rnpg.de” could be considered a “mpg.de” or a “gwclg.de” a “gwdg.de”.

If you are not sure when assessing the danger of an e-mail, then get help! In addition to local IT personnel or simply on-site people who simply know better, the support of the GWDG is also available to you.

When assessing the danger, experts can also evaluate log information in e-mails, which usually are hidden by e-mail programs in daily use. This information should be shared if you ask experts for assistance. To do this, you have to forward the e-mail in your e-mail program with the function “Forward as an attachment” instead of just by normal forwarding.

Work in Progress / Description to be added