Introduction to Phishing and Emails Flashcards
Introduction
This section of the course will introduce you to how email works in terms of infrastructure and protocols, the structure of emails themselves, and what phishing actually is. It’s important to know how email works, because then you’ll understand how we can defend against phishing attacks. Knowing how emails are structured will also make it easier to collect artifacts, which are an important part of phishing investigations, allow defensive measures to be taken, and let intelligence be shared.
Phishing is the primary route of compromise over all other methods, such as vulnerability exploitation. This is an incredibly important aspect of cybersecurity and learning how to identify, triage, and defend against phishing attacks is absolutely vital in protecting an organization and preventing incidents such as data breaches.
Learning Objectives
By the end of this section of the Phishing Analysis domain, you will be able to:
Explain the structure of an email, and how emails are composed, transported, and viewed, in terms of infrastructure, protocols, and clients.
Explain what phishing is, and the impact it can have on both individuals and organizations in regard to confidentiality, integrity, availability, financial, reputation, and other factors.
Understand what phishing is and the impact it can have on businesses and individuals.
How Email Works
Before we teach you about phishing, it’s important that you understand how electronic mail works, both in terms of protocols and infrastructure. This lesson will go over protocols such as SMTP and POP3, email servers, relays, and email clients. Once you have a good understanding of how email works, we will cover how emails are composed, and how we can retrieve useful information from them with the ultimate goal of protecting an organization from future phishing attacks.
Email Addresses
Most people send emails on a daily basis - but what actually is an email address, and how does it help us to send and receive emails? Email addresses are composed of two parts, a mailbox, and a domain. Let’s take a look at an example:
In the above example, we can see that the mailbox (also known as the ‘localpart’) is named “contact” and the domain is “securityblue.team”. We use a number of other mailboxes here at SBT, including:
certified@securityblue.team
business@securityblue.team
joshua@securityblue.team
So in its simplest form, email addresses help us to select the recipient of our message to ensure it reaches the right person or people. In the below example the sender is JohnSmith (mailbox) @gmail.com (domain), and the recipient is contact (mailbox) @securityblue.team (domain):
Don’t worry about the servers or how emails are actually transported, we’ll cover that in the below sections.
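To make the mailbox/domain split concrete, here is a small parser written for this page as an added example (it is not part of the original course material). It uses Python’s standard library to separate an optional display name from the address itself, then splits the address at the last “@” into the mailbox (localpart) and the domain. The sample inputs are the addresses shown above plus one constructed address with mixed case; domains are compared case-insensitively, while the mailbox is kept as written because mail servers may treat it as case-sensitive.

```python
from email.utils import parseaddr


def split_address(raw):
    """Split 'Display Name <mailbox@domain>' or 'mailbox@domain' into its parts.

    Returns a dict with display_name, mailbox (localpart) and domain.
    The display name is free text chosen by the sender and is NOT part of the
    address, which is why it is reported separately from mailbox and domain.
    """
    display_name, address = parseaddr(raw)
    if "@" not in address:
        raise ValueError(f"not a valid email address: {raw!r}")
    # rpartition: split at the LAST '@', so a quoted mailbox containing '@'
    # (allowed by RFC 5321) still ends up on the mailbox side.
    mailbox, _, domain = address.rpartition("@")
    return {
        "display_name": display_name,
        "mailbox": mailbox,            # case preserved: localparts may be case-sensitive
        "domain": domain.lower(),      # domains are case-insensitive
    }


# Sample inputs: the page's own addresses plus one constructed mixed-case address.
SAMPLE_ADDRESSES = [
    "contact@securityblue.team",
    "certified@securityblue.team",
    "John Smith <JohnSmith@gmail.com>",
    "Contact@SecurityBlue.Team",   # constructed: same mailbox/domain as the first entry
]


def same_domain(a, b):
    """True when two addresses belong to the same domain (case-insensitive)."""
    return split_address(a)["domain"] == split_address(b)["domain"]


if __name__ == "__main__":
    for raw in SAMPLE_ADDRESSES:
        parts = split_address(raw)
        print(f"{raw!r:40} -> mailbox={parts['mailbox']!r} domain={parts['domain']!r} "
              f"display={parts['display_name']!r}")
```

Because the display name is separated from the address, a reader can see at a glance that “John Smith” is only a label and that the deliverable identity is the mailbox and domain pair; the course comes back to this distinction when it covers collecting sender artifacts.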
Email Protocols
Simple Mail Transfer Protocol (SMTP)
Simple Mail Transfer Protocol, which works on TCP port 25 by default, is a communication protocol for electronic mail transmission. Once an email is created it is sent to the organization’s SMTP server, which transports the email to the next server, before it eventually reaches the SMTP server of the recipient organization.
However, the world is moving away from port 25 and the new standard is becoming TCP port 587. This port, coupled with TLS encryption, will ensure that email is submitted securely and follows the guidelines set out by the IETF.
Post Office Protocol 3 (POP3)
Post Office Protocol (POP) is an application-layer Internet standard protocol used by e-mail clients to retrieve e-mail from a mail server, with version 3 (POP3) being the most widely used version on the internet. POP works by contacting your email server and downloading all emails from it. Once they are downloaded onto your system, they are deleted from the email server. This means that after the email is downloaded, it can only be accessed using the computer that downloaded it, and trying to access your emails from a different device will not work.
Internet Mail Access Protocol (IMAP)
IMAP allows you to access your email wherever you are, from any device. When you read an email message using IMAP you’re reading it from the email server. As a result, you can check your email from different devices, such as a laptop, desktop, and mobile phone. IMAP still allows for emails to be downloaded, but you must manually click to save the email locally. This method for accessing emails is a lot more common than using POP, as it allows for better accessibility.
In the below diagram, we will be following a scenario where John Smith working at BlackArch Solutions is emailing a friend, Aimee Faren at DicksonUnited. We will cover which protocols are used to deliver emails, and make them accessible by clients.
John Smith writes the message in his email client, which is sent to the organization’s outbound SMTP server. At this point, the server doesn’t understand where “DicksonUnited.com” is.
The outbound SMTP server queries the DNS server to find the IP address that is associated with “DicksonUnited.com”.
The result is sent back to the SMTP server so it now understands where to send the email to.
The message is sent across the internet and may pass through other SMTP servers on the way.
The email reaches the destination domain’s outbound SMTP server.
The email is moved from the first server via SMTP to a different server running either POP3 or IMAP, which allows the recipient to log into a client and access the email that is stored on the mail server.
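The scenario above describes the SMTP hop between the two organizations without showing the actual conversation. The following is an added example, written for this page and not taken from the course, that models both sides of that hop: a minimal server-side SMTP state machine and the constructed client commands John Smith’s outbound server would send to Aimee’s server. Hostnames and addresses (blackarchsolutions.example, dicksonunited.example) are constructed placeholders, the reply codes are the standard ones from RFC 5321, and the server is a teaching model rather than a real mail transfer agent (for instance, it answers EHLO with a single line instead of a list of extensions). It also keeps the envelope (MAIL FROM / RCPT TO) separately from the message headers inside DATA, because those are set independently and comparing them is one of the first artifact checks in a phishing investigation.

```python
import email


class SmtpSession:
    """Server side of one SMTP transaction (simplified teaching model, not a real MTA)."""

    def __init__(self, hostname="mx.dicksonunited.example"):   # constructed hostname
        self.hostname = hostname
        self.sender = None          # envelope sender from MAIL FROM
        self.recipients = []        # envelope recipients from RCPT TO
        self.data_lines = None      # list while inside DATA, otherwise None
        self.message = None         # parsed message once DATA is terminated

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Process one client line and return the server's reply ('' while inside DATA)."""
        if self.data_lines is not None:
            if line == ".":                                   # lone dot ends the message
                self.message = email.message_from_string("\n".join(self.data_lines))
                self.data_lines = None
                return "250 OK: queued"
            # RFC 5321 transparency: a line sent as '..text' means a literal '.text'
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return f"250 {self.hostname} Hello {arg}"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            self.sender = arg[5:].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            if self.sender is None:
                return "503 Bad sequence of commands"       # RCPT before MAIL
            self.recipients.append(arg[3:].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Bad sequence of commands"       # DATA before any RCPT
            self.data_lines = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 Command not recognized"


# Constructed client side: BlackArch Solutions' outbound server delivering John's message.
CLIENT_LINES = [
    "EHLO mail.blackarchsolutions.example",
    "MAIL FROM:<john.smith@blackarchsolutions.example>",
    "RCPT TO:<aimee.faren@dicksonunited.example>",
    "DATA",
    "From: John Smith <john.smith@blackarchsolutions.example>",
    "To: Aimee Faren <aimee.faren@dicksonunited.example>",
    "Subject: Lunch on Friday?",
    "",
    "Hi Aimee, are you free on Friday?",
    "..and yes, this line really starts with a dot.",   # dot-stuffed by the client
    ".",
    "QUIT",
]


def run_exchange(client_lines):
    """Feed the client lines to a fresh session; return (session, [(client, server), ...])."""
    session = SmtpSession()
    transcript = [("", session.greeting())]
    for line in client_lines:
        transcript.append((line, session.handle(line)))
    return session, transcript


def envelope_vs_header(session):
    """Compare the envelope sender (MAIL FROM) with the visible From: header."""
    header_from = session.message["From"] if session.message else ""
    return {
        "envelope_from": session.sender,
        "header_from": header_from,
        "match": session.sender is not None and session.sender in header_from,
    }


if __name__ == "__main__":
    session, transcript = run_exchange(CLIENT_LINES)
    for client, server in transcript:
        if client:
            print("C:", client)
        if server:
            print("S:", server)
    print(envelope_vs_header(session))
```

In this friendly scenario the envelope sender and the From: header agree, so `match` is True. The reason to keep them apart in the model is that nothing in SMTP forces them to agree: the MAIL FROM address is what the sending server announces, while the From: header is just a line inside DATA, which is why the course later asks you to collect both as separate artifacts.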
Webmail
While we can access emails via an email client such as the Outlook application or Mozilla’s Thunderbird program, a more convenient method is to use webmail. These are web-based email accounts, such as those offered by Hotmail/Outlook, Gmail, and Yahoo Mail. Internet service providers often provide free webmail accounts as part of their internet service package. Webmail allows users to access their emails as long as they have an Internet connection and a web browser. As with any web application, webmail’s main advantage over a desktop email client is the ability to send and receive email from anywhere via a web browser on any device, such as a laptop, desktop, phone, or tablet. The main disadvantage is that email cannot be accessed without an internet connection, whereas a desktop email client downloads and stores emails locally so they can still be read offline.
GoDaddy has a great short article on webmail!