Countermeasures for targeted attack e-mail

What is targeted attack e-mail?


 A targeted attack e-mail is a cyber-attack carried out by e-mail that aims to steal confidential information from a specific company or organization.

 A typical trick is to pretend to be a highly trusted sender (a staff member of a business or a government agency, a systems administrator, a shopping website, etc.) and to send an e-mail with an attached file that contains a malicious program, or with a link (URL) to a fake website. The malware infects the computer, or the fake website leads you to enter your account name and password so that the attacker can obtain them illegally. As a result, confidential information is stolen from the company or organization.


Features and checkpoints of suspicious e-mail


Sent from an unfamiliar e-mail address though the message seems to be from a familiar person or organization

  • Check the part to the right of the @ in the sender's e-mail address.
  • You should not completely trust an e-mail even if the part to the right of the @ is familiar to you.

Unnaturally urging you to open an attached file or click on a link (URL)

  • Not all e-mails that direct you to an attached file or a link (URL) are suspicious. Other points should be checked as well.
  • An attacker wants you to carelessly open such an attached file or click on such a link (URL).

Unknown organization's name

  • If the organization's name is unfamiliar, you should check that the organization actually exists.

Difference between the written URL and the real destination URL

  • If your e-mail software is set to display messages in HTML format, a camouflaged URL may be difficult to notice. Set it to display messages in plain text format and check the domain of the real destination URL.

Attention-grabbing content even though the e-mail is not related to you

  • An attacker may try to attract your attention with trendy keywords like "Novel coronavirus (COVID-19)", "Cash handout of 100,000 yen", etc.
  • A plausible problem such as "You can't receive e-mail because your mailbox is full" or "Your account is hacked" may be used as the topic.

Including words that urge you to do something ("Emergency", "Urgent", etc.)

  • An attacker tries to impair your judgment. However, not all e-mails containing such words are suspicious. You should check whether there are other suspicious points.

Nonexistent or unclear sender's signature or name

  • A real organization's name may be used in more sophisticated targeted attack e-mails. Even in this case, however, there tend to be other suspicious points.

Unnatural text or strange language

  • It may be just a typographical error. If there are some unnatural expressions, you should look for other suspicious points.
  • There are still many unnatural messages, but attackers' Japanese skills have recently been improving.

Fake icon or filename extension of attached file

  • A file that looks like an everyday Word, Excel or PDF file may be a disguise for an executable (.exe) file that infects your computer with a virus (malware). If a file is attached, check its file extension and file type before you open it.

Response to suspicious e-mail


 In the following cases, immediately contact NAIST CSIRT (Cyber Security Incident Response Team).

  1. You receive a suspicious e-mail that appears to be a targeted attack e-mail and its technique seems to be clever
  2. You open an attached file or click on a link (URL) in an e-mail and you think it is suspicious
  3. An unfamiliar login page is displayed after you click on a link (URL) in an e-mail, and you enter your account and password

 Especially in cases 2 and 3, a delay in making contact will allow the damage to spread, because it gives an attacker enough time to attempt to steal confidential information.


General cautions for security


 In addition to the countermeasures for suspicious e-mail, make sure to take the following security measures.

  • Don't assume you are always safe
  • Update your OS (operating system) to address vulnerability issues
  • Install and update antivirus software
  • Update software and applications
  • Activate firewalls
  • Understand the risks in browsing and downloading from webpages
  • Configure the security settings of your web browser
  • Prevent information leakage on an individual level
  • Don't use the password of your NAIST MANDARA account for other internet services

(c)NAIST CSIRT All rights reserved 2016-2020.