Secure communication

In the electronic environment we communicate constantly, sending and receiving dozens or even hundreds of emails and chat or messenger messages every day. Online communication, however, hides many cybersecurity pitfalls. For example, how can we be sure that a message was actually sent by the person listed as the sender? Who might try to exploit known weaknesses in electronic communication to extract personal data or even money from us, and how? And who else might be able to read our communication in cyberspace? In this module we will first focus on email, an inseparable part of our study and work lives. Although chat applications seem to be slowly but surely pushing it out, billions of emails are still sent worldwide every day. That is not a negligible number, and hand in hand with this volume grow the opportunities for attackers to exploit our inattention and cause us significant damage in both work and private life. So what do attackers do to obtain sensitive data and cause as much damage as possible? Let's first look at their basic techniques.

Is the Dean Writing to Me... or Not?

Have you ever received an email that, at first glance, seemed to have a legitimate sender address, but upon closer inspection, something was off? You probably encountered a method known as sender spoofing. Spoofing the sender of an email is almost as easy as with traditional letters; practically anyone can write whatever they want in the sender field. The goal of such spoofed emails is to make the recipient believe that the sender address is legitimate and trustworthy, while in reality the message was sent by an attacker. Unfortunately, we have been encountering this method more and more frequently in recent years.

To be able to detect a spoofed email, we need to know what to look for and where to look. Therefore, let's examine the suspicious signs together.

How to Recognize a Spoofed Email

The first step is, of course, to carefully observe the context. Can I really expect such a message from this sender? Isn't it suspicious that this person is asking me, for example, to pay an invoice or sending me a document attachment that we never discussed before?

The second step is more technical. Each email, besides the body (the content of the message), also contains so-called headers. These headers carry basic information about the email: usually the sender, recipient, reply-to address, carbon-copy (Cc) recipients and subject, as well as more detailed information about the email's journey through cyberspace, whether it is digitally signed, and so on.

An attacker can use several tricks and methods to confuse us. The field most commonly exploited by attackers is the "From" field, which contains information about the sender. This is where the Achilles' heel lies: the forged address used by the attacker for malicious purposes. But how can we identify this spoofed address? The "Reply-To" field (and the related "Return-Path" header) can help us detect a spoofed email: it contains the address to which the reply should be sent, i.e., the email address actually used by the attacker. Other methods include using a slightly different, look-alike domain (e.g., dekan@universita.cz instead of the real dekan@univerzita.cz), or the attacker may directly compromise the sender's account and then does not need to spoof anything; at that moment they are writing from the actual sender's address. We must also consider this possibility.
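The two header checks just described (a Reply-To or Return-Path domain that differs from the visible sender, and a look-alike domain such as universita.cz for univerzita.cz) can be automated. This is an added example, not part of the course material; the message, the addresses and the trusted domain it uses are constructed for illustration.

```python
# Spoofed-sender triage: flag the header signs described above. Added example;
# the message, addresses and trusted domain below are constructed.
from email import message_from_string
from email.utils import parseaddr
RAW_MESSAGE = """\
From: "Dean's Office" <dekan@universita.cz>
Reply-To: dean.office.payments@example.net
Return-Path: <bounce@example.net>
To: employee@univerzita.cz
Subject: Urgent invoice payment

Please pay the attached invoice today.
"""
TRUSTED_DOMAINS = {"univerzita.cz"}  # assumed: the organisation's real domain

def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (universita/univerzita)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spoofing_signs(raw):
    """Return human-readable warnings derived from the message headers."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    warnings = []
    # Sign 1: replies (or bounces) would go to a domain other than the visible sender's.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            warnings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")
    # Sign 2: the sender domain is a near miss of a domain we trust.
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(from_dom, trusted) <= 2:
                warnings.append(f"From domain {from_dom!r} looks like {trusted!r}")
    return warnings
if __name__ == "__main__":
    for w in spoofing_signs(RAW_MESSAGE):
        print("WARNING:", w)
```

Run against the constructed message it reports three warnings; a message whose From, Reply-To and Return-Path all sit in the trusted domain reports none, which is exactly why a compromised real account (the last case above) cannot be caught this way.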

Why would anyone want to spoof the sender? Of course, it could just be an innocent prank. Someone might want to trick a friend into thinking that a famous actress is asking them out on a date. While this is morally questionable, it doesn't cause much harm. Much more serious are attacks known as BEC or Business Email Compromise.

This is fraudulent behavior aimed at extracting sensitive information - personal and login details, private keys, trade secrets, etc. These details are most often sought from individuals within the organizational hierarchy who are involved in activities related to financial operations. Recently, there has been an increase in attacks where attackers impersonate prominent university officials and send employees fake invoice payment orders. This is, however, just one form of phishing and social engineering, which you will learn more about in another module.

What to Do If You Suspect a Spoofed Email

  1. The most important thing is never to click on any link or attachment that comes in the email. Similarly, do not succumb to any pressure that may arise from the email (e.g., an expiring invoice deadline, etc.) and handle everything calmly and thoughtfully.
  2. If the email prompts us to take some action (pay an invoice, log in and reset a password, etc.), it is advisable to verify everything through other channels. It is recommended to contact the sender, for example, by phone or through another communication application. Always use contact details that we have obtained through trustworthy means. Never, for example, call numbers given directly in the suspicious email!
  3. Never reply to the email! By responding to the email, we let the attacker know that our address is functional and active. The result will be just many more similar attacks or spam. We simply need to grit our teeth and wholeheartedly ignore the message.
  4. If we suspect (or are certain) that the email is spoofed, it is best to forward it to the cybersecurity team! The quickest way to forward the email is to send the entire email as an attachment, including headers and attachments or links if they are present in the email.

(In)nocent Spam

In today's online world, probably everyone has heard of spam, i.e., unsolicited messages. Spam is ubiquitous today and can be found not only in emails but also on blog pages, social networks, various communication programs, and in recent years even in the form of SMS messages, etc. When it comes to emails, spam accounts for an incredible 45% of all sent messages (some sources even state up to 98%).

What is Spam?

If we look at spam in more detail, we would find that it is unsolicited communication sent to a large number of users. We most often encounter advertising spam. Annoying offers with a plethora of advantageous discounts and great products occasionally land in all our email inboxes.

The line between spam and more dangerous phishing is very thin today. Over time, the scope of spam has shifted from silly advertising messages to more dangerous goals - spreading hoaxes or distributing malware. The goal of spammers (those who send spam) is to obtain personal data from recipients or participate in spreading misinformation or other half-truths and frauds. Last but not least, spam significantly overloads the email infrastructure of an organization. Spam simply cannot be taken lightly.

Why Did I Receive Spam? Where Did the Attacker Get My Address?

Each of us has probably asked questions like "Where did they get my email address?" or "Why do I keep getting spam when I haven't entered my email anywhere?" while cleaning the SPAM folder. Most email addresses are obtained by spammers through robots that browse web pages and look for email contact links. Often, spammers also buy address databases, either legally or on the black market. There are many ways to get our email without us having to provide the spammer with the slightest clue.

What to Do When You Receive Spam?

It is not recommended to open spam or respond to the email in any way, and it is definitely not a good idea to click on links or open any attachments. In some cases, just opening a spam email (for example, when the message loads remote images that act as a read receipt) can confirm to the sender that the email has been read and the mailbox is in use. As a result, we can expect another flood of spam. The best thing to do with spam is to bury it deep in the trash without even opening it.

How to Prevent Spam?

If you are annoyed by constant offers of advantageous advertising opportunities and "millions" of spam emails, the way to go is to regularly mark unsolicited messages as SPAM in your email inbox. We can also minimize the amount of spam in our work email by not using our university address for online shopping, for example. For private purposes, we use a private email address. In addition to our private email address, we can also have a secondary one that we will use exclusively for online shopping, subscribing to newsletters, etc.

Suspicious Attachments

Spam today is not just about advertising and advantageous offers. It often carries attachments that can wreak havoc on our device. Just a few clicks and a moment of inattention are enough to download dangerous malware to your device. Yes, we are talking about suspicious attachments, which are an integral part of many types of cybersecurity attacks.

How to recognize a suspicious attachment? The easiest way is when we receive an email with an attachment from an address we don't know at all and that doesn't seem trustworthy, or the email message itself is strange. In such a case, we immediately consider the attachment dangerous. Unfortunately, it also happens that the method of sender spoofing is used to spread a dangerous attachment. The malicious attachment comes from a source we know and trust, but the email header has been manipulated, or the sender's account has been compromised by an attacker. In such a case, we must use all the critical thinking we have. Identifying the type of file in the attachment or using a handy tool for checking suspicious files like VirusTotal can help us.

The most problematic files are those that can be called executable applications, typically files with extensions like .EXE, .JS, .VBS, and other types of files that we usually don't encounter as regular users. It is always good to evaluate the entire email as a whole. Look at the header, the body of the email, and its grammar - and finally, the mentioned attachments.

Who Can Read My Communication?

Do you still occasionally send traditional paper postcards from your vacation? We probably wouldn't write any secrets or personal things on such a postcard. We understand that in the entire process of sending a postcard, its content is visible to anyone - from postal workers to mail sorters at the postal center to our curious neighbor.

A regular email is unfortunately somewhat like a postcard. Instead of postal workers, many email servers, whose administrators we usually don't know, see it on its way. And it's the same with most of our other online communication. In the hustle and bustle of everyday life, we often use the communication channels that are most convenient for us. However, these may not always be the safest.

Magda sends messages to her colleagues from the department and her doctoral students via Facebook. It is often faster for her to handle administrative matters through Messenger. She sends internal work documents, her work reports, contracts - basically whatever needs to be quickly resolved. Recently, she even sent her colleague a password for logging into the Erasmus international mobility system via Messenger - it was simply the quickest solution to respond to her colleague's query on Messenger in the same way.

It's exactly the same as if Magda wrote the password on a postcard and sent it by mail. Some communication tools still send messages in so-called plaintext, i.e., readable text transmitted in exactly the form in which we see and read it. Under certain conditions everything can thus be intercepted and read, and here we are not even talking about the level of privacy protection the service itself offers.

What to Do? Encryption!

In the case of the mentioned vacation postcard, we can protect our secrets by encrypting the text and giving the recipient the secret key to convert the incomprehensible jumble of characters back into readable text. A bit like at a scout camp. In electronic communication, it works very similarly, except that instead of camp ciphers, more advanced mathematical processes are used. Such communication is called encrypted communication.

One type of encrypted communication is so-called end-to-end encryption (E2E). Let's say I need to ask my colleague or classmate something important and I don't want anyone to read the message along the way. Therefore, I can use a communication application that offers E2E encryption. The message is encrypted on my device and sent to the internet in an encrypted, unreadable form. For anyone who wants to read it along the way, it will look something like this:

oR9MzsC3FTobl3Ph9T/aQng5HZ+hhS3udDwzYix83oE=

It will be decrypted back into readable form only on my colleague's device, who uses the same application. Even the operator of the tool through which my colleague and I are discussing today's lunch cannot see what we are writing about thanks to E2E encryption.
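What the three parties in this description actually hold can be shown in code: the sender's device encrypts, the operator's relay stores and forwards only an opaque blob like the one above, and the recipient's device decrypts and also detects tampering. This is an added example, not code from the course or from any messaging app; it assumes the two devices already share a key, and it uses a deliberately simple toy cipher (an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC) so that it runs on the Python standard library alone, whereas real apps use vetted protocols.

```python
# E2E demo: sender encrypts, relay only stores opaque text, recipient decrypts.
# Added example with a toy stdlib-only cipher; real apps use vetted protocols.
import base64
import hashlib
import hmac
import os

def _keystream(key, nonce, length):
    """Keystream bytes as successive HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    """Sender's device: returns base64(nonce || ciphertext || tag), the form a relay sees."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def decrypt(key, token):
    """Recipient's device: verifies the tag, then decrypts; raises if altered in transit."""
    blob = base64.b64decode(token)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message was modified in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class RelayServer:
    """The messaging provider: it can store and forward blobs, never read them."""
    def __init__(self):
        self.mailbox = []
    def deliver(self, token):
        self.mailbox.append(token)   # all the operator ever holds is this string
        return token

def demo(shared_key=b"constructed-demo-key-not-for-real-use"):
    """Send one message through the relay and read it on the recipient's side."""
    relay = RelayServer()
    relay.deliver(encrypt(shared_key, b"Lunch at 12:30?"))
    stored = relay.mailbox[-1]           # what the operator would see
    return stored, decrypt(shared_key, stored)

if __name__ == "__main__":
    seen_by_relay, plaintext = demo()
    print("relay sees:", seen_by_relay)
    print("recipient reads:", plaintext.decode())
```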

Which Tools Use E2E Encryption?

The most widespread communication applications that should currently use E2E encryption are WhatsApp and Signal; the latter is generally perceived as the safer option today. Messages on Instagram, Google Hangouts, or Snapchat and on most other communication platforms do not use E2E encryption, so we should not use them for communicating more sensitive topics. Some tools offer E2E encryption only if we specifically enable it (e.g., Facebook Messenger, Telegram).

Can Emails Be Encrypted Too?

Yes, emails can also be encrypted. When we send an email, we want to assure the recipient that it is indeed from us, i.e., we want to digitally sign the email, and then also encrypt it so that only the recipient can read it. We will need a personal certificate for this, which we will then set up in our email program. For more information, please contact your IT administrators.

One More Important Rule at the End

Prefer the solutions offered by our university.

Petr forwards his school email to his private Gmail account. He does this because he doesn't want to log into multiple emails and finds it easier to handle everything from one environment. The password for logging into Gmail is also simpler, and he has remembered it over the years - he also uses it elsewhere. However, his data was recently part of a data breach. An attacker logged into Petr's account and changed his password. Now, the attacker can read both Petr's personal and work emails undisturbed and can easily impersonate Petr. Petr wrote to Google's support, but no one responded. Moreover, Petr has no way to prove to Google that he is indeed Petr. He then turned to his university's cybersecurity support, but they couldn't help much either. They do not manage Google's servers and do not have access to them. If Petr had used the services officially supported by the university, the cybersecurity team would now have much broader options to help Petr in his difficult situation.

Therefore, it is not advisable to use personal email accounts for work matters, such as forwarding work emails to your private email (like Gmail, Seznam Mail, and similar). In the event of a security incident, internal work information lies on a third-party server, such as Seznam or Google, and may be at risk there. Always use the tool and email client provided or recommended by your university. Whenever a security problem occurs, it will always be easier for the university's qualified experts to solve it in an environment they directly manage or have better access to.

This also applies to messengers and quick communication. For work and study matters, prefer the tools provided by the university when communicating with classmates and colleagues. This could be, for example, Microsoft Teams for quick messages and groups (instead of unencrypted Facebook Groups) and similar tools.

Author: CRP-Kyber, edited and translated by Jiří Krčmář | Date: 21.09.2024