The tl;dr summary for those with short attention spans – Don’t open the attachment, be quick to delete anything you’re not sure about, and if you want to help in the fight against phishing, report it using the guidelines I’ve outlined below.
I received a pretty awesome phishing email today. It included a significant attachment that I’m looking forward to analyzing at a later date.
Since it will take me a while before I’ve got the time to run the analysis, I decided I wanted to forward it around to the appropriate organizations to ensure that they take some time and analyze it and make sure other individuals can be protected from it.
It turns out that there are more places to forward this than I expected. So here’s what I’ve found. You can forward the email to these addresses:
- US-CERT (Computer Emergency Readiness Team) at email@example.com (link)
- The Federal Trade Commission at firstname.lastname@example.org (link)
- The Anti-Phishing Working group at email@example.com (link)
- If IRS-related, the IRS at firstname.lastname@example.org (link)
- If appropriate, some state governments have cyber-crime divisions as well, such as here in Virginia: email@example.com
- You can also often forward to abuse@[domain] where applicable.
You can submit phishing websites to:
- The FBI’s Internet Crime Complaint Center (IC3)
- US-CERT (Computer Emergency Readiness Team) by sending email to firstname.lastname@example.org
- The Anti-Phishing Working group (APWG)
Most anti-malware providers are part of the APWG, so definitely make sure you submit there to increase the chances of later defense against the same attack.
Now what happens when you forward the email and you get an error?
Well, some (good) email providers scan email upon sending. In that case, you might not be able to actually email the example for further analysis. In this case you can typically send an encrypted zip file.
To do this, find a way to get the raw message source for the email. (Some help here and here.) Then, save the source as a plain text file using a local text editor. Finally, use a method to zip that text file with password-based encryption (use Google to find steps that will work best for you).
When you send the email, attach the encrypted zip file and explain you attached an encrypted zip file of the suspected phishing email, and include the password you used when zipping it. The password is just there to get past the email server, you don’t want the recipient to not be able to view the message!
Now, pat yourself on the back for helping take a bite out of crime.