We are often asked to take a look at e-mail headers or to give our professional opinion on embedded links contained in emails.
One evening, on the drive back from a customer site, Steve got to thinking: “if we create a tool for our customers that can automate those checks, they can check instantly for themselves, greatly reducing the threat window”.
From that our ‘x ray’ tool was born. It looks underneath the surface and presents the user with the truth behind what would be displayed (rendered) in their web browser. For example, what a link displays on screen and where it actually takes the user are often two very different things. The main benefit, though, is the speed at which information can be relayed to a company's user base, especially if they are distributed across sites or working remotely.
User1 receives an e-mail. It looks legitimate, but they are concerned about the link it contains, so they scan it with our tool. The scan results highlight that all is not right, so they delete the e-mail. They also tick a box on the results screen to state that the results look highly suspicious to them, which adds a ‘peer’ validation record to the database for that link URL.
User2 comes along and scans the same link, gets the same scan results, but also sees that one of their colleagues has already scanned it and marked it as suspicious. They too delete the e-mail and mark it as suspicious, creating another ‘peer’ record.
Further users come along and scan the same link. They are shown that many of their colleagues at their site, possibly others within the wider company, and others outside their company have all received the same e-mail and classed it as suspicious.
If everyone uses the tool to scan links before clicking on them, the time taken to warn against a threat can be reduced to seconds. The first user to click on a link doesn't need to be particularly clued up to protect the rest of the workforce; the tool does all the hard work. If a user isn't sure, they can refer the URL back to us for a second opinion, and in the meantime other users will be presented with a message telling them not to click on the link until the further analysis has been completed.
Without that instant reporting it takes time for word to get around from the more clued-up staff that the e-mail is dangerous. In that time a number of users are likely to be duped into giving away login details to internal or cloud-based systems, or into unwittingly downloading a trojan horse onto the network (many of these are now written specifically to target a particular company and may not be picked up by traditional anti-virus scanners).
How does it work – empowering the user
The tool opens the HTML source of the page and interrogates it in the same way that we would manually. In fact it is cleverer than us, as it is able to follow redirected pages (one of the common tricks is to use several page redirections to hide the true destination) and highlight that trick to the end user.
It uses a method called recursion to drill down to the final page that would be displayed in the user's browser and interrogate its contents. It then displays that final URL, its IP address, the domain suffix and associated country, and where in the world the web server serving the page is hosted. It also highlights the location of all external links that pull components, pages or resources into the end page that would be rendered in the user's browser.
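The redirect-following step described above, as an added illustration that is not the x ray tool's own code. It recurses through HTTP Location headers and HTML meta-refresh redirects until it lands on a page, refusing loops and over-long chains, and then lists the third-party hosts that the final page pulls resources from. The "web" it fetches from is a constructed in-memory table of hypothetical hosts (short.example, hop.example, final.example and so on) so that it runs offline; a real scanner would swap in a fetcher that performs the HTTP requests with automatic redirects disabled. The IP, domain-suffix and country lookups the tool also reports need DNS and a geolocation database and are left out here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed final landing page (hypothetical hosts) that loads resources
# from several third-party domains, as a phishing page often does.
FINAL_PAGE = """<html><body>
<form action="https://collect.example/post"><input name="pw"></form>
<img src="https://cdn.example/logo.png">
<script src="//tracker.example/t.js"></script>
<link rel="stylesheet" href="/style.css">
<a href="http://final.example/help">Help</a>
</body></html>"""

# Constructed offline stand-in for the web: url -> (status, headers, body).
# Two relative and absolute HTTP redirects, then a meta-refresh redirect,
# plus a two-page redirect loop to show the guard rail.
FAKE_WEB = {
    "http://short.example/abc": (302, {"Location": "/r2"}, ""),
    "http://short.example/r2": (301, {"Location": "http://hop.example/go"}, ""),
    "http://hop.example/go": (200, {}, '<meta http-equiv="refresh" content="0; url=http://final.example/login">'),
    "http://final.example/login": (200, {}, FINAL_PAGE),
    "http://loop.example/a": (301, {"Location": "http://loop.example/b"}, ""),
    "http://loop.example/b": (301, {"Location": "http://loop.example/a"}, ""),
}


def fake_fetch(url):
    """Stand-in fetcher; unknown URLs behave like a 404 with an empty body."""
    return FAKE_WEB.get(url, (404, {}, ""))


class PageScanner(HTMLParser):
    """Collects every URL the page pulls in, plus any <meta refresh> target."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self.meta_refresh = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*([^;\s\"']+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh = m.group(1)
        for key in ("src", "href", "action"):
            if a.get(key):
                self.refs.append(a[key])


def resolve(url, fetch=fake_fetch, max_hops=10, _chain=None):
    """Recursively follow redirects from url; return the final page and its external hosts."""
    chain = (_chain or []) + [url]
    status, headers, body = fetch(url)
    scanner = PageScanner()
    scanner.feed(body)

    if 300 <= status < 400 and headers.get("Location"):
        nxt = urljoin(url, headers["Location"])      # relative Location is allowed
    elif scanner.meta_refresh:
        nxt = urljoin(url, scanner.meta_refresh)
    else:
        nxt = None

    if nxt is not None:
        if nxt in chain:
            return {"final": url, "chain": chain, "error": "redirect loop"}
        if len(chain) >= max_hops:
            return {"final": url, "chain": chain, "error": "too many redirects"}
        return resolve(nxt, fetch, max_hops, chain)

    # Landed: report where we ended up and which other hosts the page loads from.
    final_host = urlsplit(url).hostname
    hosts = {urlsplit(urljoin(url, r)).hostname for r in scanner.refs}
    external = sorted(hosts - {final_host, None})
    return {"final": url, "chain": chain, "hops": len(chain) - 1, "external_hosts": external}


if __name__ == "__main__":
    for start in ("http://short.example/abc", "http://loop.example/a"):
        print(start, "->", resolve(start))
```

The chain is returned alongside the final URL so the user can see every hop, which is exactly the trick the text says the tool highlights; a display-text-versus-destination check would compare the link's visible text against `final` rather than against the href the e-mail shows.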
The tool has since been enhanced to check e-mail headers themselves, as we are often asked to check whether a suspicious inbound e-mail is legitimate or spoofed.
Outlook: headers can be viewed by opening the message and then clicking on the little downward arrow in the Options bar at the top of the page.
Google/Google Apps Webmail: Click on the downward arrow next to the reply button and select ‘Show Original’
Copy and paste the header text into the box on the x ray tool and it will explain where the e-mail originated and whether it has been spoofed.
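The kind of header check the tool performs on pasted text, as an added example and not the x ray tool's own code. It walks the Received chain back to the originating IP, compares the envelope sender (Return-Path), the From domain and the Reply-To domain, and reads the receiving server's Authentication-Results (SPF, DKIM, DMARC) into a short list of findings. The header block is constructed; its domains and IPs are hypothetical and use documentation address ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header block. Received lines appear newest-first, as
# each relay prepends its own line; the bottom one is the origin.
SAMPLE_HEADERS = """Return-Path: <bounce@mail-relay.example.net>
Received: from mx.corp.example ([192.0.2.10]) by inbox.corp.example with ESMTP; Mon, 1 Jan 2024 09:00:00 +0000
Received: from relay.example.net ([198.51.100.23]) by mx.corp.example with ESMTP; Mon, 1 Jan 2024 08:59:58 +0000
Received: from bank.example ([203.0.113.77]) by relay.example.net with SMTP; Mon, 1 Jan 2024 08:59:50 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Your Bank" <security@bank.example>
Reply-To: helpdesk@bank-support.example.org
Subject: Urgent: verify your account
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Domain part of an address header, or None if there is no address."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def received_ips(msg):
    """Relay IPs in transit order, oldest hop first (so index 0 is the origin)."""
    ips = []
    for line in reversed(msg.get_all("Received") or []):
        m = IPV4.search(line)
        ips.append(m.group(1) if m else None)
    return ips


def auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving MX."""
    results = {}
    for line in msg.get_all("Authentication-Results") or []:
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", line, re.I):
            results[method.lower()] = verdict.lower()
    return results


def analyse(raw_headers):
    """Summarise origin, sender-domain consistency and authentication for pasted headers."""
    msg = message_from_string(raw_headers)
    ips = received_ips(msg)
    auth = auth_results(msg)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])

    findings = []
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"envelope sender {rp_dom} differs from From domain {from_dom}")
    if reply_dom and from_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) in ("fail", "softfail", "permerror"):
            findings.append(f"{method.upper()} result: {auth[method]}")

    return {
        "origin_ip": ips[0] if ips else None,
        "hops": ips,
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "auth": auth,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_HEADERS)
    print("origin:", report["origin_ip"], "via", report["hops"])
    for f in report["findings"]:
        print("-", f)
```

Only the Received lines written by your own mail servers can be trusted; anything below the line your MX added was supplied by the sender and may be fabricated, so the origin IP is the last hop your own infrastructure saw, and the Authentication-Results header should be read only when it was stamped by your own MX.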