Email threats are among the most common types of attacks encountered by Security Operations Center (SOC) analysts, and they often occur multiple times during a working shift. Moreover, malicious emails are often the first step in an attacker’s attempt to gain access to a target environment. Given the increase in these types of threats, SOC analysts and cyber investigators must understand attackers’ techniques to initiate attacks via email and how to investigate and respond to email threats.
The objective of this chapter is to learn why attackers prefer phishing emails to gain initial access, the most common email threats, the most common techniques by attackers to evade detection and trick the victim, how to analyze email secure gateway logs, and how to investigate suspicious emails.
In this chapter, we will cover the following main topics:
Let’s get started!
In the cyberattack chain, once an attacker has conducted reconnaissance against the target victim’s environment and infrastructure, and prepared the necessary weapons and equipment, the next step is to determine their preferred method and technique to gain initial access to the victim’s environment. Attackers have several techniques at their disposal to gain initial access, including sending phishing emails, exploiting public-facing applications, luring users to visit a compromised website through drive-by compromise, and stealing valid remote credentials such as a VPN or RDP. Understanding the various techniques attackers use to gain initial access is crucial for security professionals to identify and prevent attacks before they can cause damage.
As per the IBM Security X-Force report, 41% of the attackers prefer phishing techniques to gain initial access to the victim’s environment, either by sending a weaponized document or a malicious link to the target victims (see Figure 1.1).
Figure 1.1 – The top infection vectors from the IBM Security X-Force Threat Intelligence Index 2022
Let us explain why most attackers prefer to gain initial access by using phishing mechanisms.
A phishing email is a type of social engineering attack where an attacker tricks target victims into opening a malicious file or link or providing personal or confidential information, such as passwords and credit card numbers, through fraudulent emails. The reason why phishing is a preferred and successful way for attackers to gain initial access to the victim’s environment is due to several factors, including the following:
The reconnaissance phase is the first step taken by intruders to breach a target environment. This phase can last for hours, days, weeks, or even months. During this phase, attackers collect information about the target victim, including their email addresses, which can be used to deliver a weaponized document or link. Attackers can collect email addresses in several ways, such as through job postings, social media platforms such as LinkedIn, third-party subscriptions, data leaks on the dark web, Wayback Machine archives such as Archive.org, or data collection from marketing platforms such as ZoomInfo.com.
It is relatively easy for an attacker to upload malware to legitimate cloud platforms and then share the download link with the victim through email. They can also weaponize a document through Visual Basic for Applications (VBA) macros or send the malware executable itself in a compressed format, all of which can be sent to the victim via email.
Attackers exploit the fact that many users may be vulnerable to social engineering attacks, and a majority of them may not have received proper security awareness training to recognize and respond to these threats.
Now that you understand why most attackers choose phishing emails as a way to achieve their goals, such as gaining initial access to the victim’s environment, let us discuss the various email threat types.
Email threats are every threat your environment faces when deciding to use an email service. They are not limited to phishing emails only; some attackers also use email for blackmailing, information leakage, data exfiltration, and lateral movement. In this section, we will focus on email threats that originate from external sources and discuss in detail four common types of email threats that organizations face:
A spearphishing attachment involves adversaries sending phishing emails to target victims with malicious attachments, either to gain initial access to their systems or harvest their credentials. After defining a list of the victims’ email addresses and preparing the weaponized attachment, the attacker become ready to send the email to the victim with one click. However, the question remains, which weaponized attachment will an attacker choose? Let us discuss the most common weaponized attachment types used by threat actors.
Note
Phishing and spearphishing are both types of email attacks that aim to steal sensitive information or compromise a target’s computer system. While both methods have the same ultimate goal, the primary difference between the two is the level of targeting involved. Phishing emails are mass email attacks that are sent to a randomly large number of people. In contrast, spearphishing emails are much more targeted and personalized. They are specifically crafted to target a particular individual or group of individuals, such as employees of a particular company or members of a specific organization.
When you hear the term phishing attachment, you may think about just one or two types of attachments, but due to the different preferred attacker methods, target victims’ infrastructure and business, and attacker goals, there are variants of the malicious attachment types that attackers email to their target victims. The following are the five most common examples of phishing attachment types:
.iso
files to deliver malware to target recipients. Attackers depend on ISO image files because they are like disc images; hence, they can be used to bypass file filters and evade antivirus detection.Figure 1.2 – An HTML phishing attachment impersonating a Microsoft login page
As you can see, an attacker developed an HTML phishing file impersonating the Microsoft login page to trick the victim into entering their credentials.
A spearphishing link involves adversaries sending spearphishing emails to target victims with a malicious link, to either harvest their credentials or trick them into downloading malware and executing it on their machine, thus gaining initial access to their systems. As with all email threats, after defining a list of the victim’s email addresses and preparing the phishing link, the attacker is ready to send an email to the victim. But what is the attacker’s purpose in sending the spearphishing link to the victims? Let us discuss the two most common types of phishing links used by attackers.
As we mentioned before, every adversary has different intentions. Some of them just want to harvest a victim’s credentials, while others want to gain an initial foothold in the victim’s system. As with spearphishing attachments, there are variants of malicious link types that attackers use to mail to target victims. The following are two common examples of phishing link types:
appspot.com
and web.app
domains, as we will see later in the Attacker techniques to evade email security detection section. In 2014, an American multinational financial services company fell victim to a cyberattack. The attack started when attackers sent phishing emails to employees that contained a link to a fake website resembling the company’s VPN login page. The employees were tricked into entering their login credentials, which were then harvested by the attackers. With access to the company’s network, the attackers were able to steal data on more than 76 million households and 7 million small businesses.A blackmail email, also known as a “sextortion” email, is a term used to describe an email scam where an attacker claims to have compromised the victim’s machine and exfiltrated sensitive data, including sexual content and pictures to the attacker’s server. The attacker then demands payment in bitcoin and threatens to publish the data on the internet if the victim does not comply. In order to convince the victim that they have indeed been compromised, attackers typically employ one of two methods, which we will discuss in the next section. This type of email scam is particularly effective as it preys on people’s fear of having their private information exposed, and the use of cryptocurrency makes it difficult to trace the attacker.
Proving a data breach to the victim may seem simple if the attacker has acquired actual sensitive data, such as sexual content, pictures, or confidential files. However, in many cases, attackers may not have accessed valuable data or compromised the victim’s machine at all and simply attempt to scam the victim. There are two common methods that attackers use to convince victims that a data breach has occurred:
The email spoofing technique will be covered in detail in the next chapter, Email Flow and Header Analysis.
Figure 1.3 – A spoofed blackmail email (Malwarebytes)
As you see in the preceding screenshot from the Malwarebytes website, the attacker in this scenario used the email spoofing technique to spoof the victim’s email address to send a blackmail message to the victim, claiming that the victim’s data has been compromised and that the attacker possesses sexual content, which they will release to the victim’s contacts if the victim does not transfer 1,000 USD to the attacker’s bitcoin wallet.
Business Email Compromise (BEC) is a type of email scam where the attacker targets a specific individual within a company who has access to financial information, such as an executive or a finance employee, and tricks them into making a fraudulent financial transaction or wire transfer. BEC attacks often involve the email thread hijacking technique, which we will discuss in the Social engineering techniques to trick the victim section, or spoofing the email address of a trusted partner or company executive to convince the victim to transfer money or sensitive information to the attacker’s account.
BEC attacks are one of the most trending and result in significant financial losses for organizations, making them a growing concern in the cybersecurity community.
In 2018, the US Department of Justice reported that a Nigerian cybercriminal group called Gold Galleon had used the email thread hijacking technique in BEC attacks against maritime shipping companies. The group would first gain access to an employee’s email account through spearphishing or other means. Once they had access, they would search the employee’s emails for ongoing conversations related to cargo shipments and then use the email thread hijacking technique to intercept and take over the thread. Using this technique, the attackers could impersonate the legitimate email sender and request that payment for the cargo shipment be redirected to a new bank account. Since the email appeared to be part of an ongoing conversation, the victim would often not suspect anything was wrong and would comply with the request, resulting in significant financial losses for the targeted companies.
In one case, the Gold Galleon group was able to steal over $1 million from a shipping company using this technique. The group is believed to have targeted over 100 maritime shipping companies in the United States, Europe, and Asia, with losses totaling tens of millions of dollars.
Now that you are familiar with the most four common email threat types, let us see the attacker techniques to bypass email security solutions deployed in the victim’s environment, as well as the attacker techniques to evade email security detection.
As cyber defense and security controls have become increasingly advanced, attackers have become more creative in their techniques to evade detection by email security solutions. Many critical organizations have now deployed such solutions to check every email sent from external senders to internal recipients, and they have skilled SOCs and threat-hunting teams to detect and respond to threats. In this section, we will explore some of the techniques that attackers use to bypass email security solutions and carry out successful attacks:
appspot.com
and web.app
domains. Attackers were able to abuse these domains by hosting malicious subdomains that contained phishing login pages targeting well-known brands, such as Microsoft Outlook and Dropbox. Due to being hosted on legitimate web servers, these phishing URLs were not categorized as malicious domains in threat intelligence platforms, which made them difficult to block with email gateway security solutions. However, email gateway security solutions that received threat intelligence feeds that included specific phishing subdomains/hostnames could block the phishing attempts (see Figure 1.4).Figure 1.4 – A phishing subdomain targeting Outlook hosted in a web.app domain
As you can see, an attacker developed an HTML phishing file impersonating the Microsoft Outlook login page and hosted it on a subdomain of the web.app domain.
Now that you are familiar with most attackers’ techniques to bypass the email security solutions deployed on a victim environment, let us see some attacker techniques to trick the victim into listing their email as a trusted email and interacting with its contents.
Now, after bypassing the email security controls, an attacker will trick the victim into listing their email as a trusted email and interacting with its content, such as executing attachments or browsing URLs. To trick the victim into interacting with the attacker’s email as a trusted mail, the attacker conducts some social engineering techniques. Social engineering is when an attacker accomplishes malicious activities by tricking the victim into performing human interactions – for example, executing malware, entering credentials into phishing URLs, spreading malware by sending it to their colleagues, and providing sensitive information. There are several techniques used by attackers to conduct successful social engineering attacks, as listed here in detail:
Figure 1.5 – Spoofing an IRS domain to send a phishing email (ABC7 Chicago)
As you see in the preceding screenshot, the attacker spoofed the US government Internal Revenue Service (IRS) domain to send a phishing email to their victims.
organization.com
by compromising the victim1@organization.com
mailbox. The attacker then spots an email thread between the compromised email address and the target company’s email address, target@targetorg.com
. Using their access to the compromised victim mailbox, the attacker copies the email thread to his external server and replies to the thread, using a newly created domain email address similar to the compromised organization, such as victim1@organization.co
. The attacker then asks the targeted user to perform some actions, such as changing bank account information, transferring money, providing sensitive information, or executing attachments. This way, the attacker hijacks the email thread between victim1@organization.com
and target@targetorg.com
for their newly created domain email address, victim1@organization.co
(see Figure 1.6).Figure 1.6 – The steps of email thread hijacking
Attackers usually utilize the email thread hijacking technique in a BEC attack, a type of social engineering attack where the attacker targets a specific individual within another company with whom the victim has an established business relationship, often someone who has access to financial information. The attacker then poses as the legitimate business entity, using similar email domains, and sends a convincing email requesting a change in payment instructions, such as instructing the victim to transfer funds to a new bank account number.
appspot.com
and web.app
domains), to trick the victim.Now that you are familiar with some attacker techniques to trick victims into listing their email as a trusted email and interacting with its content, let’s move on to analyze secure email gateway logs.
Email gateway security is a security solution that checks and analyzes every email, including its content, sent from external email addresses to internal email addresses and vice versa. Such an inline position allows email security controls to have visibility of all emails sent and received, which makes its logs very valuable during threat detection and investigations.
Email security solutions typically provide several types of logs to help organizations monitor and analyze email activity. Here are some common types of logs:
During this section, we will discuss and analyze the most common log fields that are generated and exist in all security email gateways, regardless of product name or vendor:
Purchase order
, Important note
, and Invoice
) will help you detect the spearphishing attachment emails.Now that we are familiar with the most common possible log fields in all email security gateway logs, let us learn how to investigate suspicious emails.
Investigating suspicious emails is the process of investigating every digital evidence related to an email, such as the email appliances log attributes, email body content, email sender behavior, analyzing the email header (as we will see in the next chapter), and investigating the attachments (either a file or URL). We will divide our investigation of the suspicious email process into subsections. In each one, we will try to confirm whether an email is either malicious or benign. To do such confirmation, you will need to follow all the investigation subsections, even if you felt during any subsection that you were sure about the email classification as either malicious or benign.
We will be discussing the following topics in the sub sections:
While investigating suspicious and unusual emails, a useful initial step is to examine the reputation of the email sender domain by conducting a search engine query, such as on Google. By researching the domain’s reputation, you may find several threat reports, articles, and threat tweets, indicating that the email sender domain is a well-known malicious email sender domain that is currently used by an active threat actor to deliver spearphishing emails. Alternatively, you may find the email sender domain is related to an organization that your organization may do business with and the email seems legit. Also, you may not find any results of the email sender domain and find it was recently created, which makes the email even more suspicious, as most attackers now find it easy and cheap to create a new domain with a non-malicious history to send phishing emails. However, it’s important to note that conducting a search engine query on the email domain is only an initial step and does not provide a confirmation of whether the email is malicious or not. It’s also worth considering that attackers may use public mail domains such as Gmail or Yahoo for spearphishing emails, due to their easy account creation and non-malicious history reputations.
One of the most popular online tools that you can use to check whether a specific domain sender or sender SMTP IP is blacklisted due to its reputation is MxToolbox (https://mxtoolbox.com/). The tool allows you to check the suspicious email sender domain or the sender SMTP server IP against 82 known blacklists (see Figure 1.7).
Figure 1.7 – Checking a suspicious sender IP on MxToolbox blacklists
As you can see in the preceding screenshot, I checked a suspicious sender SMTP server IP, as we can check suspicious email sender domains also as well. After checking the IP against the 82 blacklists, we found it blacklisted on two lists, which indicates that it has a history of sending malicious emails.
During the previous subsection, we discussed that you may find an email sent from a legit organization domain address that your organization has business with. However, as we mentioned before, the attacker can spoof a legit domain email address to trick a user into interacting with their email content. Hence, if we identified during the previous subsection that the Email sender domain is related to a legit organization, we have to validate that the sender domain is not spoofed by the attacker. We will learn how to check and investigate the presence of spoofing during our analysis of email headers in the next chapter, but you will not always have an email header to analyze; hence, we will try to check the presence of spoofing instead by using the email security appliance logs.
To check for spoofing attempts, we will try to validate whether an email sender domain sent an email from its authorized SMTP server IP or not. For example, in the screenshot in Figure 1.8, the email sender claims to have sent the email from an email address associated with the legitimate domain fedex.com. To validate this, we extracted the sender’s SMTP server IP by analyzing the email security appliance logs and identified that the email was sent from the 95.211.214.81
SMTP server IP address.
Figure 1.8 – A suspicious email, sent from an email sender who claims to be a member of the FedEx domain
To investigate whether the email sender spoofed the fedex.com domain to send this email, we will use MxToolbox to check the MX record of the fedex.com domain to verify the authorized and acceptable SMTP servers that send emails on behalf of the fedex.com domain. While the primary objective of MX servers is to receive emails sent to specific domain recipients, as we will see in the next chapter, I have observed that many domains also utilize their MX servers to send emails to external recipients. To check the domain MX record, open the MxToolbox MX lookup URL (https://mxtoolbox.com/MXLookup.aspx), then enter the domain that you need to verify, and press Enter (see Figure 1.9).
Figure 1.9 – Checking an MX record FedEx domain
As you see in the preceding screenshot, we checked the MX record to verify the authorized SMTP servers to send emails on behalf of the fedex.com domain and found that the authorized servers are mapper.gslb.fedex.com, mxa-0002ee02.gslb.pphosted.com, and mxa-0002ee02.gslb.pphosted.com, and their corresponding IPs. You can also see in the preceding screenshot that there are multiple MX records with different preference values. The preference value is the way of setting the priority of each MX record. The lowest preference is the MX server with the highest priority – that is, the first one that a sending mail server should attempt to use.
On the other hand, in the email gateway security appliance logs, the SMTP server that sent the email is the 95.211.214.81
IP. To verify whether this IP is related to one of the three aforementioned authorized SMTP servers or not, we checked the WHOIS record of the IP and found it was not related to any of them, which means the attacker used an unauthorized SMTP server to spoof the fedex.com domain to scam the recipients (see Figure 1.10). To check the IP Whois record, we used the Domain Tools platform (https://whois.domaintools.com/).
Figure 1.10 – The 95.211.214.81 Whois record
Now, you should have the basic information to determine whether the email was spoofed or sent from a known malicious source. In the next subsection, we will explain how to observe suspicious email sender behavior.
Let's suppose that the previous two investigation steps show that the email sender domain and its SMTP server are not blacklisted, and the email sender domain of the suspicious email has not been spoofed and is related to a company that your organization may have business with. Now, you may be confused because the email seemed suspicious but your investigations show that everything is normal. To make a decision on this, we need to check the email sender behavior by checking the following:
All previous checks and email characteristics may indicate legitimate emails sent from a legitimate sender without any malicious content, or they may also be a legitimate organization compromised by an attacker who is trying to gather new victims by utilizing the trusted relationship between the current victim and the new targets. To determine which of the two situations is the case, you will need to analyze the email content, as we will see later.
The email subject and attached filename usually refer to the email content. When investigating suspicious emails from email security log properties, try to observe the most common attacker keywords used in the subject lines of phishing emails, such as RE:, FW:, Invoice, Missing Inv, New Message from, New scanned, You have a New Message, New message from, Verification Required, and Action Required. Also, attackers use common keywords in filenames, such as invoice, order, contract, payment, offer, planning, and SWIFT. All these keywords are used by an attacker to encourage and trick the victim into interacting with the email content.
As you may know, the main objective of phishing emails is to convince the victim into interacting with malicious email contents, such as malicious attachment files, phishing URLs, or forms to harvest the victim’s information. Hence, to accurately classify an email as malicious or benign, the best option is to carefully examine its contents, including any attached files or URLs; to do so, we will depend on two online tools – the URL scan tool to analyze the suspicious URLs and the ANY.RUN sandbox to analyze the suspicious files.
As previously mentioned, attackers can send phishing URLs to victims in an attempt to harvest their credentials or download malware onto their machines. In this section, our investigation will focus on identifying and analyzing URLs used for credential harvesting, utilizing the URL Scan platform (https://urlscan.io/). URL Scan is a powerful platform that allows users to investigate suspicious URLs, in both public and private modes. Public submissions can be viewed by other visitors, while private submissions are only visible to the user who submitted them. Additionally, the platform provides a searchable database of historical URL submissions for those that were scanned using the public scan mode (see Figure 1.11).
Figure 1.11 – The URL Scan platform main view
As you see in the preceding screenshot, upon opening the URL Scan platform, this is the primary view that appears. Also, note that I have highlighted the most interesting features, such as the Search button that allows you to search in the submissions history of URLs scanned in the public mode, the URL submissions bar that allow you to submit the URL to scan, and the current scan mode. As you can see, you are in public scan mode by default; to explore the possible custom configurations and to switch to private scan mode, you can click on the Options button.
Now, let us assume that you are investigating a suspicious URL sent over email to a recipient who is an employee at your organization. The suspicious URL is hxxp[:]//omwowxisx[.]ml/Archive/
. To analyze this URL, we just need to copy and paste it into the submission bar (URL to scan) and press the Enter button (see Figure 1.12).
Figure 1.12 – An analysis of suspicious URLs using URL Scan
As you can see in the preceding screenshot, the investigation of the suspicious URL resulted in the URL being a malicious and phishing one. And as you see in the targeted brands section, this phishing URL targets the SharePoint and Microsoft brands to harvest their users’ credwentials. If you were investigating a phishing URL and found the target brand is your organization brand, the attacker may use your organization logo and its login page to harvest the organization’s employee credentials. If so, you need to know that your organization and employees are under attack by a threat actor.
As we mentioned before, an attacker may send a spearphishing email containing a malicious file to the victim to gain an initial foothold in their machine and environment. In this section, we will learn how to analyze and investigate suspicious files by using an online sandbox platform called ANY.RUN (https://app.any.run/). ANY.RUN is an online interactive malware sandbox that presents a virtual machine interface, which can be controlled in real time and perform file analysis. ANY.RUN allows you to submit both files and URLs to interactively analyze them (see Figure 1.13).
Figure 1.13 – The main view of the ANY.RUN online sandbox
As you can see in the preceding screenshot, in the upper left of the main view of the ANY.RUN sandbox platform, there is a New task button, which allows you to submit either a file or URL for analysis. Under the New task button, we find Public tasks, which allows you to view the history of all users’ submitted tasks, analyzed in public mode. Also, you are able to search this history data by using some filters, such as file extension, submission country, and tags. The History button allows you to view your account submission history. On the right, you will find statistics of the submissions, such as the top submitting country and trending tags.
Important note
To prevent unintentionally becoming involved in a data leakage incident, it is recommended to refrain from submitting any potentially suspicious attachment files that may contain sensitive information about your organization or its business to any cloud sandbox or analysis tools.
To analyze a suspicious file on ANY.RUN, click the New task button, choose to upload a file, and then upload the suspicious file for analysis. In this case, we will analyze a Microsoft Office document file type, which is the most used file type in spearphishing attacks to gain initial access to the victim’s machine. The file that we will analyze is named VISA PAYMENT (1).xls
(see Figure 1.14).
Figure 1.14 – Analyzing a suspicious file using the ANY.RUN sandbox
As you see in the preceding screenshot, we submitted the VISA PAYMENT (1).xls
file for analysis on ANY.RUN. As you can see, the file is encrypted by a password that is shared with the victim through the email body. After submitting the file, ANY.RUN will allow you to interact with the file and the virtual machine desktop as if it were opened on a regular machine. Upon the opening of the excel.exe
process that is responsible for opening the Excel sheets, a .bat
file named UkMes.bat
is dropped on the disk under the user profile path, then the Excel process spawned the cmd.exe
process to execute the dropped UkMes.bat
file. After the execution of the .bat
file, the cmd.exe
process spawned the powershell.exe
process with a long command argument that is not visible in the main view. Hence, we need to explore the powershell.exe
details to be able to see and analyze its command-line argument. Before that, I just want you to pay attention to the details bar in the preceding screenshot of the VM machine where you will see several tabs. HTTP Requests shows you whether any process during submission initiated HTTP requests to external servers with great details, such as the reputation of the remote server, the process name, and the URL. As you can see in the HTTP Requests tab, powershell.exe
performed suspicious communications to external malicious servers to download binaries. The Connections tab shows you that all connections initiated from the machine to external servers including the same details that exist in the HTTP Requests field. The DNS Request tab contains all the DNS queries initiated from the machine during file submission to external servers. Finally, the Threats field shows you that the IDS signatures match with the process network communication packets.
Now, let us explore the PowerShell process details by clicking on the PowerShell.exe bar and then More Info to see and analyze the full powershell.exe
command-line argument and its behavior (see Figure 1.15).
Figure 1.15 – Exploring the powershell.exe details
As you can see in the preceding screenshot, after exploring the powershell.exe
process details, we find that the calculated threat score of the process is 100 out of 100, which means that the process behavior is malicious. While the Windows interpreter executable itself is legitimate, the command-line argument used in this case is malicious. As you can see in the screenshot, the argument consists of base64
-encoded characters that cannot be easily analyzed, which is a strong indicator of malicious activity. To decode the encoded command, we can depend on an online platform called CyberChef (https://gchq.github.io/CyberChef/). Also, note the process behaviors on the right of the screenshot; as you can see, there are categories of the behaviors, such as the Warning level, that show the process tried to discover the machine computer name, language, and installation date, which is usually considered an initial discovery activity by a threat actor.
In this chapter, we explored the most common attack vectors used by hackers to gain an initial foothold in victim environments, with a particular focus on email-based attacks. We reviewed the different types of email threats and discussed the techniques used by attackers to evade detection and trick their victims into interacting with malicious email content. Additionally, we delved into the anatomy of email secure gateway logs and provided insights on how to investigate email threats effectively.
In the next chapter, we will learn about email flow and header analysis.
Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.
If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.
Please Note: Packt eBooks are non-returnable and non-refundable.
Packt eBook and Licensing When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the ebook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:
If you want to purchase a video course, eBook or Bundle (Print+eBook) please follow below steps:
Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.
You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.
Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.
When you have purchased an eBook, simply login to your account and click on the link in Your Download Area. We recommend you saving the file to your hard drive before opening it.
For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.