For the third post in our 30 Days to Better Security series, we discuss the topic of phishing. The goal of this article is to help you understand the finer nuances of phishing attacks, the common ‘attack styles’ used by hackers, and how a simple rule can go a long way in avoiding being a victim of a phishing attack.
In 2016, prior to the US Presidential elections, hackers managed to access some critical campaign secrets by gaining access to Hilary Clinton’s campaign chair, John Podesta’s Gmail password. The hackers didn’t steal his password nor did they break into his account. They simply used the concept of Phishing, wherein John Podesta simply gave away his password, thinking it was the original Gmail login page.
Phishing is a type of cybercrime attack wherein the attacker pretend to be a legitimate business (or an individual known to the target), contacts the target through email, SMS or phone and tricks him/her to share passwords, banking/credit card information and/or critical personal data. The attacker does whatever it takes to look legitimate, with the fake page looking exactly like the original. While phishing has been around since the 1990s, it became a mainstream method of cybercrime in the early 2000s when a hacker created a clone of America Online (AOL) and used it to gather user’s credit card information and personal data.
The art of spotting a phishing attack
The fact is most phishing attacks rely on the assumption that typical users don’t pay close attention to the websites they visit and the links they click. For instance, some common but often overlooked signs of trouble are:
1. A one character difference in an otherwise normal looking domain name/URL.
2. The website is a replica of a common website, but without the proper security certificate.
3. A hyperlink where the displayed URL is different from the actual destination URL.
The attacker simply takes advantage of the fact that most users are in a hurry, not trained to spot the warning signs of an attack, and will click on a link if made sufficiently curious.
At K7 Security we suggest a very simple rule to avoid falling prey to a phishing attack.
We suggest the following approaches to spot and avoid common phishing attacks:
Pay attention to the URL & Website:
Every time you’re entering a password or credit card information, pay close attention to the entire website. Does everything look legitimate? Or, is there something fishy? Remember our rule no. 1, when in doubt don’t click, and don’t share.
Avoid Offers & Deals from unknown entities:
In most phishing emails hackers use a technique called social engineering to entice the recipient with tempting offers – for example, win a free iPhone, etc. Hackers, of course, spread a wide net and hope that for every thousand emails they send, a few fall prey. Users would do well to spot offers that seem too good to be true and avoid clicking on deals from unknown entities.
Don’t click on random attachments:
Hackers pose as a known business or individual, and type in an email that looks absolutely real. Sometimes, the mail may trick you into downloading an attachment. Don’t blindly download this, especially if it is something you don’t need.
Sense of urgency:
A common technique attackers use is to create a sense of urgency. The target feels the need to take action immediately. It could be to take advantage of a special price from an e-commerce website or avoid a late payment fee. At the risk of repeating ourselves, we say this again: think twice before taking action on such mails.
When in doubt, don’t share financial information or login credentials:
With the advent of e-commerce and online bill payments, it has become a necessity to transact online. However, we suggest that users transact online only on trusted websites and share credit card details only on recognized payment gateways. Many websites now use social platforms for user authentication and personalization. Similar to personal and financial information, users should exercise caution and verify the legitimacy of any website that asks for you to enter the login credentials for one of your social media accounts.
Phishing attacks extend beyond email
In addition to phishing attacks over email, we’re now seeing emerging techniques over voice (known as ‘vishing’ or voice phishing) and SMS (‘smishing’). The same rules we’ve listed above work in these scenarios as well.Our research team at K7 Labs is also spotting many more instances of phishing attacks on social media, be it through impersonated LinkedIn InMails or messages on Facebook Messenger. In this case, attackers rely on the fact that most social media users will share a funny or interesting posts without checking the legitimacy of the website or URL it links to. Hence the reason for the 2nd part of our rule, “when in doubt don’t click, and don’t share.”
There is also the concept of ‘Whale Phishing’ wherein attacks are targeted at wealthy or powerful individuals, much like how Hilary Clinton’s campaign chair was attacked. ‘Spear Phishing’ is a concept where individuals are targeted through a fake persona of someone very close to the target, say a boss or a spouse.
Regardless of the specific style, users can increase their ability to spot and avoid becoming a victim of phishing attacks by paying attention to the details. And, we repeat – “when in doubt, don’t click and don’t share.”