Phishing, the art of getting users to click on malicious links in bogus emails, is by far the favorite tool of scammers. The reason is simple: phishing works. Scammers are getting better at slipping their phishes through spam filters and past anti-malware software. Ironically, the successful campaign to raise users’ awareness of online security hazards is making phishing more successful. Read on to learn about the latest phishing developments…
The Latest Phishing Baits
The irony is that increased awareness of phishing techniques has driven scammers to adopt techniques that are more sophisticated, and often more successful. Since January 2017, a phish email targeting Netflix subscribers has been highly successful. The email tells dismayed users that their Netflix account has been suspended. It says the account can be restored by updating payment information, and provides a link to a page where the user can log in and update said info.
Of course, that link actually takes the user to a fake Netflix login page, and from there into a series of forms that demand ever more sensitive personal information. If you take the bait, your account password (and any other information you provide) is sent directly to Hacker HQ.
Several things stand out about the Netflix phish. First, its creators have gone to great trouble to replicate familiar Netflix pages almost exactly; there’s even a background image on the login screen that promotes recent Netflix original content. Second, the phishing site to which users get connected encrypts the HTML of the fake pages it sends to victims, making it impossible for anti-malware apps to scan them for suspicious code.
A third line of defense for the scammers is that the pages won’t load for IP addresses that belong to Internet security monitoring groups, like Google, or the anti-phishing initiative Phish Tank. This trick keeps the Netflix scam sites off the blacklists of real-time Web monitoring services.
Phishers also evade detection by hacking into well-known, reputable sites and hosting their fake pages there. A fake page delivered from a reputable site will not be flagged by Web reputation services like Google’s Safe Browsing or the Norton SafeWeb service.
And of course, scammers are not interested only in your Netflix account. The same techniques are being used by phishes that purport to come from Second Life, big banks, online publications, email services, and social media sites. PayPal, eBay, Facebook and Capital One bank have long been targets of phishers. But more recently, phishers have focused on your Apple ID, Microsoft Outlook and Google Drive credentials. Be especially careful when dealing with online document signing services.
Simple Things You Can Do To Avoid Phishing Traps
Use the phone. Yes, it’s old school, but a quick call to your friend, mortgage broker, attorney, customer service, or the bank’s security department can confirm if an email is legit or not.
Don’t re-use a password on multiple sites. Use a password manager such as RoboForm to generate strong passwords and audit your entire database of passwords for duplicates. If you use the same password everywhere, it takes just one phish to open all of the doors to your digital life.
Confirm that the apparent sender really is sending from the right email address (e.g., firstname.lastname@example.org if you know that’s John’s address). In Gmail, you can do that by opening the email, clicking the down-arrow in the upper right corner, and selecting “Show original” to find the “From:” line. But just because a message comes from someone you know, that doesn’t mean it’s safe to open links in it. Your friend’s email account may have been compromised, spewing malicious emails to all of his or her contacts. (See “use the phone” above.)
Hover over an email link, and its full URL should appear. Does it lead to where it should, based on where the email seems to originate? An alert from Netflix.com should not steer you to a page hosted on some other website. When in doubt, don’t click a link in an email. Instead, go directly to the site via a browser bookmark, or by manually entering the URL.
Beware of email subjects that urge you to take action immediately. Phishers don’t want you to take time to think, or to research their bogus domains. “Panic” or alarm makes people act hastily, so it’s no surprise that the most successful phishing email subject lines include “SECURITY ALERT,” “REVISED VACATION & SICK LEAVE POLICY,” “PASSWORD CHECK REQUIRED IMMEDIATELY,” and the straightforward “URGENT ACTION REQUIRED.” The use of all-caps is deliberate, as it induces the adrenaline rush that comes with being shouted at.
Be careful with shortened URLs. Text messages that contain short URLs are another type of phish that targets mobile devices. Much to my alarm, I cannot find any simple way to preview the full URL represented by a shortened URL such as https://goo.gl/uNEbdN or http://bit.ly/2iT3S5y — it just takes me directly to its target, which may be a phishing trap. (Those examples are both shortcuts to AskBobRankin.com.) (You can do a “long press” on the message, then select “Copy text” and paste the URL into CheckShortURL.com/, but that’s a bit tedious.)
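An added example, not part of the original article, that mechanizes three of the checks above on a constructed message: does the “From:” address match the address you expect, do the links lead to the domain the email claims to come from, and is any link a shortened URL that needs expanding first. The expected sender address, the shortener list and the sample message are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts of the URL shorteners mentioned in the article; a real filter would use a longer list.
SHORTENER_HOSTS = {"goo.gl", "bit.ly"}
HOSTNAME_RE = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule: 'mail.netflix.com' -> 'netflix.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_message(raw: str, expected_sender: str) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    brand_domain = registrable_domain(expected_sender.split("@")[-1])
    findings = []
    if sender.lower() != expected_sender.lower():
        findings.append(f"sender mismatch: {sender!r} is not {expected_sender!r}")
    html = ""
    for part in msg.walk():  # pick the HTML body, whether or not the message is multipart
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    for href, text in ANCHOR_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link, expand it before clicking: {href}")
        elif registrable_domain(host) != brand_domain:
            findings.append(f"link to {host} is outside {brand_domain}: {href}")
        # Link text that names one domain while the href actually goes to another
        m = HOSTNAME_RE.search(text)
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            findings.append(f"link text says {m.group(1)} but goes to {host}")
    return findings

# Constructed sample mimicking the Netflix phish described above (all names are made up)
PHISH = """From: Netflix Billing <billing@netflix-account-update.example>
Subject: URGENT ACTION REQUIRED: your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Restore your account at
<a href="http://login.netflix-account-update.example/restore">https://www.netflix.com/YourAccount</a>
or <a href="https://bit.ly/EXAMPLE">click here</a>.</p></body></html>
"""
```

Calling `check_message(PHISH, "info@netflix.com")` reports the forged sender, the off-brand link, the link text that disagrees with its target, and the shortened link; a genuine message whose links stay on the expected domain returns an empty list.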
Let’s Review Some Perennial Favorite Holiday Phishing Scams
The fake invoice: invoices are hardly surprising during the busy shopping season, especially if it seems like something you’d buy as a gift. You may be inclined to click to see exactly what you’re being asked to pay, but that click may lead to a malicious download.
Shipping status notifications: a “click here to learn about the delay in your shipment” often works.
Unbelievable bargains, or even believable ones, appeal to greed, which is always in an unthinking hurry to be satisfied. “Hurry, only one hour left!” and “Last one, on sale for 90% off!” are typical lures.
Fake surveys promise some sort of reward for completing them. They start out innocently, asking reasonable questions about your shopping habits. But the questions get more and more personal, leading to requests for your name, address, phone number, and even credit card data (to defray shipping charges). If the questions get personal, it’s time to stop. Let that “reward” go.
Bottom line: Bad guys are getting better at evading all sorts of anti-phishing defenses, and at crafting bait that people will take. Ultimately, the best defense is your own thinking skills and common sense.
Have A Great Week and Be Safe This Holiday Season!
Deuce Marjeta and The Zi Staff