Phishing attacks have long been an effective way for attackers to trick people into divulging sensitive information or infecting a system with malware. Malware can give an attacker remote access to protected systems and networks, encrypt a user’s data and charge a ransom to decrypt the data, or use that system as part of an attack against other systems.

In March of 2017, Google stated that its machine learning models now can detect and stop spam and phishing with 99.9% accuracy. However, this is a cat and mouse game that has been played for years by the spammers/phishers on one side and the spam filter developers on the other side. Once the defenses get better against the latest spam attack methods, the spammers change their tactics to bypass the filters.

Below is an example of a fairly obvious spam email that Google’s filter caught and put in the Spam folder of my gmail account. There is no subject and just a link. When Google discovers rogue links, the message in the red box shown in the email serves as a warning not to click on links or reply with personal information.

image002.png

In a 2012 blog post, I walk through a rather well-done phishing attack that was found in my inbox. Even though it is over six years old, I think that email would still trick most recipients so I encourage you to read it.

Interestingly, the author of the 2012 phishing email did not try to mask the actual link, which is easy to do and might be a little more effective in tricking someone to click on the link.

Here is an example of how easy it is to mask a URL. If you hover over the link below, you’ll notice that it does not link to yahoo.com, but rather, google.com.

The VERY tricky phishing tactics of modern attacks.

https://www.yahoo.com/

Hovering over is a good way to scrutinize a url but it’s not 100%. There are ways to Click-jack urls that will show one link when you hover over it but send the user to another link when you click.

One method of executing this is to write Javascript that shows one domain when you hover over the link, and another when you actually click!  Here is an example:


https://www.google.com

Another tactic is to use character sets that look similar but are not. In this example, apple.com was registered using Cyrillic characters instead of Latin/English characters.

https://apple.com/ - This is the REAL Apple url with Latin/English characters

https://аррӏе.com/  - This is a fake site using Cyrillic characters

When you click on the second link in Firefox and some other browsers, the url shows the Cyrillic characters. The good news is that most modern browsers now show the Punycode url.

image006.png

A security researcher registered the above domain. You can read his blog post here to learn more about the attack. 

RECOMMENDATIONS

While it is increasingly difficult to identify a well-crafted phishing email, there are some steps that can be taken to reduce the risk of falling victim to a phishing attack.

1.     Look at the email headers. Check the From and To fields for anything suspicious. While we already stated that these can be spoofed, they can be a good first indicator of a suspicious email. Here is how to check the full email headers in Gmail. https://support.google.com/mail/answer/29436?hl=en

2.     Hover over links and be sure to read the url from the first forward slash, back to the left, to see where that link is actually going. For example, http://www.google.com.search.us/query.html is actually going to a server called search.us, not google.com. Again, hovering over a link doesn’t necessarily tell you where it’s going but usually it will give you an accurate link.

3.     If you have a gmail account, use this trick when registering on a website. If you’re registering on facebook.com, and your email address is [email protected], give facebook the following email address, [email protected] you will get all email sent to that address but if you ever get unsolicited email sent to that address, you know that it was obtained through facebook.

The United States Computer Emergency Readiness Team (US-CERT) recommends the following ways to minimize your chances of becoming a victim of phishing attacks.

•       Filter spam.

•       Don’t trust unsolicited email.

•       Treat email attachments with caution.

•       Don’t click links in email messages.

•       Install antivirus software and keep it up to date.

•       Install a personal firewall and keep it up to date.

•       Configure your email client for security.

Comment