Phishing is becoming a hot issue these days, as Covid really pushed digital transformation around the world. Hackers see this as a great opportunity to fool people, both to obtain sensitive information from victims and to use it as a first step toward accessing the victim's employer's systems. Today, I would love to share some tips to help you stay away from phishing.
**May no phishing trick you after you finish this article.** :)
Contents
1. Common strategies for phishing
2. What can we do to prevent being fooled as a potential victim
   2.1 View before you click
   2.2 View domain/website reputation
   2.3 Domains and subdomains
   2.4 Be extremely careful on mobile devices
3. Oops! What if I clicked!!
Common Phishing Strategies
It always starts with clicking a link.
Whether you got a phishing email or a text message, the bad actors always try to trick you into clicking the URL embedded in the message. Why? After you click the URL, many things could happen.
Scenario 1 — The link claims to be a meeting invite or a download of a work-related file. When you click, it automatically starts a download to your computer. It's likely malware, but it will pretend to be the expected file (file names and extensions cannot be trusted) and ask you to open it.
Scenario 2 — The link points to a webpage that collects information from you. For example, it says you need to upgrade an app from the App Store and asks for your iTunes credentials and payment information. The website could look very legitimate, but as you enter the information, the hackers are logging your credentials and other details on their side, ready to use them somewhere else.
Terrible, right?
Can we just not click/open any links? Is there a way to verify links before we click? Luckily, YES!!! I will show you in a minute.
Before you CLICK
RULE 1 — Check the Embedded Link, Not the URL Text
Check the hyperlink actually embedded in the message, not what the URL text says. In the example below, it seems to ask you to visit "my-website.com", but it actually links to "www.malware.com". We have all made slides with hyperlinks; that's exactly how easy it is to forge the URL text.
For example, in the meeting invite case, if it's real, it should link to the meeting provider, such as Zoom or Teams. If the underlying website is something else, be alert and use the following steps to examine it further.
RULE 2 — Check the Reputation of the Website
OK, now you know the actual website you are visiting. However, you are not sure whether this "malware.com" is a benign website summarizing malware information or a malicious website created by bad actors to collect your information.
Here is what we can do: use a WHOIS domain lookup service to check the reputation of the domain. What you should focus on are the registration date ("1997-09-15"), the expiry date ("2028-09-13") and the updated date ("2019-09-09").
A legitimate business should have registered its website/domain on the day it started and should keep renewing it. Therefore, if the registration date is fairly new or the expiry date is quite recent, it's definitely a red flag. There are also cases where hackers obtain an old, expired domain and renew the registration, so the domain has a pretty old registration date but a fairly new updated date.
Therefore, with the three pieces of information above, you should get a sense of the chances that it's a malicious site.
More details can be obtained from the website urlscan. A bonus of this website is that it returns a screenshot of the site. Therefore, if the link is just meant to trick you into downloading malware, it likely doesn't have a valid website and you will see a blank page with an error message.
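To make the three-date check concrete, here is an added example (not part of the original article) that pulls the dates out of raw WHOIS text and applies the heuristics above; the field names and the thresholds (one year for "fairly new", 90 days for "expires soon", five years for "old domain") are assumptions, and the sample record is constructed using the dates quoted above.

```python
import re
from datetime import date, timedelta

# Field names seen in common WHOIS output; exact labels vary by registry (assumption).
DATE_FIELDS = {
    "registered": r"(?:Creation Date|Registered On|Registration Date)",
    "updated":    r"(?:Updated Date|Last Updated)",
    "expires":    r"(?:Registry Expiry Date|Expiry Date|Expiration Date)",
}

def parse_whois_dates(text):
    """Pull the registration, update and expiry dates (YYYY-MM-DD prefix) out of WHOIS text."""
    found = {}
    for key, pattern in DATE_FIELDS.items():
        m = re.search(pattern + r"\s*:\s*(\d{4}-\d{2}-\d{2})", text, re.I)
        if m:
            found[key] = date.fromisoformat(m.group(1))
    return found

def whois_red_flags(dates, today, young=timedelta(days=365), soon=timedelta(days=90)):
    """Apply the article's three-date heuristics; thresholds are assumptions."""
    reg, upd, exp = dates.get("registered"), dates.get("updated"), dates.get("expires")
    if reg is None or exp is None:
        return ["missing dates"]
    flags = []
    if today - reg < young:                      # registration date is fairly new
        flags.append("registered less than a year ago")
    if exp - today < soon:                       # expiry date is quite close
        flags.append("expires within 90 days")
    # Old registration date but a fresh update: an expired domain that was re-registered.
    if upd and today - reg > 5 * young and upd - reg > 5 * young and today - upd < young:
        flags.append("old domain updated recently")
    return flags

# Constructed sample record using the dates quoted in the article.
SAMPLE = """Domain Name: EXAMPLE-LOOKUP.COM
Creation Date: 1997-09-15T04:00:00Z
Updated Date: 2019-09-09T15:39:04Z
Registry Expiry Date: 2028-09-13T04:00:00Z"""

if __name__ == "__main__":
    print(whois_red_flags(parse_whois_dates(SAMPLE), date(2021, 3, 1)))
```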
More Techniques
A slightly deeper dive into the techniques.
Domain and Subdomains
Attackers can be well prepared. They love to fool users with what they see. A key concept here is the "main domain". The main domain is what the business registered, and we should never be fooled by subdomains. For example, I cannot own www.google.com because it's already registered by Google. However, I can register www.mylittlesite.com, assuming it's not taken yet. Once I own mylittlesite, I can create as many subdomains as I want, for example www.google.mylittlesite.com or www.linkedin.mylittlesite.com. Both google and linkedin are subdomains here; a subdomain can be anything under your own domain (website).
In the meeting invite example (Scenario 1), you find out that the link to the meeting is "www.zoom.download-zoom.com". You see a bunch of "zoom"s and it seems to make sense. Hold on a second! The main domain is actually the part right before ".com" (or ".edu" etc., which is called the top-level domain). Therefore, the main domain is "download-zoom", which is too long to be legitimate (in my opinion). The "zoom" before "download-zoom" is a subdomain, which is unrestricted and can be named anything. The main domain is what the business registered, so the attackers try to make it look like zoom or read like something zoom-related. However, it's too long... you have never seen a company's domain that looks like a sentence, right? As for subdomains, no matter how legitimate they look, don't trust them. Once you own a domain, you can create any subdomain, which is why they can put zoom in the subdomain to trick users.
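The following added example (not code from the original article) puts Rule 1 and the subdomain rule together: it reads the href and the visible text of an HTML anchor, extracts the main domain the way the article defines it (the label right before the top-level domain), and reports the red flags from both sections. The brand name passed in, the regex for a simple anchor, and the single-label TLD assumption (two-part suffixes such as co.uk are not handled) are all assumptions.

```python
import re
from urllib.parse import urlparse

# Matches a simple HTML anchor and captures its href and visible text (assumption: double-quoted href).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def hostname_of(text):
    """Hostname of a URL, or of a bare domain such as 'my-website.com'."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def main_domain(host):
    """The label right before the top-level domain, per the article's rule:
    'www.zoom.download-zoom.com' -> 'download-zoom'.
    Assumption: single-label TLD; two-part suffixes like 'co.uk' are not handled."""
    labels = host.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def check_anchor(html, brand):
    """Red flags for the first anchor in html, given the brand the message claims to be from."""
    m = ANCHOR_RE.search(html)
    if not m:
        return None
    href = m.group(1)
    shown = re.sub(r"<[^>]+>", "", m.group(2))        # drop any inner tags
    target = hostname_of(href)
    main = main_domain(target)
    subdomains = target.split(".")[:-2]               # everything left of the main domain
    flags = []
    # Rule 1: the visible text names a domain, but the link goes somewhere else.
    shown_host = hostname_of(shown) if ("." in shown and len(shown.split()) == 1) else ""
    if shown_host and main_domain(shown_host) != main:
        flags.append("text-vs-link mismatch")
    # Subdomain rule: the brand only appears left of the main domain, where anything goes.
    if any(brand in label for label in subdomains):
        flags.append("brand used as subdomain")
    # Lookalike main domain: contains the brand but is not the brand itself.
    if main != brand and brand in main:
        flags.append("lookalike main domain")
    return {"target_host": target, "main_domain": main, "flags": flags}

if __name__ == "__main__":
    # Constructed sample messages based on the article's two examples.
    print(check_anchor('<a href="https://www.malware.com/login">my-website.com</a>', "my-website"))
    print(check_anchor('<a href="https://www.zoom.download-zoom.com/j/1">Join Zoom Meeting</a>', "zoom"))
```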
Mobile Devices
Be super careful with mobile devices. Hackers have figured out that it's 100x easier to trick users on their phones or iPads than on computers, because antivirus software is installed on computers and desktop browsers are also better at detecting and blocking suspicious actions.
Researchers have found that some malware and phishing attacks are designed for mobile devices only. This means the hackers design the attack to filter traffic: if the visit comes from a computer, they don't trigger the later stages such as the malware download or information collection. Those actions only continue if the traffic comes from a mobile device.
Therefore, be very careful with your mobile devices.
Oops! I CLICKED!! HELP!
If you have clicked the link, don't panic; check out this blog for more actions.