Phishing is a scam by which an email user is duped into revealing personal or confidential information which the scammer can use illicitly (M-W.com)
With the growth of electronic commerce, consumers’ online presence and the proliferation of email communication, scammers have adapted to leverage the electronic medium to con people into providing their personal and financial information. The most common mechanism these scammers follow is known as ‘Phishing’. Scammers send an extremely believable email, often claiming to be from the user’s financial institution, an e-commerce organization or an online auction site. These messages entice the user to click on the link provided in the email. Below is a screenshot of a phishing email claiming to be from Bank of America:

The email’s HTML format looks identical to the layout of the Bank of America website. The user is deceived into thinking that the email originated from Bank of America, and they are likely to click on the provided links and enter their confidential credentials. However, once the user clicks on the link, the user is directed to a fake website. In the above email, the links point to the URL:

Although the web link initially seems to point to www.bankofamerica.com, if you look closely you will notice that the actual URL points to bernadinec.com. If the user clicks on the link and enters the login credentials for the bankofamerica.com online banking site, the scammer has just obtained the user’s credentials for that site. Typically, smart scammers go a little beyond this. They display an error message indicating that the user entered the credentials incorrectly and then redirect the user to the actual bankofamerica.com website. The user is able to log in successfully and therefore never realizes that their credentials have been compromised.
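The link in the screenshot reads www.bankofamerica.com while its href points at a different domain. The following added example (it is not part of the original article) shows how a mail gateway or user-side filter can flag that mismatch automatically: it parses the anchors out of an HTML body with Python’s standard library, compares the host named in the visible link text with the host in the href, and also flags plain http links. The email body and the signin.example.net domain are constructed for this demonstration; the function names are assumptions, not any product’s API.

```python
# Added example (not from the original article): flag e-mail links whose visible
# text names one host while the href points elsewhere, and plain http links.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _as_url(value):
    """Give bare domains like 'www.example.com' a scheme so urlparse finds the host."""
    return value if "://" in value else "http://" + value


def host_of(value):
    """Lowercase hostname of a URL or bare domain, or None if none is present."""
    host = urlparse(_as_url(value)).hostname
    return host.lower() if host else None


def looks_like_domain(text):
    """True if the visible link text is itself a domain or URL (e.g. www.bank.com)."""
    return bool(re.fullmatch(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", text, re.I))


def suspicious_links(html):
    """Return [(href, text, reason)] for links that merit attention."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        href_host = host_of(href)
        if href_host is None:
            continue
        if urlparse(href).scheme.lower() == "http":
            findings.append((href, text, "plain http link"))
        if looks_like_domain(text):
            text_host = host_of(text)
            # Accept the same host, or a subdomain of the host named in the text.
            if text_host and text_host != href_host and not href_host.endswith("." + text_host):
                findings.append((href, text, f"text says {text_host}, link goes to {href_host}"))
    return findings


# Constructed sample body modelled on the screenshot described above;
# signin.example.net stands in for the scammer's host.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your online banking access has been limited. Please sign in to restore it.</p>
<p><a href="http://signin.example.net/boa/login">www.bankofamerica.com</a></p>
<p><a href="https://www.bankofamerica.com/privacy">Privacy Policy</a></p>
<p><a href="https://www.bankofamerica.com/help">https://www.bankofamerica.com/help</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: [{text}] -> {href}")
```

Running the block prints two findings for the first anchor (plain http, and the text/href host mismatch) and none for the two legitimate links. The subdomain allowance is deliberate: a link whose text says bankofamerica.com but whose href goes to www.bankofamerica.com is normal and would otherwise drown real findings in noise.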
Advances in Phishing
Spear phishing attacks are similar to phishing attacks in operation, but the emails are targeted at specific individuals or organizations. These targeted emails contain some personalized information about the individual or the organization, thereby increasing the likelihood that the user is going to click on the fake link.
Phishing Using UTF-8 Encoded Characters
Modern browsers now support Unicode characters in URLs. UTF-8 is the most commonly used encoding for the web and has been adopted by the W3C. These additions were made to support the characters of the different languages spoken across the world. However, this has created new opportunities for scammers. Scammers can create URLs that look identical to the human eye but use different Unicode characters. For example, look at the two URLs below:
The two URLs look identical. However, URL 1 is the real URL to the Bank of America website, while URL 2 is a fake. URL 1 uses the actual Latin character lowercase ‘a’ (Unicode U+0061). However, URL 2 uses Cyrillic small letter ‘а’ (Unicode U+0430). These two characters look identical to humans but are interpreted as different characters by the browser. Now, the attacker can make the link in the browser window appear identical to the actual website without having to resort to long links (as in the above phishing example). This increases the likelihood that the user is going to click on the link.
Phishing Using QR Codes
A QR code is a high-tech multidimensional bar code. Most smartphones can scan and decode the message contained in the QR box; they need a QR code reader app to do so. Most often the decoded information is a web link. Some QR reader apps display the web link to the user before redirecting them to the target website. However, most of the apps don’t do that and immediately redirect the user to the target website without requiring any further action.

QR codes are increasingly used in product and service marketing. By putting a QR code on an advertisement, the user is taken straight to a page that lets them quickly sign up for the product or service, which increases the effectiveness of the marketing campaign. However, attackers can use the same feature to redirect users to phishing websites. An attacker can paste a fake QR code over an advertising poster or even on products. The user is deceived into believing that they can scan the QR code to take advantage of the offer or service; instead they are redirected to an attacker-controlled website.
Phishing Using Near Field Communications
Near Field Communication (NFC) is a standard for radio communication between devices in close proximity to each other. NFC-capable devices can communicate with low-cost self-adhesive stickers with an embedded NFC tag, called TecTiles. TecTiles are pre-programmed, and when a capable device is tapped against the tag the pre-programmed action is taken (such as browsing to a website or switching the device to silent mode). An attacker can utilize TecTiles in much the same way as QR codes; however, TecTiles could be even more dangerous than QR codes, because they can also be configured to modify your device settings, giving the attacker more control and increasing the likelihood of a successful phishing attack.
How not to be a victim of a Phishing Scam
Think Before You Click That Link
- No reputable organization will ask for confidential information via e-mail
- Never click on a link in an email asking you to provide confidential information
- Never reply to pop-up messages asking you to provide confidential information
- Sometimes emails contain a phone number to call. Because of VoIP, area codes can be misleading. Do not provide confidential information to an unverified phone number.
- Review your account statements (bank, credit card, etc.) on a regular basis.
- Always check the authenticity of a website before you provide any of your personal information
- Never provide any personal or confidential information on “http” links (look for “https”).
- Use the built-in technology within modern web browsers to help you
- Most browsers provide support to help prevent you from becoming a victim of a phishing scam. All authorized businesses that require credentials will use SSL connections. You can look at the browser address bar for verification. Below is an image from the Chrome browser showing the SSL lock.
Most bank websites now use Extended Validation SSL certificates that display the full name of the corporation in the browser address bar.
- Browsers also convert uncommon Unicode characters in a hostname into Punycode and display the Punycode form in the address bar. Below is an image of www.bаnkofаmericа.com, where the Latin character ‘a’ (Unicode U+0061) has been replaced by the Cyrillic small letter ‘а’ (Unicode U+0430)
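The Cyrillic ‘а’ trick described in the Unicode section above and the browser’s Punycode display in this last point can both be reproduced in a few lines. The following added example (it is not from the original article) takes a hostname, converts it to the ASCII xn-- form a browser would show (Python’s idna codec), reports DNS labels that mix Unicode scripts or contain non-ASCII letters, and checks a small confusables table against an allow-list of expected domains. The function names, the allow-list and the confusables table are assumptions constructed for this demonstration; Unicode TR39 publishes the full confusables data.

```python
# Added example (not from the original article): detect homograph hostnames
# and show the Punycode form a browser displays for them.
import unicodedata

# Constructed, deliberately small map of Cyrillic letters that look like Latin
# ones. Unicode TR39 publishes the complete confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
}


def to_punycode(host):
    """Return the ASCII (xn--) form of a hostname, as a browser's address bar shows it."""
    return host.lower().encode("idna").decode("ascii")


def scripts_in_label(label):
    """Set of Unicode scripts used by the letters of one DNS label.

    The script is taken from the character-name prefix ('LATIN', 'CYRILLIC', ...),
    which is sufficient for letters; digits and hyphens are ignored.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyse_hostname(host):
    """Return (punycode_form, findings); findings is a list of (label, reason)."""
    host = host.lower()
    findings = []
    for label in host.split("."):
        scripts = scripts_in_label(label)
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(scripts))))
        elif not label.isascii():
            findings.append((label, "non-ASCII label"))
    return to_punycode(host), findings


def skeleton(host):
    """Replace confusable characters with the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def lookalike_of(host, expected_hosts):
    """Return the expected host that `host` visually imitates, or None."""
    if host.lower() in expected_hosts:
        return None
    sk = skeleton(host)
    return sk if sk in expected_hosts else None


if __name__ == "__main__":
    real = "www.bankofamerica.com"
    fake = "www.b\u0430nkof\u0430meric\u0430.com"   # Cyrillic U+0430 in place of each 'a'
    for h in (real, fake):
        puny, findings = analyse_hostname(h)
        print(h, "->", puny, findings, "imitates:", lookalike_of(h, {real}))
```

The two checks are complementary: the mixed-script test needs no knowledge of which brands matter and catches the URL 2 case directly, while the skeleton comparison catches a label written entirely in one non-Latin script that still spells a protected name. Both operate on the hostname only, which is what the address-bar Punycode display also exposes.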
Always Remember: Think Before You Click That Link
By: Mukul Gupta, Alert Logic Corporate Security Team