Cyber Defence: invisible but pivotal
November 2018
Suspicious emails. Dodgy websites. They’re out there… and they’re out to get you. But, how can you tell what you can trust?
In the modern age of the internet, cybercrime is on the rise. In 2017 alone, a total of £4.6bn was stolen from British internet users according to cybersecurity firm ‘Symantec’.
One of the most common ways of targeting internet users is the phishing scam. Phishing scams are attempts by criminals to obtain sensitive information by posing as a legitimate & trustworthy source. Their goal is to trick you into giving out details such as bank account/credit card numbers or passwords.
In this blog, we will cover the two most common phishing scams that you might encounter and how you can avoid falling victim to them. You will likely recognise some of the attacks listed below… and in the past you might have been caught out by them (possibly without realising)!
Phishing emails claim to be sent from a trusted or well-known source, such as a bank or retail company.
They will often ask you to click on a link (leading to a fake website) or to download/open an attachment that would install malicious software onto your device.
It is common for phishing emails to create a sense of urgency to distract you and prompt a quick response. Typically, this might be achieved by:
Basic phishing emails will not address you by name. Instead, they will use greetings like “Dear customer” because identical emails will be sent to many people. More sophisticated attempts, called ‘spear phishing’, can include personal information in the email such as your name, company, address or telephone number to make the message look more authentic. Phishers can also target individuals within an organisation, posing as their boss to request data or a money transfer.
Modern email services, like Gmail, automatically move emails known to be untrustworthy to your spam folder. However, there might be additional security settings available that you can configure for your personal or company email. For example, here is an article by Google detailing how you can enhance your phishing and malware protection in Gmail: Google Support.
Links to fake sites are typically included within phishing emails. They tend to use legitimate-sounding domain names and can copy the look & feel of real websites to trick you (called ‘spoofing’).
These types of phishing emails will establish a fake scenario and instruct you to click on a supplied link to resolve something. Depending on the scenario, they might take you to a fake login page or a page asking you to confirm credit card information.
The above examples can be easy to spot if you know what the website domain should look like. There is, however, a sneakier way of tricking you into accessing a fake website.
“Homoglyph attacks” use lookalike characters from foreign alphabets to make a fake domain look like its real counterpart. A popular example of this vulnerability was demonstrated in 2017 by Xudong Zheng who used homoglyphs to create a fake Apple website. Here’s the link: https://www.аррӏе.com. Don’t worry, this link is completely safe to use! If you’d like to read more about this vulnerability, you can find a link to Xudong’s blog post when you visit the fake apple site.
If you want to see how easy it is to create lookalike domain names, you can use this homoglyph generator and follow the instructions: Iron Geek.
Here is a fake Amazon URL I created using the generator: www.amаzоn.co.uk. Can you tell that it’s fake?
The latest version of Chrome will convert foreign characters to Punycode. This means that my previous www.amаzоn.co.uk example appears like this in the URL bar:
Firefox on the other hand still displays the homoglyph characters!
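The homoglyph and Punycode behaviour described above can be checked programmatically. The following is an added example, not code from the original post or from Xudong Zheng's work: it converts a hostname to the Punycode form browsers use on the wire, and flags labels that contain non-ASCII letters or that mix scripts (the sample domains are constructed here from explicit Unicode code points, and the script heuristic derived from Unicode character names is an assumption of this example rather than a browser's actual policy).

```python
# Added example, not code from the original post: classify a domain name the
# way a defender (or a browser) might look at it, and show its Punycode form.
# The sample domains below are constructed from explicit code points.
import unicodedata


def to_punycode(domain: str) -> str:
    """Return the IDNA/ASCII form of a domain: non-ASCII labels become
    'xn--' Punycode, which is what browsers send on the wire and what Chrome
    shows in the address bar for hosts it does not render as Unicode."""
    return domain.encode("idna").decode("ascii")


def letter_scripts(label: str) -> set:
    """Approximate the scripts used by the letters of one label, taken from the
    first word of each character's Unicode name ('LATIN', 'CYRILLIC', ...).
    This is a heuristic assumed for the example, not a browser's algorithm."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def assess_domain(domain: str) -> dict:
    """Classify a hostname: 'ascii' (nothing to see), 'non-ascii' (every label
    uses a single script, like the all-Cyrillic apple lookalike) or
    'mixed-script' (Latin plus another script in one label, like the amazon
    lookalike). Both non-ASCII verdicts deserve a look at the Punycode form."""
    labels = domain.lower().split(".")
    non_ascii = [lab for lab in labels if not lab.isascii()]
    mixed = [lab for lab in labels if len(letter_scripts(lab)) > 1]
    if mixed:
        verdict = "mixed-script"
    elif non_ascii:
        verdict = "non-ascii"
    else:
        verdict = "ascii"
    return {
        "domain": domain,
        "punycode": to_punycode(domain),
        "verdict": verdict,
        "non_ascii_labels": non_ascii,
        "mixed_labels": mixed,
    }


# Constructed samples: the first label is built entirely from Cyrillic letters
# (a, er, er, palochka, ie) that resemble Latin "apple"; the second swaps two
# Latin letters of "amazon" for Cyrillic a (U+0430) and o (U+043E).
CYRILLIC_APPLE = "www." + "\u0430\u0440\u0440\u04cf\u0435" + ".com"
MIXED_AMAZON = "www.am\u0430z\u043en.co.uk"
REAL_APPLE = "www.apple.com"

if __name__ == "__main__":
    for d in (REAL_APPLE, CYRILLIC_APPLE, MIXED_AMAZON):
        r = assess_domain(d)
        print(f"{r['domain']:>22}  ->  {r['punycode']:<26}  {r['verdict']}")
```

Run as a script, it prints each constructed domain next to its Punycode form; the all-Cyrillic label shows why a single-script lookalike passes a naive "does it mix scripts?" test, which is exactly why seeing the `xn--` form in the address bar is the more reliable clue.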
When checking if a website is safe or not, a lot of internet users will look for a “Secure” padlock in their address bar or “https” in the URL. This is a sign that the connection to the site is encrypted; legitimate websites use this to help protect your confidential information while it travels over the internet.
Be aware that encryption alone does not ensure that the site you are accessing can be trusted. Fake websites have been able to obtain security certificates in the past! Encryption only means that the information you are entering is being sent securely over the internet. You can still send information securely to a scammer.
At Invotra, our employees are occasionally the target of phishing scams. Having an awareness of the common traits we’ve covered in this blog ensures that we are less likely to get caught out. Here is an example of a real phishing email sent by a scammer posing as our CEO Fintan Galvin. First, they asked for a request to be processed and then followed up by asking the targeted employee to make a payment.
Luckily, this email was automatically marked as spam by Gmail. If we imagine this wasn’t the case, what clue gives away the fact that this is a phishing email? Take a look at the address that the email was sent from. The sender’s address is “executive.officemail.aol.com”, which is not the kind of “example@invotra.com” address we would expect from a colleague.
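The check the paragraph above describes, looking at the real sender address rather than the display name, can be automated. The following is an added example, not code from the original post or from Invotra: it parses a From header, extracts the domain of the actual address, and flags messages whose display name claims to be a known executive while the address belongs to another domain. The From headers are constructed samples; the external domains are placeholders, and "example@invotra.com" is used as the expected internal pattern because that is the form the post itself gives.

```python
# Added example, not code from the original post: check the *actual* sender
# address of an email against the organisation's domain, ignoring the display
# name a phisher controls. The From headers below are constructed samples and
# the external domains are placeholders (RFC 2606 reserved names).
from email.utils import parseaddr

ORG_DOMAIN = "invotra.com"            # the domain colleagues are expected to use
KNOWN_EXECUTIVES = {"fintan galvin"}  # display names that warrant extra scrutiny


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the real address (the part in angle
    brackets), or '' if the header carries no usable address."""
    _, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(from_header: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Flag a From header that claims to be a colleague but comes from elsewhere."""
    name, address = parseaddr(from_header)
    domain = sender_domain(from_header)
    internal = domain == org_domain
    reasons = []
    if not internal and name.strip().lower() in KNOWN_EXECUTIVES:
        reasons.append("executive name, external domain")
    # A display name that itself contains an @ is a classic trick: the eye
    # reads the name as the address while the real address sits in <...>.
    if not internal and "@" in name:
        reasons.append("display name looks like an address")
    return {
        "display_name": name,
        "address": address,
        "domain": domain,
        "internal": internal,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample headers, from benign to clearly impersonating.
SAMPLES = [
    "Fintan Galvin <example@invotra.com>",                 # internal, as expected
    "Fintan Galvin <executive.office@mail.example.net>",   # CEO's name, external domain
    '"example@invotra.com" <payments@example.org>',        # address hidden in the name
    "Newsletter <news@example.com>",                       # external, makes no claim
]

if __name__ == "__main__":
    for header in SAMPLES:
        result = check_sender(header)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:<10} {result['domain']:<22} {result['reasons']}")
```

The point of using `parseaddr` rather than eyeballing the header is that mail clients show the display name prominently, and the display name is entirely under the sender's control; only the address inside the angle brackets tells you which domain the message actually came from.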
To conclude, some companies unfortunately don’t always get things right. In 2017, Equifax were caught tweeting out links to a fake site, believing they pointed to their own. They linked to www.securityequifax2017.com, which was an imitation of the real site www.equifaxsecurity2017.com. Oops!
Originally posted here.
Photo credit: Campaign Creators