Category Archives: Phishing

Spear phishing

The standard-issue phishing attack relies on sheer numbers as the key to its success; by sending tens of millions of emails, the chances of hooking a few thousand victims are pretty good, regardless of how sophisticated the message itself is.

But there is another type of phishing attack, known as spear phishing, which exchanges quantity for quality, by using insider information to target businesses. Spear phishing attacks are smaller in scale but arguably more effective than their poorly-spelled, randomly-selected cousins.

In a spear phishing attack, you might get a message at your job that appears to come from someone you work with, often a member of management or from another department. This message may request information about financial accounts, login and password information, ask you to open a file or link, or ask that you authorize a wire transfer from your employer’s account. If you comply with these directions, you will make your company vulnerable to financial or data loss.

Most established businesses have a website that reveals the names of management, the board of directors, and people from various departments, which gives would-be cybercriminals the information they need to impersonate an insider.

Communication is the key to preventing spear phishing attacks. Think about any request received via email – is this how the head of the IT department or the CEO really talks? Why are they sending you a file out of the blue? Is it your job to initiate wire transfers? The best defense is to simply confirm with the apparent sender if the message is legitimate or not. Spear phishing attacks use some of the same techniques as regular phishing emails, such as disguised links or infected file attachments. It pays to double-check before you take any action.

“Mailbox full” phishing attacks

When you get an email message telling you that your mailbox is full, or that your “quota has been exceeded,” it’s a good idea to double-check before you respond in any way. It might be a phishing attack designed to harvest your login credentials, infect your computer with malware, or both.

Most email service providers have a limit to how much space incoming messages can take up on the server. The size of this limit often depends on whether or not (and how much) the user is paying for the service (free providers give you less than ones you pay for).

If you leave hundreds or thousands of messages unread because you never check your mail, or don’t set up your email program to remove messages from the server after reading, you can reach this limit and new messages won’t get through.

That said, if you get a “mailbox full” message, chances are it’s not from your email service provider at all, and clicking on any links could lead to trouble. Here are a couple of things to look for.

Bad spelling/bad grammar: these days, large internet service companies hire people who know how to spell and write to compose official messages. Strange grammatical constructions or misspelled words are an immediate tip-off that the email isn’t legitimate.

Who is it from? If you were really looking at an official message about your iCloud email account, you would think the sender’s address would be “[username]@icloud.com.” Same with att.net, hotmail.com, gmail.com or any of the others. Yet in a majority of cases, phishing emails appear to come from an address that has nothing to do with the service provider. Keep this in mind, though: some more sophisticated and/or targeted attacks might not have this flaw.

Where do the links go? You can see where a link takes you without clicking on it by hovering your mouse over the link and waiting for the little popup window to display the address. On a mobile device, you can hold your finger down on the link (instead of tapping) and a window will pop up showing the address. Again, if it’s from your actual email provider, that link is going to lead somewhere related to the business (and related to the sender’s address). A message about your Gmail account is going to point to something hosted at google.com, for example. Beware of lookalike addresses, though; the architects of these attacks will sometimes set up websites with addresses like “att.net-verification.com.br” where at first glance it appears to point to an att.net site, but the actual address is “net-verification.com.br.”
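The two checks above (who the sender really is, and where the links really go) can be written down as a small script. This is an added example, not code from the original post: it compares the domain of the From: address and the hostname of each link against the provider’s registrable domain, so that a lookalike such as att.net-verification.com.br is reduced to net-verification.com.br and flagged. The tiny suffix table is an assumption made for the demonstration; a real tool would use the full Public Suffix List.

```python
"""
Added example (not from the original post): check whether a "mailbox full"
notice really comes from, and links back to, the provider it claims to be.
"""
import re
from urllib.parse import urlparse

# Assumption: a handful of two-label public suffixes is enough for this demo.
# A production tool would consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"com.br", "co.uk", "com.au"}


def registrable_domain(host):
    """Return the part of a hostname that somebody actually registered.

    'mail.google.com'             -> 'google.com'
    'att.net-verification.com.br' -> 'net-verification.com.br'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(address):
    """Pull the domain out of a From: header such as 'Name <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address)
    return match.group(1).lower() if match else ""


def check_notice(expected_domain, from_address, links):
    """Apply both clues from the post: sender domain and link destinations.

    Returns a dict with 'sender_ok' (bool) and 'bad_links', a list of
    (url, registrable domain it really points at) for every link that does
    not belong to the expected provider.
    """
    findings = {
        "sender_ok": registrable_domain(sender_domain(from_address)) == expected_domain,
        "bad_links": [],
    }
    for url in links:
        host = urlparse(url).hostname or ""
        actual = registrable_domain(host)
        if actual != expected_domain:
            findings["bad_links"].append((url, actual))
    return findings


if __name__ == "__main__":
    # Constructed sample values, modelled on the lookalike described in the post.
    result = check_notice(
        "att.net",
        "AT&T Mail <quota@mailbox-alerts.com>",
        ["http://att.net-verification.com.br/login", "https://www.att.net/"],
    )
    print("sender looks legitimate:", result["sender_ok"])
    for url, actual in result["bad_links"]:
        print(f"link {url} really belongs to {actual}")
```

The registrable-domain comparison is the point: looking for the provider’s name anywhere in the address is exactly the mistake the lookalike is designed to exploit, so the script only trusts the part of the name that the provider could have registered.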

The best practice is to never interact directly with this type of message in the first place. If you think there might be a real issue with your email account, go directly to the provider’s website to find out if there really is a problem and how to correct it. If you did click on a suspicious link, run a virus scan to make sure you haven’t been infected with malware, and change any affected account passwords immediately.

Defeat phishing attacks with bookmarks

Email phishing attacks are improving.

I mean the attackers are improving. They’re wising up to the fact that actual financial institutions and social networks send emails that are (at least mostly) intelligible, and adjusting their approach accordingly.

You still see plenty of phishing emails with atrocious spelling and weird grammar bordering on word salad, but there is a growing trend toward messages that could be mistaken for legitimate communications, even by someone who is well-informed. As potential victims become more sophisticated, so do the criminals.

One way to defeat phishing attacks is to set yourself up to never use links at all. For every single site you log into – financial institutions, credit cards, social networks, online shopping – create a bookmark in your web browser, and get in the habit of always using that link to log into the website.

That way, if you get an email that looks like it might be real, instead of clicking on a link (or even spending time wondering if you should or not), simply open your web browser and use your already-created bookmark to log into the website of whomever the email purported to come from. If there’s a real message or problem, you’ll find out about it there.

The ‘Can You Hear Me?’ Scam (Or Maybe Not)

I’ve seen a few recent warnings about something many are referring to as the “Can You Hear Me?” Scam. Basically, someone will call, ask if you can hear them, wait for you to say “yes,” then hang up. Later, they make unauthorized charges to your credit card, and use the recording of you saying “yes” in court to “prove” you agreed to the charges.

Now, any reminder to NOT talk to strangers who call you on the phone or to engage with robocalls in any way is a good reminder, but if you’re like me, you might find a few holes in this specific warning.

For example, unless you have the weirdest credit card in the world and its number is “YES” for some reason, simply saying the word doesn’t automatically give the caller your card information. Despite the existence of Peanut Butter M&M’s, Gus’s World Famous Fried Chicken and the first Doc Watson album, magic isn’t actually real, and nobody can pull your credit card number out of your wallet simply by getting you to say “yes” one time. The scammer would have to already have this information before calling you.

Then, if they’ve already got your card information, why would they bother calling to trick you into appearing to agree to charges? In a vast majority of the cases I’ve seen, scammers aren’t interested in making their schemes complicated. They’re not going to use a recording of you saying “yes” in court because they’re never going to end up in court. If they have your card information, they’re just going to use it. They don’t need to track down a phone number associated with the card in order to get a “yes” they’re never going to need.

So this leaves us with…what, exactly? Is this a real scam? There do not appear to be any documented cases of “said yes/card was charged/disputed the charge/recording ‘proved’ I authorized the charge/no recourse.” But the calls appear to be actually happening, and you have to wonder: what are they up to?

It doesn’t matter. If you get a call and someone just says, “Can you hear me?” hang up. No matter what their intent, it’s not something you want to get involved in.

Even better, stop answering the phone every time it rings. Almost every phone scammer needs you to pick up the phone. If you don’t, you’ve already ruined their scheme. If you recognize a number, go ahead and pick it up, but let everyone else leave a message.

This may be just one of those stories that gets passed around on a better safe than sorry basis, but I like accuracy, and the story being shared by various online sources doesn’t add up. If you do get a call like this, just hang up. But consider letting all unfamiliar calls go to voicemail. It’s the safest method.

Sources:

  1. The Consumerist: If A Telemarketer Or Robocall Asks “Can You Hear Me?” Just Hang Up; It’s A Scam
  2. Snopes: ‘Can You Hear Me?’ Scam Warning

New phishing attack poses as PayPal email…

…and it’s convincing.

I mean, I hate to sound almost impressed by some cruddy email scammer, but as far as “click here to log in and verify your account” phishing attempts go, this one is devoid of broken English, and uses information taken from a recent data breach at eBay to ratchet up the realism by using the target’s actual name. If there is a spectrum of phishing attacks that ranges from “laughable” to “frighteningly realistic,” this one falls much closer to the latter than the former.

The Consumerist blog has a full article that discusses it in greater detail. I strongly suggest you read it. In the example they use, the recipient only used that email address for eBay and PayPal, which added to the realism. It’s a good idea to have separate email addresses used only for online transactions because it helps weed out phishing (if you get a message on your OTHER account that supposedly comes from PayPal, you know it’s fake right away). However, as soon as there is a data breach, your specific-purpose email address can be targeted as well. My guess is that this guy is going to start seeing a ton of spam hitting his eBay/PayPal-only email, and he’ll have to abandon it for a new one.

At its core, this phishing attack was just another “click here to verify” attempt, but by using data from a breach, its success rate is bound to be higher than usual. It’s why you can never stop paying close attention to everything you click on.

How to spot a disguised link in an email message

I’ve written quite a few posts about phishing over the last few years, and I’ve probably been guilty at times of assuming everyone knows what is meant by “mouseover,” or that everyone knows offhand how to spot a disguised link in an email message.

I made this graphic to clarify. The email example here was a run-of-the-mill “Your debit card has been deactivated, click here to verify” phishing attack (extremely easy to see through if you happen to NOT have an American Express debit card, which I don’t). Some phishing attacks aren’t as obvious, but the method to spot a disguised link (one that says “americanexpress.com” but actually leads to a look-alike website designed to harvest account numbers, passwords and other personal information) is the same:

[Image: mouseover screenshot (2013-10-01-mouseover)]

Not every email program will have this exact same layout, but for the most part the actual link will be seen somewhere near the bottom of the page, on the left.
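The mouseover trick is the human version of comparing an anchor’s visible text with its href. As an added example (not code from the original post), the script below does that comparison on the raw HTML of a message: for every link whose visible text names a domain, it extracts the domain the text claims and the domain the href actually points at, and flags the pair when they differ. The same check would catch the “says facebook.com, goes to winesofworld.org” links in the Facebook and Craigslist messages later on this page. The sample email is constructed for the example, and the registrable-domain helper simply keeps the last two labels, which is a simplification (it does not handle suffixes like .com.br).

```python
"""
Added example (not part of the original post): spot disguised links by
comparing what an <a> tag displays with where its href really goes.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a hostname inside visible link text,
# with or without a scheme and a leading "www.".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable_domain(host):
    """Simplified: keep the last two labels ('www.facebook.com' -> 'facebook.com')."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every anchor in the message body."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the anchor currently open, if any
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def disguised_links(html):
    """Return anchors whose visible text claims one domain but whose href goes to another."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        match = DOMAIN_IN_TEXT.search(text)
        if not match:
            continue  # "Click here" makes no claim about a domain; hovering is still wise
        claimed = registrable_domain(match.group(1))
        actual = registrable_domain(urlparse(href).hostname or "")
        if claimed != actual:
            flagged.append({"text": text, "href": href, "claimed": claimed, "actual": actual})
    return flagged


# Constructed sample modelled on the "debit card deactivated" message in the post.
SAMPLE_EMAIL = """
<p>Your debit card has been deactivated. Please verify at
<a href="http://login-verify.example.net/amex">https://www.americanexpress.com/verify</a>.</p>
<p>Questions? Visit <a href="https://www.americanexpress.com/help">americanexpress.com/help</a>.</p>
<p><a href="http://login-verify.example.net/amex">Click here</a> to confirm.</p>
"""

if __name__ == "__main__":
    for f in disguised_links(SAMPLE_EMAIL):
        print(f"text claims {f['claimed']!r} but the link goes to {f['actual']!r}: {f['href']}")
```

Only the first anchor in the sample is flagged: its text is a genuine-looking American Express URL, but the href is a different registrable domain. The second anchor agrees with itself, and the third (“Click here”) makes no claim at all, which is why the post’s advice to hover before clicking still applies to links that are plain words.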

Beware LinkedIn phishing emails

Here’s a screenshot of an email message I got the other day:

[Image: screenshot of the LinkedIn phishing email (2012-10-17-fpu-01)]

There are a total of five links within this message, all of which lead to a different website and none of which lead to a page hosted at LinkedIn.com. The links were located in these places:

  1. The yellow “Accept” button
  2. The white “Ignore Privately” button
  3. “Marva Leonard”
  4. “Unsubscribe”
  5. “Learn why we included this”

Of course, the real issue here is that this looks like it could be a real email from LinkedIn (and hey, the VP Operations from Allstate wants to know you, wow!). But look what happens when I hover the mouse over the “Unsubscribe” link, for example (detail):

[Image: detail of the mouseover on the “Unsubscribe” link (2012-10-17-fpu-031)]

I’m not sure what’s on that site (I didn’t click to find out), but I can promise you it’s not a real LinkedIn page. Most likely it’s a hacked website that will attempt to infect your computer with malicious software.

If you’re a LinkedIn user, it’s important to be careful with email messages that appear to be from the network. Hover your mouse over any links before you click. Better yet, just visit the site directly and log in to your account; if you’ve got pending invitations, they’ll show up.

Also, most email clients these days don’t display embedded images unless you manually tell them to (note the red “X” and the word “LinkedIn” in the upper right corner of the message). There’s usually a box or a bar that says something like this:

[Image: the email client’s “display images” bar (2012-10-17-fpu-02)]

Unless you know who the message is from and what it contains, never click on that box.

FPU Noir: The Lost Messages on Facebook

Note: for maximum atmosphere, first scroll to the bottom of this post and play the YouTube video, and listen to the music while you read.

The night meowed at the window of the dingy third-floor office on the wrong side of town like a housecat left out in the rain, trying to draw my gaze from the hand of solitaire laid out on the desk between half-empty cups of cold coffee, old newspapers and an ashtray spilling over with stale butts. I glanced at the window and shuddered for some reason, then wondered who left all the spent Chesterfields there, seeing as how I don’t smoke. They made a good prop, though, so I returned to my cards. If I could just find the other red queen, I was set.

It was the kind of night that slithers through the gutters and alleyways, around garbage cans and dumpsters, up fire escapes and into the ventilation. It always finds a way in, always creeps up behind you, always gets you in the end. There was a knock at the door, and a woman entered.

She was one sad-luck dame by the look of her, all switchblade sadness and razor gloom, whatever that means. She was carrying a laptop computer (which seemed anachronistic given the setting, but this was the Fraud Prevention Unit, and these newfangled bean-counters were the rule these days).

She just stood there for a minute and looked unsure. “Are…are you the one they call ‘Sledge’?”

“That’s me,” I said. “Hank Sledge, Private Fraud Investigator.”

“Oh. I…oh.” She swayed on the spot, as if trying to decide something.

“C’mon, spill it, sister,” I spat.

“Well, it’s just…I got this email the other day and I don’t know what to do.”

I looked at the gray computer tucked under her arm. “And you figure some mug’s got you pegged as an easy mark? Toss that mill up here on the table. Let’s see what we got.”

She placed the laptop on the desk and hit the power button. It took a minute to start up, and the awkwardness hung in the air like burnt toast. “So…um…read any good books lately?” I started to say, but the machine was ready.

“This one right here,” she said, and I read the email.

The message said it was from Facebook, and if it was a ringer it was a darn good one. It went like this:

From: Facebook <notification+tnejvqakyz@notifierfacebook.com>
Subject: You have 3 lost messages on Facebook…

Facebook sent you a notification

You have 3 lost messages on Facebook, to recover a messages please follow the link below: http://www.facebook.com/profile.php?recover.messages=563f03b5d6f9

How to get back your lost messages on Facebook

At the bottom was a green button that said “Frequently Asked Questions.”

“Did you click on anything in this mess?” I said.

“No, I don’t think so.”

“You can’t think so. You either clicked or you didn’t. Think hard.”

“No, I didn’t. Jeez. Jerk.”

“Sorry ma’am. Hardboiled crime fiction. I have to talk to everybody that way.”

“Oh.”

“Anyway,” I continued, “it’s good you didn’t click. This is a swindle through and through. See this?” I showed her the message header. “If it was from Facebook, it wouldn’t be coming from some ‘notifierfacebook.com’ domain.”

“And check this out.” I moused over the link. “It says ‘facebook.com,’ but it’s disguised. Every link in the message takes you to this weird ‘winesofworld.org’ website. Classic phishing message. These punks either want to infect your computer with malware or steal your password. There’s also the crummy English; see where it says, ‘to recover a messages?’ Makes no sense. Finally, there’s no such thing as ‘lost’ messages on Facebook.”

Her eyes were dinner plates. “So what do I do with it?”

“If I was you, lady, I’d drill it with my heater,” I spat.

“What?”

“Just delete it.”

“Oh,” she said, and snapped the laptop shut. “Okay, cool. Thanks. Nice hat, by the way.”

I nodded thanks as she disappeared out the door and went back to my game. Black eight to red nine. The card underneath was the queen of diamonds. “There’s my lady,” I murmured over the lonesome wail of a siren echoing across the night.

Craigslist phishing

I got this lovely message just the other day:

From: notice@craigslist.org
Subject: Confirmation for Posting ID #981651681

Confirmation for Posting ID #981651681

Your ad, titled “SONY PLAYSTATION 3 METAL GEAR SOLID 4 PS3 80GB BUNDLE!”, has been posted as follows:

http://singapore.craigslist.org/ele/981651681.html (electronics)

Posts will appear in the list of postings and in search results in about 15 minutes. If you are trouble finding them,
please check our help page at http://www.craigslist.org/about/help/where.html

Please login into your account if you need to edit of delete your posting:
http://accounts.craigslist.org/login

If you did not post this ad please change your account password asap:
http://accounts.craigslist.org/login/chgpwd

For your protection please check our list of common scams: htttp://www.craigslist.org/about/scams.html

Thanks for using craigslist!

The only problem is, all the links are disguised; they actually lead to a site hosted at cen.thegigabit.com. I guess you’re supposed to go, “Whoa! I’m not selling a Playstation! I gotta fix this now!” and start clicking.

Here’s the thing I don’t get: why are they trying to steal Craigslist passwords? To my knowledge, Craigslist isn’t like eBay where you pay through the site itself; don’t Craigslist buyers just contact the seller and arrange for payments on their own? Is it that difficult to just create a fake Craigslist account from which to run your cashier’s check and wire transfer scams?

I just don’t get it. Somebody fill me in if I’m wrong about this; I don’t use online classifieds at all, so I don’t know firsthand how it works.

Dumb Spam Time: Deactivation of Your Email Address

Here’s a message I got just the other day. It’s pretty goofy.

From: Tom Lavigne
To:  [blank]
Date: Wednesday, June 08, 2011 9:27:37 AM 
Subject: Deactivation of Your Email Address

THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM This message is sent automatically by the computer. If you are receiving this message it means that your email address has been queued for deactivation; this was as a result of a continuous error script (code:505)receiving from this email address. Click here and fill out the required field to resolve this problem Note: Failure to reset your email by ignoring this message or inputting wrong information will result to instant deactivation of this email address

Normally I include the email address when I paste these, but apparently Tom is a real person whose email address has been used without his authorization. I don’t want to make it look like some YMCA in Massachusetts is running a phishing scheme.

Anyway, let’s poke holes in it!

  1. Execrable grammar and usage. It used to be that tech people weren’t always the best writers (see also: any software manual written between 1980 and 1995 or so), but “will result to instant deactivation?” No.
  2. “Click here” links to a TinyURL site. Yeah, no.
  3. “This message is sent automatically by the computer.” Yeah. THE COMPUTER. Really? Really? No technical support team would ever use that sentence, because it makes zero sense.
  4. “Reset your email” also makes no sense. How do you reset an email? (You can, however, declare email bankruptcy).
  5. It’s asking you to click a hidden link and provide personal information. It might as well have said, “Hi. This is a phishing attack. Can we have your password?”