Friday, 15 November 2013

How to Recognize and Avoid Phishing Emails and Links

SecurityWatch: "We talk about phishing a lot on SecurityWatch. While we regularly warn readers not to fall for phishing scams, it got us thinking: how many people know how to recognize a phishing scam?
Phishing is a serious problem. Statistics from RSA claim there were 445,000 phishing sites in 2012, double what was found in 2011. It is safe to assume that 2013 will show another increase, said Corey Nachreiner, a director of security strategy at WatchGuard. Kaspersky Lab found that scammers pretended to be from major companies such as Apple, Yahoo, Google, Amazon, eBay, Twitter, Instagram, and Skype to trick users into clicking on a malicious link as part of a widespread spam campaign in the third quarter.
"Phishing has really blown up," Nachreiner said.
The problem is that it is getting harder and harder to recognize a phishing attack. Ten years ago, most phishing scams were fairly easy to recognize. In most cases, the emails and sites looked fake, or there was something that was just "off." That is no longer the case, as cyber-criminals are paying attention to what the real versions of the emails and sites look like, and making sure their creations closely mimic the original, Nachreiner said. The criminals frequently use the same images and logo as the company they are impersonating and adopt similar language. They also frequently use similar layouts and templates, so that at first glance, these emails and sites look real.
Here are some tips on how to avoid going to such sites in the first place.
Who Is It Sent To?
Check who the email has been sent to. Are lots of other users included in the cc: or to: fields that you don't recognize? Most retailers use applications such as Mailchimp, so you will rarely see who else is on the mailing list. If you do see other addresses, it's worth being a little careful and skeptical.
Perhaps the email has been sent to several people all within the same organization or with the same domain. This should be a red flag, especially if you see addresses for webmaster or administrator. This is an indication that the sender is just trying a whole range of addresses in hopes of getting someone to click on the link. If you see a work-related email (say someone claiming to be a job applicant or a potential client), and the sender also sent it to your company's webmaster address, odds are it's not an email you need to see. Forward it to your IT department.
Never Click on Links
Users should never click on links in their emails, especially if it is an email they didn't request. Don't click on a link from DHL or other shipping delivery services. Don't click on a link claiming to be from Amazon or LinkedIn. "Just manually type the URL to the site you need to go to, and look for the information directly on the site," Nachreiner recommended.
If the email is telling you about a shipment delivered, or even more commonly, an error with a shipment (that you don't know about), go to the shipper's Website directly and enter the tracking information there. If it is a special shopping deal, see if you can find mention of the sale on the site, usually under "New Offers" or something similar.
Hover Over Links
What if you have to click on that link? Maybe that email is offering a sales promotion only for people who are on the mailing list and can't be found on the Website. Or it's your favorite buddy on Twitter with something you really need to see. One quick way to check whether it is safe to click is to hover over the link with your mouse. Don't click, just wait to see what the full URL is. A box should appear under the mouse, or at the bottom of your browser or mail application. Criminals can easily show one address in the body of the email but actually point the link to a different address. Hovering over the link lets you look at where the link is actually taking you.
For example, you may think this link is going to, but it's actually going to take you to our sister site, Computer Shopper.
If the domain is showing up as an IP address or some other name, that is a big giveaway, Nachreiner said. "Companies like to use words, not numbers, in their domain names," Nachreiner said.
Read the Domain Carefully
Read the domain name carefully, because many criminals like to use misspelled names. At first glance, they look correct, but they are just there to trap the unwary.
Another trick scammers use is to create a really long URL, with the name of the company being spoofed somewhere in the link. A long URL with "paypal" buried in the path may trick users into thinking it is a PayPal-affiliated site. Another variation is to create a subdomain that carries the brand name, so the real, criminal-controlled domain sits at the end of the host name.
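The checks described in the last three sections (hover and compare the shown address with the real target, reject IP-address hosts, read the registered domain rather than the brand name anywhere in the URL, watch for misspellings) can be automated over the links in an email body. The script below is an added example and is not code from SecurityWatch or WatchGuard. The sample email, the hosts in it (the .example names and the 198.51.100.7 documentation address) and the threshold of two edits for a misspelling are constructed for the demo; the "last two labels" rule for the registered domain is a simplification, a real checker should consult the Public Suffix List.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    # Naive eTLD+1 (last two labels). Assumption for the demo only: a real
    # checker should use the Public Suffix List so that e.g. "bbc.co.uk" works.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a, b):
    # Levenshtein distance; used to spot one- or two-character typosquats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Matches link text that itself looks like a URL or host name.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def inspect_link(text, href, expected_domain):
    """Return the list of reasons this link does not look like expected_domain."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if not host:
        return ["href has no host"]
    brand = expected_domain.split(".")[0]          # e.g. "paypal"
    reg = None
    if is_ip_literal(host):
        findings.append("host is an IP address, not a domain name")
    else:
        reg = registered_domain(host)
    if reg != expected_domain:
        findings.append(f"does not belong to {expected_domain} (host is {host})")
        if reg and brand in host.lower():
            findings.append(f"'{brand}' appears only in a subdomain of {reg}")
        if brand in (parts.path + "?" + parts.query).lower():
            findings.append(f"'{brand}' appears in the path, not the domain")
        if reg and 0 < edit_distance(reg, expected_domain) <= 2:
            findings.append(f"{reg} looks like a misspelling of {expected_domain}")
    shown = HOST_IN_TEXT.match(text.strip().lower())
    if shown and registered_domain(shown.group(1)) != reg:
        findings.append(f"link text shows {shown.group(1)} but it points to {host}")
    return findings


def audit_email(html, expected_domain):
    """Inspect every link in the email; returns [(href, findings), ...]."""
    return [(href, inspect_link(text, href, expected_domain))
            for text, href in extract_links(html)]


# Constructed sample: one genuine link and four of the tricks from the article.
SAMPLE_EMAIL = """
<p>Your PayPal account has been limited. Please verify your details.</p>
<a href="http://paypal.com.account-verify.example/login">Log in to PayPal</a>
<a href="http://198.51.100.7/paypal/update">https://www.paypal.com/</a>
<a href="http://secure-update.example/pages/paypal/webscr?cmd=login">Update your details</a>
<a href="http://paypa1.com/signin">Sign in</a>
<a href="https://www.paypal.com/myaccount">Go to your account</a>
"""

if __name__ == "__main__":
    for href, findings in audit_email(SAMPLE_EMAIL, "paypal.com"):
        print(href, "->", "looks fine" if not findings else "; ".join(findings))
```

Only the last link comes back clean; each of the others is flagged for the specific trick it uses (brand in a subdomain, bare IP with a fake "https://www.paypal.com/" display text, brand in the path, and the one-character misspelling).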
Verify Links
Perhaps you've hovered over the links, read the URL, and it still looks legit. Or maybe the URL from Twitter is using a URL shortening service, so hovering doesn't help. You can cut-and-paste that link into a site that follows the link for you and tells you all the redirects. With such a service, you can confirm that yes, this email really is showing you special offers for Amazon customers and is not an attempt to steal your Amazon credentials.
If the service returns a long list of URLs, "that should up your suspicion meter," Nachreiner said, since that is a sign you are bouncing around multiple sites before you see the actual Website. They may be marketing-related or potentially be trying to serve up malware.
Sucuri offers SiteCheck, a free Website malware scanner that checks to make sure the site you are going to is not infected. If you aren't sure about a specific link, you can copy-and-paste the link into the box on the site and click on the "Scan Website" button. It will scan the site and let you know if there's any malware lurking.
If the shortener supports it, you can also use the "preview" function. If you type the shortened URL into your browser window and add a "+" at the end, you can see who created the link, what site it is pointing to, and other statistics about the link. It's a nifty way to check these short links.
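What a link-expansion service does for you is walk the redirect chain one hop at a time and show every stop, then let you judge the number of hops and the final domain. The code below is an added example of that walk, not the article's or any named service's code. The redirect targets (short.example, click.tracker.example, amazon.com.secure-login.example) are constructed for the offline demo via a fake fetch function, the two-hop limit is an arbitrary assumption, and registered_domain uses the same last-two-labels simplification as above.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def follow_redirects(url, fetch, max_hops=10):
    """Walk the redirect chain starting at url, one hop at a time.

    fetch(url) must return (status_code, headers_mapping). Only the Location
    header is consulted. Returns (chain, outcome); chain lists every URL seen.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            return chain, "ok"
        lower = {k.lower(): v for k, v in headers.items()}
        location = lower.get("location")
        if not location:
            return chain, "redirect without Location header"
        nxt = urljoin(chain[-1], location)      # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "redirect loop"
        seen.add(nxt)
    return chain, "gave up after %d hops" % max_hops


def registered_domain(host):
    # Same demo simplification as before: last two labels, no Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_chain(chain, expected_domain, max_ok_hops=2):
    """Return (hops, final_host, flags) for a chain produced by follow_redirects."""
    final_host = urlsplit(chain[-1]).hostname or ""
    hops = len(chain) - 1
    flags = []
    if hops > max_ok_hops:                      # threshold is an assumption
        flags.append(f"{hops} redirects before the final page")
    if registered_domain(final_host) != expected_domain:
        flags.append(f"lands on {final_host}, not {expected_domain}")
    return hops, final_host, flags


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None     # refuse to follow; the 3xx then surfaces as HTTPError


def live_fetch(url, timeout=10):
    """Fetch a single hop over the network (not used by the offline demo)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


# Constructed fake web: a clean short link, a three-hop tracking chain that
# ends on a look-alike host, and a link that redirects to itself.
FAKE_WEB = {
    "http://short.example/a": (301, {"Location": "https://www.amazon.com/gp/deals"}),
    "https://www.amazon.com/gp/deals": (200, {}),
    "http://short.example/b": (301, {"Location": "http://click.tracker.example/c?id=9"}),
    "http://click.tracker.example/c?id=9": (302, {"Location": "/r/9"}),
    "http://click.tracker.example/r/9": (302, {"Location": "http://amazon.com.secure-login.example/signin"}),
    "http://amazon.com.secure-login.example/signin": (200, {}),
    "http://short.example/c": (302, {"Location": "http://short.example/c"}),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}))


if __name__ == "__main__":
    for start in ("http://short.example/a", "http://short.example/b", "http://short.example/c"):
        chain, outcome = follow_redirects(start, fake_fetch)
        hops, host, flags = assess_chain(chain, "amazon.com")
        print(outcome, "|", " -> ".join(chain), "|", flags or "no flags")
```

Swap fake_fetch for live_fetch to expand a real link, but note the trade-off the article's advice already reflects: doing so from your own machine contacts every server in the chain (including the attacker's tracking redirector) with your IP address, which is exactly why a third-party expansion service is the safer first step.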
Think Smart
"In a lot of cases, you are going to know where you are going just by hovering over the link," Nachreiner said. "For other cases, these services can be helpful."
The best way to make sure you don't get phished is to not visit a phishing site at all. If you enter your login credentials or your sensitive information into a site and hit enter, the damage is already done. At that point, you have to change your passwords and contact your banks. The best time to stop a phishing attack is before you even get to the site."
