Social Engineering is an art by its way as it manipulates, influences and deceives you in order to gain control over the information in demand. ‘Human being’ being the weakest link in any security system is highly vulnerable and thus forms the gateway to the required information for a hacker. Phishing is one of the popular types of Social Engineering attacks.
Phishing Attacks:
Phishing is a cybercrime which uses legitimate-looking emails, calls or text messages portraying itself to be from authentic sources to persuade individuals into providing sensitive data such as personally identifiable information, financial details or passwords. Emails claiming to be from popular social websites, banks, auction sites, or IT administrators are the common methods adopted to trick public in this regard. Generally, emails sent by a cybercriminal are masked so they appear to be sent by a business whose services are used by the recipient.
At times, the official-looking messages tell recipients that, because of technical problems, billing information or passwords for their accounts must be resubmitted. Con artists recreate pages using information from legitimate websites in hopes of fooling consumers into providing their personal data. It’s a form of criminally fraudulent social engineering. The information is then used to access user’s accounts and can result in identity theft and financial loss.
The first phishing lawsuit was filed in 2004 against a Californian teenager who created the imitation of the website “America Online”. With this fake website, he was able to gain sensitive information from users and access the credit card details to withdraw money from their accounts. Some other forms of phishing are 'vishing' (voice phishing), 'smishing' (SMS Phishing) etc, and cybercriminals constantly come up with several new techniques.
Spear Phishing, is a type of phishing in which a small, focused, targeted attack is conducted via email on a particular person or organisation with the goal to penetrate their defences. The spear phishing attack is done after research on the target and has a specific personalised component designed to make the target do something against their own interest. This mechanism is used in capturing confidential corporate data.
Phishing Mail:
How to identify Phishing Mails?
Check the trustworthiness of the sender address. The notification mails from Facebook is from “@facebookmail.com”.
The lack of a personal greeting, although the presence of personal details is not a guarantee of legitimacy. The genuine mails usually address your name.
Check the links or buttons provided in the mail to perform some actions. The “Go To Facebook” link in the above mail, actually goes to a website that isn’t Facebook.
Spelling mistakes in the email and the presence of an IP Address in the link are both clues that the mail is a phishing attempt.
Phishing Websites:
A phishing website (sometimes called a "spoofed" site) tries to steal your account password or other confidential information by tricking you into believing you're on a legitimate website. Some phishers take advantage of human errors while typing in the URL. The high probability error characters are identified and a corresponding phishing website made. The pages of both original and duped websites may look similar, where in users enter the data as they would do in original site. The fig. 3 is an example of phishing site, where URL mistyping is exploited. The URL of the site is not the original Facebook URL (https://www.facebook.com).
Even if a link has a name you recognise somewhere in it, it doesn't mean it links to the real organisation. Make sure to read URLs from right to left — the real domain is towards the end of the URL. For example, in the above URL (facelook.cixx6.com), “cixx6.com” is the actual domain and “facelook.cixx6.com” is a subdomain of “cixx6.com”. Also, note that websites where it is safe to enter personal information begin with "https" — the "s" stands for secure.
You can see a pad lock on the URL, which stands for secure http, also called https, which means all communications on the sites will be encrypted for confidentiality. The Facebook phishing site shown in the previous figure doesn’t have a pad lock. We can identify the phishing sites by checking the pad lock, to a certain extent. However, the scenario has changed now.
Maybe you were once advised to “look for the padlock” as a means of telling legitimate websites. Unfortunately, new research indicates that half of all phishing scams are now hosted on websites whose Internet address includes the padlock and begins with “https://”. The https:// part of the address (also called “Secure Sockets Layer” or SSL) only signifies that the to-and-fro data transmission between your browser and the site is encrypted and can’t be read by third parties. The presence of padlock does not mean that the site is legitimate, or it has been security-hardened against intrusion from hackers.
Figure 5: Facebook Real vs Fake
In
In Fig. 5, the left half shows the genuine Facebook login page which has the pad lock. Facebook lookalike webpage on the right side also has the pad lock and the URL starts with https://m.facebook.com.---. If you check the complete URL, it is evident that the real domain is not “facebook.com” but something else. If the user is accessing the page through mobile browser, it is very hard to detect the fraud in URL and once you give your credentials in the form, it easily reaches the attackers’ hand. Now a days various tools are available to execute phishing attacks which have the ability to bypass Multi Factor Authentication (MFA) system as well.
Cyber-Criminals are registering their own domain names similar to their intended original ones and create certificates for hosting phishing websites to make it https. These sites also take advantage of internationalised domain names (IDNs) to introduce visual confusion. In a similar case, the “i” in onlinebank.com is rendered as the Vietnamese character “ỉ,” which is extremely difficult to distinguish in a URL address bar.
Defense against Phishing!
The best practice is to check the entire URL along with a padlock check before using the website. Always makes sure that, you are using the genuine URL with real domain name. https://www.virustotal.com is an online application which can be used to check if a URL is a phishing one or not. Fig. 7 shows the phishing URL https://www.facebook.com.sekuritytraining.xyz/ caught by the virus total analysis engine.
Always, Think Before You Click! – Clicking on links that appear in random emails or messages is not a good move. If you doubt the authenticity of a mail or a link, just hover over the link and check where it leads to. A phishing email link claiming to be from a legitimate source may look exactly like the real website. However, they may lack a personal greeting and might start with “Dear Customer”, hence be alert when you see such messages. Also, when in doubt, navigate directly to source by typing in the URL address rather than clicking on a potentially dangerous link.
Double check the site’s Security – Always be alert and a little cautious about supplying sensitive financial information online. Before submitting any information, make sure the site’s URL begins with “https” and there is a closed lock icon near the address bar and the entire URL. Check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Several phishing web pages tricks users offering low cost products. If the user makes purchases at such a website, the credit card details will be accessed by cybercriminals. Anti-Phishing Toolbars and websites like Virustotal can be used to check the authenticity of the website. Also, keep your web browsers and your knowledge about new phishing attacks up to date.
Verify your Online Accounts Regularly – Make it a habit to visit your online accounts regularly. Checking the monthly statements for your financial accounts regularly can help prevent bank phishing and credit card phishing scams. This also ensures that no fraudulent transactions have been made without your knowledge.
Caution while giving out Confidential/Personal Information – An Internet user should never make confidential entries through the links provided in suspicious emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website for padlock and certificate showing its trustworthiness. A bank will not ask for personal information via email or suspend your account if you do not update your personal details within a certain period of time. Most banks and financial institutions also usually provide an account number or other personal details within the email, which ensures it is coming from a reliable source.
Password Hygiene - As per a study report of SplashData, an internet security firm, the most popular password used in the 2018 is ‘123456’. Interestingly, according to their study this has been the number one choice since the past five years, followed by ‘password’. As is evident, people tend to use the password they can easily remember.
Few best practices to be followed to keep a good level of password hygiene are:
Do not use the same password for multiple accounts, especially for financial ones. The commonly used ones can be house or place or pet’s or company’s name, phone or vehicle number etc. If an attacker is determined to target you at any point, such passwords can be easily guessed by them.
Use strong password which is a combination of digits, uppercase, lowercase, special characters. Using ‘3’ instead of ‘E’, ‘$’ instead of ‘S’, ‘1’ instead of ‘I’ are some tips to improve the strength of password.
Normally advisable length of password is 8 characters. However, most web applications support up to 25 characters in password field. The more the numbers of characters, the more difficult it would become to guess the password by a third party.
Avoid using a word in dictionary. Dictionary attack can be used to easily identify such passwords.
Avoid using default password provided by the application. Change after the first login.
Change your password regularly, like every 30-45 days.
Passwords are characterised into three – something you know (password), something you have (OTP), something you are (biometrics). A combination of any two can make the authentication process hard to bypass. There are provisions for two-factor authentication in applications like Gmail and Facebook. It means along with the password, an OTP sent to your registered mobile number together can be used to login. Even if the password is compromised, there is still another layer of defence to protect your account.
The author is the Deputy Commander – Kerala Police Cyberdome and Head of Information Security - UST Global Inc
The opinions expressed in this article are those of the author's and do not purport to reflect the opinions or views of THE WEEK
