Look out! Just when you thought you knew what to click on in your emails, another threat emerges.
We in the cybersecurity community have spent a lot of time and effort on cyber awareness for end users. The whole goal of the bad guy is to get a user to click on a link in an email, go to a web site, and download and run an executable program. We’ve made some (small) strides in heightening alertness to these types of phishing attacks.
Based on our awareness campaigns, users now know to “look for the padlock” in the browser bar, and to “hover over a link” before clicking on it in an email. Those suggestions do help to some extent, but now the bad guys have introduced even more insidious approaches.
Imitation emails and cloned websites
First, the emails have become more enticing. (See the below example of a recent phishing email made to look like it’s coming from Facebook.) Rather than offering a link to a “great deal” or a free sample, attackers have successfully copied FedEx emails notifying users that a package couldn’t be delivered. Even people who aren’t expecting a package tend to click anyway. (After all, who doesn’t think they deserve an unexpected gift from a friend or relative?) Once they click the link, they are taken to an official-looking FedEx clone website hosted on Google Drive (drive.google.com). Because the browser validates Google’s legitimate certificate, the familiar padlock appears in the address bar, and people feel comfortable clicking the links presented (and therefore downloading the malware).
Fake account registration
Some attackers make the user go through an account registration process, entering their email address and creating a password. That doesn’t sound so bad, but attackers know that many people reuse the same password across all of their online accounts. As soon as an account is created on the fake site with an email address and password, the attacker tries those exact credentials on many other websites (banks, PayPal, etc.). They often work.
Worse, some attackers clone legitimate banking websites and collect credentials. After a user enters their user name and password, the fake site flashes an official-looking error message and then redirects the user to the login page of the real site. Users then log into the real site, not realizing they took a detour and gave their credentials to a fake site along the way.
So what can we do?
Cybersecurity professionals should advise users not only to hover over links in emails, but also to inspect the links on the websites those emails send them to. If you are told to download a form (PDF) but the file name ends in “.exe”, it’s probably a trap. Many organizations that handle sensitive data are also blocking access to Google Drive, box.com and other cloud storage sites as a precaution. If you get an unusual-looking login error on a banking or other sensitive website, double-check the URL for a slight misspelling or a Google Drive reference. If anything looks fishy, stop and type the URL in from scratch.
Also, if you think you’ve inadvertently entered your credentials into a fake site, go to the real site and change your password immediately. It’s an easier mistake to rectify if you haven’t used the same password on every site you use.
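The checks above (display URL vs. real target, cloud-storage hosting, an “.exe” where a PDF was promised, and brand names in lookalike domains) can be applied automatically to the links in an inbound email. The following is an added example, not code from the original post; the sample links, the brand list and the `registered_domain` helper (a simplification that ignores multi-part TLDs such as .co.uk) are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample: (visible link text, actual href) pairs as they might
# appear in a phishing email. None of these hosts is a real indicator.
SAMPLE_LINKS = [
    ("https://www.fedex.com/tracking", "https://drive.google.com/file/d/abc123/view"),
    ("Download your form (PDF)", "https://fedex-delivery-notice.com/form.pdf.exe"),
    ("https://www.fedex.com/", "https://www.fedex.com/apps/fedextrack/"),
    ("Log in to your bank", "https://www.examplebank.com.login-verify.net/login"),
]

BRANDS = ("fedex.com", "facebook.com", "paypal.com", "examplebank.com")  # assumed list
CLOUD_HOSTS = ("drive.google.com", "box.com")           # hosts the post warns about
EXECUTABLE_EXT = (".exe", ".scr", ".bat", ".cmd", ".msi")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def registered_domain(host):
    # Simplification: last two labels (wrong for .co.uk-style TLDs).
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def link_warnings(text, href):
    """Return a list of reasons this link looks like one of the post's tricks."""
    warnings = []
    href_host = host_of(href)
    path = urlparse(href).path.lower()
    # 1. Visible text is a URL, but hovering reveals a different domain.
    if text.lower().startswith(("http://", "https://")):
        if registered_domain(host_of(text)) != registered_domain(href_host):
            warnings.append("display URL and target differ")
    # 2. Target lives on consumer cloud storage (padlock proves nothing here).
    if href_host in CLOUD_HOSTS or href_host.endswith(tuple("." + h for h in CLOUD_HOSTS)):
        warnings.append("hosted on cloud storage")
    # 3. The "form" is actually an executable (form.pdf.exe).
    if path.endswith(EXECUTABLE_EXT):
        warnings.append("executable download")
    # 4. A known brand name inside a host that is not the brand's own domain.
    for brand in BRANDS:
        if brand.split(".")[0] in href_host and registered_domain(href_host) != brand:
            warnings.append(f"lookalike of {brand}")
    return warnings

def scan_links(links):
    """Map each href to its warnings; an empty list means no trick detected."""
    return {href: link_warnings(text, href) for text, href in links}

if __name__ == "__main__":
    for href, reasons in scan_links(SAMPLE_LINKS).items():
        print(href, "->", reasons or "ok")
```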
For more information about how these types of schemes work, Global Knowledge has training courses on end-user awareness, as well as Certified Ethical Hacking and other penetration testing techniques.