Online Shopping and a Phishing Pheeding Phrenzy [3]

Phish Avoidance

Here’s a shortened and updated version of the advice that David Harley and Andrew Lee gave to potential phish victims in an earlier paper.

The infographic isn’t from the paper, but has been used by ESET before, notably in a blog article by Randy Abrams. You may still find it useful, but bear in mind that phishing is by no means restricted to email messages, and that sometimes the real danger is in the attachment, which may be some form of Trojan or contain malicious links that aren’t present in the message.

  • Email sent apparently from a provider you don’t use is obviously suspicious. However, email apparently from a service provider that you do use, but sent to an address that you do not use when you contact that particular bank or service, is also always suspicious. One precaution is to create a separate email address (most ISPs will allow this, but you could also use a service such as Gmail to create extra accounts) with a unique name, e.g. mybanking.email@thedomain.com, and use that address exclusively for that activity, never publishing it anywhere or using it to send email for other purposes. This provides an easy way of checking that a message was sent to you at the correct address.
  • If you do have an account with the institution apparently sending it to you, but the message isn’t personalized (that is, addressed to you using your own name or a specific identifier such as a verifiable account number), regard it as highly suspicious. Greetings like “Dear Lloyds Bank Customer” or “Dear eBay User” suggest that the sender is trying to catch anyone who happens to receive the mail, and has no idea who you are or whether you really do have an account or business relationship with Lloyds or eBay. If the identifier is one of your email addresses (e.g. “Dear henry056@hotmail.com”), that is equally suspicious. It’s trivial to insert the email address into the message, and you should assume that it is not genuine.
  • However, if it does include your real name, that isn’t a guarantee that it’s genuine. There are many ways of obtaining that information; in fact, sometimes it can be harvested from your full email identifier, without any need to find it out from other sources. If you do have an identifier, especially a numeric or alphanumeric identifier (and if you don’t have such an identifier, maybe you shouldn’t be using the service), you should check it. For instance, it’s common for eBay phishes to include tags like “Your registered name is included to show that this message came from eBay” without actually showing the registered name, or even to use a made-up identifier in the hope that you won’t notice.
  • Reading message headers is a dark art requiring years of study at Hogwarts. Well, not really, but many people are intimidated by it. However, here are a couple of things to watch out for that don’t require you to read the full headers.

    - If the mail doesn’t seem to be addressed to anyone, it was blind copied to you and, probably, any number of other people. Don’t trust it.
    - It may seem to be addressed to someone else, including the apparent sender of the mail, or to a generic name such as “customer” or “clientlist”. This is sometimes appropriate for mail sent to many people, especially if the blind copy field is used to preserve their privacy. However, where the message concerns sensitive information such as banking data, it shows an inappropriate lack of personalization.

  • If you receive email apparently from an institution with which you have a business relationship (say eBay, or a tax office), that doesn’t mean that you should accept it unquestioningly. If the message requires you to authenticate yourself to a web site and it’s not the sort of mail you’d expect to get from them, it’s suspicious. Security warnings are actually particularly suspicious: email advising you that your account has been compromised is a common phish type. A telephone notification can also be malicious, but it may be easier to ascertain whether it’s genuine: at any rate, it can’t be purely random, and there are ways of verifying it, such as calling back a known valid number (for instance, the number found on an account statement).
  • Even if you are reasonably sure that the mail is genuine, do not click on an embedded URL directing you to a login page. If you have a pre-existing relationship with the organization, for instance if you already do e-Banking with them, you should already have a standard login procedure: use that rather than responding to a possibly-random email. If you need to contact them by phone, avoid using phone numbers included in the message. Just as web sites can be spoofed, so can telephone numbers: use the telephone directory or another trustworthy resource such as an account statement.
  • A particularly common trick (but also a clear indication of mischief if you spot it) is an embedded URL that looks legitimate but has been modified to hide the real target. URLs can be obscured in many ways. However, if inspecting the source code for HTML mail or even passing the cursor over the URL shows a mismatch between the apparent site name and the target URL the browser actually sees, this is very suspicious. For example:

    - Deceptive text inserted between http:// and an @ symbol: this may include the apparent target name, but will be ignored by the browser, which will only interpret the text that follows the @ as the domain name.
    - The domain name may be expressed as an IP address in one of several formats (dotted-decimal, dword, hexadecimal or octal). The characters forming the URL may also be expressed as hex: there are some examples at http://www.pc-help.Org/obscure.htm.
    - The URL may be made so long that it cannot be completely displayed in the status bar.
    - The URL may include a domain name that is not quite the same as the company’s real domain, but is similar enough to evade a cursory glance.

  • One of the weapons in the phisher’s armoury is to present the ‘problem’ that requires you to log in as requiring urgent resolution (“You must log in within 24 hours or your account will be terminated for security reasons.”). This variation on a well-known sales technique (“Offer only lasts till the end of today!”) is intended to panic you into responding.
  • Apart from increasing the pressure on the victim, urgency also works to the advantage of the phisher, who often needs a quick response before law enforcement and other countermeasures are put into place.
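The URL tricks listed above (text before an @, a host written as a dword, hex or octal IP address, over-long URLs, and lookalike domains) can be checked mechanically before anyone clicks. The following Python is an added example, not code from the original post or from ESET; the genuine domain `example-bank.com`, the 100-character status-bar limit and the sample links are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

LEGIT_DOMAIN = "example-bank.com"   # constructed: the domain the mail claims to come from
_OCTET = re.compile(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*", re.I)
_CONFUSABLE = str.maketrans("0135", "oles")   # digits commonly swapped for letters

def _octet(p):
    # one dotted part, written as hex (0x..), octal (leading 0) or decimal
    base = 16 if p[:2].lower() == "0x" else 8 if len(p) > 1 and p[0] == "0" else 10
    return int(p, base)

def decode_numeric_host(host):
    """Dotted-decimal string for an IP written as dotted-decimal, dword, hex or octal (inet_aton rules), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_OCTET.fullmatch(p) for p in parts):
        return None
    *lead, last = [_octet(p) for p in parts]
    if any(v > 255 for v in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None                       # the last part fills the remaining bytes
    total = last
    for shift, v in zip(range(24, 24 - 8 * len(lead), -8), lead):
        total |= v << shift
    return ".".join(str((total >> s) & 255) for s in (24, 16, 8, 0))

def lookalike(host):
    """True if host imitates LEGIT_DOMAIN without being it or one of its subdomains."""
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return False
    brand = LEGIT_DOMAIN.split(".")[0]
    return brand in host or host.translate(_CONFUSABLE).replace("rn", "m") == LEGIT_DOMAIN

def analyze_link(anchor_text, href):
    """Red flags for a link in HTML mail: anchor_text is what is shown, href is where the browser goes."""
    flags = []
    url = urlsplit(href if "//" in href else "//" + href)
    host = url.hostname or ""
    if url.username is not None:          # http://real-looking-name@actual-host/
        flags.append(f"text before '@' is ignored by the browser; real host is {host}")
    if ip := decode_numeric_host(host):
        flags.append(f"host is a numeric IP address ({host} = {ip})")
    if len(href) > 100:                   # assumption: longer than any status bar shows
        flags.append(f"URL is {len(href)} characters, too long for the status bar")
    if lookalike(host):
        flags.append(f"{host} resembles but is not {LEGIT_DOMAIN}")
    if re.fullmatch(r"\S+\.\S+", anchor_text):   # link text that itself looks like a URL
        shown = urlsplit(anchor_text if "//" in anchor_text else "//" + anchor_text).hostname
        if shown and shown != host:
            flags.append(f"link text shows {shown} but the target is {host}")
    return flags
```

An empty list from `analyze_link` means none of these particular tricks is present, not that the link is safe; the advice above about using your own bookmarked login procedure still applies.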

The kind of crude, text-only phish (usually written in bad English) that we saw a few years ago is far rarer today, but the basic form of the attack hasn’t changed much: only the quality of the social engineering and the far more professional presentation.

However, the attack surface and range of vectors have broadened considerably: whereas most phishing attacks used to be delivered through email, we now see other forms of messaging exploited, such as SMS (texting), social media like Facebook and Twitter, even voicemail. And whereas phishing-related malware still mostly targets Windows, attacks that rely purely on social engineering and fake web sites can be delivered to any platform, including smartphones and tablets.

David Harley, ESET Senior Research Fellow
Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland


  • Vicki

    Pay Pal claims to be safe, but 3 years ago someone tried to buy a $2,800.00 (US) computer through my Pay Pal checking account. I called Pay Pal and was put on hold for 45 minutes and once I finally got through, the customer service rep refused to stop the transactions from going through my checking account and he acted like it was no big deal. Had my paycheck been automatically deposited before the transaction, I would have been out all that money and some thief would have had a very nice computer. As it was, I got stuck with two NSF fees because Washington Mutual refused to credit all but one of the $27.00 charges. So, remember folks, Pay Pal is not "bulletproof" and they don't care if you are scammed, or not. The only thing Pay Pal did was to forewarn me that my account had been compromised and that was it. I have never used Pay Pal ever again.
