Tuesday, March 18, 2014

New cyberscam a spin on old scam: two tips to avoid it

I started seeing a new style of phish over the last few weeks at my job where I scour the Internet for these types of threats. It is a slightly more sophisticated fake Google login page designed to steal your credentials. Gizmodo recently published an article about it, reiterating a Symantec blog post, but they may have slightly overstated the threat while missing some helpful hints to avoid falling for the scam.

For the average person, this new phish is a little more graphically convincing and tricky in the URL. But, it is essentially the same as those that came before it. Don't worry; just keep in mind two things that apply to all phish.

1) WHO. A link to the fraudulent page is usually sent in a lure email. The Gizmodo article makes a good point: if someone you don't know unexpectedly sends you a link, it's probably not legit.

The email may say you need to log in to your account to change settings, or to view a shared document (as in the case of the Google phish), or something along those lines. The sender's email address may appear legit because they spoofed it, but in my experience they were probably too lazy for that, so it's more likely something dumb like accountverify@yahoo.com. (Most of the scammers who make these pages seem super lazy and sloppy; it's probably why they do what they do.)

Sometimes a company may actually use third-party services for shared documents, so you may need to verify with that company. This is rare, especially if you weren't expecting it.
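The WHO check above can be written down as a small script. This is an added example, not code from the original post or from IID: it reads a constructed lure email, pulls the display name and the real address out of the From: header, and flags the case where the display name claims a brand but the address is on some unrelated domain (the accountverify@yahoo.com pattern). The BRAND_DOMAINS table is a hypothetical stand-in for whatever list of legitimate sender domains you maintain; since a From: header can be spoofed, a clean result here is one signal, not proof.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample lure, not a real message: the display name says
# "Google Docs" but the address is a free-mail account.
SAMPLE_LURE = """From: Google Docs <accountverify@yahoo.com>
To: you@example.org
Subject: A document has been shared with you

Someone shared "Q1 report" with you. Click the link to view it.
"""

# Hypothetical mapping of brand names (as they appear in display names)
# to the domains that brand really sends from; subdomains are accepted.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "yourbank": {"yourbank.com"},
}


def sender_parts(from_header):
    """Split a From: header value into (display name, lowercase address domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return name, domain


def domain_matches(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def brand_mismatch(from_header):
    """Return the brand the display name claims if the address domain
    does not belong to that brand; None if nothing looks off."""
    name, domain = sender_parts(from_header)
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower() and not domain_matches(domain, allowed):
            return brand
    return None


def check_message(raw_message):
    """Parse a raw RFC 822 message and run the From: header check on it."""
    msg = message_from_string(raw_message)
    return brand_mismatch(msg["From"] or "")


if __name__ == "__main__":
    verdict = check_message(SAMPLE_LURE)
    print("suspicious: claims to be %s" % verdict if verdict else "no mismatch")
```

The point of splitting name from address is that mail clients show the display name prominently; the address after it is what the scammer usually could not be bothered to make match.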

One variation is that, instead of receiving an email, you may find links to login pages from other pages, pages where you wouldn't expect to find a link like that. Usually, these are just blogs trying to get traffic by offering links to legit login pages in a post on how to log in to your bank. While they are perhaps less-than-honorable sites, in that they offer no real value and muddy search engine results for ad revenue ("content farms"), they are not criminal. But, they could be, which leads us to the next point.

2) WHERE. Does the link go where it should? Just because the text you click looks legit doesn't mean it actually goes to that address. Look at the URL.

The URL may be long and unclear on first glance, and it may contain the name of your bank or relevant key words somewhere in it. That can be sneaky, but it's a tip-off once you're savvy. Your bank's login page is not going to be at www.alpacasoncrack.com/herephishyphishyphishy/fake-login/secure.yourbank.com.php, nor will it be at login.yourbank.com.hobbitlovers.org. (The domains alpacasoncrack.com and hobbitlovers.org are surprisingly available at the time of this writing.)

If you hover over a link before clicking it, the real URL it points to will appear at the bottom of your screen. (Most, if not all, browsers will show the URL like this, but if your browser doesn't do this for you, get a new browser, or change your settings, or update it, or get an add-on or something.) If you do happen to click on it (which is a low risk if you have an antivirus program, so no worries, but do clear your cookies afterward), look in the address bar at the URL where you ended up. Some browsers make it easier to spot the domain name by showing its text in black while the rest of the URL is greyed out in the address bar.

Also, the domain may even be your-bank.com, whereas your bank's domain is yourbank.com, but those variations have probably already been bought or blocked by your bank. UK banks actually use hyphens in legit domains sometimes. I digress.

In the case of this newish Google phish (aka "parasite," depending on whom you ask and how you are lured to it), the fake login URL looks legit. Since it is actually a public document on Google docs, it is on docs.google.com. However, your Google account login is on accounts.google.com. That's a little trickier, but it still follows the same principle: the login page is not in the right place on the Internet.

If you're still unsure about whether you're on the right page, here is the simplest and only trick you really need: go find the real login page. Make sure it's on the same hostname (e.g. login.yourbank.com). Just for fun, you could enter fake credentials and see if it accepts, but remember that rejection is not proof it's legit.
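The WHERE check boils down to one comparison: is the hostname in the address bar exactly the host where the real login page lives? This added example (not code from the original post or from IID) makes that comparison on the URLs used above. The EXPECTED_LOGIN_HOSTS table is a hypothetical stand-in for the real login host you looked up yourself; the "lookalike" label just explains why a wrong host still looked plausible, by checking whether the brand name is buried somewhere in the URL, including hyphenated spellings like your-bank.com. It also goes slightly beyond the post by showing that the same rule handles the Google case, where docs.google.com is a real Google host but not the login host.

```python
import re
from urllib.parse import urlsplit

# Hypothetical: the one hostname where each organisation's real login lives.
# In practice you look this up yourself, as the post says, rather than
# trusting anything in the email.
EXPECTED_LOGIN_HOSTS = {
    "yourbank": "login.yourbank.com",
    "google": "accounts.google.com",
}


def hostname_of(url):
    """Return the lowercase hostname of a URL ('' if it has none).

    urlsplit does the hard part: everything after the host, such as
    /fake-login/secure.yourbank.com.php, is path and is ignored."""
    host = urlsplit(url).hostname
    return (host or "").lower().rstrip(".")


def brand_hidden_in(url, brand):
    """True if the brand name appears anywhere in the URL once punctuation
    is stripped, so 'your-bank.com' and '.../secure.yourbank.com.php' count."""
    flattened = re.sub(r"[^a-z0-9]", "", url.lower())
    return brand in flattened


def login_host_verdict(url, brand):
    """'ok' only when the hostname is exactly the expected login host;
    'lookalike' when it is not but the brand name is dressed into the URL;
    'wrong-host' otherwise."""
    expected = EXPECTED_LOGIN_HOSTS[brand]
    if hostname_of(url) == expected:
        return "ok"
    if brand_hidden_in(url, brand):
        return "lookalike"
    return "wrong-host"


if __name__ == "__main__":
    # The URLs from the post plus the docs.google.com case.
    samples = [
        ("http://www.alpacasoncrack.com/herephishyphishyphishy/fake-login/secure.yourbank.com.php", "yourbank"),
        ("http://login.yourbank.com.hobbitlovers.org/", "yourbank"),
        ("http://your-bank.com/login", "yourbank"),
        ("https://login.yourbank.com/", "yourbank"),
        ("https://docs.google.com/forms/d/PLACEHOLDER_ID/viewform", "google"),
        ("https://accounts.google.com/ServiceLogin", "google"),
    ]
    for url, brand in samples:
        print("%-12s %s" % (login_host_verdict(url, brand), url))
```

Note that only the exact-host match decides anything; the lookalike test is there to show the reader where the bait was placed, not to make the decision, since a scammer who leaves the brand name out entirely still gets "wrong-host".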

There are all kinds of other things to check, such as where the form sends your login info, checking the whois record, etc. But a lot of that stuff is mainly to help put together a case for taking the page down. If all you are concerned about is avoiding a scam, just remember what I told you. Do you trust the source? Is the login page where it should be? (Where is the login page?)

If you think you have found a fraudulent login page or email, alert the company it poses as (e.g. your bank). Forward the actual email to them with the full headers (see how here). Chances are they have hired a team dedicated to taking care of this sort of thing, like the awesome team I'm on: shameless IID plug.


Respect.