With the recent deluge of phishing attacks (see 1, 2, 3, 4 and 5) it’s time once again to review some of the more common phishing methods and what you can do to spot and defeat them. Below I go over three you’re likely to see: phishers getting to know you, complimenting you, and befriending you. You’ll notice that the tactics build on each other. Unfortunately, as users have become more sophisticated, so have phishers.
[Before we go further you might be wondering… What the heck is phishing? Is it fun? Does it go well with lemon and dill? Answer: Phishing is the term used for the attempt at getting usernames/passwords/other credentials out of someone through subterfuge. It is only fun if you do it to your siblings or friends in jest. I wouldn’t recommend lemon near your computer.]
One of the easiest ways (for an attacker) to phish is to send a “reset your password” or “you need to log in” email. The email includes a URL the user can click to log in to whichever site is being targeted, and at first glance it may read like a helpful reminder from that site. However, the URL leads to a sign-in form that looks as close to the genuine login screen as the phisher can manage, but is hosted on a server the phisher controls. When the user enters their credentials on this counterfeit login page, they hand over their username and password.
This is problematic because many people use the same or very similar usernames and passwords for multiple accounts. That makes things easy for the phisher: compromising one account often gives access to the others. In addition to your login for one site, such as Gmail or Twitter, the phisher may now have access to your bank statements, your other email accounts, and possibly your computer. Access to your email account is especially convenient for them, because the phisher can now reset any other account that uses that email address for verification. Henry Stern recently wrote a more detailed post on this topic. A simple way to protect yourself from a phisher’s malicious links is to type the website’s address into your browser yourself rather than clicking the link in the message.
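The "read the address, not the link text" advice in code, as an added example that is not part of the original post: a small Python check that extracts the host a browser would actually connect to from each link and compares it against a hypothetical allow-list of the sites you hold accounts on. The allow-list (`KNOWN_SITES`), the sample links and the look-alike names in them are constructed for illustration.

```python
"""Flag links in a message whose real host is not the site they claim to be.

Added example for this post, not the original author's code. KNOWN_SITES
is a hypothetical allow-list; SAMPLE_LINKS are constructed for illustration
and use reserved example/documentation names only.
"""
from urllib.parse import urlsplit

# Hypothetical allow-list: the sites you actually hold accounts on.
KNOWN_SITES = {"mail.google.com", "twitter.com", "example-bank.com"}

# Constructed sample links of the kinds a "reset your password" mail might carry.
SAMPLE_LINKS = [
    "https://mail.google.com/mail/",                   # genuine
    "http://mail.google.com.login-reset.example/",     # trusted name as a prefix
    "https://mail.google.com@198.51.100.7/login",      # trusted name in userinfo
    "https://tw1tter.com/login",                       # digit-for-letter look-alike
    "http://example-bank.com.evil.example/reset",      # trusted name padded out
]


def real_host(url: str) -> str:
    """Return the lowercase host the browser would actually connect to.

    urlsplit separates any user:password@ part from the host, so a link such
    as https://mail.google.com@198.51.100.7/ resolves to 198.51.100.7 here,
    exactly as it would in the browser.
    """
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_known_site(url: str, known=KNOWN_SITES) -> bool:
    """True only if the host is a known site or a subdomain of one.

    A known name followed by extra labels (mail.google.com.evil.example) or
    placed before an @ does not count, because the browser ignores it.
    """
    if urlsplit(url).scheme not in ("http", "https"):
        return False
    host = real_host(url)
    return any(host == site or host.endswith("." + site) for site in known)


def suspicious_links(links, known=KNOWN_SITES) -> list:
    """Return every link whose real host is not on the allow-list."""
    return [url for url in links if not is_known_site(url, known)]
```

The check is deliberately an allow-list rather than a block-list: a host you have never logged in to is suspicious by default, which also covers internationalized look-alike domains without any homoglyph table. It says nothing about the page behind the link, so the genuine-looking login form the post describes would still fool anyone who skips the host check.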
Phishers Think You Look Good
A variation on the above is a more personalized message: the attacker sends something along the lines of “you look good in this picture… LINK” or “Hey, is this you?… LINK.” The premise is that phishers hook your interest by appealing to your innate curiosity and vanity. Someone unfamiliar with this method will think “I wonder what picture they’re talking about” or “Hmm, is that me?” It is just another pretext for getting people to a counterfeit login page where they give up their credentials.
This has happened on people’s walls on social sites, in email, and in direct messages on Twitter; anywhere people gather online, this type of attack has probably been tried. I’m actually surprised we haven’t seen more cross-pollination, such as a worm spreading on Twitter and using the hijacked accounts to tweet “Hey, I just updated my facebook page… LINK,” but that’s a rant for another post.
Phishers Are Your Friend
Phishers have realized that people are getting savvy about unsolicited vanity messages, so they have taken the vanity inquiry one step further and are using your friends against you. Once they have taken over a few accounts, phishers send messages from a compromised account to all of the victim’s friends. If you receive a message from a friend asking “Is that you in this pic?” you’re more likely to click, because it comes from someone you trust. In this case you still log in to a fake page, giving the phisher your password and, with it, another trusted account from which to message your friends. A simple way to limit the damage is to contact your friend through some other channel and ask whether they meant to send you that message. Or just wait a few minutes while everyone else who clicked your friend’s link starts to report in.
Phishers Can Be Stymied
There are a few easy ways to protect yourself from phishing in general. The first is to change your password. Do that right now. Go change your passwords, I’ll wait…. In fact, change the passwords you use on multiple accounts to unique passwords. Make the new passwords different enough from each other that someone who has one of them can’t easily guess the others. For example, don’t use Password, P4ssword, passW0rd and so on; those are the same password with cosmetic changes, and anyone who has one will try the others. Given that the password recovery process on many sites depends on access to your email, your email password in particular should be chosen with care.
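What “different enough” means in practice, as an added example that is not code from the original post: a Python check that strips the cosmetic variation people add to a password (case, leet substitutions, a trailing counter or exclamation mark) and then measures how close two passwords still are. The substitution table, the 0.7 similarity threshold, the shared-core length of 6 and the sample password list are assumptions chosen for illustration.

```python
"""Flag passwords that are the same password in a thin disguise.

Added example for this post, not the original author's code. The
substitution table, the similarity threshold (0.7), the shared-core
length (6) and SAMPLE are assumptions chosen for illustration.
"""
import re

# Single-character swaps people use to 'vary' a password (assumed table).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})

# Constructed sample: one reader's passwords on four sites.
SAMPLE = {
    "gmail":   "Password",
    "twitter": "P4ssword",
    "bank":    "passW0rd!",
    "forum":   "correct horse battery staple",
}


def normalize(pw: str) -> str:
    """Collapse cosmetic variation: trailing counter/punctuation, case, leet.

    'P4ssword1', 'passW0rd' and 'Password!' all become 'password'.
    """
    pw = re.sub(r"[^A-Za-z]+$", "", pw)    # drop a trailing counter or '!'
    pw = pw.lower().translate(LEET)        # undo 4->a, 0->o, ...
    return re.sub(r"[^a-z]", "", pw)       # drop whatever punctuation remains


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters the two strings share."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else 0)
        best = max(best, max(cur))
        prev = cur
    return best


def similarity(a: str, b: str) -> float:
    """1.0 = identical after normalization, 0.0 = nothing in common."""
    na, nb = normalize(a), normalize(b)
    longest = max(len(na), len(nb))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(na, nb) / longest


def too_similar(a: str, b: str, threshold: float = 0.7, core: int = 6) -> bool:
    """True if one password is a cosmetic variant of the other, or if both
    are built around the same long core word (Gmail!Secret9 / Bank!Secret9)."""
    return (similarity(a, b) >= threshold
            or longest_common_substring(normalize(a), normalize(b)) >= core)


def reused_pairs(passwords: dict) -> list:
    """Return (site, site) pairs whose passwords are too similar to be safe."""
    names = list(passwords)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if too_similar(passwords[x], passwords[y])]
```

The two rules catch the two common shortcuts: the edit-distance rule catches P4ssword versus Password, and the shared-core rule catches the “site name plus my usual word” template, which edit distance alone rates as fairly different. Run `reused_pairs(SAMPLE)` and three of the four sample passwords are flagged against each other; only the unrelated passphrase survives.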
If you receive an email that you suspect is a phishing attempt, don’t click on the included link. If you legitimately want to log in to the site, go to its known homepage by typing the address yourself. If the phishing attempt comes from a friend’s account, contact them if you think they don’t already know. And then go change your password again.