The United States Computer Emergency Readiness Team (US-CERT) issued a recent advisory warning that cybercriminals will very likely attempt to use the Philippines Typhoon disaster as part of email scams and phishing campaigns.
Phishing attacks exploit high-profile events, including natural disasters, in their subject lines to get victims to open an email and click on the links it contains. The goal is to send victims to a web page designed to collect as much personal information as possible, and increasingly these attacks try to get people to give up sensitive account credentials. Victims can also be directed to websites that host malware.
As the holiday shopping season begins, security firms say they typically observe an increase in phishing activity. Here are 10 ways the US-CERT and solution providers said users can spot suspicious phishing messages.
Be wary of unsolicited messages, according to the US-CERT. Rather than clicking on links that appear to come from banks, retailers and other online merchants, recipients should type the web address directly into their browser, security experts say. Some messages are designed to appear to come from legitimate senders but instead contain links to a phony web page masquerading as the legitimate website.
In April, a phishing campaign used the Boston Marathon bombing to lure people into viewing videos, photos and other content related to the incident, according to Symantec. The campaign used an automated toolkit to set up the attack, sending victims to a malicious web page hosting data-stealing malware.
Phishing attacks targeting holiday shoppers will craft messages using trendy electronics and other popular must-have items. Phishing messages are spotted year round and increase significantly when new products are unveiled by Apple, Google, Microsoft, Samsung and other top technology vendors.
But phishing scams peak during the holiday gift-shopping period from Nov. 29 through Dec. 25. The US-CERT said to avoid offers that seem too good to be true. Don’t follow links in unsolicited messages. Visit the retailer site directly to verify the legitimacy of an offer, said McAfee.
Mobile threats have increased significantly in recent years due to rising smartphone adoption and an increase in transactions being conducted on the devices. Security vendor McAfee said this month that Black Friday shoppers who use Android devices could face text message phishing attacks. Phishers can create phony mobile apps posing as holiday bargain-hunter tools, the firm said.
Mobile malware FakeInstaller, which has been a long-standing Android problem, can trick users into thinking it is a legitimate mobile application. Ultimately, FakeInstaller can gain unrestricted access to smartphones and makes attackers money by sending text messages to premium rate numbers.
The easiest way to prevent the SMS scam is to avoid sideloading applications. Stick to official mobile apps from the Google Play store, McAfee said. Mobile antivirus apps also can spot and block FakeInstaller from running.
PayPal is a top spoofed site during the holidays, according to industry studies. The Anti-Phishing Working Group, a coalition of technology companies, law enforcement and government officials, found that online payment and money-transfer provider PayPal was the most targeted institution for phishing attacks. Eighteen percent of all phishing campaigns tracked by the group were directed against PayPal users in the first half of 2013.
PayPal offers its users an email identification tool from Iconix to verify the validity of email messages it sends to users. The company also sells a credit-card size security key that can be used to generate a random security code as an additional authentication measure when making PayPal transactions. This helps reduce the threat of an account hijacking as the result of giving up account credentials in a phishing attack.
Kaspersky Lab researcher Stefan Tanase urges users to make sure they are browsing through a secure connection when visiting a bank website, online retailer or social network. Another way to boost your security and avoid giving up information to cybercriminals is to check the SSL certificate of the website you log into, Tanase said.
Modern browsers, such as Microsoft Internet Explorer, Mozilla Firefox and Google Chrome, also verify a website's certificate and display a lock icon and green coloring in the address bar to indicate that the site is using SSL and that its identity has been validated. Clicking the lock icon shows additional information, including the site's cookies and certificate details, which show how the browser verified the encryption and the certificate.
Antivirus software that has the latest updates often will provide phishing protection by blocking known phishing sites. Solution providers told CRN that, often, small business owners and individuals fail to keep their antivirus updated regularly, missing critical updates to ongoing attack campaigns that spread quickly. A web security gateway, a next-generation firewall or unified threat management appliance also provide blocking capabilities by detecting and blocking connections to locations that have been identified as malicious.
A common phishing scam that targets user account credentials typically tricks users into giving up their login and password details by luring them into enabling a new “security feature.” The scam uses a major bank brand or merchant name. It is effective because, out of the millions of spam messages sent, a small percentage of recipients will be fooled into thinking they are enabling a new security feature.
Security firm Sophos detected this kind of scam targeting the customers of an Italian prepaid debit card service. Recipients tricked into opening an HTML attachment were prompted for their password, which is saved before a phishing web page is opened. The presence of the password prompt may actually strengthen the social engineering of the phish, Sophos said.
Another good practice according to Kaspersky Lab’s Tanase is to check the email headers to confirm the source of the email message. This isn’t always foolproof because addresses and source information can be easily spoofed.
Email headers can give the details of a sender. Google and other services provide email header analysis tools that can determine the legitimacy of a sender’s IP address. In addition to the IP address, the headers will show the mail servers the message passed through and the details of the sender’s service provider. Phishers can spoof email headers, but usually telltale signs can provide clues as to whether a message is legitimate. When in doubt, throw it out.
Phishing can be combined with other scams, and the US-CERT recommends that learning to identify fake antivirus could help stop an ongoing attack. Rogue antivirus is difficult to remove. It displays realistic-looking security warnings that ultimately request credit-card and personal information, claiming that it will identify threats and remove them from the system. One recent scam involved a follow-up phone call from an attacker-run call center requesting access to the infected machine.
The threat of being infected can be reduced significantly by actively maintaining and keeping your antivirus up to date, say security experts. The US-CERT recommends that users visit a vendor website directly when purchasing or renewing software subscriptions.
Messages using the USA Patriot Act have been a common scam in recent years, according to the US-CERT. The email messages have been seen in greater numbers, possibly as the result of the revelations over the National Security Agency surveillance activity. Emails frequently reported to law enforcement use a message purporting to be from the Federal Deposit Insurance Corporation (FDIC). The phony message says the victim’s bank account is no longer insured because of “suspected violations” of the Patriot Act. The phishing email then attempts to steal the victim’s identity by requesting verification through an online form.
Ransomware is a similar scam. Malware locks the user out of the infected computer's other functions. The attack requests payment in the form of a fine to unlock the system. The latest Cryptolocker attacks are a good example of the problem.