The Weakest Link on the Chain, Discovered By Phishing
Do you remember those African Prince emails? Well, the new techniques used by attackers are not as easy to identify anymore. One difference between those emails and the latest attacks is that the newest ones do not require the attacker to interact personally with the victim; all that is needed is to send a convincing email with an enticing link. Email phishing and spear phishing are among the vectors used to deliver those “hyperlinks” in what are called social engineering attacks.
Experts identify these types of attacks as one of the most effective ways to compromise personal and commercial networks. First, let me explain the difference between Phishing and Spear phishing.
- Email phishing – Just like when you go fishing in a lake, you take a bait (a link), hook it on the line (the email) and wait for the fish (you) to bite.
- Spear phishing – Back at the lake, now you want to catch a specific type of fish, so you wait until the right fish comes along and then you throw the spear (a targeted email).
Hyperlinks, or as we usually call them “links”, are a way to teleport to another location by clicking, tapping or hovering over a specified area in a webpage or document. Links can be made to look and say anything; they are a convenient way to shorten an address from something like this (https://cyber4norms.com///the-weakest-link-in-the-chain/) to this (Back to this article). Did you see what just happened there? The link said it was taking you back to this article but took you to a different location. That is why you have to be careful when clicking links in emails, websites, and documents. Next, let’s see how this relates to you.
Real case scenario
The Bait
You receive an email that appears to come from Apple, asking you to verify a recent transaction on your account or warning that your account is in danger. Most of us will click the link or open the attachment to get more details or to dispute the charges. Because the link is conveniently included in the email, our instinct is to trust it.
After you Click
The link takes you to a login page that looks just like the original so that you will enter your username and password. Two things can happen next:
- You will be presented with the login page again, because the attacker routed you to the real login page after recording your credentials, or
- You will be logged in through the attacker’s system. Either way, your credentials have been compromised.
As you can see in the picture, the email could also include an “Important” attachment. When you open the document it installs malware on your system, and because it appears to come from a trusted entity, you press “yes” in the pop-up that asks you to install something before you can log in. Now that the system is compromised, the attacker can use it for whatever they want.
Why should I care?
No matter how much money or time you spend securing your network from unauthorized access, anyone who is authorized on the network can undermine everything. Your kids, your older family members and even that visitor using your WiFi can, by clicking on the wrong link, create a hole right through your security wall.
Things I can do to protect myself:
- Enable two-factor authentication on your accounts, if available
- Do not click links or open attachments from unsolicited emails
- Verify that the link in the email is legitimate:
  - Right-click the link and select “copy hyperlink” or “copy link”
  - Paste the copied link into Notepad or Word
  - For short links, you can use the Check Short Url website to expand the link
  - Check that it is the right domain (apple.com, microsoft.com, etc.)
- If you are not 100% sure this is real, open the browser, go to the official website (not from any links in the email), log in and verify your account
- Call the company directly (do not use any phone numbers provided in the email)
- If you have some experience, you can look at the email’s raw headers, where you will find the real address the email came from.
- If you identify the email as a fake, forward it to spam@uce.gov (Federal Trade Commission, FTC), reportphishing@apwg.org (Anti-Phishing Working Group) and the company impersonated in the email. (Apple’s notice about fake emails: https://support.apple.com/en-us/HT204759)
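The “check that it is the right domain” step, as an added worked example in Python (not code from the original article): it parses a copied link the way a browser does and reports the usual tricks, namely a lookalike host such as apple.com.evil.example, a username placed before “@” that masquerades as the host, and visible link text that names a different address than the real target. The trusted-domain set, the example hosts and the sample links are constructed for the demonstration.

```python
# Added example, not from the original article. Checks a copied hyperlink
# against the domains a user expects (apple.com, microsoft.com in the text).
from urllib.parse import urlsplit

# Assumption: the domains the article names as the ones to look for.
TRUSTED = {"apple.com", "microsoft.com"}


def link_host(href: str) -> str:
    """Host a browser would actually connect to for this href."""
    # .hostname drops userinfo ("apple.com@evil.example"), drops the port
    # and lowercases the name, which is exactly what a browser does.
    return urlsplit(href.strip()).hostname or ""


def is_trusted_host(host: str, trusted=TRUSTED) -> bool:
    """True only for a trusted domain or one of its subdomains.
    'apple.com.evil.example' is rejected: the trusted name must be the
    suffix, preceded by a dot, not a prefix of a longer name."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(display_text: str, href: str, trusted=TRUSTED) -> list[str]:
    """Return warnings for a link; an empty list means it looks genuine."""
    warnings = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:
        # "https://apple.com@evil.example" shows apple.com, goes to evil.example
        warnings.append("userinfo in URL: text before '@' is not the host")
    if not is_trusted_host(host, trusted):
        # Short links (bit.ly etc.) land here too: expand them first.
        warnings.append(f"host {host!r} is not a trusted domain")
    # The copy/paste step of the article: does the visible text claim a
    # different address than the one the link really points to?
    shown = display_text.strip()
    if shown.startswith(("http://", "https://")):
        shown_host = urlsplit(shown).hostname or ""
        if shown_host and shown_host != host:
            warnings.append(f"link text shows {shown_host!r} but goes to {host!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, the first genuine, the others typical lures.
    samples = [("Verify your account", "https://appleid.apple.com/account"),
               ("apple.com", "https://apple.com@evil.example/login"),
               ("https://apple.com/verify", "https://apple.com.evil.example/verify")]
    for text, href in samples:
        print(href, "->", check_link(text, href) or "looks genuine")
```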