www.аpple.com is not the same as www.apple.com. The difference is down to the letter “a”. The real www.apple.com uses a Cyrillic “a”, while an identical-in-your-browser ASCII “a” (U+0061) is used in the other. Scary, right? Learn more here.
If an email from an Apple address shows up in your inbox, recommending you “visit www.apple.com/support, as there’s been a data breach and you need to change your password”, it wouldn’t seem crazy to follow that link. You input your username, old password, and then your “new password” in a seemingly legitimate Apple webpage and the deed is done. We’re not dealing with poorly written emails or low quality, fake webpages anymore. Just a few months ago, I probably would’ve clicked. Would you?
Some phishing attacks are targeted; aimed at people expecting certain interactions. Small companies looking to hire people will be expecting emails that contain attachments named “My CV”. Someone in HR will open the attachment (understandably), and fall victim to the latest scam. The training says, “don’t open attachments from unsolicited emails”. Well, was this not solicited?
Phishing attacks can be one more link in a chain, like an email coming from a friend who’s already taken the bait. Attackers look for conversations in his inbox, and then “continue” the conversation, but this time include a link or attachment that appears relevant, and suddenly, you’re the next domino to fall. “Don’t open emails from people you don’t know”, they say.
It’s scary how simple, but effective a phishing attack can be. Hilary Clinton’s emails were leaked using a low cost, targeted phishing attack, claiming to be Google and recommending a password change. This is known as spear-phishing. This is what all these attacks are. They are not mass emails sent to millions of people, poorly written, and promising large amounts of money if you help get gold out of Nigeria. They appear legitimate, many times solicited, and can actually come from people we know and trust. What does the manual say about this?
If it has spelling mistakes and poor grammar, delete it; if it’s unsolicited, ignore it; don’t open attachments from people you don’t know. Phishing, like most hacking, has adapted to the environment. Can we really trust ourselves to identify dangerous, yet seemingly legitimate emails with attachments from people we know? My concern is we’ll become paralysed by fear.
There are the obvious recommendations such as “don’t open .exe files in attachments, only accept PDFs” and “your bank will never ask for your PIN code or password”. Others more recently suggest you simply “never click on a link in an email”, especially those that claim to bring you to major online services such as Amazon, Apple, Facebook, or Google – type in the URL yourself, even if it’s a bit inconvenient. These are all fairly easy steps to follow, but they’re not enough anymore.
More and more sites are moving to two factor authentication (2FA), and true 2FA is currently the best bet to defend against spear-phishing. Even if a malicious attachment from a seemingly legitimate source installs malware and starts logging keystrokes, good 2FA will mean all they’ll get is your user name; the rest of the authentication being carried out on another device, like your phone.
Malware that installs ransomware or enslaves your machine, making it part of a botnet, or using it for cryptomining, are other threats that can often make their way in using phished passwords. To defend against this and stolen identities, 2FA should be our first line of defence, meaning that whatever our would-be hacker gleans from social engineering is never enough to do damage. Training is good, but training alone is no longer sufficient to avoid getting caught on that ever-dangling hook.
Written by Max van de Poll