Ray Alner

Phishing. Nothing New. Digitally Deadly.

Phishing has been covered quite a bit. Domain-based phishing isn’t new, but it still needs to be talked about because so many people fall for it.


Current Methods

There are multiple reasons domain-based phishing is effective.

  • Using a new top-level domain like .app or .co in addition to the name of the company. Think facebook.co.

  • Spelling the name incorrectly (like adding an extra g or o in Google, or changing an i to an l, or swapping an o for a 0).

  • Using a completely different domain name with exactly the same website layout (hoping you don’t look at the domain name)

  • Using Greek letters that look similar to normal characters, so that even the hawk-eyed don’t notice the difference (less of a problem as most browsers spell the Greek letters out)
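The name-based tricks in this list can be checked mechanically. The checker below is an added example, not part of the original post; its allow-list, function names and sample domains are constructed for illustration, and it assumes plain single-label TLDs. It cannot catch the third trick (a completely different name with a copied layout).

```python
# Added example: constructed allow-list; use your own list of genuine domains.
KNOWN_GOOD = {"amazon.com", "facebook.com", "google.com"}

# Character swaps named in the list above, folded to the letter they imitate.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l"})


def edit_distance(a, b):
    """Levenshtein distance: each insert, delete or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(domain):
    """Return (verdict, genuine_domain_it_imitates_or_None) for one domain."""
    domain = domain.lower().rstrip(".")
    if domain in KNOWN_GOOD:
        return ("genuine", domain)
    labels = domain.split(".")
    if len(labels) < 2:
        return ("unknown", None)
    name = labels[-2]  # assumption: single-label TLD, so this is the brand part
    # Greek or other non-ASCII letters, raw or in the browser's xn-- form.
    if not name.isascii() or name.startswith("xn--"):
        return ("non-ascii", None)
    for good in sorted(KNOWN_GOOD):
        brand = good.split(".")[0]
        if name == brand:
            return ("tld-swap", good)        # right name, different TLD
        if name.translate(CONFUSABLE) == brand.translate(CONFUSABLE):
            return ("character-swap", good)  # 0 for o, i for l, ...
        if edit_distance(name, brand) == 1:
            return ("misspelling", good)     # one letter added or dropped
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample domains, one per trick described above.
    for d in ["facebook.co", "gooogle.com", "googie.com", "amaz0n.com",
              "amazn.com", "g\u03bf\u03bfgle.com", "amazon.com", "example.org"]:
        print(d, check(d))
```
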

How They Might Trick You

I think most people believe they know what phishing is, but don’t expect it to happen to them. It’s sorta like an accident. You see them on the news, or experience the backup on the roads, but never think it can happen to you. Think of this scenario.


You are tired, it’s wintertime, and you’re cold. You’re like, “I’m going to get a new blanket since it’s time to get warm again.”


You go to Amazn[dot]com, and get taken to a site that looks exactly like Amazon but it isn’t (although I think Amazon owns almost all combinations of their names to stop this from happening, but imagine with me).


You put your login information in, then the phishing site takes you to the actual website, passing all your login information to Amazon, and you are none the wiser.


Now the phisher has all your information and can quietly watch your purchases, and bide their time to grab as much information as they can from your login. Try that login combo on another website. Try variations of the password on other sites. Bam, they have your email. Then they wait. They try to get in as far as possible before you get alerted.


All of a sudden you wake up one morning and you can’t access your email, Amazon, Facebook... Now you have to find the long hard path to claw back all your information.


That’s all it takes. You forgot an o. It’s that simple.


How to protect yourself

Gonna keep this simple because there’s a lot that can be said here.

Here are some basics:

  • 2 Factor Authentication. Yes, it’s a pain. Do it. Best is a rolling code. Text is OK, but use it on accounts that aren’t that important.

  • New passwords on EVERY site. Yes EVERY site. No variations. New Passwords.

  • Password Keepers. They’re free. They’re easy to set up. Don’t use the one supplied by the browser. They can be hacked. Yes, some people say what if the password keeper gets hacked. It’s unlikely.

  • Watch your typing. Slow down. It only takes a second.

  • Links. Be careful. It only takes a sec to check the link and make sure you’re in the right place before putting your password in. The password keeper also won’t fill it in if it’s another site, so that helps.

  • Don’t click a link unless you know what it is. Especially emails. Email addresses can be easily spoofed.

What the future might hold

I think it can be a bright future. As people and technology change, there are several technological features that will help with these attacks:

  • Artificial Intelligence. It will help by alerting you when you haven’t received an email from that domain before, or, when you go to a link, by alerting you that this isn’t the official site for that shop or event.

  • Smart Links. Links to websites are good, but I think there will be some new technology that will make it easier for official sites to become authorized through some entity.

  • No Email. I think this might be a little more far-fetched, but email will probably fall by the wayside as an effective way to market to people. This will make links less prevalent, just like snail mail is no longer an effective way to market to people.

It’s a short list but there you go.
