Earlier this week the tech community had a nasty surprise arrive in their inbox.
The surprise was a very convincing phishing attack that appeared to be a simple request to edit a document in Google Docs. What made the phishing attack so convincing is that the website wasn’t a traditional phish but rather one which leveraged Google’s OAuth authentication interface. OAuth is used by a number of sites to allow users to use their Google account as a login by granting the website certain permissions.
This vector allowed the attacker to present users with a legitimate-looking website which prompted them to grant access to an app called Google Docs. Note the app was simply called Google Docs and wasn’t actually Google Docs.
The app requested permission to view and manage your email and view and manage files in your Google Drive. Simply put, unbridled access to your Google account.
Google was able to close off the app’s OAuth access before too much harm was done but this attack shows us something incredibly worrying – cybercriminals are getting smarter by the day.
For that reason it’s important to know how to spot a fake website that could be trying to execute a phishing attack.
My name is URL
The first port of call for anybody trying to spot a phishing attack is to check the URL. Often a phishing website will look like a legitimate website but the URL is either a variation of the proper one or a different URL altogether.
For instance www.website.co.za is legitimate but www.w.website.za isn’t even though they look incredibly similar.
There are of course variations on this such as mail.google.com and it’s up to you to become familiar with the URLs of the websites you visit most often.
Now, while phishing often relies on you keying in credentials, as we saw with the Google Docs attack, sometimes just clicking a link can cause trouble. For that reason Denis Makrushin, a senior security researcher at Kaspersky Lab, offers another way to spot a potentially malicious URL before you click it.
“Always check the link before clicking on it to access the site. Hover over it to preview the URL, and look carefully for any sort of misspelling or other irregularities in the name,” Makrushin tells us.
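The URL comparison above (www.website.co.za versus www.w.website.za, or a subdomain such as mail.google.com) and the hover-and-preview check can be automated on the receiving side. The following is an added example, not code from the article or from Kaspersky; the `TRUSTED_DOMAINS` allowlist and the two-label suffix list are constructed assumptions, and the sample email is made up for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of the domains this reader actually uses (constructed).
TRUSTED_DOMAINS = {"website.co.za", "google.com"}
# Tiny stand-in for the Public Suffix List (constructed, not complete).
MULTI_LABEL_SUFFIXES = {"co.za", "co.uk"}

def registrable_domain(host: str) -> str:
    """'mail.google.com' -> 'google.com'; 'www.w.website.za' -> 'website.za';
    'www.website.co.za' -> 'website.co.za' (co.za is treated as a suffix)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_link(href: str, text: str) -> str:
    """'mismatch' if the visible link text names a different site than the real
    target, 'trusted' if the target belongs to an allowed domain, else 'unknown'."""
    target = urlparse(href)
    if target.scheme not in ("http", "https") or not target.hostname:
        return "unknown"
    # Does the text shown to the user itself look like a hostname?
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(target.hostname):
        return "mismatch"
    if registrable_domain(target.hostname) in TRUSTED_DOMAINS:
        return "trusted"
    return "unknown"

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_email(html: str) -> list:
    """Return [(href, verdict), ...] for every link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, classify_link(href, text)) for href, text in parser.links]
```

A mail filter would flag any "mismatch" link for review and could warn on "unknown" targets that ask for a login.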
One of these things is not like the others
The security researcher goes on to tell us that should you accidentally click a phishing link there are ways to tell if the website is legitimate or not.
“Some cybercriminals do not have the funds available to imitate/create websites that are very similar to original websites so they create a number of generic sites at once and upload them online with any domain name that they think would get picked up,” says Makrushin.
For this reason you should give the site a once-over, looking for oddities such as the font being different or other peculiarities. Should you come across a website that is copying a legitimate one, be sure to contact the legitimate website to inform the webmaster.
Be a password chameleon
Another way to thwart would-be cybercriminals is to regularly change your passwords.
The security researcher suggests changing your password at least once per quarter and making sure that they’re secure.
We suggest using a password manager such as LastPass which allows you to store and manage your passwords (including changing them at a click of a button) while only needing to remember one master password.
There are a number of password managers available so we suggest shopping around and finding one that suits you. A number of us here at htxt.africa use LastPass which is why we suggest it.
A healthy dose of suspicion
Unfortunately, prevention is better than cure, and avoiding becoming a victim of phishing means being suspicious.
This doesn’t mean you need to treat every email from colleagues as suspicious, but you should take some precautions. For one, should you receive an email from a third party that contains links, be sure to hover over the link to check the target URL.
“Do not open links and attachments in emails received from a third party, even if they seem to be from employees of well-known organisations. If necessary, to make sure that an email is really from the organisation it claims, you should double-check that all of the links in the email are affiliated with the organisation,” warns Makrushin.
Finally where possible two-factor authentication should be enabled.
The most important thing to remember when trying to be safer online is that as long as you are aware of your surroundings you should be fine.
That having been said, there is no way to ensure that you are 100% safe from cybercriminals, but you can make the job of ruining your day just a bit harder.
[Image – CC BY ND 2.0 Ilkka Jukarainen]