Rough seas ahead: what to look out for in the modern world of phishing

Once upon a time, phishing attacks were incredibly unsophisticated. In the early days of the internet, people were new to the online experience and hadn’t really internalized that random requests coming their way should immediately be treated as questionable. If they received an email from someone claiming to be a Nigerian prince trying to move his money to the US and needing their help, they were happy to help the poor man out. In the modern world, people have received some phishing awareness training and learned that everything isn’t as it seems on the Internet. Phishing attacks need to be much more sophisticated to trick the average computer user. Unfortunately, they are.

Here we’ll talk about three tactics used by real-world phishers to trick you into clicking on that link and entering your personal information into their phishing site.

#1. Just a Typo?

One of the most common methods that attackers use to trick you into clicking on malicious URLs is using “typos”. Instead of an l, they’ll use a 1, so example.com becomes examp1e.com. These are two completely different websites, but because you may trust example.com, you probably won’t think twice about clicking on the examp1e.com URL if you see it in an email and aren’t paying attention. Now, you may be saying “I’d never be tricked into mistaking a 1 for an l”. That may be true, but some attackers take things a step further and use different alphabets.

Take a look at this image:

It shows two completely different characters from the perspective of your computer. One is the letter a from the Latin alphabet (used by Romance languages like English) and the other is the letter a from the Cyrillic alphabet (used by Russian and other languages). If you saw a URL using the Cyrillic alphabet to spell paypal.com, it would look pretty convincing, but it’s a completely different website (meaning an attacker can buy the domain and set up a nice phishing page there). And that’s why you should never click on links in emails.
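A check for both tricks in this section, the digit swap and the Cyrillic look-alike, is sketched below as an added example that is not part of the original article. The confusables table and the `TRUSTED` allow-list are small constructed assumptions; the script of each letter is read from the first word of its Unicode character name.

```python
import unicodedata

# Constructed, deliberately tiny confusables table (assumption: production
# code would load the full Unicode confusables data instead).
CONFUSABLES = {
    "1": "l", "0": "o",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}

# Hypothetical allow-list of domains the user actually does business with.
TRUSTED = {"example.com", "paypal.com"}


def skeleton(host):
    """Collapse look-alike characters onto one representative character."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def scripts(host):
    """Scripts used by the letters in host, taken from each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in host if ch.isalpha()}


def to_ascii(host):
    """The ASCII (punycode) form that DNS actually resolves."""
    return host.encode("idna").decode("ascii")


def classify(host):
    host = host.lower().rstrip(".")
    if host in TRUSTED:
        return "trusted"
    if skeleton(host) in {skeleton(t) for t in TRUSTED}:
        return "lookalike"      # reads like a trusted name but is not it
    if len(scripts(host)) > 1:
        return "mixed-script"   # e.g. Latin and Cyrillic in one name
    return "unknown"


if __name__ == "__main__":
    for h in ["example.com", "examp1e.com", "p\u0430ypal.com", "shop\u0430.com"]:
        print(f"{to_ascii(h):24} {sorted(scripts(h))} -> {classify(h)}")
```

The `xn--` prefix printed for the Cyrillic names is the form DNS sees, which is why displaying the ASCII form makes the substitution visible.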

#2. Where Are We Going?

Another tactic used by modern phishers takes advantage of the fact that most people don’t know how URLs actually work. When you look at a URL at the top of your webpage, you see the http:// or https://, followed by some words separated by periods (like www.google.com), potentially followed by a bunch of random stuff that you don’t know or care about. It’s this third section that phishers use to take advantage of you. For example, imagine that you see the URL http://www.goodsite.com?redirect=http://www.badsite.com at the top of your browser window. If you’re on top of your game, you may think “why are there two addresses in this URL?”

You’d be absolutely right to ask: the end result of browsing to that URL is that you end up at badsite.com, not goodsite.com. It seems obvious as long as you can see the entire URL. But what if you’re on your cell phone? While you may be able to see the whole example URL on a phone screen, an attacker can just lengthen the first URL to whatever is necessary to fill up the screen. Are you really going to scroll over and check it all?

But say that you ARE that security-focused. Ever hear of URL encoding? URL encoding allows you to replace characters in a URL with an encoded version. For example, www.google.com becomes %77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d. An attacker can replace the ?redirect=http://www.badsite.com with encoded characters and you’d probably just ignore it, right? It decodes once you go there, but most people won’t check the URL again after they’ve checked it once.
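The check a mail filter or link previewer can run on such URLs is shown below as an added example, not code from the original article. It percent-decodes the link until it stops changing, then reports any query parameter whose value is a URL on a different host; the function names are hypothetical and the samples are constructed from the goodsite/badsite URL above.

```python
from urllib.parse import parse_qsl, unquote, urlsplit


def percent_encode_all(text):
    """Encode every byte as %xx (used here only to build sample input)."""
    return "".join(f"%{b:02x}" for b in text.encode("utf-8"))


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded values are exposed too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_destinations(url):
    """Return (parameter, host) pairs for query parameters that carry a URL
    pointing at a different host than the one the link appears to go to."""
    parts = urlsplit(fully_decode(url))
    outer = (parts.hostname or "").lower()
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        try:
            target = urlsplit(value.strip())
        except ValueError:      # malformed value, not a usable URL
            continue
        inner = (target.hostname or "").lower()
        # An empty scheme covers protocol-relative values like //host/path.
        if target.scheme in ("http", "https", "") and inner and inner != outer:
            hits.append((name, inner))
    return hits


# Constructed samples based on the goodsite/badsite URL in the text.
SAMPLES = [
    "http://www.goodsite.com?redirect=http://www.badsite.com",
    "http://www.goodsite.com?redirect=" + percent_encode_all("http://www.badsite.com"),
    "http://www.goodsite.com" + percent_encode_all("?redirect=http://www.badsite.com"),
    "http://www.goodsite.com/login?next=http://www.goodsite.com/home",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(embedded_destinations(url) or "no foreign destination", "<-", url[:60])
```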

#3. Now I Know My ABCs

Recently, a clever phisher devised a new way to bypass email scanners searching for malicious content. Typically, these scanners just check the source code of the email, but the source text isn’t always what the user sees. If an email takes advantage of different fonts, there is a lookup operation where the characters in the source code are matched to the pictures in a “font file” so that you see the specific font that the email uses.

This phisher took advantage of one simple assumption that these email scanners made: that the font file was alphabetized. There’s no rule that says it has to be alphabetized, but most are anyway. By creating a non-alphabetized font file and using it in a phishing email, the attacker was able to slip malicious content right past the email scanners. They would see a jumbled mess of letters (since they assumed alphabetical order) while the target would see the real message (since the font file correctly unscrambled the message). As a result, the malicious content slipped past the scanners and into the target’s inbox.

Protecting Yourself from Phishing

Protecting yourself against phishing attacks is mostly about keeping in mind that email isn’t really trustworthy. Beyond the three tricks described here, there are dozens more used by phishers to trick you into doing something that hurts you – and helps them. Don’t click on links in emails, double-check sending addresses and URLs, and only open attachments that you know are from trusted parties, and you should be fine. If you’re not sure if someone sent you an email, give them a call and ask. Better to spend a minute or two on the phone verifying than to spend hours cleaning up malware on your computer.