About the author.

Welcome to The blog of whall

Come on in and stay a while… laugh a little. Maybe even think. Read more...

Hi, This is Wayne. This is my site, my stuff, my blog, blahblahblah. The site itself is powered by WordPress and the Scary Little theme. I thought it was cool, and I still do.

Hello and welcome once again to our International Phishing Awards show. 

I’m your host, the Amazingly Attractive and Ever So Humble whall, and today we’ll take a closer look at one of the best phishing scams we’ve ever seen.

But first, a look back at the history of phishing.  Please allow me to enjoy a tasty breakfast taco while the narrator caresses your ears with the background and nostalgia appropriate to this section of the show.

[cue memory-inducing music]

Phishing, one of those new-fangled computer terms that describes some new-fangled way of doing things while borrowing meanings or close-enough spellings of old-fashioned terms (see: virus, trojan), is an ever-growing concern for today’s connected public. 

Everyday tasks that people perform in the normal course of using a computer have become potential traps.  Simple actions such as changing a password, verifying a new account at a website, or being forced to accept supposed “new privacy policies” at your bank now require a higher sense of inspection just to be safe. 

These tasks usually involve three steps:

  1. You initiate some action on the server (ie, “forgot my password” link), or the server initiates an action on your behalf (ie, you need to read and accept new privacy policy).
  2. The server sends you an email to verify this action.
  3. You click on a link in the email to indicate you agree or complete the action.

Most phishing scams concentrate on steps 2 and 3 — they want you to think that some action was initiated by you or some official entity and then send you an official-looking email so that you will think it’s safe to click on the link.  But in reality, the links embedded in the email direct you to a malicious site instead of where you expect. 

[end music]

Mmmmm, MM!   That was one good taco. 

Just imagine what some nefarious people could do with your email and password.  Since so many people use the same password for gmail, paypal, 401K, twitter, facebook, etc… all it takes is getting one of those passwords and then going to town with your wallet.

To illustrate this, take a look at a XKCD comic.  While you do that, I’m going to enjoy my second breakfast taco.

XKCD Password Reuse Comic

[mmrph-mm-gulp] Oh, you read fast.  Let me finish this taco real quick.

Ok, I’m back.

Many of the attempts are so bad it’s laughable.  Mispellings, IP addresses in the links instead of names, or foreign characters are all easy give-aways as to the malicious nature of the email.   Many email clients (Outlook, Mac Mail, Thunderbird) try to do their part in warning and protecting you, and the email servers themselves can do a decent job in removing unwanted or dangerous emails.

The scary ones are the ones that get past the automated checks and look real to the human eye.  And that’s the point of this whole show! (seen Mondays on WBN 6/7c)

Today’s winner is the Lifelike Gmail Account Reset Email, seen here

What’s scary about this is that it looks almost exactly like the notice you get when you DO try to go through password reset recovery w ith Gmail. 

I gotta tell you, I was THIS CLOSE to clicking the link “to remove your email address from this account” because since I have a short “vanity” gmail name, a LOT of people try to take it or think it’s theirs.   So I’m used to getting this email every few weeks.

Then when I hovered over the reset link, I saw the real URL:

This is the second reason why this phishing attempt wins — the URL embedded in the email isn’t just an IP address or messed up URL, which would be easy to spot.  This part is actually designed to look real as well.  Many people will hover over the link and take a quick glance at it.  That cursory review will only expose the accounts-google.servicelogin part but might not keep looking to the actual end of the server portion of the url. 

This is where the gold is — “accountns.net”.  Many won’t notice the mispelling at the end and will just click the link.  A lot of people don’t realize that it’s what’s between the http:// and the first slash / that matters, and in particular, the END of that section.  The “accounts-google.servicelogin” is put there to make you think it’s legit.  I can make bankofamerica.verification.whall.org if I want, and it has nothing to do with bankofamerica.  It only goes to whall.org, and the servers at whall.org decides what to do with it via DNS records.

I can see that the domain was just registered last month, another sign that it’s not legit, especially not for gmail.

I haven’t checked out that site (nor will I), and I don’t know what their intent is.  It could be they want to know what IP address you’re coming from, to stage an automated attack later on.  Maybe they have a “password reset” page that looks like Gmail and some people will type in their password. 

On a related note, I’ve noticed a strong uptick in AI-looking spam attempts on my blog.  I happened to notice this while enjoying a very stuffed breakfast taco.  These spam comments are getting past Akismet (wordpress comment spam preventer) somehow, and they don’t look like they’re made by a human.  Or maybe they’re using Google Translator or something.

Here’s an example:

When I say “strong uptick” I mean 5-15 a day, just starting in the last week or so.  Before that, maybe 1-2 would get through per week.  Of course, it could easily be explained by the skyrocketing success of my blog, and this is just a consequence of that.  I’m ok with that explanation.

But sure enough, when I look at the past few months (and dream of more breakfast tacos), I see a marked increase in both spam as well as “missed spam” which is where a comment got past the spam detection servers at Akismet and I had to manually mark them after an email about the moderation interrupted my enjoyment of a breakfast taco.

General Spam Increase (caught)

Spam Increase (missed)

So there you have it.  Word to the wise: clicking on the “Ham” tab, will not, I REPEAT, will NOT provide you any extra ham for your breakfast taco.

This show is about education, safety, awareness and breakfast tacos.  At a minimum, I hope to educate you on how to be safe with your awareness of breakfast taco enjoyment.  As we all know, if you’re going to enjoy a tasty breakfast taco, you want to be safe while doing it.

BE SAFE and BE CAREFUL, and watch out for those emails coming in.  Very few of them will result in free breakfast tacos.

Tips:

  1. Use different passwords at different sites.  In particular, make sure your banking and financial sites all use different passwords from your email, twitter, facebook or image hosting sites. 
  2. Your password should NOT be “breakfasttaco”.  Use something more like “Buh^rakefastt^co”
  3. Use Roboform or some other password manager.  It can create random, strong passwords and store them for you.
  4. Eat a Rudy’s breakfast taco (http://rudys.com) when in Texas.  I recommend the Egg, Cheese, Bacon, Sausage, Potato taco.
And lo, the people did comment thus:

4 Comments

  1. martymankins says:

    Besides wanting a breakfast taco now, the deep links inside a phishing email are very stealth. I get some for my AOL account (which I use the email for a few items). All but one of the links is a legit link on the surface, but when clicked, it goes to a bad site (which is the one link in the email that’s not a legit AOL link).

    Didn’t realize that Gmail has the same type of phishers, but I guess it’s to be expected given how popular Gmail is.

    Very details report, including your ingestion of breakfast tacos.

  2. kapgar says:

    I actually love mousing over the e-mail links provided in phishing e-mails to see where they go. Cracks me up. I only wish I could teach others to do so regularly.

    I really need to check into my spam comment blocker stats. I haven’t done that in a couple years. Might be interesting to see what they’ve filtered out. I think only three or four have made it through in the last year. I’m very impressed with their system. Yay, Typepad!

  3. Avitable says:

    How did you know that breakfasttaco was my password??

  4. Sybil Law says:

    I ALWAYS hover over the link- even if it seems like something fishy from my friends. I’m just paranoid that way, I guess.

Want to Reply to Sybil Law?

Hey, we all want to share our voice. And I particularly love comments, especially if you took the time to read my blog entry. I'll take the time to read your comment, I swear! But due to spammers, robots, and the fact that I want my blog to be PG rated, I need to approve the comments. This should be same day, but please don't get mad if it takes me a while to approve the comment.







Comment:


PLEASE help keep this blog family-friendly by refraining from profanity and vulgarity.


CommentLuv badge


Admin
tsk tsk

Ajax CommentLuv Enabled 336ad6ab990e8080f1c0ad1f892428a0