Phishing is an incredibly common technique used by cyber-criminals to steal information and money. It’s common because it’s often very easy to do — why bother trying to come up with highly complicated technical exploits to break into computer systems when you can just send a few thousand emails?
The success or failure of a phishing campaign is predicted on the vigilance of its targets. By just following a few tips, you can fortify yourself against just about any kind of phishing.
Know your senders
Phishing emails will often impersonate institutions that you know and trust, such as banks and cryptocurrency exchanges. This impersonation ranges in sophistication from obviously fake emails with lots of spelling errors from clearly dubious senders like email@example.com to perfect replicas of official emails from email addresses that look almost right (for example, firstname.lastname@example.org — see Know your sites below). Depending on the attacker’s aims, these mails could do anything from attempting to trick you into providing credentials, or making a crypto transfer, or infecting your system with malware — this article will largely focus on the first two kinds.
Because of the high degree of sophistication possible in these emails, a good rule of thumb is to minimise your interaction with them as far as is practical.
**Distrust unexpected emails that require something from you. **Most emails from sites that handle your money should be expected — regular newsletters, regular account statements, notifications of logins and transactions that arrive shortly after the login or transaction. Sometimes announcements may come unexpectedly, but these generally won’t ask you to do something immediately. Be very suspicious of an unexpected email from your bank asking you to log in to your account, especially if it’s urgently worded.
Do not provide your user credentials over email. Most financial institutions are always at pains to emphasise that they will never ask you for your password, and this is true. The only time you will ever have to give your password to anyone or anything is when logging into an official system. In order to reduce their own liability, websites will actually take the password you enter, encrypt it with a one-way algorithm that can’t be directly reversed, and use that encrypted (technically “hashed”) version to check that you’ve entered your password correctly. This means that by design, no-one should know your password but you.
Avoid clicking links or following URLs in emails where possible. For example, if your bank sends you an email about your account status and you want to log into internet banking and double check the email’s veracity, you should do this by carefully typing in the URL for your internet banking, or by following a bookmark you’ve previously made, or even by searching for the site using a trusted search engine like Google or DuckDuckGo, rather than by clicking any convenient links in the email.
Exercise caution with the links you do click. Sometimes clicking links in emails is unavoidable. You will often need to click something to verify your account, or to log in to something from a new location. Try to only do this with expected emails, and inspect the link carefully. Which brings us to the next section…
Know your sites
Should you click a link in a phishing email, it will probably take you to a fake version of the login page for a high-value site you use, such as a crypto exchange or an email service. Attackers can design fake login pages to exactly resemble the real thing, and sometimes will even redirect you to the real site’s login page after they’ve captured your credentials.
This fake site will be hosted on a domain set up to resemble that of the legitimate site, but the sophistication of this varies. The fake site will most likely also be configured to use HTTPS, i.e. the green padlock. HTTPS on its own is not a signifier that a site is trusted — it just means that your connection to the site is encrypted and can’t be intercepted.
So you can catch out some phishing sites, such as the one in the screenshot above, by checking the domain name in the URL. Bittrex’s legitimate domain is bittrex.com, whereas this phishing site is hosted at bittrex.asset2fa-exchange.com. It’s easy to see how the latter could be mistaken for the former, but a bit of careful inspection shows the trick. Some browsers even help you determine whether you’re on this kind of phishing site or not by graying out secondary parts of the URL.
But before we get too comfortable with our ability to determine phishing from a quick glance at the URL bar, let’s remember that this is a low effort, low sophistication attack — our attacker didn’t even buy a new domain to target Bittrex users with, they just used a subdomain of something else!
An unintended consequence of the generic top-level domain expansion that began in 2013 is that phishers now have many more choices when registering fake domains. Want to phish users of Poloniex.com? Why not register Poloniex.online, or Poloniex.website, or Poloniex.xyz? There are hundreds of options to choose from. And while domain registrars do have dispute processes, and larger corporations with deeper pockets (such as Google) make an effort to buy up all or most alternative domains on these gTLDs, phishing sites can slip through the cracks for long enough to cause some damage.
Luckily, the generic TLD is an important part of the URL and will be displayed as such by most browsers. If you know the legitimate gTLD of a given site, you should be able to spot fakes pretty easily.
This was also possible to a lesser extent before the release of these new gTLDs — for example, a phisher could register bittrex.org.
An alternative to using a different gTLD is the practice of typo-squatting — buying up domains one or two letters off from popular websites: for example, facbook.com or gooogle.com. What if our attacker had done this with Bittrex?
These two URLs look remarkably similar, but you’re probably still able to tell which is the real one because you have them side-by-side for comparison, and because you’ve just read a paragraph about typo-squatting and are primed to notice it. But you won’t always be in such a heightened state of vigilance. Consider the image below:
Noticed what’s wrong with it yet? Probably not, right? Here’s what you missed: in each of the triangles, the last word on the second line is repeated at the beginning of the third. “Once upon a a time”, “John loves to to dance”, “Summer in in the city”.
It is incredibly easy to miss simple typos and repeated letters or words in common words, sentences, and, yes, domain names that we look at all the time.
But even if you rigorously inspect every domain name of every website you visit, even if you go letter by letter to sniff out typos, you could still be fooled, because there’s a level of sophistication in these attacks that make them nearly undetectable by the human eye: IDN homograph attacks, in which characters in a domain name are substituted with other, similar looking characters. This can be as simple as replacing a lowercase i with an uppercase I, or it could be more complex, using letters with diacritic marks, or ones from non-English alphabets, such as Cyrillic. Take a look at these:
Sure, if you’re eagle-eyed and keep a clean screen, you might notice those diacritics. But can you see which of these urls is legit?
If we convert these addresses in Punycode, the answer becomes clear:
xn — mythrwllt-5yh4ccf.com
But before we did that, the URLs were essentially indistinguishable.
Depending on your browser and the language it’s set to, you may have some built-in protection against these kinds of attacks, but the phishing domain landscape is constantly evolving, and the above techniques are but a subset of what’s possible and what’s been used successfully. To really ensure that you’re visiting safe and trusted sites, you need to rely on more than just your eyes.
Phishfort’s Protect browser plugin, available for Chrome and Firefox (source code here), allows you to take a proactive approach to defending yourself and the internet community at large from phishing. After you install the extension, it will glow blue on known good sites, red on known bad sites, and grey if the site’s safety is unknown. Because it’s a cold, logical collection of code, it won’t be fooled by tricky subdomains, typos, or homographs. It also allows you to report bad sites, putting your careful domain analysis skills to use not only for yourself, but for all users of the extension.
Of course, no browser extension can be a full replacement for vigilance and care. It’s still a bad idea to login to high-value sites from links in cold emails, or to do your banking on public Wi-Fi. Even though the human eye isn’t always effective, it’s better to make sure of the sites you’re visiting and using than not.
Phishing Site Summary
Phishing sites can be identified through inspection of their URLs, with closer inspection required for more sophisticated techniques. This inspection should focus on the site’s domain name, i.e. the section of the URL not greyed out in most browsers.
Know your crypto-scams
Phishing is used for all sorts of criminal activity, targeting both individuals and companies, because it’s effective and, even at a sophisticated level, relatively simple to pull off in comparison to other forms of cyberattack. But in the crypto space, it’s even more powerful. If you fall victim to a phishing attack that targets your bank account, you may have some recourse with your bank or the law to get back the money that was stolen from you. But in crypto, once money leaves your wallet, it’s gone. By design, there is no central authority to appeal to.
Cryptocurrency is a radical new approach to the whole concept of money, and a lot of people have become very rich by getting in on ICOs and undervalued coins at the right time. Scammers play into this by offering deals that, in any other market, would seem obviously too good to be true, but because of crypto’s newness and the very real astronomical gains that a lucky few have seen, can appear plausible, especially if you want to believe it.
To protect yourself against this, you need to be a bit cynical. If it sounds too good to be true — even in crypto — it probably is. Always ask yourself how the person offering you an amazing deal benefits from your participation, and if the answer to that is unclear, stay away.
Common scams in the crypto space include:
Fake ICOs, in which scammers may impersonate a well-known and hyped up new project, or just invent a fake coin of their own using any and all of the techniques described above — fake domains, fake emails and fake websites — but with the goal of getting you to transfer money into their wallet(s) rather than reveal your username and password.
Giveaway scams, where scammers will ask for a small payment to a certain address in return for a larger payment back to you at a later date. This is just a crypto variation of the classic Nigerian Prince 419 scam. If it sounds too good to be true, it probably is.
To guard against falling for this sort of thing, keep in mind the advice above about dealing with phishing emails and phishing websites. If you get an email about a hot new ICO, don’t click on the giant, enticing “INVEST NOW” link in the middle — rather do a bit of research about the ICO on the web and social media, and find out for yourself whether it’s a legitimate project and where its actual website is. While it’s theoretically possible to get a fake phishing website for a legitimate project to the top of the search results (and above the project’s real website), doing so is significantly more difficult than registering a homograph domain.
Cryptocurrency scams aren’t limited to email phishing, but also appear on social networks like Twitter, so it’s important to exercise the same level of vigilance outside your inbox as you do in it.
Knowledge and vigilance are your best defences against phishing and other cyber-attacks. By knowing a bit about how these attacks work, you can spot them for yourself. And by taking a few sensible precautions and arming yourself with tools like PhishFort Protect, you can avoid becoming a victim, and even proactively take a stand against the attackers and protect others.