SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Gone Phishing

Posted on May 18, 2017
  • Phishing comes in many different forms.
  • Phishing attacks are growing in sophistication.
  • How do you know if you’ve been phished or hacked?
  • Steps to take when you discover a phishing attempt.
  • Ways to protect yourself against phishing.

Have you ever stopped to think about how much “secret” information you send to websites? From your private passwords to credit card details and even your Social Security number, we plug all kinds of information into web forms without a second thought. If we trust the site, everything is okay, right?

Unfortunately, as always, there are bad guys out there who want to trick you into giving them this sensitive information. “Phishing,” as this practice of impersonation is known, is nothing new. With so much money flowing through Internet commerce and so much personal data available, this deceitful practice continues to rise.

Today on The Checklist, our focus will be on phishing, especially with regards to social media. What phishing schemes are out there, and what can you do if you fall for one? We’ll dive into these questions and more while providing you with some helpful advice. So, let’s begin by thinking about the most common types of phishing attempts out there today.

Phishing comes in many different forms.

Originally, the easiest way to trick someone into volunteering sensitive information was to send an email to them that looked perfectly legitimate but lead them to a fake website. This method is still widespread and common; new phishing email scams appear all the time. They make various claims to grab your attention. For example, they may tell you that your bank account has been compromised and you must change your password. In other cases, it might be an attempt to extract personal information, such as your social security number, from you instead.

Email phishing attacks are sometimes targeted at very specific persons or groups. This form of attack is known as “spear phishing.” An attacker, in this case, knows about their specific target. Such attacks often carry an additional air of legitimacy as the perpetrator appears more official or to have a personal connection to the victim. A recently highlighted spear phishing attack involved an email allegedly from a CEO sent to his CFO requesting specific financial action be taken. While you may not be a likely target of a spear phishing attack, it’s a good reason to view all unknown emails with some suspicion.

Spam filters have improved to the point where many of the most common phishing emails are filtered out, but it’s still worth remembering that the threat exists. Simply avoid clicking strange or unfamiliar links in emails, especially from untrusted email addresses. If you’re just not sure, don’t be afraid to contact the person who the email claims to be from and ask if they sent it. Not only will this confirm the validity of the email, it is also a good practice; by doing this you’re sharing that best practice with others, and increasing the security of your personal community!

In the social media age, email phishing is too basic for some digital thieves. Instead, they try to exploit the way social media users think to gain access to your personal information. One of the more prominent forms of this is through profile-viewing apps. Have you ever seen an ad or a post shared by a friend for an application that will tell you who has viewed your profile? Websites and software making claims about who visits and views your profile has been appearing since the days of early social network MySpace.

So, what happens if you use one of these apps? Usually, the first thing that happens is a prompt for your username and password. Whether it’s Twitter, Facebook, or another site, the app will try to pretend it is legitimate by emulating the look of social media website. After you enter your information, it goes straight to the server of the individuals controlling the app. The software itself doesn’t work, of course — although, it might read your friends list and randomly display some users to make it look like it is performing its function.

Some apps may even offer to sell you advanced services or more powerful tools to take control of your social media profile. After all, why settle for stealing just your credentials when they could phish financial information, too? Not only do you risk the potential charges of the in-app purchases, but the hackers will now have access to your credit card number and perhaps even billing address.

Have you ever looked at a popular Facebook post only to see people commenting with a link to a supposedly sensational or shocking video? Perhaps they claim to have earned a steep discount on a popular service. Following these links usually leads to another fake login form or an attempt to extract payment for a product that doesn’t exist. Online surveys, especially those that claim to give away gift cards as a reward, are another popular method for phishing.

Phishers also commonly rely on the most basic user error, the typo, as a way to reach potential victims. When manually entering a web address in your browser, it’s all too easy to mistype the address by one or two characters. We’ve all done it at some point. In some cases, a malicious party could register the domain and use it to spoof the site you expect, hoping to gain important login information. Check where you’re landing on the web – it can be tough to spot these typos. Since the phishing practice of using domain name typos has became widespread, many major websites have taken the initiative and registered these variations themselves. There’s no guarantee you’ll always land on the authentic domain, however, so be alert.

These are most of the common phishing methods out there today. New efforts to obtain your personal information constantly appear, though. As efforts to fight phishing improve, the attacks turn to novel and sometimes extensive methods.

Phishing attacks are growing in sophistication.

The money people can make off of your information inspires phishers to look for new ways to fool you. More and more frequently, phishing now also uses malvertising to serve up bogus links. The common web spoofing attack we were just talking about has taken on new forms. Cloud services like Dropbox and Google Drive also have potential problems of their own.

To highlight the level of sophistication that can be used, let’s look at a vulnerability that might let a phisher exploit a flaw in the way browsers render non-English characters into ASCII text. ASCII is the most common way to show text on computers. It contains the English alphabet, numbers, punctuation, and some special symbols. However, we need a way to display foreign characters, too. For that, we have Unicode, which contains many thousands of characters across many languages.

To allow browsers to display Unicode characters in ASCII-based domain names, we have what is called Punycode, which uses ASCII characters to signal to a browser to display a URL that contains Unicode characters. So where does the phishing aspect come into the picture?

Some foreign characters, such as letters in the Cyrillic alphabet, look remarkably similar to letters in the Roman alphabet. Theoretically, a phisher could create a link to a website using Punycode that renders in your browser as a URL you know and recognize, like Apple.com. Instead of Apple, though, some characters – like the capital “A” – aren’t actually what they appear. You could then land on a spoofed website where, as before, the phisher can attempt to steal your credentials.

What about the issues with cloud services we mentioned? It is possible for a phisher to use these services to set up a page that mimics a legitimate login page. Both Dropbox and Google Drive have experienced this issue in recent years. Phishers construct a duplicate login page that sends information back to them. They then host it as a public file on a Dropbox (or Drive) account.

They often then send emails – or perhaps messages on social media – with a pretext to click the link to this fake page. Users who aren’t very careful can be fooled because accessing the file through the site means it appears over a secure SSL connection. With the appearance of legitimacy, it’s easy to trick unsuspecting users.

How do you know if you’ve been phished or hacked?

We’ll discuss what steps to take if you become a victim of phishing in a moment. How can you even tell if that’s happened, though? Be aware of what’s out there. Familiarize yourself with the methods we just discussed. You can even keep an eye on the news — phishing scams that become widespread often make headlines, especially in the security sector. “Knowledge is power” might be a tired cliché, but it’s also true in this case. Avoiding phishing scams is sometimes as easy as spotting suspicious misspellings or recognizing that you’ve landed on an incorrect domain.

Next, watch out for suspicious activity on your accounts. If you notice your account posting content you didn’t approve or create, or sending messages to your contacts, it’s a sure bet that your account has been compromised. In the worst cases, you could even be locked out of the account altogether.

This reminds us why it’s so important to use unique passwords: even if someone discovers one of them, it won’t unlock any of your other vital accounts. Unfortunately, too many people still share passwords with sensitive services like email.

Financial issues can be tougher to detect, but it’s always important to monitor your credit cards for unusual activity. There is another way you might find out, too: sites like Facebook or Google might just tell you. Many services today utilize methods for identifying unauthorized access to your account. They will then lock it down and request that you verify your identity and change your password.

If at any point you realize you’ve fallen victim to a phishing scam, especially right after the fact, it’s time to start acting. You have options, and you can fight back to prevent or mitigate damage.

Steps to take when you discover a phishing attempt.

First things first: if you’re browsing on a desktop or laptop device, check your machine for malware. You can use software like our own MacScan 3 to quickly find and, if necessary, eliminate any malicious software deployed onto your machine. Phishing websites are often havens for malware and may attempt to use a variety of exploits to place a payload on your machine. While not always the case, it’s worth the peace of mind to run a scan and be certain that your system contains no keyloggers or other malware that steals information.

If you’ve provided your credentials for a social media site, change your password immediately. If you’ve used that password anywhere else, change it there as well. If you can, set up two-factor authentication as soon as possible. Hackers won’t have access to your phone, so verifying your identity this way ensure phishers can’t break back into your accounts. 2FA is an excellent security feature available across the web, and it protects users from more than just phishing. More and more sites are implementing it, so check to see if your favorite sites now support it.

If you can’t access your account at all, contact the support team for the website. Many major social networking sites and online retailers keep measures in place for supporting individuals who’ve been phished. Their teams can help you regain access to your account via their own internal methods and identity verification steps.

What if you handed over payment details, like your credit card number? It’s time to call your bank or credit card company. Let them know what happened — these days, customer service agents are aware of “phishing.”Consider closing these accounts and opening new ones; again, your bank can help you do this quickly and easily.

The sooner you initiate these efforts, the less likely you are to suffer financial losses. In serious cases, you can even contact credit reporting agencies to request a fraud alert for your credit profile. This way, you will receive instant notification if suspicious activity occurs with your financial details.

Ways to protect yourself against phishing.

So let’s review a few important ways to protect yourself from these scams. First, beware of social media apps, offers, and posts which appear “too good to be true.” Anything that claims it can offer you a new feature and then asks for your password is likely something you should avoid.

Never download and run suspicious software, as this is one of the primary ways malware authors and phishers can attack Mac users for their information. At the same time, scrutinize links and URLs. Does the domain look strange? Does it say something like “.cc” instead of “.com”? Does it use a long Google link to redirect you to another website? These are all signs that you might be dealing with a phishing site.

If you do end up on a page asking for your information, examine all aspects of the page. Phishing sites often have outdated graphics or logos, broken functionality, spelling and grammar errors, and more. Spotting these problems can tip you off before you type anything into a form. Protecting yourself from attacks that use methods like Punycode is more difficult, but keeping your browser updated is a good first step. For Firefox users, you can install an extension to force the browser to stop rendering Punycode into ASCII. Now you can spot these fake URLs before following them.

Though you may not have encountered a phishing or social media “hack” attempt yet, that doesn’t mean you never will. Remember what we’ve discussed today when it comes to taking action when you realize you’ve been phished. The faster you move, the more damage you can mitigate.

While hackers and other bad actors will continue looking for new deceptive ways to steal your information online, vigilance will help protect you. As always, thanks for joining us for another episode of The Checklist. We’ll be back again next week with more.

Problems? Questions? Security concerns? If you have anything to ask us, send us an email at checklist@securemac.com!

Join our mailing list for the latest security news and deals