An Update on New Phishing Techniques

Category: Data Security , Cyberbytes
Author: Josh Isley

Phishing scams are relentless in the pursuit of stealing your data. This means that even though more people are aware of potential scams in their email, criminals are finding new ways to target people. It’s important to recognize that phishing techniques are always changing, evolving, and transforming into new forms every day. Gone are the days of easily detecting a scam from the Nigerian Prince. The avenues for a malicious cyber attack are countless in today’s digital world. Let’s take a look at some new phishing techniques from 2019 and how they can be prevented moving into 2020.

 

Pharming

Deemed “phishing without a lure” pharming is a scam in which malicious code is installed on a personal computer or server. Users are misdirected to fraudulent websites without their knowledge or consent. Compromised computers with malicious code will access fake websites even if the user types in the correct URL. These fraudulent websites can inconspicuously request information such as credit card numbers, bank account numbers, or passwords by making the user feel like they are on a legitimate site.

A strong defense against pharming starts with secure browser navigating. Be wary of any attachments or links that require using your default browser. Be sure to check the security settings and privacy policies of your default browser. Also, be wary of websites that have an address that starts with “http” instead of “https” or websites with multiple spelling errors. These are both key indicators of corrupt sites.

 

Content injection

Hackers are finding ways to manipulate credible sites. A method in which they are able to do this is called content injection or content spoofing. This form of phishing changes a portion of page content on a reliable website. If the user clicks on the content, they are then redirected to a malicious page and asked for personal information.

Some safety measures to consider are to avoid constructing or sending error messages via request parameters. Also, avoid passing HTML content via from request parameters.

 

Loyalty points phishing

Everyone loves saving money. That’s what makes loyalty points programs so attractive for consumers. However, these programs are also attractive for hackers due to large majority of programs lacking proper security. Many of these accounts only require a username and password with no other form of security. With many consumers forgetting about their account until they want to use it, fraudsters have ample time to access loyalty points and redeem them for flights, hotel rooms, gift cards, and merchandise. Fraudsters are able to gain access to these accounts through strategic phishing campaigns. These campaigns involve fake rewards program emails asking customers to update their information. From there, the phishing scam can likely gain access to credit card information as well.

They best way to control this scam is to always monitor subscription or rewards accounts. Control what is being sent to your email, don’t insert new information based on an email request. Contact the merchant that controls the rewards program and let them know of any suspicious email activity. Also ask the merchant what is being done to protect your personal information.

 

CyberAttacks Webinar Recording - Watch Now!

 

Display name spoofing

Have you ever received an email from someone you know that just didn’t quite sound like them? Be wary of these emails. The likelihood of the email being a phish is extremely high. In previous years, phishing attempts were easy to sniff out due to misspellings and unidentified email addresses. Now scammers are able to use display name spoofing to disguise the name associated with the email to impersonate a regular contact of the target. This tactical approach makes these attacks much harder to detect.

While the display name resembles a credible source, the email address itself reveals the actual source of the email. An important practice with any email received is to check the address to make sure it aligns with the display name. Many email servers also have a security setting to detect when an email comes from an external source instead of from within the company network.

 

File-hosting application scams

Sharing applications such as Dropbox and Google Drive are extremely useful tools for collaboration efforts. Recently though, hackers have taken advantage of these applications by sharing malicious URLs through the file-host. Victims receive these links and believe they are safe since they come from a credible source. Once the link is clicked, it immediately begins downloading malware onto the computer.

The best preventative method with these attacks is to heighten an overall sense of cyber awareness. Before clicking something, check directly with the source to know if they intended to share a specific link or file with you. Be mindful of URLs and look for indicators that might point to danger.

 

Conclusion

The main answer to these attacks is cyber education. Frequent training through phishing simulations and refining your ability to spot spear phishing attempts can be the boost you need to secure your data. Cybercriminals will continue to seek new ways to craft scams in 2020. Strong cyber awareness can be the difference in securing your information or becoming the next statistic.

January 13, 2020
Back
Share this post on social media