In this article, I am going to illustrate a real life scenario where an attempt to hack my email account was carried by fooling me into giving my user name / password through a fake website that looks like Yahoo! Mail.
Such attacks, where the victim is lured into entering information in what looks like an innocent website, are called “phishing attacks”. Wikipedia defines “phishing” as the following:
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication
In the subsequent sections I will show you how the attack is carried, how you can inspect such emails by yourself and then conclude by giving you some safety guidelines.
A few days ago I received an email to my Yahoo! Mail account with the subject “IP Check!”:
Of course, such a subject is highly unusual and besides when Yahoo! sends emails they are accompanied by a small Yahoo! icon.
I click on the email to see its contents:
As you can see, the content of the email does not make much sense. The attackers could have been more creative so I fall into the scam but even still, I always double check all suspicious emails.
I clicked on the sender’s name, in this case the sender show as: “Y! Notifications” in order to see the email address of the sender.
The sender is “Eugene Bass” who has an AOL.com email account. You should ask yourself: “How come Yahoo sends an email to its users using AOL email”?
After you ask this question you should grin! 🙂
So far, no harm done except for impersonating a sender. I continue examining the contents of the email and I see a link. Now the fun part starts!
The first thing to do is: “DO NOT CLICK”, just move the mouse over the link and observe the status bar (at the bottom of your browser window):
Two things we observe which are common factors of most phishing attacks:
- The link is hidden and looks nice. What you see is a “Click here” and not the full address
- The link takes you to the attacker’s website. In this case, you will be redirected to “http://espanaga.hostingsiteforfree.com” website
These two indicators are enough for me to just delete the email and block the sender.
Going down the rabbit hole
For the sake of educating the readers of this article, I continue the investigation and explain what happens when I click the malicious link and go to the phishing website.
Clicking the link takes us to this page:
Looks like Yahoo! Mail’s website, right? 🙂
In fact, it does look a bit like it. Take a look at the actual Yahoo! Mail website:
The most important thing to observe is the address bar. The phishing site has the address bar’s background colored in red and there is also a red shield icon (and next to it a text saying “Unsafe website”). It is hard to observe the difference between the two websites because the attacker makes sure that the phishing website look as close as possible to the real Yahoo! Mail website.
To further inspect the malicious page, and using Microsoft Internet Explorer 11, I press F12 to trigger the debugger / webpage inspector.
My goal is to see where the information gets submitted to when I press “Sign in”:
After locating the form element in the page, I observed that the “action” of the “form” tag leads to another page on the attacker’s website called “login.php”.
Now let me explain to you in layman’s terms what is actually happening:
- You receive an email
- You get fooled and follow the link from the email
- You land on a site that looks like Yahoo! Mail that is asking you again to enter your user name / password
- You innocently enter the information and press “Sign in”
- The page “login.php” (in this case) which is also hosted on the attacker’s website, will collect the user name / password and store them or email them to the attacker.
- The funny thing is that if you enter any wrong information it does not matter
- The “login.php” does not validate your credentials, it merely log them. Why don’t you type then: “Hello attacker” as user name and “Busted” as password as a way to frustrate the attacker and tell him that you discovered his/her or their game? 🙂
- Voila! Your email is hacked
- The “login.php” page, having collected your credentials, will now redirect you back the the real Yahoo! Mail website. This is an important step so it does not raise your suspicion!
Your web browser can save you
Modern browsers can defend you from phishing attacks. Web browsers such as Microsoft Internet Explorer or Google Chrome have anti-phishing technology built-in. The technology mainly works and identifies a site as a phishing site as soon as it knows about it. For that reason, the phishing website can go undetected for a while until the browsers picks it up and mark it as such.
Microsoft Internet Explorer for instance employs the “SmartScreen” technology to detect such websites and warn you when you visit them. If you had clicked on the link you received via email and your browser already knows about this phishing website, you will be notified like this:
In that case, just click the “Go to my home page instead”. I am tempted to say “click on the links with the green check mark next to them” but that too can be used by scammers to fool you!
The most important fool proof indication is the address bar. If the address bar (where the URL is entered) is red and you see the red shield, this is an indication of something “phishy” 🙂
If the address bar is not visible (and you did not hide it manually), you should be suspicious as well.
Safety notes and conclusion
One can never be more careful these days when surfing the web. To increase your online safety, these are simple steps you can follow:
- Always verify the sender’s email address (not just the name). Click on the name to see what’s the real email address. Untrusted / unknown senders should trigger your suspicion
- Never click on links unless you really have to:
- Verify the link and see if it really point to where it claims to be. In our example above, the link should be related to Yahoo! Mail and not some free hosting provider
- If you click the links, be very suspicious if you are prompted to enter your credentials again
- Never download attachments:
- Attachments can be very deceiving. An EXE file disguised as an innocent PDF file. That can be a malware, a backdoor or a virus.
- Even if it is a real PDF or MS Word Document, be careful. Document processing software can be buggy and a malicious input document can exploit your machine
- In case of doubt, download the document but do not open it. Let your Antivirus scan it first
- Use “Two factor authentication” whenever you can. This is a long topic and requires an article for itself, however know that if your web mail provider offers two factor authentication then opt-in for it. If your password is compromised the other factor is less likely to have been compromised (for example, the second factor can be a challenge code your receive as SMS on your cell-phone)
Please leave your comments and suggestions. If you have a similar insightful phishing story that happened with you or your loved ones please share the story so it enlighten others.