At Hacker9, we always advise our readers to be a vigilant internet user no matter how informed you are and keep up with the new tactics used by hackers to trick their victims.
Until this year, there have been numerous data breaches which mostly outset with a simple phishing attack. Hackers have targeted various financial accounts, looking for sensitive data most of which used office 365 and Google G-suite. Many times, these attacks come in the form of “security alerts” or “warning” messages.
Its 2019 and hackers have already raised their phishing game, coming up with new ingenious phishing attacks. Also, hackers are well aware that internet users are more informed about phishing attacks than ever.
A few days back we had seen how 2-factor authentication codes can be bypassed easily using phishing technique itself and today we are going to cover two new phishing attack trends that even most informed internet users could fall for.
Before that let me list basic security practices we recommend to spot a phishing site.
- Checking if the URL is correct
- Checking if the site is using HTTPS
- Checking if the website domain name is not a homograph
- Checking if the website domain name is not using Punycode
- Using a browser extension to detect phishing URLs
We should always rely upon and follow the above-listed security practices to beat phishing attacks. However, you may still fall victim to 2 newly-discovered creative phishing attacks listed below.
Hiding Phishing URL Behind Google Translate
The modus operandi here is to hide phishing page URL by masking it with the Web address of Google translate service (translate.google.com) so that the users begin to feel that the page is the real one. This increases the chances of users falling for the trap as they see Google Domain at the top and gain confidence.
This trick looks less sophisticated, but sure it is one of those clever tricks used by cybercriminals to hijack Google accounts.
The attack specifically targets Google account holders precisely G-Suite users and is carried out by sending phishing email with a subject line ‘Security Alert’ to a group of users to warn them of the unauthorized sign-in from another device.
The email contains very realistic Google warnings that you normally receive when you sign-in or attempt to sign in to your account from the unauthorized or new device. Along with warning text, there lies a button with a link to the dubious website.
When you hesitantly click on the button, you are taken to the phishing site via “Google translate service”, I.e the “Google translate service” fills up the phishing site URL with random text and displays Google’s legitimate domain.
While on the desktop computer there are enough signals to warn you about the hidden dangers, whereas if the victim happens to be on his mobile device the attack becomes very lethal and is more difficult to spot since the URL is compressed enough to look authentic at first glance.
Signals like, seeing the phishing URL in Google Translate toolbar, hovering over the links inside the page, inspecting the page elements, etc will easily tell you that something is fishy. However, if you are on your cellphone, it is quite difficult to spot the attack unless if you care enough to observe the URL.
Using in-page fake Facebook login popup
Making use of Facebook login option at various social networking websites is totally fine and we have been using this option since its inception as its an easy & effortless way of registering on 3rd party websites. It is needless to say that Facebook is well aware of how and where the Facebook login option is being used.
Generally, when you click “log in with Facebook” option available on any website, you are served with facebook.com in a new pop-up browser window, asking you to enter your Facebook credentials to authenticate using OAuth and permitting the service to access your profile’s necessary information like your email.
Antoine Vincent Jebara, CEO of Myki, says that his team recently spotted a new phishing attack campaign that even the most vigilant users could fall for.
Hackers are distributing links to blogs and services that prompt visitors to first “login using the Facebook account” to read an exclusive article or purchase a discounted product. The catch here is that the “login using Facebook account” option is rigged. Instead of being redirected to real Facebook popup page, the users are being served with a very realistic-looking fake Facebook login prompt after they click the “login using Facebook account” button which has been crafted to capture users credentials, just like any phishing site.
Watch the video demonstration shared by Myki:
As shown in the video, the users can also interact with the fake browser window, drag it here-and-there or exit it in the same way any legitimate window acts. The only thing that they can’t do is, drag the prompt away from or out of the window it is currently displayed in.
And according to Vincent, this is the only signal which tells you that the popup is fake, I.e If dragging the pop-up out of the window it is currently displayed-in fails, it’s a definite sign that the popup is fake. If you are a web developer, you could also inspect the HTML page elements to know the sources of its components.
Hackers are well aware of the fact that more of us are using mobile than ever before, and a more sophisticated hacker could clearly use the limitations of the mobile phone to take advantage. So you need to be very cautious about the websites you visit or maliciously intended emails you may fall for while on your mobile phone.