If you don’t know what it is (maybe because you spent the last 30 years alone on a mountain and nothing else), let me explain: phishing is a type of attack used to steal user data such as the credentials for a specific service and/or credit card details.

The attacker masquerades as a trusted identity (your bank, your local post office, Facebook…).

Their objective is to make you open a link that leads to a web site that is a clone of a service you use.

In a very well made phishing attack, for example, the only difference between your bank’s website and what you see is in the URL.

Misreading, my best ally

One of my favourites is this:

https://wwwpaypal.com/  https://www.paypaI.com/  https://www.paypaI.com/

Of the 3 links above, only 1 is legit.
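As an added example (my own code, not from the article), here is a small Python check that explains why a link like the ones above should not be trusted as www.paypal.com: a missing dot after “www”, a capital I drawn like a lowercase l, or letters from another script. The confusable table and the expected host are assumptions for the demo.

```python
from urllib.parse import urlparse

# Characters that read as another character in many sans-serif fonts.
# Constructed, partial table: capital I and digit 1 pass for lowercase l, etc.
FOLD = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})

def host_of(url: str) -> str:
    """Host part of a URL, case preserved (urlparse().hostname would lowercase the I)."""
    netloc = urlparse(url.strip()).netloc
    netloc = netloc.rsplit("@", 1)[-1]   # drop any user:pass@ prefix
    return netloc.split(":", 1)[0]       # drop any :port suffix

def lookalike_findings(url: str, expected_host: str) -> list:
    """Why `url` must not be trusted as `expected_host`; an empty list means it matches exactly."""
    host = host_of(url)
    if host == expected_host:
        return []
    findings = []
    # Trick 1: "wwwpaypal.com" - the dot is missing, so the registered domain is not paypal.com
    if host.startswith("www") and not host.startswith("www.") and "www." + host[3:] == expected_host:
        findings.append("missing dot after www: registered domain is " + host[3:])
    # Trick 2: "www.paypaI.com" - a capital I that is drawn like a lowercase l
    if host.translate(FOLD) == expected_host.translate(FOLD):
        findings.append("confusable characters: %r reads like %r" % (host, expected_host))
    # Trick 3: letters from another script (e.g. Cyrillic) that look like Latin ones
    if not host.isascii():
        findings.append("non-ASCII characters in host: %r" % host)
    if not findings:
        findings.append("unrelated host: " + host)
    return findings
```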

Nowadays, luckily, it is very hard to find a URL (link) situation like this. Attackers walk a fine line between getting sloppy and abusing the victim’s intellect. I know, nobody likes being called stupid or similar. But there aren’t many words to choose from when you receive a message from “BANK A”, whose web address you know is www.banka.com, and the link clearly (because you can read it) points to www.evil-random-shit.com.

But, I repeat, I am not calling anyone stupid or anything. I realized that people, in most cases, put their trust in the wrong things and never assume the worst (and many phishing campaigns were actually amazing from a technical point of view). That said, I’m going to cover in this article how not to fall victim to these attacks.

Spear Phishing & Whaling

Well, two nice names. The only difference? Spear phishing is a phishing campaign tailored to a specific individual. Whaling is when this individual is some sort of VIP or C-level (CEO, CDO, CTO…).

The mechanics of the attack are exactly the same as for a normal phishing attack. The difference, as said earlier, is that in this case the attacker pays much more attention to the details of the message he sends.

Note that I’ve explicitly used the phrase “the message sent” not to be vague but because these attacks can be delivered not only via e-mail but also via SMS, WhatsApp and lately also via phone call (thank you, AI!).

Methods of delivery for the attack

As said two lines above, you can receive a phishing attack via:
– E-Mail (Phishing Campaign)
– SMS (Smishing)
– Phone Call (Vishing)
– QR Code (Quishing)

And now… drum roll please… how not to fall victim to those assholes?

How to not become another victim

There aren’t many things to check when it comes to recognizing a phishing attack (luckily). Let’s see which they are:

The content of the message
Usually in a massive phishing campaign the message presents a few anomalies, like:

  • An old logo
  • Grammar is correct but there are a few improper words (by improper I mean words that have the correct meaning in that context but are never used in practice)
  • Wrong grammar
  • The general look is a bit off compared to what we are used to seeing (in the case of mail from Netflix or Amazon, for example)

Invitation to open a link
Yes, a legitimate business may invite you to open a link (on very, very rare occasions) but still… they would redirect you to their official website, so avoid opening proposed links that sit behind a URL shortener (like bit.ly and many others) or when the URL is clearly different from the name of the business you are receiving it from.

Now, you can receive this stuff via e-mail or SMS. When it’s an SMS the link cannot be masked. The same cannot be said when it comes to mail. If you have the most basic knowledge of HTML (and 99% of the e-mails you read contain HTML) you know how to construct a link using the <a> tag. Hence you can show the user something like
CLICK HERE
which you click and which takes you (in this case) to the Cyanide & Happiness website.
But attackers may create something like
https://www.totally-legit-cyanide-and-happiness.com
and redirect you to another website (in this case a Jehovah’s Witnesses website).

Now, imagine, just for one second, that instead of https://www.totally-legit-cyanide-and-happiness.com there was https://www.name-of-your-bank.com

If you receive this on your phone (most likely), when clicking the link please CHECK THE URL on your phone.
If you are checking this from a computer, just put your mouse cursor on the link and check the bottom left of your browser: it will show the real link (or open it anyway and check the URL in the address bar).
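The same check a mail filter can do for you, as an added example written for this article (not code from the original post): it parses the HTML body, collects every `<a>` tag, and flags links whose visible text names one host while the href goes somewhere else, plus links hidden behind a URL shortener. The sample mail body, the shortener list and the `.example` hosts are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL shorteners that hide the real destination (constructed, partial list)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# A host-looking token inside the visible link text, e.g. "www.bank.example"
HOSTISH = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def host_of(url: str) -> str:
    """Lower-cased host of an http(s) URL, without user:pass@ or :port."""
    netloc = urlparse(url.strip()).netloc.rsplit("@", 1)[-1]
    return netloc.split(":", 1)[0].lower()

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def suspicious_links(html: str) -> list:
    """(reason, shown text, real href) for links that need checking before a click."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for text, href in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue
        real = host_of(href)
        shown = HOSTISH.search(text)   # does the visible text itself name a host?
        if real in SHORTENERS:
            hits.append(("URL shortener hides the destination", text, href))
        elif shown and shown.group(1).lower() != real:
            hits.append(("text shows %s but the link goes to %s" % (shown.group(1), real), text, href))
    return hits

# Constructed mail body modelled on the article's examples (all hosts are placeholders)
SAMPLE = """<a href="https://login.attacker-controlled.example/">https://www.name-of-your-bank.example</a><br>
<a href="https://www.name-of-your-bank.example/help">Help centre</a><br>
<a href="https://bit.ly/PLACEHOLDER">CLICK HERE</a>"""
```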

Quishing
QR codes were invented in 1994 by a Japanese company for labelling car parts. But only in recent years did they explode in popularity (thanks, Covid?).

There are today mainly two types of QR code: static and dynamic.

I won’t bother you with the details (since the web is full of info about it), so I’m going to give you just the gist:
Quishing works by using a QR code that sends the user to a malicious website or invites them to download an almost certainly infected app/document.

Satan, is that you?

No, it’s not Photoshop.
No, it’s not fake… at all.
I was setting up a contact center and stumbled upon a funny function (I will not get into the details of this) and then I decided to prank a friend, who luckily took the screenshot before replying to me laughing and calling me Satan.

Why did I decide to show you this? No, it’s not to show off my abilities or my immensely fucked up sense of humor.
But rather to show how easy it is, for some people, to set an arbitrary caller ID.

The same thing applies to SMS. I personally received (and sent, ONLY FOR FUN) a couple of very interesting messages (SMS).
One from my post office (my phone even showed the correct sender name).
The SMS was also grammatically correct, without weird words.
The only thing that didn’t work was the URL used (something like preview-domain.com).
The other was apparently from my personal bank. On the phone it showed, here too, the correct sender name.
But here too, 2 things:
– the message was well written except for 1 word (which in this case was wrong)
– the URL was all messed up (it referred to crapid.com as the main domain).

Hope you enjoyed this article. As always

Stay Safe!