Phishing URLs

How many of us inspect a link before we actually click on it? Be honest now, how many hover your mouse over the link and identify the destination in the status bar or popup, before you actually click? If the link is from a trusted site, say in the middle of a CNN article, very likely you don’t. If it’s a link in an email from your colleague, maybe. And even then, how closely do you look?

In many of MicroSolved’s social engineering exercises, alright, authorized phishing campaigns, creating fake links that appear valid is a tried and true method. To make an email look like it’s from John Glenn, a very familiar name recognized as an American hero, it takes 2 minutes to create an email address JohnGlemn@gmail.com. Or BilllyCrystal@gmail.com. Alright, how many of you actually caught the 3 lower case L’s in Billly? And the misspelling of Glemn in the email address?

Same thing with domains. Not to pick on this domain but why is MICRPSOFT.COM registered? Don’t browse to that domain, it gets forwarded to a suspicious link – which proves the point. An internet search for the string “MICRPSOFT” comes up with nothing for that string, all results are for “MICROSOFT.”

It’s a common technique referred to as URL hijacking or Typosquatting. It counts on the user not paying attention to what they’re typing into the browser address bar. Or it counts on the user not noticing the misspelling even if they were hovering the mouse over a link before they clicked.

Many of you have heard of the Equifax breach earlier this year. They registered and set up a domain for the public – equifaxsecurity2017.com. At this site, you could get more information, as well as enter your SSN (last few digits) to find out if your personal data had been part of the breach. However, a security professional registered securityequifax2017.com – and many legitimate sites actually directed traffic to this fake domain instead. Fortunately, it wasn’t anyone malicious, but someone who wanted to prove the point – and did – that these domain names can easily be abused. Equifax itself tweeted the fake domain, thinking it was their own.

So what are we to do? It’s easy to say, just be vigilant, be cautious, be on the lookout. There are tools, browser plugins, background running processes that can check links or clicks. But here’s an anecdote on relying on an “automated” tool that does things for us. I was pulled over at dusk couple weeks ago (wasn’t night yet, could still see the setting sun), driving my wife’s car that did NOT have daytime running lights. My car does. I have so heavily relied on this automated feature that when I was in a different environment that did not have it, I forgot to check the basics – it’s getting dark, are my lights on? Incidentally, the officer just gave me a warning.

Recommendation is, be vigilant, be cautious, be on the lookout. Check those links or email addresses. Check the spelling. Type in the link instead of clicking on it. Copy the link and paste it into the browser address bar, and verify before pressing Enter to navigate to it.

It’s a jungle out there. Be safe…