This week we move onto theme three of Cyber Security Month: recognize cyber scams. The important point here is that you do not have to be technical to recognize a cyber security scam. In this blog I’ll cover some simple security practices that will make you cyber savvy in no time.

What should I look out for?

 

1. Domain Infringement

Typo-squats and domain squats use variations or misspellings of a legitimate domain name to target potential victims. Once registered, these domains are used to achieve phishing attacks by sending emails and/or acting as the host location for fake sites.

However, don’t sweat. These attacks often can be easily identified. When looking at a domain name:

  • Spot misspellings. This can include the use of numbers instead of letters – such as “1” instead of “l”
  • Beware of incorrect top-level domains (TLDs). Would your bank really email you using a .biz or .xyz domain?
  • Don’t be fooled by redirects since typo-squats, particularly those used to send emails or capture payment details, may redirect to a legitimate site to trick users into believing the domain is safe.
  • Hover your mouse (without clicking) over links AND images within emails to check whether they lead to a potential domain-squat
  • Use a URL unraveller to expand tinyurl, ly, goo.gl, is.gd, t.co and other short URLs that potentially hide a phishing site or malicious download
  • Manually type out the URL in your browser – especially for important sites. This will prevent you from falling victim to a “punycode” phishing attack, where letters in the Greek, Cyrillic and other alphabets are used to imitate the Roman alphabet in the registration of phishing sites. As these domains look identical to legitimate domains to the naked eye, they are tricky to spot
  • Search for the domain on an open source WHOIS database to see who registered the domain. The use of a personal email address for a supposed corporate domain is often an indicator that it may be illegitimate.

 

Figure 1: WHOIS information for a malicious domain retrieved using Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection). This particular domain has previously been used to host the Trickbot banking trojan.

2. Sub-domains

Though sub-domains (e.g. info.digitalshadows.com) are commonly used by legitimate organizations and are not bad in themselves, they can be used by scammers to distribute malicious file downloads or host phishing sites.

The guidelines listed above for identifying typo-squats all apply to spotting malicious sub-domains. In addition, alongside scrutinizing super long URLs from left to right to identify the main domain, you can also run it through a WHOIS database search. A WHOIS search will remove all the page extensions and “dot” drivel from a URL, revealing the (true) main domain name – tadaaa!

When running a WHOIS search, you may find that the site itself is registered to a legitimate organization even though the sub-domain appears suspect. This could be because attackers have hijacked a legitimate domain as the host site of a malicious sub-domain.

 

3. Phishing emails

Scammers use phishing emails to steal sensitive user data. This may involve social engineering techniques to impersonate a real individual or organization and trick a user into giving confidential information away – such as through a crafted login page to collect passwords or a request to transfer sensitive documents. Alternatively, they may include direct blackmail threats and demand a ransom payment from a potential victim. Do not fear. Scammers who craft these emails are often lazy or make sloppy mistakes that are easy to spot.

Virus protection software and spam filters are good foundational measures for identifying and blocking phishing emails. But, when still in doubt, a useful way to determine whether you have received a phishing email is to pick the email apart with the following questions:

  • Who is the email from? Always expand the pane at the top of an email so you can see the sender’s email address in full. This will enable you to catch any illegitimate sender emails addresses, including those that use typo-squats, or are from an unknown address
  • Who was the email sent to? Expanding the pane at the top of an email also often allows you to see who else the email was sent to. Since untargeted phishing or ransom email campaigns are commonly sent on a mass scale to individuals from multiple organizations, checking who the other recipients of the email are is a good way to identify whether you’re being scammed
  • What is in the email? Poor or incoherent email layout and formatting are great scam giveaways, as are hidden links. Always hover over the images and contents of an email to catch any concealed activity, such as a site URL or malicious download, and lookout for layouts that do not align with an organization’s official branding
  • Does the email include an unusual request? Always be wary of emails that demand payment or personal identifiable information (PII) such as an “update user account” request. Most legitimate organizations will NOT ask you to hand over sensitive information over email
  • How is the email written? Watch out for spelling and grammatical errors in an email – again, these are a tell-tale sign of lazy scammer behaviour. Tone and sentence structures can also be an indicator that something isn’t right; this is one check you can perform to detect a business email compromise (BEC) attack, i.e. when an employee’s email account has been taken over by an attacker and is being used for malicious purposes.

4. Malicious mobile applications

Mobile applications (“apps”) are becoming an increasingly common entry vector used by cybercriminals; this is mostly because apps provide a new attack surface that organizations sometimes struggle to have oversight across. Be wary of:

  • Unauthorized third-party app stores. The iOS and Google Play stores are generally trusted stores that have protocols in place to detect and prevent the spread of malicious apps. However, as seen in recent “bankbot” malware campaigns, attackers are continually finding new ways to bypass Google Play security measures – very annoying, we know. As such, it is best to use the app store download link that is provided by a legitimate organization on their official site (where possible)
  • Apps that request authorization for unusual permissions. For example, question whether an app really needs screen overlay permissions so that it can capture your text messages and other personal activities…
  • Clumsy app descriptions. App descriptions that have spelling and grammar mistakes and are “slapdash” in nature are a hallmark sign of malicious mobile campaigns. The same is true for apps that use incorrect or outdated organizational branding
  • Apps that do not reference a legitimate organization in the developer name. Again, lazy authors of malicious apps often fail to put a legitimate organization down for the developer name – look out for this!

Although the tips listed above do not cover all the different cyber scams, they provide a pretty good foundation for detecting the most prevalent ones out there. And, as important as security best practices may be, gaining a basic understanding of your attack surface and what it is that attackers want, are equally crucial steps in the pre-emption and detection of cyber scams.

 

To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.