Modern Phishing Attempts Look More Legit, but the Methods Haven’t Changed Much

You receive a new email that looks like it’s from a friend, a company, a government official, or even a family member. The body is essentially one big link, and you click it, because of course you do. It takes you to a login page where you enter your credentials. That page turns out to be fake and has just collected your password. Congratulations, you’ve been phished.

Phishing is a time-honored way of getting your credentials or access to one of your accounts. The idea behind it is extremely simple: it is about tricking you into handing over your information, so no actual hacking is required. Historically, this means sending you an email containing a link and hoping you click on it. The link leads to a phisher-built site designed to look like the login page of the real site, and the moment you enter your username and password, they are captured. This has been happening since the 90s, when the warez community used phishing emails to steal people’s AOL passwords.

Back then, hackers could easily trick people into clicking on anything because this is how the Internet worked, but nowadays we are more and more vigilant, right?

If yesterday’s Google Docs phishing campaign is any indication, then no. The premise was the same as always: you get an email that looks like it’s from a friend and you click on it. In this case, it looked like someone wanted to share a Google document with you. The link takes you to the real Google login page, a legitimate Google page, so you sign in as normal. The phishing happens in the next step, when a consent screen asks you to grant permissions to a third-party application, and that application is the phisher’s. It is a clever play on a routine process, even if it’s not entirely new. Here it is in action:

As sophisticated and strange as the attempt seemed, there were some tells. The app’s URL was googledocs.g-docs.win, not a google.com address. Beyond that, Google itself never needs to ask for permission to access your Google account, so a consent screen asking you to grant that access to something calling itself “Google Docs” makes no sense. Fortunately, in this particular case, you can at least revoke the phishing app’s access from your Google account settings.
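The tells described above can be checked mechanically from the OAuth authorization URL the consent screen is served from: where the token will be delivered (redirect_uri) and what the app is asking for (scope). The following is an added example, not code from the article or from Google; the first-party host allowlist and the sensitive-scope list are assumptions, the sample URLs are constructed (the article does not record which scopes the phishing app requested), and the client_id values are placeholders.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Hosts that a genuine first-party Google sign-in would hand control back
# to. This allowlist is an assumption made for the example.
FIRST_PARTY_HOSTS = {"google.com", "accounts.google.com", "docs.google.com"}

# Real Google OAuth scope identifiers that let a third party read mail or
# contacts. Which scopes the 2017 phishing app actually requested is not
# something this article records; the list is assumed for the example.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}


def registrable(host):
    """Last two labels of a hostname; adequate for .com/.win style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_consent_url(url):
    """Return human-readable findings for an OAuth 2.0 authorization URL.

    An empty list means nothing looked off. A legitimate third-party app
    also redirects to its own host; the point is that Google itself never
    needs to ask, so a consent screen that calls itself "Google Docs" yet
    delivers the token elsewhere is the tell.
    """
    findings = []
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}

    if parsed.scheme != "https" or parsed.hostname != "accounts.google.com":
        findings.append(f"authorization endpoint is not Google's: {parsed.netloc}")

    redirect_host = urlparse(params.get("redirect_uri", "")).hostname or ""
    if registrable(redirect_host) not in {registrable(h) for h in FIRST_PARTY_HOSTS}:
        findings.append(f"authorization code/token goes to third-party host {redirect_host}")

    requested = set(params.get("scope", "").split())
    sensitive = sorted(requested & SENSITIVE_SCOPES)
    if sensitive:
        findings.append("requests mailbox/contacts access: " + ", ".join(sensitive))
    return findings


# Constructed sample URLs (not captured from the real campaign). The
# client_id values are placeholders, not real registered clients.
PHISH_URL = "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode({
    "client_id": "000000000000-phish.apps.googleusercontent.com",
    "redirect_uri": "https://googledocs.g-docs.win/callback",
    "response_type": "code",
    "scope": "https://mail.google.com/ https://www.googleapis.com/auth/contacts.readonly",
})
BENIGN_URL = "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode({
    "client_id": "000000000000-docs.apps.googleusercontent.com",
    "redirect_uri": "https://docs.google.com/oauth/callback",
    "response_type": "code",
    "scope": "openid email",
})

if __name__ == "__main__":
    for name, url in (("phish", PHISH_URL), ("benign", BENIGN_URL)):
        print(name, analyze_consent_url(url) or ["no findings"])
```

Run against the constructed phishing URL, the script reports that the token would be delivered to googledocs.g-docs.win and that mailbox and contacts access is being requested; the benign URL, which hands control back to a google.com host and asks only for identity scopes, produces no findings. Copy the address bar of a consent screen you are unsure about into it before clicking Allow.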

We’ve seen similar versions of the same thing over the years, and phishing attempts keep getting better at replicating the login pages of popular sites. One recent attempt used a fake attachment to redirect victims to a counterfeit Google Docs login page, while another in 2014 did much the same thing as this week’s attack, replicating the Google Docs login page. That DNC hack last year? Phishing. Over the years, popular phishing targets have also included PayPal, eBay, and virtually every major bank.

What makes these modern attempts more sophisticated? Mainly, they are getting better at hiding what they are doing, so the conventional checks no longer catch them. Phishers have become better at copying the login pages of sites like Google or your bank, they use tricks to disguise a link’s true URL, and they have become better at making messages look like they came from a real person. In the case of Google Docs, it came down to not looking like what people expect a phishing attempt to look like, and then using Google’s own OAuth consent flow to catch you off guard.

So what’s a tech-savvy person to do? Continue not to click on any weird links in your email, no matter who you think sent it. Chances are, your friends won’t just send you an email with a link, and if they do, you should probably ask them to change this weird behavior.

Otherwise, if an email looks legitimate but you just can’t resist, don’t click the link; go to the relevant site by typing its URL into the address bar yourself and log in that way. You can usually hover over (or right-click) a link to see its true destination, but even that check might not save you these days, since a link can point at the real login page and still hand you off to a malicious app once you’ve signed in.
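Hovering over a link is a manual version of a check that can be automated over a whole message: compare what the link text shows (or the brand it names) with where the href actually goes, and flag punycode hosts and redirector links that bounce through one site to another. The following is an added example, not code from the article; the brand-to-domain mapping is an assumption, and the sample email body is constructed (the g-docs.win host is the one named in the article, the others are invented).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Brand words in link text and the registrable domain they should lead to.
# Assumed mapping for this example; extend it for the brands you care about.
BRAND_DOMAINS = {"google": "google.com", "docs": "google.com",
                 "paypal": "paypal.com", "ebay": "ebay.com"}

# Something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable(host):
    """Last two labels of a hostname; adequate for .com/.win style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return findings for one link; an empty list means it looked fine."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    if parsed.scheme not in ("https", "http"):
        findings.append(f"non-web scheme {parsed.scheme!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"internationalized (punycode) host {host}")

    # Displayed URL vs. real destination: the classic hover check.
    shown = DOMAIN_RE.search(text)
    if shown and registrable(shown.group(0)) != registrable(host):
        findings.append(f"text shows {shown.group(0)} but link goes to {host}")

    # Brand named in the text vs. the domain the link actually lands on.
    for word, domain in BRAND_DOMAINS.items():
        if word in text.lower() and registrable(host) != domain:
            findings.append(f"text mentions {word!r} but link goes to {host}")

    # Wrapped/redirector links: a query parameter that is itself a URL.
    for values in parse_qs(parsed.query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                findings.append(f"bounces through {host} to {urlparse(value).hostname}")
    return findings


def triage(html):
    """Return [(href, text, findings)] for every link in the body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


# Constructed sample message, not a real phishing mail.
SAMPLE_EMAIL = """
<p>Someone has shared a document with you.</p>
<a href="https://googledocs.g-docs.win/open?id=1">Open in Docs</a><br>
<a href="https://accounts.google.com/ServiceLogin">https://accounts.google.com/ServiceLogin</a><br>
<a href="https://xn--ggle-0nda.com/login">https://google.com/login</a><br>
<a href="https://t.example/r?u=https://evil.example/login">Review account activity</a>
"""

if __name__ == "__main__":
    for href, text, findings in triage(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for finding in findings:
            print("   !", finding)
```

On the sample, the “Open in Docs” link is flagged because it names Docs but lands on g-docs.win, the punycode link is flagged both for its host and because its text claims google.com, and the last link is flagged for bouncing through t.example to evil.example; only the link whose text and destination both belong to google.com comes back clean. The `registrable` helper is deliberately naive (two labels), so for country-code domains such as .co.uk you would want a public-suffix list instead.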

More importantly, if you want to put your phishing vigilance to good use and help other people, the respected SwiftOnSecurity has put together a collection of phishing reporting tools so you can report suspicious links and keep others from falling victim to these attempts.

Just remember: don’t click questionable links in an email from a company. Don’t follow strange links in emails from friends and family. And don’t click links in emails from your bank, Google, or anyone else when you could simply go to the site yourself and find the information the email claims to contain.
