Login
Toolkit demonstrating another approach of a QRLJacking attack, allowing to perform remote account takeover, through sign-in QR code phishing.
It consists of a browser extension used by the attacker to extract the sign-in QR code and a server application, which retrieves the sign-in QR codes to display them on the hosted phishing pages.
Watch the demo video:
Read more about it on my blog: https://breakdev.org/evilqr-phishing
The parameters used by Evil QR are hardcoded into extension and server source code, so it is important to change them to use custom values, before you build and deploy the toolkit.
| parameter | description | default value |
|---|---|---|
| API_TOKEN | API token used to authenticate with REST API endpoints hosted on the server | 00000000-0000-0000-0000-000000000000 |
| QRCODE_ID | QR code ID used to bind the extracted QR code with the one displayed on the phishing page | 11111111-1111-1111-1111-111111111111 |
| BIND_ADDRESS | IP address with port the HTTP server will be listening on | 127.0.0.1:35000 |
| API_URL | External URL pointing to the server, where the phishing page will be hosted | http://127.0.0.1:35000 |
Here are all the places in the source code, where the values should be modified:
You can load the extension in Chrome, through Load unpacked feature: https://developer.chrome.com/docs/extensions/mv3/getstarted/development-basics/#load-unpacked
Once the extension is installed, make sure to pin its icon in Chrome's extension toolbar, so that the icon is always visible.
Make sure you have Go installed version at least 1.20.
To build go to /server directory and run the command:
Windows:
FreshRSS 
build_run.bat
Linux:
chmod 700 build.sh
./build.sh
Built server binaries will be placed in the ./build/ directory.
./server/build/evilqr-server
https://discord.com/login
https://web.telegram.org/k/
https://whatsapp.com
https://store.steampowered.com/login/
https://accounts.binance.com/en/login
https://www.tiktok.com/login
http://127.0.0.1:35000 (default)Evil QR is made by Kuba Gretzky (@mrgretzky) and it's released under MIT license.
It’s that time of year again: election season! You already know what to expect when you flip on the TV. Get ready for a barrage of commercials, each candidate saying enough to get you to like them but nothing specific enough to which they must stay beholden should they win.
What you might not expect is for sensationalist election “news” to barge in uninvited on your screens. Fake news – or exaggerated or completely falsified articles claiming to be unbiased and factual journalism, often spread via social media – can pop up anytime and anywhere. This election season’s fake news machine will be different than previous years because of the emergence of mainstream artificial intelligence tools.
Here are a few ways desperate zealots may use various AI tools to stir unease and spread misinformation around the upcoming election.
We’ve had time to learn and operate by the adage of “Don’t believe everything you read on the internet.” But now, thanks to deepfake, that lesson must extend to “Don’t believe everything you SEE on the internet.” Deepfake is the digital manipulation of a video or photo. The result often depicts a scene that never happened. At a quick glance, deepfakes can look very real! Some still look real after studying them for a few minutes.
People may use deepfake to paint a candidate in a bad light or to spread sensationalized false news reports. For example, a deepfake could make it look like a candidate flashed a rude hand gesture or show a candidate partying with controversial public figures.
According to McAfee’s Beware the Artificial Imposter report, it only takes three seconds of authentic audio and minimal effort to create a mimicked voice with 85% accuracy. When someone puts their mind to it and takes the time to hone the voice clone, they can achieve a 95% voice match to the real deal.
Well-known politicians have thousands of seconds’ worth of audio clips available to anyone on the internet, giving voice cloners plenty of samples to choose from. Fake news spreaders could employ AI voice generators to add an authentic-sounding talk track to a deepfake video or to fabricate a snappy and sleazy “hot mike” clip to share far and wide online.
Programs like ChatGPT and Bard can make anyone sound intelligent and eloquent. In the hands of rabble-rousers, AI text generation tools can create articles that sound almost professional enough to be real. Plus, AI allows people to churn out content quickly, meaning that people could spread dozens of fake news reports daily. The number of fake articles is only limited by the slight imagination necessary to write a short prompt.
Before you get tricked by a fake news report, here are some ways to spot a malicious use of AI intended to mislead your political leanings:
Is what you’re reading or seeing or hearing too bizarre to be true? That means it probably isn’t. If you’re interested in learning more about a political topic you came across on social media, do a quick search to corroborate a story. Have a list of respected news establishments bookmarked to make it quick and easy to ensure the authenticity of a report.
If you encounter fake news, the best way you can interact with it is to ignore it. Or, in cases where the content is offensive or incendiary, you should report it. Even if the fake news is laughably off-base, it’s still best not to share it with your network, because that’s exactly what the original poster wants: For as many people as possible to see their fabricated stories. All it takes is for someone within your network to look at it too quickly, believe it, and then perpetuate the lies.
It’s great if you’re passionate about politics and the various issues on the ballot. Passion is a powerful driver of change. But this election season, try to focus on what unites us, not what divides us.
The post This Election Season, Be on the Lookout for AI-generated Fake News appeared first on McAfee Blog.
One frustrating aspect of email phishing is the frequency with which scammers fall back on tried-and-true methods that really have no business working these days. Like attaching a phishing email to a traditional, clean email message, or leveraging link redirects on LinkedIn, or abusing an encoding method that makes it easy to disguise booby-trapped Microsoft Windows files as relatively harmless documents.
KrebsOnSecurity recently heard from a reader who was puzzled over an email he’d just received saying he needed to review and complete a supplied W-9 tax form. The missive was made to appear as if it were part of a mailbox delivery report from Microsoft 365 about messages that had failed to deliver.
The reader, who asked to remain anonymous, said the phishing message contained an attachment that appeared to have a file extension of “.pdf,” but something about it seemed off. For example, when he downloaded and tried to rename the file, the right arrow key on the keyboard moved his cursor to the left, and vice versa.
The file included in this phishing scam uses what’s known as a “right-to-left override” or RLO character. RLO is a special character within unicode — an encoding system that allows computers to exchange information regardless of the language used — that supports languages written from right to left, such as Arabic and Hebrew.
Look carefully at the screenshot below and you’ll notice that while Microsoft Windows says the file attached to the phishing message is named “lme.pdf,” the full filename is “fdp.eml” spelled backwards. In essence, this is a .eml file — an electronic mail format or email saved in plain text — masquerading as a .PDF file.
“The email came through Microsoft Office 365 with all the detections turned on and was not caught,” the reader continued. “When the same email is sent through Mimecast, Mimecast is smart enough to detect the encoding and it renames the attachment to ‘___fdp.eml.’ One would think Microsoft would have had plenty of time by now to address this.”
Indeed, KrebsOnSecurity first covered RLO-based phishing attacks back in 2011, and even then it wasn’t a new trick.
Opening the .eml file generates a rendering of a webpage that mimics an alert from Microsoft about wayward messages awaiting restoration to your inbox. Clicking on the “Restore Messages” link there bounces you through an open redirect on LinkedIn before forwarding to the phishing webpage.
As noted here last year, scammers have long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly Linkedin’s parent firm Microsoft).
The landing page after the LinkedIn redirect displays what appears to be an Office 365 login page, which is naturally a phishing website made to look like an official Microsoft Office property.
In summary, this phishing scam uses an old RLO trick to fool Microsoft Windows into thinking the attached file is something else, and when clicked the link uses an open redirect on a Microsoft-owned website (LinkedIn) to send people to a phishing page that spoofs Microsoft and tries to steal customer email credentials.
According to the latest figures from Check Point Software, Microsoft was by far the most impersonated brand for phishing scams in the second quarter of 2023, accounting for nearly 30 percent of all brand phishing attempts.
An unsolicited message that arrives with one of these .eml files as an attachment is more than likely to be a phishing lure. The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly.
If you’re unsure whether a message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.
The first of August marks the celebration of World Wide Web Day – a day dedicated to the global network that powers our online activity, creating a wealth of knowledge at our fingertips. The World Wide Web (WWW) has revolutionized the way we communicate, learn, and explore, becoming an integral part of our daily lives. With the importance of the internet only growing stronger, it’s only fitting to honor the World Wide Web with a special day of commemoration. But with the internet comes risks, and it’s important to make sure your family is protected from potential threats. Here are some tips and tricks to keep your family safe online.
Phishing scams are a type of fraud that involves sending emails or other messages that appear to be from a legitimate source. The goal of these messages is to trick users into providing personal information such as passwords, credit card numbers, and bank account details. To protect against phishing scams, teach your family to:
Identity theft is a crime in which someone uses another person’s personal information to commit fraud or other crimes. Teach your family to protect against identity theft by:
A virtual private network (VPN) is a type of technology that provides a secure connection to a private network over the internet. A VPN can help protect your family’s online activity by encrypting the data and hiding your online activity from others. To ensure your family’s online safety, teach them to:
Strong passwords are an important part of online security. Teach your family to create strong passwords and to never share them with anyone. Additionally, use a password manager to store and manage your family’s passwords. A password manager can help by:
To conclude, celebrations on World Wide Web Day allow us to give thanks for the incredible world of knowledge, commerce, entertainment, communication, and innovation that the internet has provided, and continues to provide for us all. By following these tips and tricks, your family can stay safe online and enjoy all the benefits of the internet. Happy World Wide Web Day!
The WWW has enabled us to achieve so many things that were simply impossible before. From the ability to catch up with friends and family across the globe to finding information about virtually any topic, the power of the internet is remarkable. In fact, the World Wide Web has significantly enriched our lives in countless ways.
Did you know that the first-ever image posted on the World Wide Web was a photo of Les Horribles Cernettes, a parody pop band founded by employees at CERN? It was uploaded in 1992 by Sir Tim Berners-Lee, who used a NeXT computer as the first-ever web server. And although we use the term “surfing the net” regularly, do you know who actually coined the phrase? A librarian by the name of Jean Armour Polly wrote an article titled “Surfing the Internet” in the Wilson Library Bulletin at the University of Minnesota in 1992.
There are many other remarkable facts about the World Wide Web, including its growth over the years. By the start of the year 1993, there were only 50 servers worldwide, but that number had grown to over 500 by October of the same year. Advances in data compression enabled media streaming to happen over the web, which was previously impractical due to high bandwidth requirements for uncompressed media. Although the number of websites online was still small in comparison to today’s figure, notable sites such as Yahoo! Directory and Yahoo! Search were launched in 1994 and 1995, respectively, marking the beginning of web commerce.
On World Wide Web Day, you can celebrate by exploring the capabilities of the internet and discovering how it has changed over the years. Many organizations worldwide host events featuring conversations and interviews with technology leaders, entrepreneurs, and creators. There are also different talks, activities, and discussions online that you can join, allowing you to delve deeper into the history and potential of the World Wide Web. You could even consider running an event at your local business to market the day and celebrate what WWW has done for us all!
The post World Wide Web Day: How to Protect Your Family Online appeared first on McAfee Blog.
The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn’t be shipped unless the customer paid an added delivery fee.
In a snail mail letter sent this month to Canadian customers, UPS Canada Ltd. said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.
The recent letter from UPS about SMS phishers harvesting shipment details and phone numbers from its website.
“During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient’s phone number,” the letter reads. “Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information.”
The written notice goes on to say UPS believes the data exposure “affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023.”
As early as April 2022, KrebsOnSecurity began receiving tips from Canadian readers who were puzzling over why they’d just received one of these SMS phishing messages that referenced information from a recent order they’d legitimately placed at an online retailer.
In March, 2023, a reader named Dylan from British Columbia wrote in to say he’d received one of these shipping fee scam messages not long after placing an order to buy gobs of building blocks directly from Lego.com. The message included his full name, phone number, and postal code, and urged him to click a link to mydeliveryfee-ups[.]info and pay a $1.55 delivery fee that was supposedly required to deliver his Legos.
“From searching the text of this phishing message, I can see that a lot of people have experienced this scam, which is more convincing because of the information the phishing text contains,” Dylan wrote. “It seems likely to me that UPS is leaking information somehow about upcoming deliveries.”
Josh is a reader who works for a company that ships products to Canada, and in early January 2023 he inquired whether there was any information about a breach at UPS Canada.
“We’ve seen many of our customers targeted with a fraudulent UPS text message scheme after placing an order,” Josh said. “A link is provided (often only after the customer responds to the text) which takes you to a captcha page, followed by a fraudulent payment collection page.”
Pivoting on the domain in the smishing message sent to Dylan shows the phishing domain shared an Internet host in Russia [91.215.85-166] with nearly two dozen other smishing related domains, including upsdelivery[.]info, legodelivery[.]info, adidascanadaltd[.]com, crocscanadafee[.]info, refw0234apple[.]info, vista-printcanada[.]info and telus-ca[.]info.
The inclusion of big-name brands in the domains of these UPS smishing campaigns suggests the perpetrators had the ability to focus their lookups on UPS customers who had recently ordered items from specific companies.
Attempts to visit these domains with a web browser failed, but loading them in a mobile device (or in my case, emulating a mobile device using a virtual machine and Developer Tools in Firefox) revealed the first stage of this smishing attack. As Josh mentioned, what first popped up was a CAPTCHA; after the visitor solved the CAPTCHA, they were taken through several more pages that requested the user’s full name, date of birth, credit card number, address, email and phone number.
A smishing website targeting Canadians who recently purchased from Adidas online. The site would only load in a mobile browser.
In April 2022, KrebsOnSecurity heard from Alex, the CEO of a technology company in Canada who asked to leave his last name out of this story. Alex reached out when he began receiving the smishing messages almost immediately after ordering two sets of Airpods directly from Apple’s website.
What puzzled Alex most was that he’d instructed Apple to send the Airpods as a gift to two different people, and less than 24 hours later the phone number he uses for his Apple account received two of the phishing messages, both of which contained salutations that included the names of the people for whom he’d bought Airpods.
“I’d put the recipient as different people on my team, but because it was my phone number on both orders I was the one getting the texts,” Alex explained. “That same day, I got text messages referring to me as two different people, neither of whom were me.”
Alex said he believes UPS Canada either doesn’t fully understand what happened yet, or it is being coy about what it knows. He said the wording of UPS’s response misleadingly suggests the smishing attacks were somehow the result of hackers randomly looking up package information via the company’s tracking website.
Alex said it’s likely that whoever is responsible figured out how to query the UPS Canada website for only pending orders from specific brands, perhaps by exploiting some type of application programming interface (API) that UPS Canada makes or made available to its biggest retail partners.
“It wasn’t like I put the order through [on Apple.ca] and some days or weeks later I got a targeted smishing attack,” he said. “It was more or less the same day. And it was as if [the phishers] were being notified the order existed.”
The letter to UPS Canada customers does not mention whether any other customers in North America were affected, and it remains unclear whether any UPS customers outside of Canada may have been targeted.
In a statement provided to KrebsOnSecurity, Sandy Springs, Ga. based UPS [NYSE:UPS] said the company has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it.
“Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries,” reads an email from Brian Hughes, director of financial and strategy communications at UPS.
“Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted,” Hughes said. “We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website.”
Social engineering. It’s a con game. And a con game by any other name stings just as badly.
Like any form of con, social engineering dupes their victims by playing on their emotions. Fear, excitement, and surprise. And they prey on human nature as well. The desire to help others, recognizing authority, and even the dream of hitting it big in the lottery. All of this comes into play in social engineering.
By design, the scammers who employ social engineering do so in an attempt to bilk people out of their personal information, their money, or both. More broadly, they’re designed to give scammers access—to a credit card, bank account, proprietary company information, and even physical access to a building or restricted space in the case of tailgating attacks. In this way, social engineering is an attack technique rather than a specific type of attack.
Several types of attacks employ social engineering:
The list goes on. Yet those are among the top attacks that use social engineering as a means of hoodwinking their victims. It’s a scammer’s secret weapon. Time and time again, we’ve seen just how effective it can be.
So while many bad actors turn to social engineering tricks to do their dirty work, they share several common characteristics. That makes them easy to spot. If you know what you’re looking for.
An overexcited or aggressive tone in an email, text, DM, or any kind of message you receive should put up a big red flag. Scammers use these scare tactics to get you to act without thinking things through first.
Common examples include imposter scams. The scammer will send a text or email that looks like it comes from someone you know. And they’ll say they’re in a jam of some sort, like their car has broken down in the middle of nowhere, or that they have a medical emergency and to go to urgent care. In many of these cases, scammers will quickly ask for money.
Another classic is the tax scam, where a scammer poses as a tax agent or representative. From there, they bully money out of their victims with threats of legal action or even arrest. Dealing with an actual tax issue might be uncomfortable, but a legitimate tax agent won’t threaten you like that.
You’ve won a sweepstakes! (That you never entered.) Get a great deal on this hard-to-find item! (That will never ship after you’ve paid for it.) Scammers will concoct all kinds of stories to separate you from your personal information.
The scammers behind bogus prizes and sweepstakes will ask you for banking information or sometimes even your tax ID number to pay out your winnings. Winnings you’ll never receive, of course. The scammer wants that information to raid your accounts and commit all kinds of identity theft.
Those great deals? The scammers might not ship them at all. They’ll drain your credit or debit card instead and leave you tapping your foot by your mailbox. Sometimes, the scammers might indeed ship you something after all—a knock-off item. One possibly made with child labor.
Scammers will often pose as people you know. That can include friends, family members, co-workers, bosses, vendors or clients at work, and so on. And when they do, something about the message you get will seem a bit strange.
For starters, the message might not sound like it came from them. What they say and how they say it seems off or out of character. It might include links or attachments you didn’t expect to get. Or the message might come to you via a DM sent from a “new” account they set up. In the workplace, you might get a message from your boss instructing you to pay someone a large sum from the company account.
These are all signs that something scammy might be afoot. You’ll want to follow up with these people in person or with a quick phone call just to confirm. Reach them in any way other than by replying to the message you received. Even if it looks like a legitimate account. There’s the chance their account was hacked.
How do scammers know how to reach you in the first place? And how do they seem to know just enough about you to cook up a convincing story? Clever scammers have resources, and they’ll do their homework. You can give them far less to work with by taking the following steps.
Online data brokers hoard all kinds of personal information about individuals. And they’ll sell it to anyone. That includes scammers. Data brokers gather it from multiple sources, such as public records and third parties that have further information like browsing histories and shopping histories (think your supermarket club card). With that information, a scammer can sound quite convincing—like they know you in some way or where your interests lie. You can get this information removed so scammers can’t get their hands on it. Our Personal Data Cleanup scans some of the riskiest data broker sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites and with select products, it can even manage the removal for you.
Needless to say, social media says a lot about you and what you’re into. You already know that because you put a part of yourself out there with each post—not to mention a record of the groups, pages, and things that you follow or like. All this provides yet more grist for a scammer’s mill when it comes time for them to concoct their stories. Setting your accounts to private takes your posts out of the public eye, and the eye of potential scammers too. This can help reduce your risk of getting conned.
Scammers throw all kinds of bogus links at people in the hope they’ll click and wind up on their scammy websites. They’ll also send attachments loaded with malware—a payload that contains ransomware, spyware, or viruses. If you get a message about one of your accounts, a shipment, or anything that involves your personal or financial info, confirm the sender. Did the message come from a legitimate address or account? Or was the address spoofed or the account a fake? For example, some scammers create social media accounts to pose as the U.S. Internal Revenue Service (IRS). The IRS doesn’t contact people through social media. If you have a concern about a message or account, visit the site in question by typing it in directly instead of clicking on the link in the message. Access your information from there or call their customer service line.
The combination of these two things makes it tough for scammers to crack your accounts. Even if they somehow get hold of your password, they can’t get into your account without the multifactor authentication number (usually sent to your phone in some form). A password manager as part of comprehensive online protection software can help you create and securely store those strong, unique passwords. Also, never give your authentication number to anyone after you receive it. Another common scammer trick is to masquerade as a customer service rep and ask you to send that number to them.
This is the one piece of advice scammers don’t want you to have, let alone follow. They count on you getting caught up in the moment—the emotion of it all. Once again, emotions, urgency, and human nature are all key components in any social engineering con. The moment you stop and think about the message, what it’s asking of you, and the way it’s asking you for it, will often quickly let you know that something is not quite right. Follow up. A quick phone call or face-to-face chat can help you from getting conned.
The post Social Engineering—The Scammer’s Secret Weapon appeared first on McAfee Blog.
With the number of cyber threats and breaches dominating the headlines, it can seem like a Herculean task to cover all your cybersecurity bases. We’re aware that there are ten sections on this cybersecurity awareness checklist, but it won’t take hours and hours to tick every box. In fact, some of these areas only require you to check a box on your device or invest in the cybersecurity tools that will handle the rest for you. Also, you may already be doing some of these things!
It’s easy to be cyber smart. Here are the cybersecurity awareness basics to instantly boost your safety and confidence in your online presence.
Software update notifications always seem to ping on the outskirts of your desktop and mobile device at the most inconvenient times. What’s more inconvenient though is having your device hacked. One easy tip to improve your cybersecurity is to update your device software whenever upgrades are available. Most software updates include security patches that smart teams have created to foil cybercriminals. The more outdated your apps or operating system is, the more time criminals have had to work out ways to infiltrate them.
Enabling automatic updates on all your devices only takes a few clicks or taps. Many major updates occur in the early hours of the morning, meaning that you’ll never know your devices were offline. You’ll just wake up to new, secure software!
Just because social media personalities document their entire days literally from the moment they wake up, doesn’t mean you should do the same. It’s best to leave some details about your life a mystery from the internet for various reasons.
The best way to avoid all of the above is to set your online profiles to private and edit your list of followers to only people you have met in real life and trust. Also, you may want to consider revising what you post about and how often.
If you genuinely love sharing moments from your daily life, consider sending a newsletter to a curated group of close friends and family. Aspiring influencers who still wants to capture and publish every aspect of their daily lives should be extremely careful about keeping sensitive details about themselves private, such as blurring their house number, not revealing their hometown, turning off location services, and going by a nickname instead of their full legal name.
Most sites won’t even let you proceed with creating an account if you don’t have a strong enough password. A strong password is one with a mix of capital and lowercase letters, numbers, and special characters. What also makes for an excellent password is one that’s unique. Reusing passwords can be just as risky as using “password123” or your pet’s name plus your birthday as a password. A reused password can put all your online accounts at risk, due to a practice called credential stuffing. Credential stuffing is a tactic where a cybercriminal attempts to input a stolen username and password combination in dozens of random websites to see which doors it opens.
Remembering a different password for each of your online accounts is almost an impossible task. Luckily, password managers make it so you only have to remember one password ever again! Password managers safeguard all your passwords in one secure desktop extension or smartphone app that you can use anywhere.
It’s best to create passwords or passphrases that have a secret meaning that only you know. Stay away from using significant dates, names, or places, because those are easier to guess. You can also leave it up to your password manager to randomly generate a password for you. The resulting unintelligible jumble of numbers, letters, and symbols is virtually impossible for anyone to guess.
Not all corners of the internet are safe to visit. Some dark crevices hide malware that can then sneak onto your device without you knowing. There are various types of malware, but the motive behind all of them is the same: To steal your personally identifiable information (PII) or your device’s power for a cybercriminal’s own financial gain.
Sites that claim to have free downloads of TV shows, movies, and games are notorious for harboring malware. Practice safe downloading habits, such as ensuring the site is secure, checking to see that it looks professional, and inspecting the URLs for suspicious file extensions.
Additionally, not all internet connections are free from prying eyes. Public Wi-Fi networks – like those in cafes, libraries, hotels, and transportation hubs – are especially prone. Because anyone can connect to a public network without needing a password, cybercriminals can digitally eavesdrop on other people on the same network. It’s unsafe to do your online banking, shopping, and other activities that deal with your financial or sensitive personal information while on public Wi-Fi.
However, there is one way to do so safely, and that’s with a virtual private network (VPN). A VPN is a type of software you can use on your smartphone, tablet, laptop, or desktop. It encrypts all your outgoing data, making it nearly impossible for a cybercriminal to snoop on your internet session.
You’ve likely already experienced a phishing attempt, whether you were aware of it or not. Phishing is a common tactic used to eke personal details from unsuspecting or trusting people. Phishers often initiate contact through texts, emails, or social media direct messages, and they aim to get enough information to break into your online accounts or to impersonate you.
AI text generator tools are making it more difficult to pinpoint a phisher, as messages can seem very humanlike. Typos and nonsensical sentences used to be the main indicator of a phishing attempt, but text generators generally use correct spelling and grammar. Here are a few tell-tale signs of a phishing attempt:
Never engage with a phishing attempt. Do not forward the message or respond to them and never click on any links included in their message. The links could direct to malicious sites that could infect your device with malware or spyware.
Before you delete the message, block the sender, mark the message as junk, and report the phisher. Reporting can go a long way toward hopefully preventing the phisher from targeting someone else.
When a security breach occurs, you can be sure that the news will report it. Plus, it’s the law for companies to notify the Federal Trade Commission of a breach. Keep a keen eye on the news and your inbox for notifications about recent breaches. Quick action is necessary to protect your personal and financial information, which is why you should be aware of current events.
The moment you hear about a breach on the news or see an email from a company to its customers about an incident, change your account’s password and double check your account’s recent activity to ensure nothing is amiss. Then await further action communicated through official company correspondences and official channels.
Cybercriminals aren’t above adding insult to injury and further scamming customers affected in breaches. Phishers may spam inboxes impersonating the company and sending malware-laden links they claim will reset your password. Continue to scrutinize your messages and keep an eye on the company’s official company website and verified social media accounts to ensure you’re getting company-approved advice.
One great mantra to guide your cybersecurity habits is: If you connect it, protect it. This means that any device that links to the internet should have security measures in place to shield it from cybercriminals. Yes, this includes your smart TV, smart refrigerator, smart thermostat, and smart lightbulbs!
Compose a list of the smart home devices you own. (You probably have more than you thought!) Then, make sure that every device is using a password you created, instead of the default password the device came with. Default passwords can be reused across an entire line of appliances. So, if a cybercriminal cracks the code on someone else’s smart washing machine, that could mean they could weasel their way into yours with the same password.
Another way to secure your connected home devices is by enabling two-factor authentication (2FA). This usually means enrolling your phone number or email address with the device and inputting one-time codes periodically to log into the connected device. 2FA is an excellent way to frustrate a cybercriminal, as it’s extremely difficult for them to bypass this security measure. It may add an extra 15 seconds to your login process, but the peace of mind is worth the minor inconvenience.
Finally, encase your entire home network with a secure router, or the device that connects your home Wi-Fi network to the internet. Again, change the password from the factory setting. And if you decide to rename the network, have fun with it but leave your name and address out of the new name.
When flip phones arrived on the scene in the 1990s and early 2000s, the worst that happened when they went missing was that you lost a cache of your stored text messages and call history. Now, when you misplace or have your smartphone stolen, it can seem like your whole online life vanished. Mobile devices store a lot of our sensitive information, so that’s why it’s key to not only safeguard your accounts but the devices that house them.
The best way to lock your device against anyone but yourself is to set up face or fingerprint ID. This makes it virtually impossible for a criminal to open your device. Also, passcode- or password-protect all your devices. It may seem like an inconvenience now, but your fingers will soon be able to glide across the keyboard or number pad fluently in just a few days, adding maybe an extra second to opening your device.
Another way to safeguard your device and the important information within it is to disable your favorite internet browser from auto-filling your passwords and credit card information. In the hands of a criminal, these details could lead to significant losses. A password manager here comes in handy for quick and secure password and username inputting.
Credit experts recommend checking your credit at least once yearly, but there’s no harm in checking your credit score more often. It’s only hard inquiries (or credit checks initiated by lenders) that may lower your credit score. Consider making it a habit to check your credit once every quarter. The first signs of identity theft often appear in a drastically lower credit score, which means that someone may be opening lines of credit in your name.
Also, if you’re not planning to apply for a new credit card or a loan anytime soon, why not lock your credit so no one can access it? A credit freeze makes it so that no one (yourself included) can touch it, thus keeping it out of the hands of thieves.
Picking up the pieces after a thief steals your identity is expensive, tedious, and time-consuming. Identity remediation includes reaching out to all three credit bureaus, filing reports, and spending hours tracking down your PII that’s now strewn across the internet.
Identity protection services can guard your identity so you hopefully avoid this entire scenario altogether. McAfee identity monitoring tracks the dark web for you and alerts you, on average, ten months sooner that something is amiss when compared to similar services. And if something does happen to your identity, McAfee identity restoration services offers $1 million in identity restoration and lends its support to help you get your identity and credit back in order.
The best complement to your newfound excellent cyber habits is a toolbelt of excellent services to patch any holes in your defense. McAfee+ includes all the services you need to boost your peace of mind about your online identity and privacy. You can surf public Wi-Fi safely with its secure VPN, protect your device with antivirus software, freeze your credit with security freeze, keep tabs on your identity, and more!
The post 10 Easy Things You Can Do Today to Improve Your Cybersecurity appeared first on McAfee Blog.
Ping, it’s a scammer!
The sound of an incoming email, text, or direct message has a way of getting your attention, so you take a look and see what’s up. It happens umpteen times a week, to the extent that it feels like the flow of your day. And scammers want to tap into that with sneaky phishing attacks that catch you off guard, all with the aim of stealing your personal information or bilking you out of your money.
Phishing attacks take several forms, where scammers masquerade as a legitimate company, financial institution, government agency, or even as someone you know. And they’ll come after you with messages that follow suit:
You can see why phishing attacks can be so effective. Messages like these have an urgency to them, and they seem like they’re legit, or they at least seem like they might deal with something you might care about. But of course they’re just a ruse. And some of them can look and sound rather convincing. Or at least convincing enough that you’ll not only give them a look, but that you’ll also give them a click too.
And that’s where the troubles start. Clicking the links or attachments sent in a phishing attack can lead to several potentially nasty things, such as:
However, plenty of phishing attacks are preventable. A mix of knowing what to look for and putting a few security steps in place can help you keep scammers at bay.
How you end up with one has a lot to do with it.
There’s a good chance you’ve already seen your share of phishing attempts on your phone. A text comes through with a brief message that one of your accounts needs attention, from an entirely unknown number. Along with it is a link that you can tap to follow up, which will send you to a malicious site. In some cases, the sender may skip the link and attempt to start a conversation with the aim of getting you to share your personal information or possibly fork over some payment with a gift card, money order, rechargeable debit card, or other form of payment that is difficult to trace and recover.
In the case of social media, you can expect that the attack will come from an imposter account that’s doing its best to pose as one of those legitimate businesses or organizations we talked about, or perhaps as a stranger or even someone you know. And the name and profile pic will do its best to play the part. If you click on the account that sent it, you may see that it was created only recently and that it has few to no followers, both of which are red flags. The attack is typically conversational, much like described above where the scammer attempts to pump you for personal info or money.
Attacks that come by direct messaging apps will work much in the same way. The scammer will set up a phony account, and where the app allows, a phony name and a phony profile pic to go along with it.
Email gets a little more complicated because emails can range anywhere from a few simple lines of text to a fully designed piece complete with images, formatting, and embedded links—much like a miniature web page.
In the past, email phishing attacks looked rather unsophisticated, rife with poor spelling and grammar, along with sloppy-looking layouts and images. That’s still sometimes the case today. Yet not always. Some phishing emails look like the real thing. Or nearly so.
Case in point, here’s a look at a phishing email masquerading as a McAfee email:
There’s a lot going on here. The scammers try to mimic the McAfee brand, yet don’t quite pull it off. Still, they do several things to try and be convincing.
Note the use of photography and the box shot of our software, paired with a prominent “act now” headline. It’s not the style of photography we use. Not that people would generally know this. However, some might have a passing thought like, “Huh. That doesn’t really look right for some reason.”
Beyond that, there are a few capitalization errors, some misplaced punctuation, plus the “order now” and “60% off” icons look rather slapped on. Also note the little dash of fear it throws in at the top of the email with mention of “There are (42) viruses on your computer.”
Taken all together, you can spot many email scams by taking a closer look, seeing what doesn’t feel right, and then trusting you gut. But that asks you to slow down, take a moment, and eyeball the email critically. Which people don’t always do. And that’s what scammers count on.
Similar ploys see scammers pose as legitimate companies and retailers, where they either ask you to log into a bogus account page to check statement or the status of an order. Some scammers offer links to “discount codes” that are instead links to landing pages designed steal your account login information as well. Similarly, they may simply send a malicious email attachment with the hope that you’ll click it.
In other forms of email phishing attacks, scammers may pose as a co-worker, business associate, vendor, or partner to get the victim to click a malicious link or download malicious software. These may include a link to a bogus invoice, spreadsheet, notetaking file, or word processing doc—just about anything that looks like it could be a piece of business correspondence. Instead, the link leads to a scam website that asks the victim “log in and download” the document, which steals account info as a result. Scammers may also include attachments to phishing emails that can install malware directly on the device, sometimes by infecting an otherwise everyday document with a malicious payload.
Email scammers may also pose as someone you know, whether by propping up an imposter email account or by outright hijacking an existing account. The attack follows the same playbook, using a link or an attachment to steal personal info, request funds, or install malware.
While you can’t outright stop phishing attacks from making their way to your computer or phone, you can do several things to keep yourself from falling to them. Further, you can do other things that may make it more difficult for scammers to reach you.
The content and the tone of the message can tell you quite a lot. Threatening messages or ones that play on fear are often phishing attacks, such angry messages from a so-called tax agent looking to collect back taxes. Other messages will lean heavy on urgency, like the phony McAfee phishing email above that says your license has expired today and that you have “(42)” viruses. And during the holidays, watch out for loud, overexcited messages about deep discounts on hard-to-find items. Instead of linking you off to a proper ecommerce site, they may link you to a scam shopping site that does nothing but steal your money and the account information you used to pay them. In all, phishing attacks indeed smell fishy. Slow down and review that message with a critical eye. It may tip you off to a scam.
Some phishing attacks can look rather convincing. So much so that you’ll want to follow up on them, like if your bank reports irregular activity on your account or a bill appears to be past due. In these cases, don’t click on the link in the message. Go straight to the website of the business or organization in question and access your account from there. Likewise, if you have questions, you can always reach out to their customer service number or web page.
When scammers contact you via social media, that in of itself can be a tell-tale sign of a scam. Consider, would an income tax collector contact you over social media? The answer there is no. For example, in the U.S. the Internal Revenue Service (IRS) makes it quite clear that they will never contact taxpayers via social media. (Let alone send angry, threatening messages.) In all, legitimate businesses and organizations don’t use social media as a channel for official communications. They have accepted ways they will, and will not, contact you. If you have any doubts about a communication you received, contact the business or organization in question directly and follow up with one of their customer service representatives.
Some phishing attacks involve attachments packed with malware like the ransomware, viruses, and keyloggers we mentioned earlier. If you receive a message with such an attachment, delete it. Even if you receive an email with an attachment from someone you know, follow up with that person. Particularly if you weren’t expecting an attachment from them. Scammers will often hijack or spoof email accounts of everyday people to spread malware.
On computers and laptops, you can hover your cursor over links without clicking on them to see the web address. Take a close look at the addresses the message is using. If it’s an email, look at the email address. Maybe the address doesn’t match the company or organization at all. Or maybe it looks like it almost does, yet it adds a few letters or words to the name. This marks yet another sign that you may have a phishing attack on your hands. Scammers also use the common tactic of a link shortener, which creates links that almost look like strings of indecipherable text. These shortened links mask the true address, which may indeed be a link to scam site. Delete the message. If possible, report it. Many social media platforms and messaging apps have built-in controls for reporting suspicious accounts and messages.
On social media and messaging platforms, stick to following, friending, and messaging people who you really know. As for those people who contact you out of the blue, be suspicious. Sad to say, they’re often scammers canvassing these platforms for victims. Better yet, where you can, set your profile to private, which makes it more difficult for scammers select and stalk you for an attack.
How’d that scammer get your phone number or email address anyway? Chances are, they pulled that information off a data broker site. Data brokers buy, collect, and sell detailed personal information, which they compile from several public and private sources, such as local, state, and federal records, plus third parties like supermarket shopper’s cards and mobile apps that share and sell user data. Moreover, they’ll sell it to anyone who pays for it, including people who’ll use that information for scams. You can help reduce those scam texts and calls by removing your information from those sites. Our Personal Data Cleanup scans some of the riskiest data broker sites and shows you which ones are selling your personal info.
Online protection software can protect you in several ways. First, it can offer safe browsing features that can identify malicious links and downloads, which can help prevent clicking them. Further, it can steer you away from dangerous websites and block malware and phishing sites if you accidentally click on a malicious link. And overall, strong virus and malware protection can further block any attacks on your devices. Be sure to protect your smartphones in addition to your computers and laptops as well, particularly given all the sensitive things we do on them, like banking, shopping, and booking rides and travel.
Once phishing attacks were largely the domain of bogus emails, yet now they’ve spread to texts, social media, and messaging apps—anywhere a scammer can send a fraudulent message while posing as a reputable source.
Scammers count on you taking the bait, the immediate feelings of fear or concern that there’s a problem with your taxes or one of your accounts. They also prey on scarcity, like during the holidays where people search for great deals on gifts and have plenty of packages on the move. With a critical eye, you can often spot those scams. Sometimes, a pause and a little thought is all it takes. And in the cases where a particularly cagey attack makes its way through, online protection software can warn you that the link you’re about to click is indeed a trap.
Taken all together, you have plenty of ways you can beat scammers at their game.
The post How to Avoid Phishing Attacks on Your Smartphones and Computers appeared first on McAfee Blog.
TLDHunt is a command-line tool designed to help users find available domain names for their online projects or businesses. By providing a keyword and a list of TLD (top-level domain) extensions, TLDHunt checks the availability of domain names that match the given criteria. This tool is particularly useful for those who want to quickly find a domain name that is not already taken, without having to perform a manual search on a domain registrar website.
For red teaming or phishing purposes, this tool can help you to find similar domains with different extensions from the original domain.
This tool is written in Bash and the only dependency required is whois. Therefore, make sure that you have installed whois on your system. In Debian, you can install whois using the following command:
sudo apt install whois -y
To detect whether a domain is registered or not, we search for the words "Name Server" in the output of the WHOIS command, as this is a signature of a registered domain. If you have a better signature or detection method, please feel free to submit a pull request.
You can use your custom tlds.txt list, but make sure that it is formatted like this:
.aero
.asia
.biz
.cat
.com
.coop
.info
.int
.jobs
.mobi
➜ TLDHunt ./tldhunt.sh
_____ _ ___ _ _ _
|_ _| | | \| || |_ _ _ _| |_
| | | |__| |) | __ | || | ' \ _|
|_| |____|___/|_||_|\_,_|_||_\__|
Domain Availability Checker
Keyword is required.
Usage: ./tldhunt.sh -k <keyword> [-e <tld> | -E <exts>] [-x]
Example: ./tldhunt.sh -k linuxsec -E tlds.txt
Example of TLDHunt usage:
./tldhunt.sh -k linuxsec -E tlds.txt
You can add -x flag to print only Not Registered domain. Example:
./tldhunt.sh -k linuxsec -E tlds.txt -x
There are plenty of phish in the sea.
Millions of bogus phishing emails land in millions of inboxes each day with one purpose in mind—to rip off the recipient. Whether they’re out to crack your bank account, steal personal information, or both, you can learn how to spot phishing emails and keep yourself safe.
And some of today’s phishing emails are indeed getting tougher to spot.
They seem like they come from companies you know and trust, like your bank, your credit card company, or services like Netflix, PayPal, and Amazon. And some of them look convincing. The writing and the layout are crisp, and the overall presentation looks professional. Yet still, there’s still something off about them.
And there’s certainly something wrong with that email. It was written by a scammer. Phishing emails employ a bait-and-hook tactic, where an urgent or enticing message is the bait and malware or a link to a phony login page is the hook.
Once the hook gets set, several things might happen. That phony login page may steal account and personal information. Or that malware might install keylogging software that steals information, viruses that open a back door through which data can get hijacked, or ransomware that holds a device and its data hostage until a fee is paid.
Again, you can sidestep these attacks if you know how to spot them. There are signs.
Let’s look at how prolific these attacks are, pick apart a few examples, and then break down the things you should look for.
<h2>Phishing attack statistics—the millions of attempts made each year.
In the U.S. alone, more than 300,000 victims reported a phishing attack to the FBI in 2022. Phishing attacks topped the list of reported complaints, roughly six times greater than the second top offender, personal data breaches. The actual figure is undoubtedly higher, given that not all attacks get reported.
Looking at phishing attacks worldwide, one study suggests that more than 255 million phishing attempts were made in the second half of 2022 alone. That marks a 61% increase over the previous year. Another study concluded that 1 in every 99 mails sent contained a phishing attack.
Yet scammers won’t always cast such a wide net. Statistics point to a rise in targeted spear phishing, where the attacker goes after a specific person. They will often target people at businesses who have the authority to transfer funds or make payments. Other targets include people who have access to sensitive information like passwords, proprietary data, and account information.
As such, the price of these attacks can get costly. In 2022, the FBI received 21,832 complaints from businesses that said they fell victim to a spear phishing attack. The adjusted losses were over $2.7 billion—an average cost of $123,671 per attack.
So while exacting phishing attack statistics remain somewhat elusive, there’s no question that phishing attacks are prolific. And costly.
<h2>What does a phishing attack look like?
Nearly every phishing attack sends an urgent message. One designed to get you to act.
Some examples …
When set within a nice design and paired some official-looking logos, it’s easy to see why plenty of people click the link or attachment that comes with messages like these.
And that’s the tricky thing with phishing attacks. Scammers have leveled up their game in recent years. Their phishing emails can look convincing. Not long ago, you could point to misspellings, lousy grammar, poor design, and logos that looked stretched or that used the wrong colors. Poorly executed phishing attacks like that still make their way into the world. However, it’s increasingly common to see far more sophisticated attacks today. Attacks that appear like a genuine message or notice.
Case in point:
Say you got an email that said your PayPal account had an issue. Would you type your account information here if you found yourself on this page? If so, you would have handed over your information to a scammer.
We took the screenshot above as part of following a phishing attack to its end—without entering any legitimate info, of course. In fact, we entered a garbage email address and password, and it still let us in. That’s because the scammers were after other information, as you’ll soon see.
As we dug into the site more deeply, it looked pretty spot on. The design mirrored PayPal’s style, and the footer links appeared official enough. Yet then we looked more closely.
Note the subtle errors, like “card informations” and “Configuration of my activity.” While companies make grammatical errors on occasion, spotting them in an interface should hoist a big red flag. Plus, the site asks for credit card information very early in the process. All suspicious.
Here’s where the attackers really got bold.
They ask for bank “informations,” which not only includes routing and account numbers, but they ask for the account password too. As said, bold. And entirely bogus.
Taken all together, the subtle errors and the bald-faced grab for exacting account information clearly mark this as a scam.
Let’s take a few steps back, though. Who sent the phishing email that directed us to this malicious site? None other than “paypal at inc dot-com.”
Clearly, that’s a phony email. And typical of a phishing attack where an attacker shoehorns a familiar name into an unassociated email address, in this case “inc dot-com.” Attackers may also gin up phony addresses that mimic official addresses, like “paypalcustsv dot-com.” Anything to trick you.
Likewise, the malicious site that the phishing email sent us to used a spoofed address as well. It had no official association with PayPal at all—which is proof positive of a phishing attack.
Note that companies only send emails from their official domain names, just as their sites only use their official domain names. Several companies and organizations will list those official domains on their websites to help curb phishing attacks.
For example, PayPal has a page that clearly states how it will and will not contact you. At McAfee, we have an entire page dedicated to preventing phishing attacks, which also lists the official email addresses we use.
Not every scammer is so sophisticated, at least in the way that they design their phishing emails. We can point to a few phishing emails that posed as legitimate communication from McAfee as examples.
There’s a lot going on in this first email example. The scammers try to mimic the McAfee brand, yet don’t pull it off. Still, they do several things to try to act convincing.
Note the use of photography and the box shot of our software, paired with a prominent “act now” headline. It’s not the style of photography we use. Not that people would generally know this. However, some might have a passing thought like, “Huh. That doesn’t really look like what McAfee usually sends me.”
Beyond that, there are a few capitalization errors, some misplaced punctuation, and the “order now” and “60% off” icons look rather slapped on. Also note the little dash of fear it throws in with a mention of “There are (42) viruses on your computer …”
Taken all together, someone can readily spot that this is a scam with a closer look.
This next ad falls into the less sophisticated category. It’s practically all text and goes heavy on the red ink. Once again, it hosts plenty of capitalization errors, with a few gaffes in grammar as well. In all, it doesn’t read smoothly. Nor is it easy on the eye, as a proper email about your account should be.
What sets this example apart is the “advertisement” disclaimer below, which tries to lend the attack some legitimacy. Also note the phony “unsubscribe” link, plus the (scratched out) mailing address and phone, which all try to do the same.
This last example doesn’t get our font right, and the trademark symbol is awkwardly placed. The usual grammar and capitalization errors crop up again, yet this piece of phishing takes a slightly different approach.
The scammers placed a little timer at the bottom of the email. That adds a degree of scarcity. They want you to think that you have about half an hour before you are unable to register for protection. That’s bogus, of course.
Seeing any recurring themes? There are a few for sure. With these examples in mind, get into the details—how you can spot phishing attacks and how you can avoid them altogether.
Just as we saw, some phishing attacks indeed appear fishy from the start. Yet sometimes it takes a bit of time and a particularly critical eye to spot.
And that’s what scammers count on. They hope that you’re moving quickly or otherwise a little preoccupied when you’re going through your email or messages. Distracted enough so that you might not pause to think, is this message really legit?
One of the best ways to beat scammers is to take a moment to scrutinize that message while keeping the following in mind …
Fear. That’s a big one. Maybe it’s an angry-sounding email from a government agency saying that you owe back taxes. Or maybe it’s another from a family member asking for money because there’s an emergency. Either way, scammers will lean heavily on fear as a motivator.
If you receive such a message, think twice. Consider if it’s genuine. For instance, consider that tax email example. In the U.S., the Internal Revenue Service (IRS) has specific guidelines as to how and when they will contact you. As a rule, they will likely contact you via physical mail delivered by the U.S. Postal Service. (They won’t call or apply pressure tactics—only scammers do that.) Likewise, other nations will have similar standards as well.
Scammers also love urgency. Phishing attacks begin by stirring up your emotions and getting you to act quickly. Scammers might use threats or overly excitable language to create that sense of urgency, both of which are clear signs of a potential scam.
Granted, legitimate businesses and organizations might reach out to notify you of a late payment or possible illicit activity on one of your accounts. Yet they’ll take a far more professional and even-handed tone than a scammer would. For example, it’s highly unlikely that your local electric utility will angrily shut off your service if you don’t pay your past due bill immediately.
Gift cards, cryptocurrency, money orders—these forms of payment are another sign that you might be looking at a phishing attack. Scammers prefer these methods of payment because they’re difficult to trace. Additionally, consumers have little or no way to recover lost funds from these payment methods.
Legitimate businesses and organizations won’t ask for payments in those forms. If you get a message asking for payment in one of those forms, you can bet it’s a scam.
Here’s another way you can spot a phishing attack. Take a close look at the addresses the message is using. If it’s an email, look at the email address. Maybe the address doesn’t match the company or organization at all. Or maybe it does somewhat, yet it adds a few letters or words to the name. This marks yet another sign that you might have a phishing attack on your hands.
Likewise, if the message contains a web link, closely examine that as well. If the name looks at all unfamiliar or altered from the way you’ve seen it before, that might also mean you’re looking at a phishing attempt.
Online protection software can protect you from phishing attacks in several ways.
For starters, it offers web protection that warns you when links lead to malicious websites, such as the ones used in phishing attacks. In the same way, online protection software can warn you about malicious downloads and email attachments so that you don’t end up with malware on your device. And, if the unfortunate does happen, antivirus can block and remove malware.
Online protection software like ours can also address the root of the problem. Scammers must get your email address from somewhere. Often, they get it from online data brokers, sites that gather and sell personal information to any buyer—scammers included.
Data brokers source this information from public records and third parties alike that they sell in bulk, providing scammers with massive mailing lists that can target thousands of potential victims. You can remove your personal info from some of the riskiest data broker sites with our Personal Data Cleanup, which can lower your exposure to scammers by keeping your email address out of their hands.
In all, phishing emails have telltale signs, some more difficult to see than others. Yet you can spot them when you know what to look for and take the time to look for them. With these attacks so prevalent and on the rise, looking at your email with a critical eye is a must today.
The post How to Spot Phishing Emails and Scams appeared first on McAfee Blog.
Ping, it’s a scammer!
The sound of an incoming email, text, or direct message has a way of getting your attention, so you take a look and see what’s up. It happens umpteen times a week, to the extent that it feels like the flow of your day. And scammers want to tap into that with sneaky phishing attacks that catch you off guard, all with the aim of stealing your personal information or bilking you out of your money.
Phishing attacks take several forms, where scammers masquerade as a legitimate company, financial institution, government agency, or even as someone you know. And they’ll come after you with messages that follow suit:
You can see why phishing attacks can be so effective. Messages like these have an urgency to them, and they seem like they’re legit, or they at least seem like they might deal with something you might care about. But of course they’re just a ruse. And some of them can look and sound rather convincing. Or at least convincing enough that you’ll not only give them a look, but that you’ll also give them a click too.
And that’s where the troubles start. Clicking the links or attachments sent in a phishing attack can lead to several potentially nasty things, such as:
However, plenty of phishing attacks are preventable. A mix of knowing what to look for and putting a few security steps in place can help you keep scammers at bay.
How you end up with one has a lot to do with it.
There’s a good chance you’ve already seen your share of phishing attempts on your phone. A text comes through with a brief message that one of your accounts needs attention, from an entirely unknown number. Along with it is a link that you can tap to follow up, which will send you to a malicious site. In some cases, the sender may skip the link and attempt to start a conversation with the aim of getting you to share your personal information or possibly fork over some payment with a gift card, money order, rechargeable debit card, or other form of payment that is difficult to trace and recover.
In the case of social media, you can expect that the attack will come from an imposter account that’s doing its best to pose as one of those legitimate businesses or organizations we talked about, or perhaps as a stranger or even someone you know. And the name and profile pic will do its best to play the part. If you click on the account that sent it, you may see that it was created only recently and that it has few to no followers, both of which are red flags. The attack is typically conversational, much like described above where the scammer attempts to pump you for personal info or money.
Attacks that come by direct messaging apps will work much in the same way. The scammer will set up a phony account, and where the app allows, a phony name and a phony profile pic to go along with it.
Email gets a little more complicated because emails can range anywhere from a few simple lines of text to a fully designed piece complete with images, formatting, and embedded links—much like a miniature web page.
In the past, email phishing attacks looked rather unsophisticated, rife with poor spelling and grammar, along with sloppy-looking layouts and images. That’s still sometimes the case today. Yet not always. Some phishing emails look like the real thing. Or nearly so.
Case in point, here’s a look at a phishing email masquerading as a McAfee email:
There’s a lot going on here. The scammers try to mimic the McAfee brand, yet don’t quite pull it off. Still, they do several things to try and be convincing.
Note the use of photography and the box shot of our software, paired with a prominent “act now” headline. It’s not the style of photography we use. Not that people would generally know this. However, some might have a passing thought like, “Huh. That doesn’t really look right for some reason.”
Beyond that, there are a few capitalization errors, some misplaced punctuation, plus the “order now” and “60% off” icons look rather slapped on. Also note the little dash of fear it throws in at the top of the email with mention of “There are (42) viruses on your computer.”
Taken all together, you can spot many email scams by taking a closer look, seeing what doesn’t feel right, and then trusting you gut. But that asks you to slow down, take a moment, and eyeball the email critically. Which people don’t always do. And that’s what scammers count on.
Similar ploys see scammers pose as legitimate companies and retailers, where they either ask you to log into a bogus account page to check statement or the status of an order. Some scammers offer links to “discount codes” that are instead links to landing pages designed steal your account login information as well. Similarly, they may simply send a malicious email attachment with the hope that you’ll click it.
In other forms of email phishing attacks, scammers may pose as a co-worker, business associate, vendor, or partner to get the victim to click a malicious link or download malicious software. These may include a link to a bogus invoice, spreadsheet, notetaking file, or word processing doc—just about anything that looks like it could be a piece of business correspondence. Instead, the link leads to a scam website that asks the victim “log in and download” the document, which steals account info as a result. Scammers may also include attachments to phishing emails that can install malware directly on the device, sometimes by infecting an otherwise everyday document with a malicious payload.
Email scammers may also pose as someone you know, whether by propping up an imposter email account or by outright hijacking an existing account. The attack follows the same playbook, using a link or an attachment to steal personal info, request funds, or install malware.
While you can’t outright stop phishing attacks from making their way to your computer or phone, you can do several things to keep yourself from falling to them. Further, you can do other things that may make it more difficult for scammers to reach you.
The content and the tone of the message can tell you quite a lot. Threatening messages or ones that play on fear are often phishing attacks, such angry messages from a so-called tax agent looking to collect back taxes. Other messages will lean heavy on urgency, like the phony McAfee phishing email above that says your license has expired today and that you have “(42)” viruses. And during the holidays, watch out for loud, overexcited messages about deep discounts on hard-to-find items. Instead of linking you off to a proper ecommerce site, they may link you to a scam shopping site that does nothing but steal your money and the account information you used to pay them. In all, phishing attacks indeed smell fishy. Slow down and review that message with a critical eye. It may tip you off to a scam.
Some phishing attacks can look rather convincing. So much so that you’ll want to follow up on them, like if your bank reports irregular activity on your account or a bill appears to be past due. In these cases, don’t click on the link in the message. Go straight to the website of the business or organization in question and access your account from there. Likewise, if you have questions, you can always reach out to their customer service number or web page.
When scammers contact you via social media, that in of itself can be a tell-tale sign of a scam. Consider, would an income tax collector contact you over social media? The answer there is no. For example, in the U.S. the Internal Revenue Service (IRS) makes it quite clear that they will never contact taxpayers via social media. (Let alone send angry, threatening messages.) In all, legitimate businesses and organizations don’t use social media as a channel for official communications. They have accepted ways they will, and will not, contact you. If you have any doubts about a communication you received, contact the business or organization in question directly and follow up with one of their customer service representatives.
Some phishing attacks involve attachments packed with malware like the ransomware, viruses, and keyloggers we mentioned earlier. If you receive a message with such an attachment, delete it. Even if you receive an email with an attachment from someone you know, follow up with that person. Particularly if you weren’t expecting an attachment from them. Scammers will often hijack or spoof email accounts of everyday people to spread malware.
On computers and laptops, you can hover your cursor over links without clicking on them to see the web address. Take a close look at the addresses the message is using. If it’s an email, look at the email address. Maybe the address doesn’t match the company or organization at all. Or maybe it looks like it almost does, yet it adds a few letters or words to the name. This marks yet another sign that you may have a phishing attack on your hands. Scammers also use the common tactic of a link shortener, which creates links that almost look like strings of indecipherable text. These shortened links mask the true address, which may indeed be a link to scam site. Delete the message. If possible, report it. Many social media platforms and messaging apps have built-in controls for reporting suspicious accounts and messages.
On social media and messaging platforms, stick to following, friending, and messaging people who you really know. As for those people who contact you out of the blue, be suspicious. Sad to say, they’re often scammers canvassing these platforms for victims. Better yet, where you can, set your profile to private, which makes it more difficult for scammers select and stalk you for an attack.
How’d that scammer get your phone number or email address anyway? Chances are, they pulled that information off a data broker site. Data brokers buy, collect, and sell detailed personal information, which they compile from several public and private sources, such as local, state, and federal records, plus third parties like supermarket shopper’s cards and mobile apps that share and sell user data. Moreover, they’ll sell it to anyone who pays for it, including people who’ll use that information for scams. You can help reduce those scam texts and calls by removing your information from those sites. Our Personal Data Cleanup scans some of the riskiest data broker sites and shows you which ones are selling your personal info.
Online protection software can protect you in several ways. First, it can offer safe browsing features that can identify malicious links and downloads, which can help prevent clicking them. Further, it can steer you away from dangerous websites and block malware and phishing sites if you accidentally click on a malicious link. And overall, strong virus and malware protection can further block any attacks on your devices. Be sure to protect your smartphones in addition to your computers and laptops as well, particularly given all the sensitive things we do on them, like banking, shopping, and booking rides and travel.
Once phishing attacks were largely the domain of bogus emails, yet now they’ve spread to texts, social media, and messaging apps—anywhere a scammer can send a fraudulent message while posing as a reputable source.
Scammers count on you taking the bait, the immediate feelings of fear or concern that there’s a problem with your taxes or one of your accounts. They also prey on scarcity, like during the holidays where people search for great deals on gifts and have plenty of packages on the move. With a critical eye, you can often spot those scams. Sometimes, a pause and a little thought is all it takes. You can stay one step ahead of scammers with the power of AI, our new McAfee Scam Protection can alert you when scam texts pop up on your device or phone. Removing the guessing and it can block risky sites if you accidentally follow a scam link in a text, email, social media, and more. And in the cases where a particularly cagey attack makes its way through, online protection software can warn you that the link you’re about to click is indeed a trap.
Taken all together, you have plenty of ways you can beat scammers at their game.
The post How to Protect Yourself From Phishing Scams appeared first on McAfee Blog.
Web hosting giant GoDaddy made headlines this month when it disclosed that a multi-year breach allowed intruders to steal company source code, siphon customer and employee login credentials, and foist malware on customer websites. Media coverage understandably focused on GoDaddy’s admission that it suffered three different cyberattacks over as many years at the hands of the same hacking group. But it’s worth revisiting how this group typically got in to targeted companies: By calling employees and tricking them into navigating to a phishing website.
In a filing with the U.S. Securities and Exchange Commission (SEC), GoDaddy said it determined that the same “sophisticated threat actor group” was responsible for three separate intrusions, including:
-March 2020: A spear-phishing attack on a GoDaddy employee compromised the hosting login credentials of approximately 28,000 GoDaddy customers, as well as login credentials for a small number employees;
-November 2021: A compromised GoDaddy password let attackers steal source code and information tied to 1.2 million customers, including website administrator passwords, sFTP credentials, and private SSL keys;
-December 2022: Hackers gained access to and installed malware on GoDaddy’s cPanel hosting servers that “intermittently redirected random customer websites to malicious sites.”
“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the company stated in its SEC filing.
What else do we know about the cause of these incidents? We don’t know much about the source of the November 2021 incident, other than GoDaddy’s statement that it involved a compromised password, and that it took about two months for the company to detect the intrusion. GoDaddy has not disclosed the source of the breach in December 2022 that led to malware on some customer websites.
But we do know the March 2020 attack was precipitated by a spear-phishing attack against a GoDaddy employee. GoDaddy described the incident at the time in general terms as a social engineering attack, but one of its customers affected by that March 2020 breach actually spoke to one of the hackers involved.
The hackers were able to change the Domain Name System (DNS) records for the transaction brokering site escrow.com so that it pointed to an address in Malaysia that was host to just a few other domains, including the then brand-new phishing domain servicenow-godaddy[.]com.
The general manager of Escrow.com found himself on the phone with one of the GoDaddy hackers, after someone who claimed they worked at GoDaddy called and said they needed him to authorize some changes to the account.
In reality, the caller had just tricked a GoDaddy employee into giving away their credentials, and he could see from the employee’s account that Escrow.com required a specific security procedure to complete a domain transfer.
The general manager of Escrow.com said he suspected the call was a scam, but decided to play along for about an hour — all the while recording the call and coaxing information out of the scammer.
“This guy had access to the notes, and knew the number to call,” to make changes to the account, the CEO of Escrow.com told KrebsOnSecurity. “He was literally reading off the tickets to the notes of the admin panel inside GoDaddy.”
About halfway through this conversation — after being called out by the general manager as an imposter — the hacker admitted that he was not a GoDaddy employee, and that he was in fact part of a group that enjoyed repeated success with social engineering employees at targeted companies over the phone.
Absent from GoDaddy’s SEC statement is another spate of attacks in November 2020, in which unknown intruders redirected email and web traffic for multiple cryptocurrency services that used GoDaddy in some capacity.
It is possible this incident was not mentioned because it was the work of yet another group of intruders. But in response to questions from KrebsOnSecurity at the time, GoDaddy said that incident also stemmed from a “limited” number of GoDaddy employees falling for a sophisticated social engineering scam.
“As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks,” GoDaddy said in a written statement back in 2020.
Voice phishing or “vishing” attacks typically target employees who work remotely. The phishers will usually claim that they’re calling from the employer’s IT department, supposedly to help troubleshoot some issue. The goal is to convince the target to enter their credentials at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.
Experts interviewed for an August 2020 story on a steep rise in successful voice phishing attacks said there are generally at least two people involved in each vishing scam: One who is social engineering the target over the phone, and another co-conspirator who takes any credentials entered at the phishing page — including multi-factor authentication codes shared by the victim — and quickly uses them to log in to the company’s website.
The attackers are usually careful to do nothing with the phishing domain until they are ready to initiate a vishing call to a potential victim. And when the attack or call is complete, they disable the website tied to the domain.
This is key because many domain registrars will only respond to external requests to take down a phishing website if the site is live at the time of the abuse complaint. This tactic also can stymie efforts by companies that focus on identifying newly-registered phishing domains before they can be used for fraud.
A U2F device made by Yubikey.
GoDaddy’s latest SEC filing indicates the company had nearly 7,000 employees as of December 2022. In addition, GoDaddy contracts with another 3,000 people who work full-time for the company via business process outsourcing companies based primarily in India, the Philippines and Colombia.
Many companies now require employees to supply a one-time password — such as one sent via SMS or produced by a mobile authenticator app — in addition to their username and password when logging in to company assets online. But both SMS and app-based codes can be undermined by phishing attacks that simply request this information in addition to the user’s password.
One multifactor option — physical security keys — appears to be immune to these advanced scams. The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.
The allure of U2F devices for multi-factor authentication is that even if an employee who has enrolled a security key for authentication tries to log in at an impostor site, the company’s systems simply refuse to request the security key if the user isn’t on their employer’s legitimate website, and the login attempt fails. Thus, the second factor cannot be phished, either over the phone or Internet.
In July 2018, Google disclosed that it had not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of one-time codes.
Written by James Schmidt
Editor’s Note: We often speak of online scams in our blogs, ones that cost victims hundreds if not thousands of dollars. This account puts a face on one of those scams—along with the personal, financial, and emotional pain that they can leave in their wake. This is the story of “Meredith,” whose aunt “Leslie” fell victim to an emerging form on online elder fraud. Our thanks to James for bringing it forward and to “Meredith’s” family for sharing it, all so others can prevent such scams from happening to them.
“Embarrassing. Simply embarrassing.” She shook her head. “It’s too raw. I can’t talk about it right now. I need time.”
Her aunt had been scammed. To the tune of $100,000 dollars. My colleague—we both work in the security industry—felt a peculiar sense of loss.
“I work in this industry. I thought I’d done everything right. I’ve passed on enough warnings to my family and friends to ensure they’d avoid the fate of the scammed. Simply because I’m in this industry does not imply my circle is always aware of all the threats to them, even if I do my best to teach them.”
“My mental state, recently, borders on shame; this feeling, you know? How could someone working in my industry have something like this happen to a family member?”
I told her many people working in other industries cannot control what happens to people in their families even if people in that industry had knowledge that could have helped them or otherwise avoided a problem altogether.
“I know, but this simply should never have happened! My aunt is one of the smartest, most conscientious people I know, and she fell for this. It’s crazy and I can’t wrap my head around it.”
My colleague, let’s call her Meredith (not her real name as she’s a bit ashamed to know this happened to a family member), told me the beginnings.
Let’s call her aunt Leslie.
Her story unfolds, the overall picture a pastiche of millions of people in the United States today. Her aunt is retired, bored, lonely, and isolated. She feels adrift without something to occupy her time; she was looking for companionship, connections, someone (anyone) to talk to. Her feelings intensified during the pandemic. She morphed into perfect prey for scammers of what is now known as the “Pig Butchering Scam.”
The term “Pig Butchering” has a visceral and raw feel to it, which falls right in line with how brutal this scam can be. It’s a long con game, where the scammer befriends the victim and encourages them to make small investments through the scammer, which get bigger and bigger over time. The scammer builds trust early with what appear to be small investment wins. None of it is legit. The money goes right into the scammer’s pocket, even as the scammer shows the victim phony financial statements and dashboards to show off the bogus returns. Confidence grows. The scammer wrings even larger sums out of the victim. And then disappears.
It was a targeted attack that started innocuously enough with a “fake wrong number”. An SMS arrives. A text conversation starts. The scammer then apologizes but tells Leslie someone gave them the number to initiate the text.
The scammer then uses emotional and psychological techniques to keep Leslie hooked. “How are you, are you having a nice day?” Leslie, being bored and interested, engages willingly.
The scammer asks to talk directly, not via text: and a phone conversation ensues. The scammer proceeds to describe—in very soothing detail—what they are doing, helping people, like Leslie, invest their “hard-earned money” into something that will make them more money, to help them out in retirement.
Of course, it is too good to be true.
“The craziest part of all of this is my aunt refuses—to this day—to believe she’s been scammed!”
She still thinks this scammer is a “friend” even though the entire family is up in arms over this, all of whom beg her aunt to “open her eyes.”
“My aunt still thinks she’d going to see that money again, or even make some money, which is crazy. The scammers are so good at emotional intelligence; really leveraging heartstrings and psychological makeup of the forlorn in society. My aunt finally agreed to stop sending more money to the scammers, but only after the entire family threatened to cut her off from the rest of the family. It took a lot to get her to stop trusting the scammers.”
Meredith feels this is doubly sad as the aunt in question is not someone they’d ever imagine would in this predicament. She was always the upright one, always the diligent and hardworking and the best with money. She is smart and savvy and we could never imagine her to be taken by these people and taken so easily. It boggles the mind.”
She did start to change in the last few years. And the pandemic created a weird situation. Retirement, loneliness from loss of a partner, and the added burden of the pandemic created a perfect storm for her to open herself up to someone willingly, simply for the sake of connection.
“No one deserves this. It has rocked my family to the core. It is not only about the money, but we’ve found family bonds stretched. She believes these random people, these scammers, more than she believes her own family. Have we been neglectful of our aunt? Does she no longer put her faith in people she knows, rather gives money to complete strangers?”
Being a security professional does not provide magical protection. We are more aware of scams and scammers, and how they work, and what to look for, and we try to do all we can to keep our family aware of scams out there in the big wide world, but we are human. We fall short.
Diligence is action. Awareness is action. Education is action.
We need to be better, all of us, at socializing risky things. We need to consistently educate our family and friends to protect themselves, not only via security software (which everyone should have as default) but by providing tips and tricks and warnings for things we all need to be on the lookout. This is not a one-time thing. The cliché holds true: “If you see something say something.” Repetition helps.
In today’s world, the need for protecting people’s security, identity, and privacy is critical to keeping them safe. Scammers long stopped focusing on attacking only your computer. Now focus more than ever on YOU: your identity, your privacy, your trust. If they get you there, they soon get your money.
As for contributing factors to scammers success with their victims, such as loneliness, isolation, and boredom, they all have remedies. Make connections with your loved ones, especially those easily tagged as vulnerable, those you feel might be at risk. Reach out. It may be hard sometimes due to distance and other factors but make it a point to connect. There is a reason these scammers are succeeding. They are stepping into roles of companions to people who are desperate for connection.
Most people are greatly saddened at seeing other people being “taken.” Let’s work together to help stop the scammers.
Look out for each other, and get your people protected!
Editor’s Closing Note:
If you or someone you know suspects elder fraud, the following resources can help:
For further reading on scams and scam prevention, check out the guides in our McAfee Safety Series, which provide in-depth advice on protecting your identity and privacy—and your family from scams. They’re ready to download and share.
The post A Scam in the Family—How a Close Relative Lost $100,000 to an Elder Scam appeared first on McAfee Blog.
