A campaign recently reported by Farsight Security involved an internationalized domain name (IDN) “homograph-based” phishing website that tricked mobile users into inputting their personal information. The suspected phishing websites presented as commercial airline carriers – specifically Delta Airlines, easyJet and Ryanair – and offered free tickets, fooling users with the age-old bait-and-switch technique.
Users were asked to respond to a series of seemingly innocent questions and then share the free offer with 15 of their WhatsApp contacts before being directed to the URL where they could access the free tickets. After Farsight discovered the first suspected Delta phishing site, it immediately informed the company. According to Farsight researchers, the websites were optimized for mobile and failed to work smoothly on desktop, leaving mobile users as prime targets.
It’s not unusual for phishing scams to use spoofed sites and homograph domains to fool unsuspecting users with trusted brand names. “Users, especially on smaller mobile screens, may not be paying close attention to the URLs or domain names of sites to verify their legitimacy,” said Dirk Morris, chief product officer at Untangle.
Despite having been around for a while, these types of attacks remain largely successful. “Studies have shown that 95% of web-based attacks use social engineering to trick users,” said Atif Mushtaq, CEO at SlashNext.
“These types of contest phishing scams have become increasingly sophisticated, in large part because people are getting trained by their organizations to recognize fake emails, giveaway scams or imposter websites asking for credit card or login details.”
Being duped by sophisticated phishing scams is not uncommon, but there are common signs to look for in phishing scams. What users need to remember is that nothing is ever really free, explained Ajay Menendez, executive director, HUNT Program at SecureSet.
“Check the ‘from’ email address for any signs that it might not be legitimate, and look for numbers instead of letters or common misspellings or letters that are inverted or missing. Poor spelling and grammar can be giveaways in the body of the email,” Menendez said.
“Your bank and other legitimate accounts will never ask for your social security number in an email. If you receive an email asking for this information, call your bank (and any other company who may be requesting this) to confirm. Never provide email, account information or passwords via email.”
“Many phishing scams will look very legitimate, he said, “so even if the email looks like it comes from your cable company, be extra cautious. This is an instance where an ounce of prevention is worth a pound of cure.”