Phishing via Misspelling

July 25, 2018
Phishing Prevention

Phishing, no matter what form it takes, is now considered to be the #1 security threat affecting users and their devices. While most phishing techniques have remained a stable cyber-attack over the years, affecting computer users for as long as the internet has been around, attackers have learned to take advantage of one unsuspecting element: the users.

Several studies suggest that a user is 3x more likely to fall victim to a phishing attack on their own device (mobile or PC). There are a number of reasons why this is the case; one is the limited screen real estate mobile devices provide, which makes it easy, when browsing, to navigate to a specific URL without realizing it’s a phishing site.

Users simply don’t expect these things to happen on their PC or mobile devices, which they essentially trust, of course.

To show an example, we have considered a few major brands that are familiar to most users.

  • Google
  • Apple
  • Paypal
  • Microsoft
  • Facebook

These brands are explicitly “trusted” by their users because of their reputation. And they have their own online platforms that users interact with on a regular basis, regardless of whether it’s via PC or mobile.

Cyber-attackers, of course, know how to take advantage of this trust. They register domains or create webpages that contain these brand names to increase the probability of users handing these fake sites their personal information. And the unfortunate thing is, users are falling for it.

For example, imagine the domain name www.facebook.photos.login. This can easily be a malicious domain. Keep in mind that this is not the same as www.facebook/photos/login. The full stops mean this is in fact a subdomain, one that in all probability is not owned by Facebook.

This subdomain can therefore be registered by anyone, making it an appealing option for cyber-attackers looking to exploit victims. With the limited screen real estate of mobile devices, it’s especially difficult to tell the difference between a legitimate domain and a spoofed subdomain.

Users are more than likely to mistake a familiar-looking phishing link for a legitimate one, especially with the advanced phishing techniques cyber-attackers are using today. This simply goes to show that regardless of the brand name, keyword or channel used, even the most legitimate-looking links cannot be taken on trust.

In this case, attackers are placing their bets on you casually neglecting the subtle irregularities in their malicious URLs. This is much easier to do than you might first anticipate. Think about the numerous times you’ve misspelled a domain when you’ve typed it into your browser, especially when you’ve entered it on your phone (with a small keyboard and even smaller font).

So when you look at:

www.amazon.com/home….

www.amazo.com/home…

There really isn’t much of a difference unless you’re looking very, very closely.
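Both patterns above, a brand name pushed into a subdomain label (www.facebook.photos.login) and a one-character misspelling of the real domain (amazo.com for amazon.com), can be flagged automatically before a link is clicked. The following checker is an added example written for this post, not code from the original article: it extracts the host from a URL, finds the registrable domain (the part someone actually had to register) using a deliberately tiny, constructed stand-in for the Public Suffix List, and then reports a brand name appearing outside a trusted registrable domain or a registrable domain within one typing error of a trusted one. The trusted-domain set and the suffix table are assumptions for the example; real deployments should use the full Public Suffix List.

```python
"""Lookalike-domain checker (added example, not the original post's code).

Given a URL, extract the host, find its registrable domain (eTLD+1) and
flag two of the patterns discussed in the post:

  1. a trusted brand name used as a label while the registrable domain is
     NOT that brand's (e.g. www.facebook.photos.login -> photos.login)
  2. a registrable domain one typing error away from a trusted domain
     (e.g. amazo.com vs amazon.com)
"""
from urllib.parse import urlsplit

# Constructed for this example: brand domains we treat as legitimate.
TRUSTED_DOMAINS = {
    "google.com", "apple.com", "paypal.com", "microsoft.com",
    "facebook.com", "amazon.com",
}

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# Production code should load the full list (e.g. the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "login"}


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL; a bare host is accepted too."""
    if "//" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Return the eTLD+1, e.g. 'photos.login' for 'www.facebook.photos.login'."""
    labels = host.split(".")
    # Scan from the full host downwards so the longest public suffix wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The host itself is a public suffix: nothing registrable above it.
            return host if i == 0 else ".".join(labels[i - 1:])
    # Unknown TLD in this toy table: fall back to the last two labels.
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete or substitute at cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_url(url: str) -> dict:
    """Classify a URL as 'trusted', 'suspicious' or 'unknown' with a reason."""
    host = host_of(url)
    reg = registrable_domain(host)
    result = {"host": host, "registrable": reg, "verdict": "unknown", "reason": ""}
    if reg in TRUSTED_DOMAINS:
        result["verdict"] = "trusted"
        return result
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    # Pattern 1: a brand name in any label, but the registrable domain is not the brand's.
    for label in host.split("."):
        for brand in brands:
            if brand in label:
                result["verdict"] = "suspicious"
                result["reason"] = f"brand '{brand}' in label '{label}' but domain is {reg}"
                return result
    # Pattern 2: the registrable domain is one typo away from a trusted domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(reg, trusted) == 1:
            result["verdict"] = "suspicious"
            result["reason"] = f"{reg} is one typo away from {trusted}"
            return result
    return result


if __name__ == "__main__":
    for u in ("www.amazon.com/home", "www.amazo.com/home", "www.facebook.photos.login"):
        print(u, "->", check_url(u))
```

The registrable-domain step is what makes the subdomain case work: splitting on full stops alone would treat facebook as the important label, whereas the public-suffix lookup shows that the part actually registered is photos.login. The edit-distance threshold of 1 catches single dropped, added or swapped characters; raising it catches more typos but also more unrelated domains, so in practice the verdict should feed a warning or a review queue rather than an automatic block.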

It’s always good to arm yourself with knowledge and to understand that, regardless of the apparent authenticity of a message or URL, it’s always important to double-, triple- and quadruple-check not only the domain itself, but the source of the message and the logic behind it.
