Monday, January 13, 2025

Financial Paranoia 2 - Phishing, Account Takeover, Password Re-use, and Typo URLs

 In the last installment, we discussed social engineering scams that were more about misleading trusting people than any technical measures.  This time we will touch on more technical methods of stealing your money.


1. Phishing

Although the term is plain silly, the activity is anything but.  There are many variations, but this is typically when someone tries to convince you to log into a fake bank web site (or similar) through a link in an email.  

It's not always banks, though: email accounts, shopping sites, and delivery services are common targets.  

I get these all the time for Yamato Express and other delivery services, for Office 365, and occasionally for Gmail.  

The message will usually say something like: Your account will be closed due to non-payment (so log in and update your payment information), your account needs to be re-verified for security reasons (so log in and answer some security questions), etc.

If you click on the link in the email or SMS, it may take you to a page that looks deceptively like the real web site, where you will enter your login information.  They can collect this information, and use it to log in as you to the real site.  The real site may ask them security questions when it sees you logging in from a new computer, but if they have already collected those from you, then it's not a problem.  

Worse yet, things like smart phones and one time password confirmations don't always help if they are attempting to log in with your information in real time.  For example, you enter your username and password into the fake site, and it asks you for your OTP.  Unsuspecting, you enter your OTP, and if they use it immediately, they can now log into the real site with your username, password, and OTP.  

The goals of the attacker can be anything from getting control of your email to use it for spam, buying stuff for themselves (especially gift certificates) from Amazon, redirecting your packages, all the way up to getting control of your bank account.  

Not only might they steal your money, but they might use your account to accept money they scammed from other people in an attempt to hide their identity.  

There are various mitigations, including never clicking links in emails for any kind of shopping or banking site, checking the link URLs carefully, checking the sender name carefully, installing anti-phishing software, etc. - but even the most careful person can get tricked occasionally.

All it takes is one wrong click.  

I have some additional suggestions, but we'll go over those in a future entry.  

2. Password Re-use

We've all heard the advice to use different passwords for different accounts and services - but why?  

The main reason is that if the password for one of your accounts is leaked via a data breach or phishing, then the attacker can try that password with your other accounts.  

For example, let's say you have an account with Rakuten Shopping, and their customer database is breached.  This information is collected into lists, and bought and sold by crackers on the dark web, and whoever buys these lists will often try to use the same password with high value services such as online shopping and banking accounts.  

If the attacker has your username "BabyMonkey2024" and your password "Password123" for Rakuten, they can not only log into your Rakuten account, but they can try the same username/email and password with Amazon, Mitsubishi, SMBC, Citibank, and wherever else they can think of.  They will also have scripts to automate this, so they can try hundreds of sites for thousands of users, and focus on the ones where they happened to be able to log in easily.  

Obviously using a different password for each site is the best defence here, but of course remembering a password for every site is perhaps not realistic.  There are two ways around this:

a. Use a password hashing tool.  These tools will use a shared static password and the site URL to come up with a hash that you use as your password.  The advantage here is that you only need to remember one password, the calculated password for each site will be different, and there is nothing to "store".  The disadvantages are that in real life, many sites have password restrictions that may not be compatible with the generated password, and many sites require you to change your password periodically.
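To make the "hashing tool" idea concrete, here is an added example of how such a scheme can be built; it is not code from this post or from any particular product, and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations, the output alphabet, and the counter field are all my own assumptions.  It also shows how the two disadvantages mentioned above are usually handled: a per-site `alphabet`/`length` for sites with password restrictions, and a `counter` that is bumped when a site forces a periodic change (so the master password stays the same and only a small number needs to be remembered or noted).

```python
import hashlib
import string
from urllib.parse import urlsplit

# Added example, not any real tool's algorithm.  Default output alphabet
# (letters, digits and a few symbols) is an assumption.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def site_key(url: str) -> str:
    """Normalise a URL to its host so that 'https://www.example.com/login'
    and 'example.com' derive the same password."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError(f"no host found in {url!r}")
    return host


def derive_password(master: str, url: str, counter: int = 1,
                    length: int = 20, alphabet: str = ALPHABET) -> str:
    """Derive a per-site password from one master password.

    Nothing is stored: the same master + site + counter always yields the
    same password, and a different site or counter yields an unrelated one.
    """
    site = site_key(url)
    salt = f"{site}|{counter}".encode()
    # A slow KDF (iteration count is an assumption): if one site leaks its
    # derived password, brute-forcing the master from it is expensive.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)

    # Map bytes onto the alphabet with rejection sampling to avoid modulo
    # bias; extend the byte stream if 64 bytes were not enough.
    n = len(alphabet)
    limit = 256 - (256 % n)
    out = []
    stream = raw
    block = 0
    while len(out) < length:
        for b in stream:
            if b < limit:
                out.append(alphabet[b % n])
                if len(out) == length:
                    break
        else:
            block += 1
            stream = hashlib.sha256(raw + block.to_bytes(4, "big")).digest()
    return "".join(out)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo value
    print(derive_password(master, "https://www.example.com/login"))
    # Site that forced a password change: bump the counter, keep the master.
    print(derive_password(master, "https://www.example.com/login", counter=2))
    # Site that only accepts a 6-digit numeric code (restriction example).
    print(derive_password(master, "pin.example.jp", alphabet=string.digits, length=6))
```

The `counter` is the part people usually forget: once a site makes you rotate, the generated password is no longer the "current" one unless you remember that site is on counter 2, which is exactly the "nothing to store" promise starting to leak.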

b. Use a password database.  There are cloud tools such as ProtonPass, BitWarden, DashLane, etc., and primarily offline tools such as KeePassXC.  

Theoretically the online tools are secure since any reputable service would encrypt your password database with your password (which they don't know).  This means that even if they are hacked, the attackers would only get a useless encrypted database.  

In reality, if your database password is weak, then it can be cracked.  Even if it is strong, there may be some unknown weakness that could be exploited later.  For these reasons, I tend to be untrusting of public cloud based password management services for personal use.  

Offline tools such as KeePass are safer in that respect, but can be less convenient to use if you have multiple devices, and require you to manage and backup your password database.  You can keep an offline backup of your password database using USB drives, etc., or you can keep a cloud backup using services such as DropBox, OneDrive, iCloud, etc. - but be aware that using cloud services to keep backups of your password databases re-introduces some of the risk associated with cloud password management services mentioned above.  

As far as the password generation itself goes, many tools have a built-in generator for hard-to-guess complex passwords.  These passwords can also be hard to enter manually, though, so you might consider using something like www.correcthorsebatterystaple.net to generate a more human-readable password.  
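The human-readable approach is to pick several random words from a list (the "diceware" style that the site name above alludes to).  The following is an added example, not code from this post or from that site; the 32-word list is constructed purely for illustration, and the point of the two helper functions is to show why list size matters: each word contributes log2(list size) bits, so a short list needs many more words to reach the same strength as a long one.

```python
import math
import secrets

# Constructed toy wordlist (32 entries = 5 bits per word).  A real generator
# should use a published list of several thousand words.
WORDS = [
    "apple", "bridge", "candle", "dragon", "engine", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pencil",
    "quartz", "rocket", "saddle", "tunnel", "umbrella", "violin", "walnut", "yellow",
    "zipper", "anchor", "basket", "castle", "desert", "falcon", "glacier", "harbor",
]


def passphrase(n_words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Pick n_words uniformly at random.  secrets (not random) is used so the
    choice comes from the OS CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Strength of a passphrase of n_words drawn from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits from a list of list_size."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(passphrase())
    print(f"6 words from this toy list: {entropy_bits(6, len(WORDS)):.1f} bits")
    print(f"6 words from a 7776-word list: {entropy_bits(6, 7776):.1f} bits")
    print(f"words needed for 80 bits with 7776 words: {words_needed(80, 7776)}")
```

With the toy list, six words give only 30 bits, which is far too little; with a 7776-word list the same six words give about 77 bits, which is why real generators ship a big list.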

3. Account Takeover

This is when someone takes over your email account, via Phishing or password re-use, and then they use the email account to either send emails to your contacts to scam them, reset & verify your shopping and banking accounts, or (usually) send spam.  

You'll know this has happened if you start receiving lots of bounce messages from addresses you never sent email to, or if you suddenly get locked out of your account because the attacker changes the password.  

Also, if an attacker gets access to your email account, they can see which other services you are signed up for and know where to attack next.  For example, if you have emails from Mitsubishi bank or Amazon, they will know you have accounts there, and possibly your username or account number.  

It's best to use MFA mechanisms and use different passwords for each account in order to prevent this from happening, but that won't stop all phishing attacks.  

4. Typo URLs & Evil SEO

These go hand in hand with phishing, but are a bit narrower in scope.  People who type a URL directly into the browser might mistype it.  For example, Mitsubishi's online banking URL is https://direct.bk.mufg.jp, but one might mistakenly enter one of the following:

  • https://direct.bk.mufj.co.jp
  • https://direct.bk.mufg.com
  • https://direct.bk.mufg.net
  • https://direct.bk.mufj.jp
  • https://direct.hk.mufj.jp

An attacker can register these and other likely mistyped URLs, and since they will own the domain, they can set up sites that mimic the look and feel of the real web site.  

The victim enters the URL, the site is displayed, and they enter their login information.  At that point, an error might be displayed after their login information is logged, or in some  cases, they might even redirect the user to the real site so they never know the difference.  

Depending on the domain and other factors, it may be possible for the attacker to obtain a valid SSL certificate (since they do own the URL) so the Key icon in the browser will even show up.

There are anti-phishing plugins and browsers that blacklist these types of sites, but the best defense is to keep the known good URL somewhere (like a password database) where you can copy & paste it when needed, or at least store it as a bookmark in your browser. 

Another tactic that relies on user laziness and the blurring of the lines between the search box and the URL box in many browsers is that a scammer will set up a fake banking site mimicking a real bank, perhaps using a similar URL (either a typo URL or a URL that uses obscure Unicode characters to make it look identical to the real domain name while actually being different), and use systems like AdWords to make sure it appears high in the ranking.  

This means that if a user doesn't type in a URL manually or use a bookmark, but simply types "Mitsubishi Direct" and then clicks on a displayed URL, they may be taken to the evil site.  Of course search engines like Yahoo and Google will try to detect this and delete such entries, but there is no guarantee.  

The best defence is to never search for an important URL.  Where money is involved, you should know the URL for sure and enter it directly.  Again, this can be through a browser bookmark or by copy & pasting it from a password database.  There should be no reason you ever need to ask Yahoo or Google where your bank's official web site is.  
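The "keep the known good URL somewhere" advice can be turned into a small check that runs before you trust what is in the address bar.  The following is an added example, not code from this post; it keeps a constructed allowlist of known-good hosts (the MUFG host is the one quoted above, the second entry is hypothetical) and flags two things from this section: a host that is only a few typing edits away from a known-good one, and a host that contains non-ASCII look-alike characters.  The second check relies on the fact that browsers resolve such names in IDNA/punycode form (`xn--...`), which a real bank host in the list never has.  The edit-distance threshold of 4 is my own choice.

```python
from urllib.parse import urlsplit

# Constructed allowlist of known-good hosts.  The MUFG host is from the post;
# the other entry is hypothetical.
KNOWN_GOOD = {
    "direct.bk.mufg.jp": "MUFG Direct",
    "bank.example.jp": "Example Bank (hypothetical)",
}
MAX_EDITS = 4  # assumption: within this many edits of a known host is "near"


def ascii_host(url: str) -> str:
    """Host as the browser would actually resolve it (IDNA/punycode).

    A host with look-alike Unicode letters comes back containing 'xn--',
    which the user never typed and a real bank host would not have.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return host.lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> tuple:
    """Return (verdict, reason): 'ok', 'suspicious' or 'unknown'."""
    host = ascii_host(url)
    if host in KNOWN_GOOD:
        return ("ok", KNOWN_GOOD[host])
    if "xn--" in host:
        return ("suspicious", "host contains non-ASCII look-alike characters")
    closest = min(KNOWN_GOOD, key=lambda g: edit_distance(host, g))
    d = edit_distance(host, closest)
    if d <= MAX_EDITS:
        return ("suspicious", f"looks like {closest} ({d} edit(s) away)")
    return ("unknown", "not in the allowlist; do not enter banking credentials")


if __name__ == "__main__":
    # The typo variants listed in the post, plus one constructed homoglyph
    # (Cyrillic small es in 'direct').
    samples = [
        "https://direct.bk.mufg.jp/login",
        "https://direct.bk.mufj.co.jp",
        "https://direct.bk.mufg.com",
        "https://direct.hk.mufj.jp",
        "https://dire\u0441t.bk.mufg.jp",
    ]
    for s in samples:
        print(s, "->", check_url(s))
```

Note the order of checks: the allowlist match is exact on the punycode form, so a look-alike host can never be "ok", and only then is the near-miss distance computed.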
