Two new hacking methods developing on mobile, and an old one on the rise
When it comes to infiltrating a network, there is only one method that cybercriminals truly care about: the one that works. While new methods are always being devised, the old ones sometimes get just as many results, if not more. Phishing remains one of the most popular infiltration techniques, and although scammers already have many tried-and-true methods, they seem to develop better versions every year.
Researchers at Proofpoint revealed in the 2019 Domain Fraud Report that the number of fraudulent and malicious domains continues to grow. These websites are often used in conjunction with phishing schemes. Their tactics include creating a legitimate-looking website with a single typo in the URL that you would never notice at a glance, or placing two letters together, such as an “r” and an “n”, so that they look like an “m”.
You may not realize you are on a fraudulent website and could enter your credentials, giving the hacker access to your real account or login. These types of scams are not new, but the numbers show they continue to be used.
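One way a defender could screen domains from links or proxy logs for the two tricks described above (a single typo, or “rn” standing in for “m”), as an added example that is not taken from the Proofpoint report or the original article. The protected-domain list, the confusable pairs other than “rn”, and all sample domains are constructed assumptions.

```python
from typing import Optional, Tuple

# Hypothetical list of domains the organization wants to protect (constructed).
PROTECTED = ["example.com", "examplebank.com"]

# Letter sequences that read as another letter at a glance.
# "rn" -> "m" is the case the article names; the others are assumed additions.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain: str) -> str:
    """Collapse visually confusable sequences so lookalikes compare equal."""
    s = domain.lower().rstrip(".")
    for seq, looks_like in CONFUSABLES:
        s = s.replace(seq, looks_like)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two swapped neighbouring letters count as one typo, not two.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_brand) for a domain seen in a link or log."""
    d = domain.lower().rstrip(".")
    if d in PROTECTED:
        return ("legitimate", d)
    for brand in PROTECTED:
        if skeleton(d) == skeleton(brand):
            return ("homoglyph", brand)   # e.g. "rn" rendered where "m" belongs
        if edit_distance(d, brand) == 1:
            return ("typo", brand)        # one inserted/dropped/changed/swapped letter
    return ("unrelated", None)
```

The “rn” substitution is two edits away from the real name, so a plain one-typo check misses it; the skeleton comparison is what catches it.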
Mobile Site Phishing
A new scam builds on these fraudulent websites but uses your phone as the point of access. Scammers are coming up with push notifications that pop up on your phone and direct you to a fake website, where you may be asked to enter credentials. This new technique was detected by the mobile security company Lookout in recent months.
It is still fairly new, but they have discovered examples in which a Chrome notification pops up alerting the user to a missed call, or displays a logo, and leads to a fraudulent site. Researchers have also detected examples where the destination depends on the width of the screen: if you are on a desktop, you are taken to the real website, but if you are on a mobile device, you are sent to a fake site. The aim here is to use people’s trust in mobile devices against them. With the number of mobile users rising, it only makes sense that attackers will start to emphasize mobile as a target more.
Google Calendar Scam
Notifications are not the only mobile threat either. Another instance was identified by Kaspersky Labs in a report from Wired, in which bad actors take advantage of a Google Calendar setting that allowed anyone to place event invites on another person’s calendar. In this scam, an event pops up on your calendar, and its description contains some sort of offer prompting you to enter personal information.
While this may raise red flags for some, others may not think much of it since it is just an event on your calendar, and depending on your settings an alert from your calendar could pop up prompting you to act on it. There are also reports that the details of the appointment contain a malicious link that looks like it points you back to meet.google.com for more details but instead infects you with malware. However, users can guard against the attack by changing their Google Calendar privacy settings:
“Open Google Calendar’s settings on a desktop browser and go to Event Settings > Automatically Add Invitations, and then select the option ‘No, only show invitations to which I’ve responded.’ Also, under View Options, make sure that ‘Show declined events’ is unchecked, so malicious events don’t haunt you even after you decline them.”
The Common Trend in Every Phishing Attack – Timing
There will always be new gaps for a hacker to exploit simply due to technology evolving, but if you stay aware of techniques and use caution on the web you can protect yourself. SWK offers tips, tricks and other resources that will help you prepare yourself – and your business – for the modern threats in cyberspace.
Visit our blog to get the latest news and updates on network security and the rest of the cyberworld.