Wordfence and Graham Cluley have alerted us to a dangerous change in phishing attacks: phishing sites that mask their domain names so the address bar shows the name you expect. Please read on, and then share this important information with your network, so your friends and family aren’t taken in by new phishing scams.
Phishing sites masking domain names
Simply put, we used to tell people that to avoid a phishing scam, they should check the address bar to make sure they were on the correct site. That is no longer a reliable clue, which makes things much more complicated for the less Internet-savvy among us.
What is phishing?
Phishing is when a malicious website pretends to be a legitimate website you would have a reason to be on, and tries to get you to enter personal information. That can be your username and password for the real site, your credit card number, or all sorts of other information the attackers might use for ill-intentioned purposes.
Most often, you would be led to a phishing site by clicking on a link in an unsolicited email. The email might appear to be from your water company, your Internet service provider or cable company, a store, Google, or any number of other places you might do business with.
How can you avoid being scammed?
In the past, there were three main ways to avoid being taken in by a phishing scam.
- Don’t click on unsolicited and unexpected emails. As an example, if you know you did in fact pay your last cell phone bill, don’t click on the email that says you didn’t, and asks you to click to pay online.
- Type the address yourself into the address bar of your browser. To further our example, if you aren’t sure whether you did pay your bill or not, type your cell phone provider’s URL yourself into your address bar, and go verify your account that way.
- If you did click on a link, verify the URL that appears in your address bar. If you already clicked on the link in question, make sure that the domain (the part just before the first single slash) is correct – for example, make sure you are on “apple.com” and not “apple.com.fakesite.com” or “apple-com.fakesite.com”.
Don’t let this be you!
What has changed?
For the technical details, you can check out the explanations over on Wordfence or Graham Cluley’s website. In a nutshell, domain names are no longer limited to the plain letters a–z: they can contain letters from other alphabets (so-called internationalized domain names, built on the Unicode character set). Under the hood, such a name is stored in an ASCII form that starts with “xn--” (called Punycode), and the browser decodes it and shows the real Unicode letters in the address bar. The trick is that many letters in other alphabets look identical to Latin letters in ordinary fonts: the Cyrillic letters “е”, “р”, “і” and “с” are different characters from the Latin “e”, “p”, “i” and “c”, but you cannot tell them apart by eye. In Wordfence’s example, they set up a website with this domain: https://xn--e1awd7f.com, which Chrome and Firefox displayed as https://epic.com, even though it is an entirely different domain from the real epic.com.
This means that suggestion #3 above is no longer reliable: the address bar can show exactly the name you expect while you are on a completely different site. This is a serious security issue, because attackers can effectively mask the domain name of a phishing site and trick you into thinking you are on the real website rather than a copy built to steal your information. Because the attacker genuinely owns the look-alike domain, the fake site can even be served over HTTPS with a valid padlock, so the padlock alone is no proof that you are on the right site.
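To make the mechanism above concrete, here is an added example in Python (it is not code from Wordfence, Graham Cluley, or this page). It uses Python’s built-in "idna" codec to convert between the "xn--" form that DNS resolves and the Unicode form the browser shows, and then applies the kind of look-alike check a browser or mail filter can run: flag a name whose letters, once each confusable letter is swapped for the Latin letter it resembles, match a protected brand domain, and flag any label that mixes scripts. The function names, the small CONFUSABLES table (a hand-picked subset of Unicode’s confusables list), the "protected" brand set, and the sample domains other than Wordfence’s xn--e1awd7f.com are all constructed for this example.

```python
import unicodedata

# Hand-picked subset of Unicode's confusables list (UTS #39): letters from other
# scripts that render identically to Latin letters in common fonts.
# Constructed for this example; the real list is far longer.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_ascii(domain):
    """The form DNS actually resolves: every non-ASCII label becomes xn--<punycode>."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """The form the browser renders: xn-- labels decoded back to their Unicode letters."""
    return domain.encode("idna").decode("idna")


def scripts_in(label):
    """Set of scripts (LATIN, CYRILLIC, GREEK, ...) used by the letters of one label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Replace each confusable letter by the Latin letter it looks like."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(domain, protected):
    """Compare what DNS sees with what the user sees, and flag homograph look-alikes.

    `protected` is a set of legitimate Latin-script domains (e.g. your own brands)
    that a look-alike would be impersonating. Hypothetical helper, not a browser API.
    """
    shown = to_unicode(domain)
    labels = shown.split(".")
    # A single label drawing letters from two scripts (e.g. Cyrillic 'а' + Latin 'pple')
    mixed = [lb for lb in labels if len(scripts_in(lb)) > 1]
    # Whole-script confusable: every letter swapped for its Latin twin spells a brand
    skel = ".".join(skeleton(lb) for lb in labels)
    lookalike = skel if (skel != shown and skel in protected) else None
    return {
        "dns_form": to_ascii(domain),
        "browser_form": shown,
        "scripts": set().union(*(scripts_in(lb) for lb in labels)),
        "mixed_script_labels": mixed,
        "lookalike_of": lookalike,
        "suspicious": bool(mixed) or lookalike is not None,
    }


if __name__ == "__main__":
    brands = {"epic.com", "apple.com"}
    # Constructed inputs: Wordfence's demo domain, the same name typed in Cyrillic,
    # a mixed-script variant (Cyrillic 'а' + Latin 'pple'), and the genuine domain.
    for d in ["xn--e1awd7f.com", "\u0435\u0440\u0456\u0441.com", "\u0430pple.com", "apple.com"]:
        r = analyze(d, brands)
        print(f"{r['dns_form']:<22} shown as {r['browser_form']:<12} "
              f"scripts={sorted(r['scripts'])} lookalike_of={r['lookalike_of']} "
              f"suspicious={r['suspicious']}")
```

Running it shows that xn--e1awd7f.com decodes to a name made entirely of Cyrillic letters whose skeleton is “epic.com”, which is exactly why the eye cannot tell it apart. The mixed-script rule catches cruder forgeries that substitute only one letter; the whole-script skeleton comparison is needed for cases like Wordfence’s, where every letter is foreign and there is nothing “mixed” to notice.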
So what can I do to stay safe?
Rules 1 & 2 suggested above still apply:
- Don’t click on unsolicited and unexpected emails.
- Type the address yourself into the address bar of your browser.
You can also follow the instructions provided by Wordfence for turning off the Unicode display in your Firefox browser (in about:config, set network.IDN_show_punycode to true, so Firefox shows the raw “xn--” form of such domains in the address bar), but you might not want to attempt that unless you are a tech-savvy user. Graham Cluley says that Chrome plans to roll out a fix for this issue by the end of April 2017.
He further suggests:
- you can use a password manager that will recognize these Unicode sites and will not enter your password into them automatically. LastPass, 1Password, and Dashlane are good choices here.
- you can copy and paste the URL into the Edge or Safari browsers, which aren’t affected at this time, or
- you can copy the URL from the Chrome address bar and re-paste it into the same location; a Unicode URL should then appear if the domain name has been masked with this method, so you would see that the site is not legitimate after all.
Knowledge is power.
Please share this information with your friends and family so you can help keep them safe from phishing fraud.