Phishing is a method of obtaining sensitive information while disguising yourself as a trustworthy source, and it can be pulled off with very little coding knowledge. It remains one of the most widely and successfully used scamming methods worldwide. In 2016 Australia alone lost nearly $300 million; the ACCC reported in June that only $260,000 had been lost within 2017. Although that number is nothing compared to the previous year, there still remain the unreported cases.
Most recently 110 million users (and growing) received a Netflix email scam that is well designed, making use of the company’s branding and the existing email templates it sends. The initial destination the user clicks through to is a fake site: one that looks legitimate but is built purely to capture the username and password of those who submit the form.
A few weeks back I was sent an SMS from “CommBank” saying my account was locked and required additional verification. Unfortunately for these scammers, I’m not with CommBank and I’ve read about these scams before. Straight away I was able to identify that the link in the SMS wasn’t legitimate, due to the domain and the lack of “https”, although that could easily redirect to a secure server.
Clicking on the link brought up something I hadn’t seen before: a warning from my ISP that the page contained malicious content. I’d seen Google and other companies prevent a user from landing on the destination before, but not an Australian ISP. This is great news for those who aren’t aware of the scam or are simply suffering from a brain fart. It did make me wonder just how many users clicked on the link before someone reported it to Telstra… then it made me think even more: “I wonder if I can scam the tech team at work”.
Orchestrating the scam
The tech team at CarsGuide consists of developers, DevOps and testers, all worthy opponents for my scam.
First I identified a source that everyone has access to and that requires some sort of personal verification to get in; I decided on our internal Wiki. I opened the URL in incognito mode so the login form would be presented, hit CTRL+S to save the site, then opened the saved copy on my machine to confirm it displayed correctly.
Next up I needed to change the location the form posts to so I could capture data. I opened the HTML file in a text editor, searched for the <form> element, then changed its action to point to my own script, which records the POST data and redirects to the real location the user thinks they’re going to.
I then set up gotcha.php to log only usernames (although logging passwords was tempting) and redirect the user to the actual Wiki page I wanted them to believe they should be viewing.
Now that the files were sorted I needed somewhere to host them, along with a domain that could aid in the trickery. I didn’t go all out here, which would have involved buying a domain name similar to the Wiki’s; there were a few other internal blockers preventing me from using the word “wiki” in my domain as well. I settled on an old domain I hadn’t used for a long time that looked nothing like the wiki one: “event.cat”.
The final part of the plan is to send an enticing email with the URL masked, easy enough to achieve using a URL shortener service like bit.ly or goo.gl. This is where I’ll throw most people, as it’ll be unexpected that a colleague would be attempting to steal their personal info. I’ll piggy-back on a previous email I sent about a Wiki entry.
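The cloned page above gives itself away in two places a user never looks: it is served from a host that is not the Wiki’s, and its login form posts somewhere other than the Wiki. The following check, added here as an example and not part of the original post or of CarsGuide’s tooling, resolves every form action on a page and compares both the page host and the action host against the host the page claims to be. The sample HTML is constructed, and “wiki.example.internal” is a placeholder for the real Wiki host, which the post does not name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action means the form posts back to the page itself.
            self.actions.append(dict(attrs).get("action") or "")


def form_actions(html):
    parser = _FormCollector()
    parser.feed(html)
    return parser.actions


def login_page_findings(html, page_url, expected_host):
    """Return the reasons a login page should not be trusted.

    page_url is where the page was actually loaded from; expected_host is the
    host of the real service the page claims to be (e.g. the company Wiki).
    """
    findings = []
    expected_host = expected_host.lower()
    page_host = (urlsplit(page_url).hostname or "").lower()
    if page_host != expected_host:
        findings.append(f"page is served from {page_host}, not {expected_host}")
    for raw in form_actions(html):
        # Relative actions (including the empty one) resolve against the page URL,
        # so a cloned page on event.cat posting to "gotcha.php" posts to event.cat.
        target = urlsplit(urljoin(page_url, raw))
        target_host = (target.hostname or "").lower()
        if target_host != expected_host:
            findings.append(
                f"form posts to {target_host} ({raw or 'same page'}), not {expected_host}"
            )
        if target.scheme != "https":
            findings.append(
                f"form submits over {target.scheme}, so credentials would travel in the clear"
            )
    return findings


# Constructed sample: a saved copy of a Wiki login form with its action redirected.
CLONED_PAGE = """<html><head><title>Wiki - Log in</title></head>
<body><form method="post" action="gotcha.php">
<input name="username"><input type="password" name="password">
<button>Log in</button></form></body></html>"""

# Constructed sample: the same form as the genuine site would serve it.
GENUINE_PAGE = CLONED_PAGE.replace('action="gotcha.php"', 'action="/login"')

if __name__ == "__main__":
    for reason in login_page_findings(
        CLONED_PAGE, "https://event.cat/wiki/login.html", "wiki.example.internal"
    ):
        print("WARNING:", reason)
    print(login_page_findings(GENUINE_PAGE, "https://wiki.example.internal/login", "wiki.example.internal"))
```

The same comparison is what a browser password manager does implicitly when it refuses to autofill a saved Wiki credential on event.cat, which is one reason to let the password manager, rather than muscle memory, decide where a password is typed.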
A few hours into it and I’ve got some hits. I had to tell one person to keep quiet so my cover wouldn’t be blown, as they’d caught on to it being “dodgy”; later some more people approached me asking about the weird link and how they hadn’t clicked it.
The mailing list contained 27 people; I got 12 clicks on the link and 17 email opens, with a total of 6 people caught within the 5 hours I let it run for.
Note: I asked permission from the higher ups before going ahead with anything.
How to identify the scam
There are several things to look out for with these emails, SMSes and sites:
- Do you know the originator/source? Does that email address or phone number look familiar?
- Link shorteners are used to help mask the destination of a URL. bit.ly and goo.gl are popular ones, both of which have public analytics so you can see the real destination and just how many locations the email may have been sent to. https://goo.gl/#analytics/goo.gl/u6yJYW/all_time — https://bitly.com/2mQEBxU+
- While it’s not wise to click a link that looks funny (malware could be on the other end), if you do, does the destination have a secure connection (https)? Check the base domain: commonly these URLs will have bits of the real source in them to help trick you, e.g. http://commbank.banking.info
- If you find it originated from a friend, family member or someone you work with, ask the person directly if they sent the email. If they haven’t, there’s a good chance their email has been compromised or a spoofing method has been used.
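The three technical checks in that list (shortener, https, and which domain really owns the host) can be applied mechanically before anyone clicks. The script below is an added example, not part of the original post, that does exactly that over a URL: it reports a shortener and builds the public stats link in the two forms the post shows (a trailing “+” for bit.ly, the “#analytics” path for goo.gl), flags a missing https, and flags a brand name that appears in the host when the registrable domain belongs to someone else, as in commbank.banking.info. The brand list and the short table of two-label public suffixes are constructed for the example; a production version would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Two-label public suffixes this simplified example understands (constructed
# subset; the real Public Suffix List has thousands of entries).
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}

# Link shorteners named in the post.
SHORTENERS = {"bit.ly", "goo.gl"}

# Constructed watch list of brands; extend with your own company's names.
WATCHED_BRANDS = ("commbank", "netflix")


def registrable_domain(host):
    """Return the part of the host that someone actually registered.

    commbank.banking.info -> banking.info ; www.commbank.com.au -> commbank.com.au
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def shortener_preview(url):
    """Public stats page for a shortened link, in the URL forms shown in the post."""
    parts = urlsplit(url)
    domain = registrable_domain(parts.hostname or "")
    code = parts.path.strip("/")
    if domain == "bit.ly":
        return f"https://bitly.com/{code}+"
    if domain == "goo.gl":
        return f"https://goo.gl/#analytics/goo.gl/{code}/all_time"
    return None


def check_url(url):
    """Return a list of human-readable warnings about a URL (empty means nothing found)."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["not a parseable absolute URL"]
    domain = registrable_domain(host)

    if domain in SHORTENERS:
        warnings.append(
            f"link shortener {domain} hides the real destination; preview it at {shortener_preview(url)}"
        )
    if parts.scheme != "https":
        warnings.append("no https: the page is not served over a secure connection")

    # The brand is only legitimate if it is the registered name itself, not a
    # subdomain or a fragment of a label under somebody else's domain.
    owner = domain.split(".")[0]
    labels = host.split(".")
    for brand in WATCHED_BRANDS:
        if brand != owner and any(brand in label for label in labels):
            warnings.append(f"'{brand}' appears in the host but the site actually belongs to {domain}")
    return warnings


if __name__ == "__main__":
    for sample in (
        "http://commbank.banking.info",        # from the post
        "https://bit.ly/2mQEBxU",              # from the post
        "https://www.commbank.com.au/netbank", # constructed legitimate URL
    ):
        print(sample, "->", check_url(sample) or "no warnings")
```

The check runs on the URL alone, so it fits anywhere a link is seen before it is followed: a mail gateway, a chat bot, or a one-liner in a terminal. Its limits are the watch list and suffix table it was given, which is why the human questions in the list above (do you know the sender, did they really send it) still matter.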
What’s the world doing about phishing?
A huge amount of time and money is invested by email providers, browsers, antivirus companies and ISPs to help prevent these scams. Email providers are certainly at the forefront of prevention, and recently Google applied more updates to Gmail for early detection. The best email providers will pick these scams up and move them to your spam folder as well as label them with warning messages, but this isn’t guaranteed to catch 100%.
The nature of tech means things are constantly changing; there will always be scams online, which makes keeping yourself informed the best defence.
Product and Engineering at Autotrader/Carsguide.