I’m at a coffee shop working with a friend on our computers. He says to me, “Doesn’t this email look suspicious?”
The email’s subject reads, “Your iCloud Storage is Full”. It has the Apple logo, and the classic clean Apple fonts. It is very neatly laid out with lots of white space. It is classically Apple short, one page, with only a few sentences. It says, “Your iCloud storage Is full, photos, videos and iCloud drive are no longer updating.” My first thought was, “his iCloud storage probably is full,” because that just is the kind of person he is. But I keep that in the bubble.
My second thought is, “That is definitely a phishing attack.” I consider myself an expert. I’ve worked in cybersecurity for years, and like everyone, I’ve received plenty of those kinds of attacks. They are based around getting you to click on a link in the email, entering some information on the web page they take you to, and then… they have your information. Perhaps you typed in your username and password for some online account you have. Perhaps they got you all the way to typing in your credit card number.
But, like all of you, I’ve seen it all before. I said I’d take a look and he handed me his laptop. I thought I’d really check it out thoroughly, point out all the things wrong with it to help him spot this in the future.
There are all kinds of things to look for. This blog has a nice summary: https://cybird.net/blog/how-to-tell-if-a-website-is-safe-to-visit-a-comprehensive-guide/
This one wasn’t even close. Childs play! The email is from “posse@pfcseo.de”. That isn’t Apple. .de is the domain for Germany, although anyone can buy a domain with that at the end. “Click for more information and to upgrade your storage” says the email. I look at where that hotlink would actually take you. It goes to “apple-grx-support-online (dot) com”. While it has Apple in the name, that is not the real Apple either. I confidently tell him that the message is a scam.
I’m picking up the computer to hand it back to him when my finger hits the touchpad, entering a click. Not a problem, I’m not on the “Click here” button. But then I see it – a window is opening. These bandits had made all the text a hotlink. I’ve fallen prey by accident!
The thought that this isn’t even my computer, and he isn’t the type to have anti-virus software goes through my mind. I close the page without entering any information. How much danger are we in?
First, I wanted to see if the link is known to be evil. I entered it on my computer. I’m using Cybird.net’s cyber security system. Sure enough, Cybrid blocks connection to that site entirely, good for me, but a bad sign for my friend. On my Cybird dashboard, it reports “Blocked Phishing”. I double-checked using virustotal.com, and the web address is listed as Malicious and Phishing.
So how much risk have I exposed my friend to just by going to the site, even if we didn’t enter any information? While not as damaging as entering passwords or credit card numbers, it isn’t good. Just by going to the website, the attackers can get all of the following:
- Your IP address: In some circumstances your IP address may remain constant over a period of time, allowing the attacker to track your device. It can also be used to identify your internet service provider, and sometimes identify details about your device.
- Your physical location: When you connect to the phishing site, your IP address and the route your messages have taken can be used to find your approximate physical location.
- Information about your Device: Phishing websites may employ techniques to collect information about your device, including what operating system and version you are using. Other details they can glean include your browser version, screen resolution, installed plugins, and fonts. This information can be used to create a unique “fingerprint” of your device, which can then be used for tracking purposes or targeted attacks.
- Referrer Information: When you click on a link to a phishing website, the referrer information (i.e., the URL of the page that referred you to the phishing site, or the email the link was in) is often passed along. This can reveal the websites you’ve recently visited or emails you were reading, potentially exposing sensitive information about your interests, activities, or accounts you’ve accessed.
- Access to cookies: The phishing websites can place cookies onto your device, and read cookies that they have previously placed on your device. Depending on your browser settings, they may be able to read cookies from other websites (third-party cookies). The Google Chrome browser allows this by default. Phishing websites may utilize cookies to track your browsing activity and preferences. This information can be used for targeted advertising and identity theft. The phishing site can even potentially gain unauthorized access to your accounts if you’re logged into them during the visit to the phishing site, and who isn’t logged into a handful of websites at any given time? The phishing sites accomplish this through Cross-Site Scripting (XSS) attacks stealing session cookies from other open sessions, Cross-Site Request Forgery (CSRF) in which they make unauthorized requests to other sites you are logged into, and keylogging attacks, in which they may be able to run a script that observes your keystrokes, stealing credentials from other sites you connect to while the phishing site is open.
- A chance to exploit vulnerabilities: Phishing websites may attempt to exploit vulnerabilities in your browser or plugins to install malware or execute malicious scripts on your device. Even if you don’t input any information, simply loading the page could trigger these exploits, compromising the security of your device and data.
And don’t minimize the importance of the “soft” information they gather when you go to their website, even if you don’t enter any information:
- Confirmation that there is a live person on the other end of that email address
- The knowledge that the topic was of some interest to you
- The ability to craft even more sophisticated phishing attempts, customized to you, in the future. If you visit one of their websites, they will be back…
All this was due to a mistaken click when the email was known to be suspicious. How can this be prevented? The key is to cut off the risk right at the start. The appropriate cyber security system, like the one from Cybird I mentioned earlier, can block any attempt to go to malicious websites whether the access was accidental or misguided (intentional), keeping you and your loved ones safe.
Try Cybird’s free trial today to keep your family safe online.
Bill, the former CTO at Plume Design, is renowned for his pivotal role in advancing technology across an impressive 50 million homes. His profound expertise in Wi-Fi and networking is matched by his visionary approach to technology deployment.