
How To Detect Phishing - The Very Important Basic

You've probably already read us saying we prefer browsers over custom apps. And there's a really good reason for it. And today we'll dive into one of those reasons.

Less than twelve hours before this post was written, waves of articles online warned users of a widespread phishing scam targeting Gmail users. The reality is that it's not only Gmail that is subject to this attack. All email is. But for the time being, we'll use Gmail as a sample to illustrate a core problem. Yes, you may have guessed it already: people's mindset, their misunderstanding of technology, and its wrong use.

The screenshot above is from a legitimate email with links to sites which the email sender is also sending email for. You can see our cursor hovering on top of one of the links (underlined in green), and a User Interface (UI) element that suddenly appears at the bottom of the browser (pointed to by the green arrow), called the browser's status bar.

That UI element (Browser Status Bar) is present to show users where they will be taken once they click the link. Legitimate links will usually bring you to the email sender's "authoritative" website/domain or at the very least will not bring you to any dubious looking web address.

What is an "authoritative" website/domain?

It is common practice for website administrators and companies to buy similarly worded domains, URLs, or web addresses to ensure that their trademark leads to their official website. For example, a fictional company named BahayKubo will most certainly buy bahaykubo.ph, bahaykubo.com.ph, bahaykubo.com, but will likely not buy kubo.ph, kubo.com, etc.

This matters because a malicious entity targeting the BahayKubo company can look for similar-sounding or similar-looking domains to use against it. Whoever owns kubo.com or kubo.ph can craft a website that looks like the legitimate bahaykubo.ph and serve it from the bahay.kubo.ph subdomain of kubo.ph, borrowing legitimacy and performing an attack without immediately getting noticed.

So, to tie this back to the authoritative domain: you as users should use the browser's status bar as often as you can, to make sure you know which site a link is going to bring you to.

Misunderstanding and Misuse of Technology

Let me start by saying that it's not the malicious entity that's wrongly using the technology. It's the users. Technology is technology; people can use it the way they want, as technologists/developers/programmers/designers/engineers can only cover as much standard use as they can foresee. Over-engineering a tech product, be it hardware or software, will only produce a restrictive and unusable product. It is and will always be up to man to use it wisely.

And so, malicious entities are wisely using the mentality of people to craft for themselves entry points to get to us and our data. That is not and should not come as a surprise. Personally Identifiable Information (PII) is extremely important because it can be used to gain access to most of the accounts a person holds in their entire life. In this day and age, however, it is extremely foolish to devalue personal information, as it affects almost all aspects of our lives.

  • We misuse technology if we do not even try to understand the reason why certain elements of a program exist.
  • We misuse technology if we think the solution to every technological problem is also technology.
  • We misuse technology if we think we are powerless over it.

How to Detect Phishing - The Very Important Basic

We've laid out the basic knowledge needed to address this problem by filling in the knowledge gap about the User Interface and the mindset problem. With that, it's now time to use our sample.

We took a screenshot of a legitimate image of the "Open in Docs" button element (attached below) when a document is sent or shared through email.

We then dragged and dropped the image above into an email and set a link on it. For demonstration, we purposefully set a dubious and non-existent link on that image - https://iam.dubious.url/do-not-click-on-something-like-this

As you can see from the red circle and arrowhead, it is perfectly possible to make a close look-alike of a "document shared" email that could lead people to click on the link and thereby land on a dubious and potentially malicious URL.
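The check described in the two passages above (comparing a link's real destination with the sender's authoritative domains, and the image button that carries a dubious link), as an added example that is not part of the original post: it lists every link in a constructed email body with the host it actually leads to. The domain set, the sample body and the names LinkCollector, is_authoritative and audit_email are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: authoritative domains of the article's fictional BahayKubo.
AUTHORITATIVE = {"bahaykubo.ph", "bahaykubo.com.ph", "bahaykubo.com"}
# Constructed sample body: the article's image button plus two text links.
SAMPLE_EMAIL = """
<a href="https://iam.dubious.url/do-not-click-on-something-like-this"><img src="open-in-docs.png" alt="Open in Docs"></a>
<a href="https://www.bahaykubo.ph/docs">https://www.bahaykubo.ph/docs</a>
<a href="https://bahay.kubo.ph/login">BahayKubo sign-in</a>
"""

class LinkCollector(HTMLParser):
    """Collect each <a href> together with what the reader sees for it."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None  # finished links, link being read

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open = {"href": attrs["href"], "label": ""}
        elif tag == "img" and self._open is not None:
            # An image button shows no URL at all; keep its alt text.
            self._open["label"] += "[image: %s]" % (attrs.get("alt") or "")

    def handle_data(self, data):
        if self._open is not None:
            self._open["label"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def is_authoritative(url, domains=AUTHORITATIVE):
    """True only for a listed domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Dot boundary: bahay.kubo.ph is under kubo.ph, not bahaykubo.ph.
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_email(html, domains=AUTHORITATIVE):
    """Return (label, destination host, verdict) for every link."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [(link["label"], urlsplit(link["href"]).hostname,
             "ok" if is_authoritative(link["href"], domains) else "SUSPICIOUS")
            for link in parser.links]
```

Calling `audit_email(SAMPLE_EMAIL)` returns one row per link; the destination host in each row is the same information the status bar shows on hover.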

It also doesn't help that there is a proliferation of URL shortener services and that companies and Marketing agencies are employing the tactic to better track engagements. This is also another problem that needs to be dealt with soon.

The problem is also compounded by several other problems. But writing about them here would come close to teaching how to perform a phishing attack as successfully as possible, and so we'll refrain from talking about them.

As a short recap, the elements and practice mentioned above are applicable to any web-based email service and some desktop-based email clients. And this method is only one of the basic practices you can adopt to protect yourself from phishing.

The Basic Solution

The important thing is to always use the browser's status bar whenever possible. This forms part of the reason why we do not advocate using an app for all things you access on the internet. We do not have a status bar on a touch-screen device. You can long-press, but that already "pre-loads" the link in a browser frame somewhere in the app and has already subjected you to that link's capability, malicious or not.

It is extremely important to understand that some User Interface/Interaction (UIX) decisions are too important and should not be removed, and that no counterparts were developed or designed when the shift from desktop/laptop-based applications to tablet/phone-based software happened.

  • Lessen your online trust. Yes, you should always validate what anyone writes online. Including us.
  • Make an effort to understand the tools that are at your disposal.
  • Examine which site you will be brought to when you click a link.
  • Always try to make an informed decision rather than blindly following a link.

Be Part of the Solution

If you have any questions or clarification, please feel free to ask them through the comments section below.

If you feel your company will benefit from us giving a company wide talk about safe internet use, feel free to reach out to us as well.

If you feel friends and family can learn from what we publish, share this article with them.
