Congratulations! You have won … a free phishing scam!
Everybody loves to get recognition for their work. Even better if a forum/panel external to your organization is ready to applaud your work publicly by giving an award. There are awards and recognition in every field. There are excellence awards, guild awards, ‘XYZ of the year’ awards and many more. Out in the west, there are prestigious magazines, an honorable mention in which gives automatic merit to your performance (e.g. Time Magazine). Getting on the big lists is an exciting prospect, one which will certainly boost your career. Moreover, it is validation for your hard work.
So, if you receive an email saying you have been nominated for a bigwig award, you ought to jump on the opportunity, right? Wrong.
You must have guessed the dangers by now. Cyber criminals are lurking around the corner, watching you, observing you, waiting to make their move. If they’re so inclined, they may even know a concerning amount of detail about you. Are you frustrated at work? Do you feel you are not getting the value you deserve? Or alternatively, are you super pumped about your job? Looking to scale new heights? They know. Whatever the case, it is common knowledge that awards are an incentive many businesses encourage. They are a natural productivity booster. And this is how cybercriminals start reverse-engineering their victim’s mindset and emotional state.
It all begins with a well-timed email. A big name has nominated you for an award! You are excited, and your alertness subsides. Two things are possible here. One way a cybercriminal baits a victim is by saying that she/he needs to register for this award. The registration link is, no surprises there, a phishing link that can take you to a fraudulent website and download malware onto your system. Another method phishers use is to exploit the pay-for-play nature of some of these awards. Many honourable mentions don’t come for free. The awarder asks for a sizable sum to keep you in the running for an award.
With the fake link in the fake email, however, the victim lands on a dummy page with a payment gateway that is connected to the criminal’s own bank account. The victim, thinking she/he is paying for a legitimate award, ends up funnelling money to the scammer, realizing only after it’s too late that the award wasn’t authentic in the first place.
To understand the scenario better, let us take a look at the case of the Webspherepower magazine.
Best of the Rocky Hills Award – A Poorly Executed Scam
A blogger at ZDNet has narrated a case that happened to him personally. In many western countries, there has been a longstanding tradition of publishing a Who’s Who list for various fields. There are Who’s Who lists of emerging authors, medical practitioners, chefs or whichever field you can imagine. Being included in these lists is a veritable honour. However, the idea of publishing a Who’s Who list is in the public domain, meaning that any industry looking to celebrate its top performers can come out with its own listing. Sometimes the award giver announces these lists at public gatherings, while sometimes reputable magazines publish them. Knowing this, hackers are always on the prowl, looking to claim as many victims as possible. This case is interesting because awareness and presence of mind averted a cyber-attack that would otherwise have cost a lot.
David Gerwitz, the blogger in question, received an email saying that his publishing endeavor, the Webspherepower Magazine, had earned him an award on the Best of Rocky Hills 2020 list, in the Media and Entertainment category. David says most of the details in the email matched true events: he really did publish a magazine called Webspherepower Magazine. The catch? He had moved from Rocky Hills in California to another residence almost 19 years ago. Also, he had stopped publishing the Webspherepower magazine way back in 2014. So why would a noteworthy listing nominate him for an award so late? He was onto the crooks, and he knew enough not to take it too seriously. However, instead of leaving it at that, he took a few investigative actions that everyone can take.
Firstly, he checked the HTML markup. Often, hackers will hide a malicious URL underneath a harmless-looking legitimate URL. Every link (anchor) tag in HTML has visible text, a ‘label’ of sorts, which is shown in place of the actual destination URL held in the tag’s href attribute, so the text you see and the address you are sent to can differ. In this case, the URLs were not hiding anything underneath.
Next, he ran a lookup on WHOIS, a domain lookup service which provides the registration details associated with a domain. The results for his query (using the domain in the sender’s email address) showed that the criminal had registered the domain a mere 30 days prior. This was suspicious, since a panel established enough to hand out awards should have been around for a long time. David says newly registered domains are easy giveaways of a phishing scam, and if you encounter one, run.
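The domain-age check can be scripted once you have the WHOIS output. The following is an added example, not code from the ZDNet post or from Logix: it pulls the registration date out of raw WHOIS text and compares it with the date the email arrived. The sample record, the received date and the 90-day threshold are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Registries label the field differently; these are common variants.
CREATED_FIELD = re.compile(
    r"^\s*(?:Creation Date|created|Registered on)\s*:\s*(\S+)", re.I | re.M)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")

def creation_date(whois_text):
    """Return the registration timestamp from raw WHOIS output, or None."""
    match = CREATED_FIELD.search(whois_text)
    if not match:
        return None                      # redacted or unsupported record
    raw = re.sub(r"\.\d+", "", match.group(1))   # drop fractional seconds
    for fmt in DATE_FORMATS:
        try:
            parsed = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    return None

def assess_domain(whois_text, received, min_age_days=90):
    """Return (verdict, age_in_days) for the sender domain at receipt time.

    min_age_days is an assumed triage threshold, not a value from the article.
    """
    created = creation_date(whois_text)
    if created is None:
        return ("unknown", None)
    age = (received - created).days
    return ("suspicious" if age < min_age_days else "established", age)

# Constructed WHOIS output for a placeholder domain.
SAMPLE_WHOIS = """\
Domain Name: AWARDS-EXAMPLE.TEST
Registrar: Example Registrar
Updated Date: 2020-05-03T08:00:00Z
Creation Date: 2020-05-02T10:15:00Z
Registry Expiry Date: 2021-05-02T10:15:00Z
"""
RECEIVED = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed

if __name__ == "__main__":
    print(assess_domain(SAMPLE_WHOIS, RECEIVED))
```

An "unknown" verdict means the record had no parsable creation date, which is common with redacted records and should be reviewed by hand rather than treated as safe.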
Safeguarding Yourself: What can you do at a personal level?
Awareness is going to go a long way when dealing with cyber scams. You must have a constant voice at the back of your mind to alert you to strange emails. Also, knowing how to do a quick lookup of domains (which was truly a commendable thing David did) will be a lot of help. Here is a short video on using WHOIS. If it feels too techy for you, it might be worth handing over to your IT department. Another thing David did was to check for hidden URLs. You can do this yourself by right-clicking on a page and clicking View Page Source. The options might be different depending on your email client. This gives you the complete markup of the page and shows you the true URLs behind the labels.
Also, read, read, read! Browse through cybernews, know how you can fortify your organizational security, and keep abreast of the security practices.
Safeguarding Yourself: What can a security partner do for you?
It is a huge weight off your shoulders if you entrust your security concerns to a security service provider. At Logix Infosecurity, we employ our DMARC Monitor tool to expose whether the address in the sender section of an email is invalid. Also, our Email Cloud ATP tool protects you against all new and old email security threats like malware and phishing. To know more about our top-notch security services and get an answer to your questions, feel free to contact us.