Tuesday, March 7, 2017
Phishing For Suckers of the Mac User Variety
--
Over the past couple of weeks, there has been an all-out effort to phish for suckers, especially Mac user suckers. I received one of these phishing emails myself! Here is what it looks like:
From: Customer Support <PhishingRat@PhishingRat.com>
Subject: Update Your Account
Date: March 31, 2014 6:30:20 AM EDT
To: blah@blah.blah
Reply-To: Customer Support <PhishingRat@PhishingRat.com>
Dear Customer,
We have recently updated our website database and new security feature has been added for effective order and shipping. Please Click www.apple.com/upgrade, to update your account information within 24hours.
Thanks
Apple Team

I have altered the source email address ;-) and removed the hidden URL linked to www.apple.com/upgrade.
How To Detect Phishing URLs
Using Apple Mail, the quick and easy way to check if the link in a suspect email is bogus is to hover your Mac's cursor over the URL found in the email. The result is that the ACTUAL URL appears on screen. Then you can see if they match. If they don't, you know you're being phished. Here I have applied this method to the phishing example above:
Here you can see the cursor hovering above (not clicking on!) the link in the phishing message. The yellow box appears below your cursor, containing the ACTUAL URL hidden beneath the FAKE URL. In this case I can see that the fake link does NOT go to Apple at all. Instead it goes to some unknown server in another country (.nl refers to the Netherlands). I've grayed out most of the actual link for your protection.
When you discover a secret URL deviating from and hidden behind a fake URL label, you know you're being phished. Needless to say, DO NOT click the phishing link!
How Are Secret URLs Hidden Behind Fake URLs?
Here is the HTML command being used by the phishing rats:
"<A HREF="URL" TARGET="_blank">TextOfLink</A>"
Ignoring the coding details, there are two important parts of this command:
1) The actual URL. I have placed the word URL above where the actual URL is placed into the command. For Apple, that could be "http://www.apple.com", placed within the quotes.
2) The Text Label For The URL. I have placed the phrase TextOfLink above where the text label is placed into the command. For Apple, that could simply be Apple, without quotes.
Where this command becomes dangerous is through the use of a URL as your text label. This is allowed! It's clearly a fault of HTML coding. For example, instead of using Apple as the text label I could use anything I like, such as http://www.CuteLittleSquirrel.com. In this example, someone would think they are going to CuteLittleSquirrel.com but they're actually being sent to Apple.com.
Here are a couple of code examples:
Real:
You can visit Apple by going to http://www.Apple.com!
Phishing:
You can verify your Facebook password by going to http://www.Facebook.com!
The Real link really goes to Apple. But the Phishing link does NOT go to Facebook! In this example, it also goes to Apple. But I could make it go ANYWHERE on the Internet I liked, while still fooling you that it goes to Facebook.
When you arrive at a phishing website, it has been set up to appear to be real. This can be done by stealing all the graphics and design of the original website, such as Facebook, then uploading it to the faked phishing website. It looks like Facebook! But it's NOT Facebook. Having suckered you there, the phishing rats can then ask you to LOG IN to your account. You log in, you believe. But they have just stolen your ID and password. You've been successfully phished.
Phishing websites can ask you ANYTHING. What's your birthday? What's your credit card number? What's your card's secret code? What's your maiden name? Where do you live? Etc. If you hand them the data, they abuse you. Typically, people's identities are sold to other rats who want to steal from you or pretend to be you for nefarious purposes. That's bad.
Further Details About Mac User Phishing
Topher Kessler, formerly of MacFixIt (which CNET has discontinued), has set up a new website for helping Mac users: MacIssues.com. He has an excellent article covering further details of the ongoing phishing of Mac users:
New phishing attempt mimics Apple support
You'll find that Topher uses the same example I provided above, which is helpful for understanding what's going on. He has also provided further illustrations. Thank you Topher!
:-Derek