Phishing and Pharming are a huge part of the cybercrime world. It all started with “The Nigerian Prince”. An urgent message out of nowhere that claims that some government official or member of a royal family needs help to transfer large amounts of cash, sound familiar? This scam alone has generated BILLIONS OF DOLLARS. Scams like this have been used, washed, rinsed and repeated through the years and they are very successful.
What makes them so effective? Why are we so easily deceive by such bad acting? We have common unspoken knowledge among us that “it can’t happen to me”. We never speak it and rarely even know that it exists, but we all have it to some degree about different things.
Nothing could be farther from the truth though. The scammers rely on this “COMMON KNOWLEDGE” to succeed. In many cases without it, all they have are poorly written scare tactics or sketchy promises of wealth and fame that can easily be seen though.
Our lack of concern and knowledge has opened a floodgate that seemingly can’t be closed. The only way to avoid exploitation and theft is to gain knowledge of the threats so they will be identified and rendered harmless (to you and yours at least). Knowledge is power and ignorance is a weakness…
What is Phishing
Phishing is a strategy to lure people into giving up personal information, credentials and data. Generally these attacks are conducted through emails, text messages or fraudulent websites.
Often, victims are presented with offers that are too good to be true. They use tactics like fake lotteries or raffles, feeding off of the subject’s desire to acquire wealth. After all, who wouldn’t be excited to run into a bag of cash, no strings attached? They get the victim exited, then ask for the person to claim the reward.
Other types of phishing might include a sense of urgency. These will typically use known and trusted businesses, such as banks for example, and inform you that the account will be suspended or that your credentials need to be updated.
Once the attachment or the link has been clicked, there are a couple of different things that could happen. First possibility, you are asked to fill in your personal information directly. Second, they could try to install malware on your system which could gather the information.
Either way, if they get your credentials, they can gain access to anything you could access. Money, healthcare, loans, ect. There have even been cases in which a victims credentials were given to the police adding crimes to their record.
It is very frightening of how easy and common these stolen identities are. Below I am going to go over a couple of these scams and a few things to look out for to stay safe out there.
Sex as a weapon – Caught with your pants down…
This topic is a bit embarrassing. We have all heard horror stories, or even been the heart of one, in which someone walks in during “private time”. This is the height of embarrassment for many. We tend to be very private creatures when it comes to sex, both with and without a partner. (Well, most of us)
I am going to speak here about sextortion. Yes, Sextortion is a real thing and it has even been successfully used against people who have never even watched online porn. These guys do their homework before attacking.
See, before they reach out to potential victims, they will gather personal information about them to gain authority so that the fears of being exploited, either founded or unfounded, becomes very real.
Once attention is undivided, a claim is made that a porn website you visited was infected by malware that will expose you if you don’t pay cash.
Some even claim that the webcam was hacked and split-screen video has been recorded of you watching. Then come threats that your entire contact list is compromised and the video will be sent to everyone.
Viewing habit don’t even play a role in these scams. Whether you have ever or will ever watch porn on your computer does not matter. The only criteria of a target is the attacker having information to use as leverage. Plain and simple.
As I mentioned above, many people have been tricked into paying these people even though they don’t even watch porn online.
Just the thought of people they love thinking of them in that light was enough. They prey on that deep seeded fear of being caught with your pants down, and it appears to work.
Lottery scams – Want to be a millionaire?
Scams about financial gain tend to be a huge part of the industry. People in general are easily blinded due to their desire to gain wealth.
Many people have received messages stating that they have won a substantial amount of money. Some people that have fell for these scams even knew that it could be a scam yet, were overwhelmed with the possibility of it being real.
As soon as real money is mentioned, the mind starts racing. The thoughts of what they will do with the money will defy all reason. If someone thinks they have won money, they usually tell others who will impotently inform them that it is a scam.
Imagination overrides reality and essentially replaces it. Often times people will pay large sums of money to claim their reward.Other times the attacker is after information. With these credentials money can be gained and the victim is left vulnerable to exploitation.
These types of attacks have been around for a long time but keep evolving. They began with letters in the mail and phone calls. As email became more popular, it became the primary target.
Recently this evolution has brought this scam to Facebook. People have been receiving “Official” looking emails from Facebook sharing the exciting news that they have won the Facebook Lottery.
These emails are very convincing and appear to be genuine because they are originating from hacked accounts. These emails ask for the person to claim their reward through a link or attachment.
Others have been finding friend requests. Once these requests are excepted, the game begins. Usually something like, “Hello, I have some amazing news for you. I recently won X amount of cash from Facebook Freedom Promotion and you are next.” By stating that they have won and claimed the cash already gives feeds the illusion that it is for real.
Some of these requests are actually coming from hacked accounts from people the victim really knows to further create trust. They are then directed to a website or sometimes to a phone number (that only accepts texts for some reason), to claim the money. At this point they are asked to give personal details that are used to exploit and steal.
Spear phishing – Localized attacks
Spear phishing refers to targeted attacks on specific subject’s. I think of it as a fisherman using a spear to catch one specific fish rather than casting bait to see what bites. With so much data floating around the internet, it is not very hard for a hacker to find personal and sensitive information.
It is also easy to find a weakness in targets to exploit. Social media has become a treasure for cybercrime. So much information is fed into social media it has opened a door for exploitation on a whole new level.
All of this information can be used to gain trust and to create an opportunity to attack. Our lives have become living breathing entities in the virtual world. And please believe that there are thousands of people who want to find your weakness.
A Big Phish is a high level or wealthy target. Targeting these Big Phish is considered Whale Phishing. For example, a person can be contacted by what appears to be a colleague and asked to give money or data and will do so without the slightest suspicion.
These targeted attacks are often well planned out and very thorough. They are sometimes very sophisticated attacks and can be quite convincing. The damage, in my experience, has already been done by the time the victim even knows that they have been attacked.
Pharming – “Phishing without a lure”
This next method is quite frightening and has much more reach than these targeted attacks. It is also called Phishing without a lure because it doesn’t require a subject to be directly targeted. This method is set in motion when malicious code that s corrupts host files.
These corrupted files strategically redirect the victim to a fraudulent website. The code is installed either on a server or a personal computer. Hackers are able to target massive amounts of people through Pharming. These codes can be sent through Email to infect these files or they can be used to modify DNS servers.
When host files are compromised, they convert the URL so that when browsing, you will be directed to lookalike site instead of the desired site. These fake sites will attempt to steal your login information and other personal details.
DNS poisoning is truly scary. This is when the malicious code infects a Domain Name System. When a search is conducted online, a DNS server will match your search with the corresponding IP address. By these servers being infected, it gives the hackers a huge target audience and the subject’s computer doesn’t even have to be infected.
Everyday millions of requests can handled by these servers! Imagine the impact this could have. Especially since many of these websites are nearly identical to the site being impersonated. It is really scary to think that we are this vulnerable.
Once they have your information (account numbers, passwords, credit card details, ect.) they can get to work stealing and can have access to virtually everything you have access to. Let’s face it, identity theft happens.
Things to look out for
– any communications that ask for credentials should be approached with caution.
– if a bank or any other trusted institution asks for you to update or verify your personal details
– watch for grammatical errors and messages that seem spoken in a second language
– bad sentence structure
– pixelated logos
– urgent request like claims that your account will be closed or is compromised or appears desperate
– emails from unknown or untrusted source with attachments
– ALWAYS look for HTTPS and a padlock on the address bar like the one you see above. This assures you that you have a secure connection
These are a just few things to keep your eye out for but a general rule to follow, if something doesn’t feel or seem right assume that it isn’t. If you feel that you are being contacted by a legit company talk to them in person or find a number to call.
Call the company directly and speak to them about the alleged problem. If you are unsure of a company, it is really easy to do a bit of research. It is hard to recover from Identity theft. Take the time to be sure you are dealing with real people who will do what they say they will.
We are stronger together
If you ever receive any of these emails or are directed to a fraudulent site you should report it right away to the FTC (Federal Trade Commission) and directly to the organization that is being impersonated. If we don’t take action to stop these people and to educate our self and the ones we love this cycle will continue.
These people are only winning because we continue to hand them victory after victory. If you have gained any useful knowledge here please educate your family and the ones you love. Knowledge is power and our ignorance is their greatest weapon.
They have the upper hand because most of us completely disregard our own senses. Even though we know that there are threats online, many of us do little or even nothing to protect our selves online. Blindly walking through the digital world can ruin your physical one.
It is also very important to keep your system clean. Anti-malware/Anti-virus software is essential to your security and safety. It is imperative that you run scans on your systems on a regular basis to assure that your device isn’t infected. And for you Mac lovers, yes, it is wise to scan your machines as well. Here are a couple of articles you might find helpful…
Please comment below if you have found this information useful or if their is anything you would like to add. I am always eager to learn. And if you have any questions or if their is anyway I can help feel free to contact me at the email below. We are in this together and we should stand together.
Best of luck,
founder of tonypcmd.com