Just when we thought we knew which email attachments we can or cannot open… even if it is from your boss!
With so many warnings, advisories and training sessions about the need to be aware of unsolicited emails, business email compromise attacks and not opening any email attachment unless we are completely sure that the sender is legitimate, many people now think they are immune to online scams and phishing.
However, every now and then, people either get careless, or the attackers get creative. For example, after emerging from a row with someone, we may not be in a calm state of mind when we check our emails. Oh, you are being offered a three-month trial of Netflix! Ok, the email came from “netflİx.com” and that is legit. Ok, count me in. Bang! Your laptop has been compromised!
Notice how the email domain is malformed. It is not “netflix.com” but “netflİx.com”.
The trick with homoglyphs
After all that cyber-awareness training in the office or via video conferencing sessions, if you do not already know by now, homoglyphs are look-alike characters: the visual equivalent of homonyms for letters of the alphabet. In the above example, the ‘i’ in the netflix domain has been substituted with the homoglyph “İ”.
Many letters of the alphabet have homoglyphs, and the latter can be used to fool your eyes. Imagine a not-so-suspicious email from pαypal.com warning you to click on a link to log into your personal account because the website had noticed a suspicious login attempt. Would this have tricked you into using the provided login link? What if the sender’s domain was paypaІ.com? Nope, still a malformed domain! (clue: the letter ‘l’ in it is a homoglyph).
Imagine trusting an email supposedly from your boss but one of the letters of his name has been spoofed!
And then there are link shortener services such as bit.ly. When a scammer or hacker embeds a link in a phishing email, you will not see “www.darkwebphishingserver.com” but “bit.ly/1irhfwHu”. When the rest of the email seems legitimate, we may sometimes be less cautious with shortened links, which do not contain visually alarming word fragments such as “darkweb” in the URL.
Other tricks use homoglyphs, non-Latin characters, and alphabetical letters with accent marks and diacritics, for example ‘é’ to replace the letter ‘e’, ‘Ţ’ to replace the letter ‘T’, ‘ņ’ to replace ‘n’, and ‘ω’ to replace ‘w’.
To foil such URL spoofing attempts, look out for any homoglyphs in the sender’s domain, and to be really sure, copy the sender’s domain, paste it into a browser and see whether it really takes you to the expected website.
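An added example, not from the original article, of how a mail filter or a careful reader can check a sender's domain mechanically for the look-alike tricks above: it names every non-ASCII character, flags any label that mixes scripts, and shows the punycode form that would actually resolve. The sample domains are constructed for this example and mirror the article's netflix and paypal cases.

```python
import unicodedata

# Constructed sample sender domains for this example (not real mail headers).
# The three spoofed ones mirror the article: a dotted capital I, a Greek
# alpha, and a Cyrillic letter that resembles a Latin "l".
SAMPLE_DOMAINS = {
    "legit": "netflix.com",
    "dotted_i": "netfl\u0130x.com",   # LATIN CAPITAL LETTER I WITH DOT ABOVE
    "greek_a": "p\u03b1ypal.com",     # GREEK SMALL LETTER ALPHA
    "cyrillic_l": "paypa\u0406.com",  # CYRILLIC CAPITAL LETTER BYELORUSSIAN-UKRAINIAN I
}

def script_of(ch):
    """First word of the Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def assess_domain(domain):
    """List every non-ASCII character, flag labels that mix scripts, and give
    the punycode (xn--) form that a browser or mail server actually resolves."""
    non_ascii = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
                 for ch in domain if ord(ch) > 0x7F]
    mixed_labels = []
    for label in domain.split("."):
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            mixed_labels.append((label, sorted(scripts)))
    try:
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None  # the IDNA codec refused the name: suspicious as well
    return {
        "domain": domain,
        "non_ascii": non_ascii,
        "mixed_script_labels": mixed_labels,
        "ascii_form": ascii_form,
        "suspicious": bool(non_ascii) or bool(mixed_labels) or ascii_form is None,
    }

if __name__ == "__main__":
    for tag, dom in SAMPLE_DOMAINS.items():
        r = assess_domain(dom)
        print(f"{tag:11} {dom!r:24} suspicious={r['suspicious']} -> {r['ascii_form']}")
        for ch, cp, name in r["non_ascii"]:
            print(f"{'':11} {ch!r} {cp} {name}")
```

The "netflİx" case shows why the script check alone is not enough: the dotted İ is still a Latin letter, so the non-ASCII listing is what catches it.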
The clever RTL trick
Many people who have had enough computer training may get complacent and say “oh, that’s just a .txt file, I can open it safely since malware cannot be hidden in plain text!”. The same can apply to ‘harmless’ PDF or animated .gif files embedded in emails.
Well, guess what? A Unicode character called RLO (right-to-left override) has been used to turn a link such as “youarecompromisedexe.txt” (what you see) into the link “youarecompromised.exe” (what actually opens)!
In fact, using a series of RLO characters, hackers can make the system ignore the last few characters in a filename. Before this vulnerability in web browsers and email-scanning antivirus products was patched, many harmful attached documents managed to escape detection.
Although this vulnerability has been addressed in most modern browsers and software, we should treat the filenames of attached documents with an abundance of caution! Hackers keep looking for online apps and web applications, now and in the future, that remain unpatched against the RLO bug.
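An added example, not part of the original post, that checks an attachment name for bidi override characters and compares the extension a viewer would display with the one the operating system will act on. The sample filename is constructed to reproduce the .txt/.exe trick described above, and the rendering routine is a deliberate approximation of the Unicode bidi algorithm, not a faithful implementation of it.

```python
import os

# Unicode bidirectional control characters that can reorder how a name is drawn.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Constructed sample attachment name: the OS sees a .exe, a viewer that honours
# the RLO shows "youarecompromisedexe.txt".
SAMPLE_ATTACHMENT = "youarecompromised\u202etxt.exe"

def rendered_name(filename):
    """Approximate what a viewer displays: the run after an RLO (up to a closing
    PDF or the end of the name) is drawn right-to-left, i.e. reversed. Other bidi
    controls are dropped; a deliberate simplification of the full bidi algorithm."""
    shown, i = [], 0
    while i < len(filename):
        ch = filename[i]
        if ch == "\u202e":
            end = filename.find("\u202c", i + 1)
            end = len(filename) if end == -1 else end
            shown.append(filename[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            shown.append(ch)
            i += 1
    return "".join(shown)

def check_attachment(filename):
    """Compare the extension the OS will act on with the one a user would see."""
    controls = [(i, f"U+{ord(c):04X}", BIDI_CONTROLS[c])
                for i, c in enumerate(filename) if c in BIDI_CONTROLS]
    shown = rendered_name(filename)
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "real_extension": real_ext,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or real_ext != shown_ext,
    }

if __name__ == "__main__":
    for name in (SAMPLE_ATTACHMENT, "report.txt"):
        print(check_attachment(name))
```

A mail gateway would normally quarantine on the presence of any bidi control in a filename rather than rely on the rendering comparison alone.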
When you think you know every trick
So we know that emails that create a sense of urgency could be fraudulent, as could emails with malformed sender domain URLs and those with shortened links that supposedly take us directly to the log-in page of the service that is contacting us.
Empowered with knowledge of the tricks of the hackers, we can still become complacent and thereby less vigilant, depending on various psychological factors and online situations. For example, when we have just spent an hour waiting for the office network to overcome some glitch, the first thing we do when we finally get access to our inbox is to rush through the flood of unread emails. Perfect setup for carelessness.
In a more targeted scenario where we have already been earmarked by hackers (in what is called spear phishing) for our login credentials, a slate of social engineering tactics may have already singled out some weakness or penchant we have. For example, take a new mother who has posted numerous details of her baby or childbirth experiences on Facebook. Hackers would have found out just enough of what triggers her to click on an online ad about baby products, or an innocent unsolicited email about some wonderful branded baby cot, or even a top 5 search result in a search engine.
The problem is, hackers have been known to hit their targets with omnichannel attacks (similar to multi-stage fraud) by building up a profile of their online habits, proclivities and social circles. The weak links in this profile are attacked first, and if they are compromised, the hackers can impersonate the weak link to win a high level of trust (or a low level of vigilance) from the actual target.
Bottom line: when online (and even after that), trust no one, not even yourself, and use a potent combination of cybersecurity software and strict cyber/password hygiene to protect yourself. No clickable object, URL, log-in page or payment information page is to be trusted, EVER, until proven and double-proven to be legitimate!