The New Face of Phishing—Have You Been Hooked? 

Here’s a quick quiz: What is Phish?

1. A 1980s rock band from Vermont.

2. Obtaining financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake website that replicates the real one to steal your personal information when you respond to it.

3. A card game. They're all correct, except the card game "Go Fish" is spelled differently. The term "phishing" originated in the mid-90s, but wasn't commonly known until almost 10 years later. Scammers went "fishing" for online users' information, but the "ph" in place of the "f" refers to phreaks—the earliest hackers.

Phishing is when a scammer targets someone by email, telephone, or text message luring them into providing personally identifiable information such as passwords, credit card numbers, or Social Security numbers. This information could be used to access accounts and may result in identity theft and financial loss.

Recent corporate data breaches could cause phishing attacks

Many companies have experienced data breaches in the past few years Yahoo, Equifax, Anthem, eBay, Home Depot, Target, TJX Companies, Inc., and most recently T-Mobile. There have been so many data breaches that many people have begun to ignore them. But even small data breaches shouldn't be ignored; as hackers may have enough information on customers to attempt phishing attacks on those customers.

In the T-Mobile breach, hackers accessed the names, billing zip codes, phone numbers, email addresses, account numbers, and account types of approximately 2 million of T-Mobile's 77 million customers. T-Mobile's breach is much smaller than the 2017 Equifax breach, which compromised the data of 143 million people. And 87 million Facebook users were impacted by the recent Cambridge Analytica scandal. But even though credit card and password information wasn't stolen in the T-Mobile breach, T-Mobile customers should still be on the alert for suspicious emails, and change their passwords. 

What is OAuth?

In a typical phishing attack, users are tricked into keying in their passwords or other sensitive data when they’re directed to fake websites. However, the 2017 Google Docs phishing scam, which imitated the Google Docs online file server and targeted 1 million users, used OAuth, an open-standard authorization protocol or framework that describes how unrelated servers and services can safely allow authenticated access to their assets without actually sharing the initial, related, single logon. Users didn’t have to enter any information to give the bad guys access to their email accounts. Google moved quickly to address the scam and stopped the phishing campaign in approximately one hour. It also assured customers that, while contact information was accessed, no other data was exposed.

OAuth allows users to log in to third-party websites using their account with a site such as Google, Facebook, Twitter or Microsoft without disclosing their password for those services to the third-party sites.

Some sites allow you to log in using, for example, your Facebook account. To log in to the site, you are sent to Facebook where you enter your Facebook credentials, if you are not already logged in to Facebook. The third-party site never sees your Facebook password, but Facebook sends a token that lets them know who you are. The third-party site then gives you access. Depending on what permissions you set, you may also choose to give the third-party site access to some of your Facebook data, such as the names of your friends, or allow your Facebook friends to see what you are listening to on Spotify.

What happened in the Google Docs Scam?

OAuth is convenient when you’re dealing with legitimate apps and websites, because you don’t have to remember and enter a lot of passwords. You can use your credentials for a site such as Google or Facebook to log in to another site without revealing your Google or Facebook credentials to the other site.

In the Google Docs phishing scam, a fake app was created that caused users to believe they were dealing with a Google Docs app.

Instead of a legit document, the email link initiated a process to give a phony app masquerading as "Google Docs" access to the user's Google account. If the user was already logged in to Google, the connection routed that app into an OAuth permissions page asking the user to "Allow" access to the user's legitimate Google Drive. It appeared authentic to most users, and there was nothing that would alert security software that the page was not legitimate.

How can users avoid these scams?

Because an attack using OAuth can be especially hard to detect, technology expert Bob Rankin offers the following: “My policy is to avoid OAuth unless I know the party asking to use it is legitimate. I will register the tedious way instead, creating a username and password and providing a throwaway email address if necessary. Under no circumstances would I grant OAuth privileges to any sender of email that I was not expecting, even if it appears to come from a friend or trusted website.”

In February of 2018, scammers targeted Apple’s App, iTunes, and iBook Stores with phony phishing emails asking for customers’ information.

Apple quickly posted a support document so customers could distinguish official emails from phishing attempts. The document explains how scammers and other nefarious actors might use the company's name, logo and other credentials to trick users into handing over sensitive data.

The Apple website also explains steps to take if you receive a phishing email that appears to be from the company. Apple emails about your App Store, iTunes Store, iBooks Store, or Apple Music purchases will never ask you to provide the following information over email: Social Security number, mother’s maiden name, full credit card number, or credit card CCV code.

The Federal Trade Commission (FTC) provides online security tips

Luckily there are many online resources to help you avoid phishing scams. The FTC provides many common-sense tips for avoiding phishing scams like the following:

1. Be cautious about opening attachments or clicking on links in emails.

2. Don’t click on phone number links.

3. Don’t give in to pressure tactics. Make the call if you’re not sure.

4. Turn on two-factor authentication.

5. Back up your files to an external hard drive or cloud storage.

6. Keep your security up to date.

7. Report phishing emails and texts.

You can also report phishing incidents on the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center site. 

Phishing Examples provided courtesy of DigitalGuardian.com