How to identify a phishing site
Tuesday, September 12, 2023
In our Anti-virus Times issues, we often devote attention to online fraud and talk about the tricks that cybercriminals use to deceive users. Phishing is one of the most common types of online fraud that is based on social-engineering techniques. For example, in this issue, we described another scheme involving a fake marketplace and revealed how users were incrementally deceived.
Why do attackers often use phishing for their personal enrichment? This is because, when it comes to profits, the effort-reward ratio is in their favour. As a rule, no complex technical solutions are involved, and the victims themselves give their money and/or information to the criminals. For this, various but often simple tricks are used, which work thanks to the gullibility and ignorance of users. In addition, the development of the digital environment and the emergence of new communication channels provide network scammers with additional tools and opportunities.
A fake website is integral to classic phishing. This is a cybercriminal-created-and-controlled website that either is directly designed to steal data and money or works as an intermediate link in more complex, deceptive schemes. In this Anti-virus Times issue, we will talk about how to independently determine that you have a phishing site in front of you so that you don’t fall for cybercriminals' tricks.
How did you end up on this site?
Attackers actively use various communication channels for their primary "bait". Mailings, SMS messages, instant messengers, social networks, advertising banners and even paid website promotions in search engines — all these tools are available to scammers for distributing links to their phishing resources. Here is the simplest example: you’ve received an SMS from an unknown number with an attractive offer that would beef up your income and a link to the site. No matter how convincing the text of the message is, there is a 99.99% likelihood that the link will lead you to a phishing resource. All the data that you enter there, whether personal information or card numbers, will end up in criminals' hands. Thus, it is important to be able to identify the deception at the very first stage, and for this, it is enough to follow a simple rule: all links received from unknown senders should be perceived as suspicious.
Most often, cybercriminals lure potential victims with tempting job offers, ads for trading platforms with low prices, promises of social or other payments allegedly owed to the user, and other similar tricks. A while ago, trivial pop-up banners with messages about cash prizes were popular. However, even such seemingly outdated tricks are still used on the Internet and, oddly enough, they do their job.
On a separate note, in some cases, modern browsers prevent users from visiting phishing resources, but such protection does not always work. As a rule, the browser prohibits users from visiting a site if it lacks a digital certificate for establishing a secure connection, or if that certificate is invalid. But you should remember that attackers easily bypass such security measures and most often install free but valid security certificates on their sites. Therefore, the most reliable way to protect yourself will be to think critically and to independently analyse what brought you to an unknown site.
Of course, a link to a phishing resource can be sent to you not only by unknown senders but also by people you know. So, let's look at other signs.
Gauging a website's appearance and functionality
Phishing sites can be divided into two large categories: fakes that mimic the resources of well-known companies and copy their design, and sites that do not copy an original and have their own unique appearance but, in any case, imitate legitimate services. The first category includes, for example, a fake authorisation page for a civil service site, and the second, a phishing site for a new payment system that does not actually exist. Also common are hybrids; this is when the logos and corporate design elements of a well-known company are placed on a phishing site, but, in general, the webpages do not completely copy the appearance of the real site. This can be, for example, an allegedly third-party website of a well-known company where raffles are held among the visitors. In fact, in all cases, the above sites are phishing sites, and they are under the full control of intruders and have nothing to do with the companies whose logos may be used there. It should be remembered that the main task of fraudsters is to try to worm their way into a user’s confidence. That is why phishing resources are most often disguised as the webpages of well-known sites and services.
At the same time, almost all fake sites share a common feature — upon close inspection, you can see that they are slapped together. Spelling mistakes, poor-quality layout, and broken buttons and other elements are very common on phishing sites. For attackers, it is important to throw sand in users’ eyes, and for this, they use tempting offers, splash headlines, famous logos, fake reviews, and other tricks. With this approach, high-quality implementation fades into the background — after all, a fraudulent resource needs to be launched as soon as possible. And in our case, this is exactly what you need to pay close attention to. Most often, a phishing site implements only the functionality that is needed to operate a fraudulent scheme. At the same time, if you deviate from the attackers' scenario and start to just explore the site, you will probably quickly find flaws. And the more complex the site is, the more errors it contains.
Looking at the domain name of a website
The domain name of a site that appears in the browser address bar can reveal a lot. Since it is technically impossible to register a site with a name identical to the real one, attackers try to choose a domain in such a way that it resembles the real one as much as possible when creating a fake resource. For example, the domain name of a phishing site that imitates Doctor Web could be drveb.com or doctorweb.com. A favourite trick: replacing certain letters or numbers with visually similar ones or adding arbitrary numbers to the site name. In the article about the fake marketplace, we talked about how cybercriminals chose the domain sheim668 for their fake online store of the famous Shein brand. This is a very clumsy disguise, but victims of the attackers did not pay attention to it and eventually fell for the trick. In any case, if you have the slightest doubt about the security of a site, you should carefully check its domain name.
At the same time, attackers can fake only the so-called second-level domain, in other words, the main registrable name of the site. A domain name consists of several labels separated by dots. In the fictional address shop.drweb.com, "drweb" is the second-level domain and "shop" is a third-level domain (a subdomain). Only the owner of drweb.com can create subdomains under it, so shop.drweb.com cannot be registered by third parties. But shop.drveb.com, whose second-level domain differs by one letter, would be a fake.
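The domain checks described in the two paragraphs above, as an added example that is not Doctor Web's code: it extracts the registrable (second-level) domain from a link, compares it with a constructed allowlist of domains you trust, and flags names that are one or two edits away from a trusted one (such as drveb or sheim668) or that hide a trusted brand name in a subdomain. The two-label rule for the registrable domain is an assumption that ignores public-suffix cases such as co.uk; a real deployment would consult the Public Suffix List. The confusable-character table is a constructed, partial list.

```python
"""Added example: classify a link by its registrable domain (not Doctor Web's code)."""
from urllib.parse import urlsplit

# Constructed allowlist: the domains this checker treats as legitimate.
TRUSTED = {"drweb.com", "shein.com"}

# Constructed, partial table of substitutions attackers use for look-alike names.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def hostname(url: str) -> str:
    """Lower-cased host part of a URL; a bare 'host/path' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: the second-level domain).
    'shop.drweb.com' -> 'drweb.com'; 'drweb.com.evil.example' -> 'evil.example'."""
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def normalise_confusables(name: str) -> str:
    """Undo common look-alike substitutions so 'drvveb' reads as 'drweb'."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """'trusted' if the registrable domain is allowlisted; 'lookalike' if it
    imitates one (close spelling, trailing digits, or brand hidden in a
    subdomain); otherwise 'unknown'."""
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return "trusted"
    labels = host.split(".")
    sld = normalise_confusables(domain.split(".")[0])
    core = sld.rstrip("0123456789")  # 'sheim668' -> 'sheim'
    for trusted in TRUSTED:
        t_sld = trusted.split(".")[0]
        if t_sld in labels:  # e.g. drweb.com.login-example.net
            return "lookalike"
        if min(edit_distance(sld, t_sld), edit_distance(core, t_sld)) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://shop.drweb.com/login", "shop.drveb.com",
                 "https://sheim668.example/", "https://drweb.com.login-example.net/"):
        print(f"{link:45} {classify(link)}")
```

Only the registrable domain decides the "trusted" verdict, so a link such as drweb.com.login-example.net is flagged even though the real brand name appears at the start of the address.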
Studying the digital certificate of a site
We’ve already talked about digital certificates in this Anti-virus Times issue. As previously mentioned, attackers take active advantage of free digital certificates to bypass the browser's built-in protection and authentication. So, it is hardly surprising that the connection to the phishing site is carried out using the secure HTTPS protocol. And here we need to note an important nuance.
The most common certification authority that issues free digital certificates is Let's Encrypt. With its help, honest creators can obtain and install a certificate on their personal sites, which increases trust among visitors, browsers, and search engines and allows users to exchange information through a secure channel. But all these benefits can be freely used by intruders. Certificates issued by Let's Encrypt are installed on countless numbers of phishing sites. And at the same time, they are almost never installed on the official websites of large commercial enterprises whose pages are faked by attackers. Thus, if a Let's Encrypt center's certificate is installed on the site of a large online store or bank, this is a serious reason to regard such a site as a phishing one. The good news is that certificate details are easy to verify on your own.
For example, in the Chrome browser, this is done as follows. In the address bar, click on the padlock icon to the left of the site name. In the newly appeared window, select Connection is secure, and then select Certificate is valid. A new window containing information about the certificate will open. We are interested in the section "Issued by". If you see R3 in the Common Name (CN) line and Let's Encrypt in the Organization (O) line, this means that this site uses a digital certificate issued by Let's Encrypt.
There is nothing wrong or malicious about the Let's Encrypt certificate itself. The basic idea is that commercial companies are currently using paid digital certificates. For example, Doctor Web's site uses a certificate issued by GlobalSign. Of course, in most cases, cybercriminals will not receive a paid certificate for a phishing site, which is unlikely to exist more than a few weeks.
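The certificate check from the previous three paragraphs, done without a browser, as an added example that is not Doctor Web's code: Python's standard ssl module returns the same "Issued by" fields the browser shows, and the script compares the issuing Organization with the CA that the brand a site claims to be is known to use. The expectations table is constructed from the page's one data point (Doctor Web's site uses GlobalSign); the sample certificate dictionaries are constructed to match the shape of getpeercert() output and are not real certificates. Matching is done on the Organization field rather than the intermediate's Common Name, because Let's Encrypt replaces its intermediates over time and the CN may no longer read R3.

```python
"""Added example: read a site's certificate issuer and compare it with the
CA its claimed brand is known to use (not Doctor Web's code)."""
import socket
import ssl

# Constructed: which CA the real owner of each brand domain is expected to use.
EXPECTED_ISSUER_ORG = {"drweb.com": "GlobalSign"}

# Assumption: CAs issuing free certificates; the page names Let's Encrypt.
FREE_CA_ORGS = {"Let's Encrypt"}

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_LE_CERT = {
    "subject": ((("commonName", "shop.drveb.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
}
SAMPLE_COMMERCIAL_CERT = {
    "subject": ((("commonName", "www.drweb.com"),),),
    "issuer": ((("countryName", "BE"),),
               (("organizationName", "GlobalSign"),),   # simplified, constructed
               (("commonName", "GlobalSign Example CA"),)),  # constructed name
}


def issuer_fields(cert: dict) -> dict:
    """Flatten the issuer tuple-of-tuples into {'C': ..., 'O': ..., 'CN': ...}."""
    short = {"countryName": "C", "organizationName": "O", "commonName": "CN"}
    out = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key in short:
                out[short[key]] = value
    return out


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the leaf certificate
    (network required; not exercised offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def assess(claimed_brand: str, cert: dict) -> str:
    """claimed_brand is the legitimate domain the page presents itself as.
    Returns 'issuer-matches', 'free-ca-on-commercial-brand', 'issuer-differs',
    'free-ca' (brand unknown) or 'unknown-brand'."""
    org = issuer_fields(cert).get("O", "")
    expected = EXPECTED_ISSUER_ORG.get(claimed_brand)
    if expected is None:
        return "free-ca" if org in FREE_CA_ORGS else "unknown-brand"
    if expected in org:
        return "issuer-matches"
    if org in FREE_CA_ORGS:
        return "free-ca-on-commercial-brand"
    return "issuer-differs"


if __name__ == "__main__":
    print(issuer_fields(SAMPLE_LE_CERT))
    print("site claiming to be drweb.com:", assess("drweb.com", SAMPLE_LE_CERT))
```

For a live check, call fetch_cert("www.drweb.com") and pass the result to assess; the verified context means a site with an invalid certificate raises an error before any issuer is read.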
Searching for information about a company
To identify a phishing site, sometimes it is useful to study not only its appearance and functionality but also the content itself. The contact section may tell you a great deal. It often happens that a phishing site does not contain a section with feedback and company information. And this is also a reason to think about the legitimacy of such a site. Also, fraudsters can substitute absolutely any data, stolen included, such as the name of the legal entity, the TIN, the phone number and the legal address. If in doubt, these data should be checked separately on the Internet. If it’s a phishing resource, there is a high probability that the contacts specified will contain information about a company that has nothing to do with what the cybercriminals show you. If the search does not bring any results, the site contains obviously incorrect data, which also indicates a fake.
It’s another matter if the phishing site completely copies the original. In this case, the contacts and other data will most likely be copied as well. Then the other signs that we described above will come to the rescue.
Using special services
When checking a site, it can also be a good idea to use special services that help identify fraudulent resources. Let's take a closer look at them.
Whois is a protocol, and a service built on it, that lets anyone look up public registration data for domain names and IP addresses. Whois is not a special service for identifying phishing sites, but it provides data that can be used to identify a fraudulent resource. To check a website, just copy its name and paste it into the Whois webform. As a result, a data block will be displayed, where the Owner and Created lines will be the most indicative.
Here is a simple example. Let's assume that when using the Whois service to check the site of an allegedly large company, you saw that the owner of the domain is a private individual, and the site itself was created a couple of weeks ago. From this, we can firmly conclude that the site has nothing to do with a real company, and, most likely, it is a phishing site. The fact is that the sites of large companies are rarely registered to individuals, and the recent registration of the domain, along with other signs, also indirectly tells us that the site is a fake.
However, it should be remembered that a phishing site can be registered to a fake company, and not to an individual. In this case, we can indirectly focus on the domain’s creation date, but it is better and safer to check the site using special services.
Checking a link using online services
It is easy to check a suspicious link using special online services. For example, Doctor Web has a service that allows users to check a link in the company's internal database, which is updated daily by virus and Internet analysts.
There are other similar services, such as VirusTotal and PhishTank. They work in a similar way — the website's URL is inserted into a special form, after which a search is performed using phishing databases.
For all the convenience of such services, you need to understand that the result of a check can be a false positive or a false negative. For example, a phishing site may simply not have been entered into the database yet and, as a result, it may be deemed secure. Or, on the contrary, a "clean" site may have been mistakenly entered into the database. Therefore, it is important to take into account all factors so that you don’t fall for cybercriminals' tricks.
The Anti-virus Times recommends
Cybercriminals usually operate on a large scale, so fraudulent sites are not of high quality, and a detailed examination reveals a number of signs that make it easy to detect a phishing resource. Looking at the latest tempting offer before you, it is important that you restrain your thirst for profits in time and carefully check everything that the strangers on the other side of the screen are trying to entice you with.
A comprehensive anti-virus solution with a high-quality web filter will greatly enhance the protection of your digital environment and significantly reduce the probability of visiting the territory of cybercriminals. At the same time, it should be remembered that a huge number of phishing sites appear on the Internet every day, and no automated system can process them all. Therefore, being able to independently identify dangerous sites is a valuable skill for safely passing time on the Internet.