Don’t be fooled by clear and simple messages! – Naked Security


We’re sure you’ve heard of the KISS principle: Keep It Simple and Straightforward.

In cybersecurity, KISS cuts in two ways.

KISS improves security when your IT team avoids jargon and makes complex but important tasks easier to understand, but it reduces security when scammers avoid the mistakes that would otherwise give their game away.

For example, most phishing scams we receive are easy to spot because they contain at least one, and often several, very obvious mistakes.

Incorrect logos, incomprehensible grammar, outright ignorance of our online identity, weird misspellings, nonsensical punctuation!!!!, or bizarre scenarios (no, your surveillance spyware certainly did not capture live video through the black electrical tape stuck over our webcam)…

… all this leads us instantly and infallibly to the [Delete] button.

If you don’t know our name, don’t know our bank, don’t know what languages we speak, don’t know our operating system, don’t know how to spell “reply immediately”, heck, if you don’t realise that Riyadh is not a city in Austria, you’re not going to make us click.

It’s not so much that you’d stand out as a scammer, but simply that your email would show up as “clearly doesn’t belong here” or “obviously sent to the wrong person”, and we’d delete it without ever finding out whether you were a legitimate business or not. (After that, we’d probably block all your emails anyway, given your attitude to accuracy, but that’s a problem for another day.)

Indeed, as we’ve repeatedly emphasised on Naked Security, if spammers, scammers, phishers or other cybercriminals make the kind of mistake that gives the game away, be sure to spot that mistake and make them pay for it by deleting their message at once.

KISS, pure and simple

Sometimes, however, we receive phishing attempts that we have to grudgingly admit are better than average.

While we hope you’d spot them easily, they might still have a good chance of catching you out because they’re quite believable, like this one from earlier today:

At 10.49 a.m. [2] new e-mails have been returned to the sender.

Click below to get a failure message.

https://sophos.com/message/failed_report/[email protected]

Thank you for using sophos.com

domain manager sophos.com

OK, so the English grammar and usage isn’t quite right, and our own IT team would know who they are, so they wouldn’t sign off as “company.name Domain Manager”…

…but if we were a small business and had outsourced our IT and email services, this type of message might not be so out of place.

Also, these scammers used the simple and effective trick of creating a clickable link whose visible text is itself a URL, as if your email software had automatically converted a plain-text URL into a clickable element.

Of course, the email isn’t plain text at all; it’s HTML, so the offending link is really an HTML anchor whose visible text is the URL shown below, while its actual destination is hidden in the link’s href attribute…

https://sophos.com/nothereatall

…in exactly the same way as, but much more convincingly than, a link whose visible text reads…

Click here to see the message.
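A practitioner triaging mail wants that mismatch checked mechanically rather than by eye. The script below is an added example, not code from the Naked Security article or from Sophos: it parses an HTML message body, collects every anchor, and flags any whose visible text is a URL naming a different host than the one in its href. The sample email body is constructed for the demo, and the attacker host “phish.example” is a placeholder, not the real server from the article.

```python
"""Flag HTML anchors whose visible text is a URL that doesn't match the href.

Added example (not code from the article). The email body below is constructed
for this demo; "phish.example" stands in for the crooks' real server, which the
article does not name.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample. The first link's visible text claims sophos.com but its
# href points elsewhere (the trick described in the article). The second uses
# "Click here" text, so there is no URL to spoof. The third is consistent.
SAMPLE_EMAIL_HTML = """
<p>At 10.49 a.m. [2] new e-mails have been returned to the sender.</p>
<p>Click below to get a failure message.</p>
<p><a href="https://phish.example/portal/login.php">https://sophos.com/message/failed_report/</a></p>
<p><a href="https://phish.example/portal/login.php">Click here to see the message.</a></p>
<p><a href="https://sophos.com/support">https://sophos.com/support</a></p>
"""


def host_of(url: str) -> str:
    """Return the lowercased hostname of url, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url          # lets urlsplit see "www.x.com/y" as a netloc
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """True if the visible link text reads as a web address."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www."))


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:       # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str) -> list[dict]:
    """Return anchors whose visible text is a URL on a different host than the href.

    Exact host comparison is deliberate: "sophos.com" shown against
    "login.sophos.com" in the href is also flagged, which is the conservative
    choice for a triage tool; a human decides whether the subdomain is fine.
    """
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        if not looks_like_url(text):
            continue                     # "Click here" style text: nothing to compare
        shown, real = host_of(text), host_of(href)
        if shown != real:
            findings.append({"shown_host": shown, "real_host": real,
                             "href": href, "text": text})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"visible text claims {f['shown_host']!r} "
              f"but the href goes to {f['real_host']!r}: {f['href']}")
```

Run against the constructed sample, only the first link is reported: its text names sophos.com while the href resolves to the placeholder host. The same check is what a mail gateway or a mail client’s link preview is doing when it warns that “the link text doesn’t match the destination”.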

The link doesn’t take you to the real site, of course; it diverts you to a server that has either been set up for this specific scam or hacked by the crooks to serve as a temporary portal for harvesting your data:

Luckily, at this point the scam sticks a little too fiercely to the KISS principle, relying on a web form so stripped down that it looks unusual, though it still has no obvious errors other than the unexpected server name in the address bar.

Amusingly, since the hosting company used by the criminals is based in Japan, disabling JavaScript results in an error message that we assume the crooks didn’t care about (or perhaps couldn’t change), giving you a JavaScript warning in Japanese:

Ironically, the web form works just fine without JavaScript, so if you were to fill in the form and click [Login], the scammers would harvest your username and password anyway.

As we often see, the scam page neatly avoids having to fake a believable post-login experience by simply presenting you with an error message until you give up, contact your IT team, or both:

What to do?

  • Don’t click on “helpful” links in emails or other messages. Learn ahead of time how to find bounce messages and other email delivery information in your webmail service via the webmail interface itself, so you can simply log in as usual and go directly to the pages you need. Do the same for the social networks and content delivery sites you use. If you already know the correct URL to use, you never need to rely on links in emails, whether those emails are real or fake.
  • Think before you click. The email above isn’t obviously fake, so you might be inclined to click on the link, especially if you’re in a hurry (but see point 1 for how to avoid the click in the first place). If you do click by mistake, take a few seconds to stop and check the site details in the address bar, which in this case would clearly show that you were in the wrong place.
  • Use a password manager if you can. Password managers help stop you putting the right password into the wrong site, because they can’t suggest a password for a site they haven’t seen before.
  • Report suspicious emails to your own IT team. Even if you are a small business, make sure all your staff know where to submit suspicious email samples (e.g. [email protected]). Scammers rarely send a single phishing email to a single employee, and they rarely give up if their first attempt fails. The sooner someone sounds the alarm, the sooner you can warn everyone else.

When it comes to personal data, whether it’s your username, password, home address, phone number or anything else you like to keep to yourself, remember this simple rule: If in doubt, don’t give it out.

