As my Information Technology major in school has a concentration in network security, I have been learning a lot--especially lately--about the variety of tactics that hackers will use to compromise our networks, gain our usernames and passwords, and even steal our digital identities.
Also, as I work at a web design company and am now fluent and certified in HTML and CSS, two basic web programming languages, and have a general understanding of other languages as well, it has inspired me to take a closer look at the scams and "hacks" that we see--and often disregard--on a daily basis.
In this article, I will take a closer look and analyze three types of attacks: A Facebook "hack," a mobile SMS (text message) scam, and the classic email scam.
The Facebook "Hack"
Everyone has seen what is commonly referred to as a "Facebook hack" or scam, and most people have grown wise enough to disregard them without a second thought. These "hacks" can often be easy to recognize, as they are usually mass-distributed messages from your Facebook friends whose accounts have already been compromised, requesting that you visit some obscure URL (web address) to see an "outrageous video" or obtain some sort of special offer.
If these messages are uncharacteristic of the friend, such as a message to check out a viral video of a schoolgirl pole dancing in her dorm room when you know that the friend is devoutly religious and would never post such a thing, it should immediately raise a red flag in your head that the post is not legitimate.
However, sometimes mere curiosity or a cleverly worded scam might fool someone into clicking the link. The screenshot below is of a scam post that was posted one of my friend's wall. The post was published by one of his trusted friends, most definitely without their knowledge.
So, if someone posts something like this on your wall, or you notice it in Facebook's News Feed, how do you know whether or not it is legitimate or if it is indeed a scam? Well, there are a few warning signs to look out for.
First of all, read the message in the screenshot above, and then ask yourself, "Is this how my friend actually talks?" In this case, I don't actually know the person who left the message on my friend's wall, but I can clearly tell by reading it that it sounds more suitable to being spoken by a used car salesman and not somebody whose profile picture is of him on a walk with his daughter.
Second, I see the link to a URL that I don't recognize. If it was a link to YouTube or CNN or another website that I had heard of, I would probably click on it without any question. But if it is a site like the one above, I myself would be a bit skeptical about where it might take me. Now, maybe this is just me being paranoid, but when it comes to Internet security, I live by the motto "better safe than sorry."
If I encounter a website that I wish to visit that could quite possibly be legitimate, I will oftentimes highlight and copy the URL, open an Incognito window if I am in Chrome (which is done by holding down Ctrl+Shift+N) so that it is not in in a browser window that is already logged into my Facebook account, paste the link in the address bar, and then go to the website. Also, since I understand HTML and how to read it, if a site looks suspicious to me, I will first view it in its pure source mode by typing "view-source:" (without the quotes) into Chrome's address bar, followed by the URL. However, this is more of an advanced technique.
The third sign that the post in the above screenshot is suspicious, which is most often a tell-tale sign of a Facebook "hack" is the information next to the timestamp on the post. In the example above, it says "March 23rd at 1:24am via Check It Out!" The mere fact that the post was done via some kind of Facebook app tells me that this individual must have clicked on a link that asked them to install an app on their Facebook account. Before installing an app, you will always receive a notice of what permissions you are giving the app over your account, but most people disregard these warnings and proceed with the installation. But without reading it, you may be opening the door wide open to your Facebook account to a malicious app and saying "Come on in!" The app can then post on others' walls in your behalf, as seen above.
Now let's take a deeper look into what this particular post does. I followed the steps I mentioned in a paragraph above to view the source code of the link, and discovered the following:
The link in the Facebook post actually had a trail of website redirects, meaning that going to that website would simply forward you on to another website, and then another, and then another. Scammers will use this tactic to have several routes to their malicious trap, in case one or more of the web addresses get flagged as spam links and are blocked or present warnings.
Finally, I was able to trace the redirects to an actual website. This website had code written to track a visit to the web page and reported the visit back to the Facebook app, in an attempt to "prove" to Facebook that it was a well-traveled page, attempting to fool its anti-spam filters. After tracking the visit, the website would then promptly redirect the user to the final destination where, in this case, it would offer its free Six Flags passes.
If one were to actually view the website, it would look professional and raise no suspicions in regards to what it offers. Essentially, it would look like any other website. But a closer look at the code behind the page would tell a different story.
The first thing I noticed in the code is that it mentioned a number of tickets left, trying to get the visitor to hastily enter their information so that they could claim their ticket before they ran out. However, the code says differently; the remaining number of tickets is static, meaning that it never changes.
The website would ask the visitor for their information as a way for the ticket to be delivered. In this way the visitor promptly hands over their name, address, phone number(s), email address(es), and other information, which can be then be used to sell to third-party marketers, meaning that you'll be getting a lot more phone calls during dinner. If the scammers are smart, they may also ask you to create a username and password, or what you think is a username and password. Why would they do this? Well, because many people use the same username and password for several accounts online.
Yesterday I had a friend approach me and have me look at an email that she had received, claiming that her Gmail account was going to be deactivated if she didn't click on a link and enter he login credentials. She did so and nothing happened. I looked at the email, and noticed some tell-tale signs that it was a scam email that had somehow made it through the filter (but we'll get to email scams later). After finding out that she had already provided her information to the false website, I asked her if she had another other accounts that used the same login credentials, and she said that her Facebook and even her PayPal account used the same information. I told her to promptly go through the real channels to change those passwords, but what if she hadn't been warned? How long would it have taken before her savings account had been emptied via PayPal?
In the Facebook example that I have been citing, I was actually impressed (for lack of a better word) that the scammers even took legality of their actions into consideration with their scam website, providing official Privacy Policy and Terms and Conditions pages...essentially "covering their bases." This is what I found--in the code--when I viewed the Privacy Policy:
Notice how they blatantly say that they will be selling your information to third-party marketers and that you will be receiving special offers via phone calls, emails, etc. The Terms and Conditions page showed a similar message:
The visitors may say to themselves, however, that "at least there is an unsubscribe button at the button of the page, so I won't receive marketing ploys if I don't want them, right?" Wrong. I viewed the source of the Unsubscribe page, and this is what I found:
Essentially, the unsubscribe page shows a form where they can enter their email address to unsubscribe from the offers, but in this case they are literally just going through the motions, because this form is simply an empty shell. Although it looks like it submits the information, it never actually gets sent anywhere. In other words, there is no unsubscribe option.
So, as you can see, Facebook "hacks" can have dire consequences, but only if you ignore your common sense and click on things that you probably shouldn't.
Text Message Scams
A few weeks ago, I got a text from an unrecognized number that my Google Voice account (which I love, as it's directly integrated with my Sprint phone) told me was from Washington DC. The message told me that I had won a $1000 gift card from Walmart and could obtain it by entering a promo code at a certain website.
As crazy as it sounds, I didn't drop everything I was doing and click on the link while popping open a bottle of champagne when I got the message. In fact, I even showed it to my family, who said that they'd all received the same text message at different times over the past few days. In fact, my mom said that she had heard a story on the news, mentioning a disgruntled ex-employee of Walmart that was sending out a phishing scam. Whether this text is from the same source, I do not know.
I was curious to know what the link actually did so, like with the Facebook hack mentioned above, I used Google Chrome's "view-source" feature to check out the HTML code behind the "offer." What I found was this:
Instead of routing the user through several domains like with the Facebook hack, this pulled up a page at the direct URL. From looking at the HTML, it appears that the page displays a form which asks the visitor to input a variety of information to "claim their prize." This input includes a first name, last name, email address, up to three phone numbers, and even a username and password. The data is then submitted to a PHP file that is a server-side script that I did not have access to view. But let's just assume that it doesn't use the data collected to generate a legitimate Walmart gift card and email it to the customer.
So what would happen if someone were to fall into this trap and fill out their information? Well, first of all, that person would soon become fast friends with Mr. and Mrs. Spam. Not just email spam, but text message spam as well, and possibly even telemarketing calls and/or scams. (Is there a difference?)
If the visitor enters a username and password, they are compromising themselves in many ways, mainly because the majority of computer users tend to use the same username and password for several different accounts, as was the case with my friend mentioned in the previous case.
I would sincerely hope that people wouldn't fall into a trap as obvious as this, but if nobody fell for them, then scammers wouldn't take the time to generate false websites, so it definitely makes me wonder how many people were caught in the Walmart Scammer's net.
Spam Emails
Everyone hates spam email, but thanks to sophisticated filters within web-based email services like Gmail and Hotmail, many of us never have to deal with them unless we decide for some reason to go exploring in the Spam or Junk folder.
Another nice feature that has been incorporated into such web-based mail systems is the validation of emails from particular companies to prove their legitimacy, especially financially-related emails such as from banks and PayPal. Hotmail, for example, will show a green shield next to emails like these.
But phishing scammers still try to catch those that are less vigilant with similar emails. I have always been a fan of web-based email systems--Gmail in particular--and often wonder how well applications such as Microsoft Outlook, Mozilla Thunderbird, and others detect spam messages.
There are many tell-tale signs that can be used to detect whether or not an email is from a legitimate source. Let's take the following email that I found in my own spam folder as an example:
The first warning sign, obviously, is the warning message displayed in red by the email system itself, warning the user that the email appears to be malicious in nature. However, the other signs may be obvious to some yet more subtle to less-experienced users.
The wording of the email itself is at least attempting to sound professional, but for a company as renowned as Chase bank, I would expect something a bit more formal. Also, if the user wasn't already mentally blinded by panic at having his or her account deactivated, it would be hard not to raise an eyebrow when seeing that the email from Chase Bank was supposedly sent from an email address from a very strange domain, being email.discover.com. If it was a legitimate email from Chase, wouldn't it come from an email such as abuse@chase.com or something similar?
On a similar note, it is curious that the web link itself is from a strange domain, being fbren.com, as opposed to Chase's actual website. These are things that I notice in a heartbeat and even laugh about, when others may not even notice in their panicked hurry to reactivate their supposedly canceled account.
Wanting to see where exactly this link would take me, I once again used the "view-source" feature in Chrome to view the HTML behind the so-called "re-activation website."
I noticed that, like the first example in this blog, this website also had an immediate redirect to another website. However, this website was quite clever in its redirect, if it's not too ironic to say so. They used an IP address as the domain, as opposed to an actual registered domain name, and then named the subdirectory of the site in such a way that the visitors would perhaps not notice the actual address and believe in its legitimacy.
Curious to know where the attackers originated, I used a simple WHOIS command in my Linux terminal, which gave me all the information I needed to know about the hackers:
It was interesting to note from the information above that the attack was actually originating from a university in China, meaning that some bored students were performing a scam right under their instructors' noses...and doing so from the school computers.
Knowing that this website was obviously a known phishing/scam website, and being very confident in the security of my computer and firewalls, I decided to take the plunge and click on the link--using the "view-source" feature, of course--to see what would happen. Sure enough, I was immediately presented by a warning sign from Google Chrome, warning me about visiting the website in question.
Viewing the HTML code, it was very clear to me that this was web page that was designed to look identical to a legitimate page provided by Chase, complete with logo and color scheme. However, when the visitor entered their information, it would be submitted to a PHP file called login, which would most likely execute code to capture the visitor's login information and redirect them to the actual home page of Chase Bank, so as to remove any suspicion.
And thus we see exactly how an email phishing scam works.
Conclusion
Having a strong background in Information Technology, especially in Internet security and web development, I look at all of these attacks and laugh to myself, thinking that there is no way that anyone could ever fall for such a thing. Yet, as mentioned previously, hackers wouldn't spend so much time meticulously designing these traps unless they had at least enough people fall into them to make it worth the effort, which is highly alarming.
Kevin Mitnick, one of the world's most renowned hackers and--believe it or not--a personal hero of mine because of his vast well of knowledge of the Internet security world, recently said a quote on his Twitter feed that really makes sense with everything that I have mentioned in this post: "Send a man a phish and he will click on it. Teach a man to phish and 10,000 people will click on it."
It is shocking that, in such a day and age where computers and technology are so prevalent in our lives that so many people are still ignorant to the risks they take each time they click on their web browser. But as long as they are vigilant, they need not fall into the traps that lay waiting.
