The Most Common Way People Get Hacked & How to Avoid It
The One Foolproof Method to Spotting Phishing Attacks: Understanding URL/Link Syntax
Saudi journalist Jamal Khashoggi, the chairman of Hillary Clinton's 2016 presidential campaign John Podesta, and the Ukrainian power grid. What do all of these have in common? The answer: they were all victims of computer phishing attacks.
These attacks delivered malware that took over their devices, resulting in Khashoggi's eventual murder, the leaking of John Podesta's emails that disrupted the 2016 US election, and the Ukrainian power grid being temporarily disabled.
Although the cited examples are quite high-profile, that doesn't mean phishing attacks are only used against high-value targets. Quite the contrary: they are the most common form of cyber-attack used today. In 2020, the FBI's Internet Crime Complaint Center recorded over twice as many incidents of phishing as of any other form of computer crime.
So what is phishing, and how can we defend ourselves against it?
What is Phishing?
Phishing is when a hacker pretends to be a trustworthy entity such as a friend or a financial institution in order to fraudulently obtain sensitive information.
The ‘fishing’ metaphor refers to the idea of getting you on the hook and then reeling you in.
Phishing attacks most commonly originate from emails or instant messaging. The attacker will use a variety of ways to obtain the desired information. Here are some common examples.
- Sending the victim to a fake website to collect confidential information, e.g. PayPal scams or fake "reset your password" alerts.
- Sending you attachments that contain malware or getting you to download malware via links.
How to Protect Yourself
To avoid being phished, you need to spot when you are being baited, and in particular when you are being directed to a fake website.
There are many heuristics or indicators that we can use to spot fake emails.
- Emotional motivators.
- Spelling errors and unusual/unprofessional formatting.
- Unfamiliar sender — the sender and origin email address can be faked.
- Not addressing you by name — note that hackers can find your name in data breaches or social media.
- An HTTPS secure connection (the padlock that shows in your browser) is not a sign of legitimacy. All it means is that the connection to the website is encrypted. That's like saying your connection to the hacker is secure.
- Unsolicited/unexpected attachments, especially executable or macro-enabled file formats: iso, exe, msi, dmg, docm, xlsm, pptm, etc.
- Checking and evaluating links.
I will be focusing on perhaps the most common and most difficult indicator to spot: malicious links.
Unfortunately, spotting fake links isn't intuitive. For example, drive-google.com. Why isn't this the legitimate Google Drive URL? Read on…
Learning web address, link or URL structure
The domain name in a web link consists of one or more parts (technically known as labels), separated by full stops.
The right-most label is the top-level domain; for example, the domain name google.com belongs to the top-level domain (TLD) com. Other examples of TLDs are net, gov and org.
Country-specific TLDs also exist, such as au, uk, de and tw.
The hierarchy of domains descends from the right-most label to the left-most; each label to the left specifies a subdivision, or subdomain, of the domain to its right. For example, in en.wikipedia.com, wikipedia is a subdomain of com, and en is a subdomain of wikipedia.
Subdomains have many uses. In the above example, the en subdomain is the English version of Wikipedia. To take another example, in maps.google.com the maps subdomain designates Maps, a service that Google offers.
The important thing to know is that we are looking for the main domain, which is always the label immediately to the left of the TLD. Why? Because the owner of the main domain can attach whatever subdomains they want under it.
Learning to Spot Malicious Links
Example 1 — Malicious subdomain
With that in mind, let's look at an example. Imagine you got an email that looked like it was from Google, saying a document had been shared with you. When you check the link, it directs you to drive.google.com.xyz.com
At first glance, this may appear real. But the main domain here is xyz. The trick is that the owner of the xyz domain added subdomains that make it look like a Google Drive link.
Example 2 — Malicious main domain
Let's revisit our drive-google.com example from earlier. The problem with this link is that drive is not a subdomain here, because drive is not separated from the main domain by a full stop. So the main domain is not google, it's drive-google, a totally different website that anyone can buy.
Example 3 — URL Shortening/redirection services
This was the email sent to the aforementioned 2016 Democratic campaign chair, John Podesta.
This phishing email used a different technique: a URL shortening/redirection service. Common examples of these services are TinyURL and bit.ly. These services let you create a short link that, when opened, redirects you to another URL.
The thing to remember is if you click one of these links, it can redirect you to anything.
In the above email, the Change Password link is a bit.ly link. When Podesta opened the link, he was redirected to the malicious website, which resulted in the hacking of his email account. The rest is history.
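As an added example (not code from the original post), here is a small Python check that applies the three rules above: extract the main domain, flag a shortener as an unknown redirect, and flag links that hide the expected name in a subdomain or inside a hyphenated main domain. The SHORTENERS and SECOND_LEVEL_SUFFIXES sets are constructed stand-ins for real, maintained lists (the Public Suffix List in particular), and the suffix handling goes slightly beyond the post by treating names such as example.co.uk correctly.

```python
from urllib.parse import urlsplit

# Constructed, illustrative lists; a real check needs maintained data
# (the Public Suffix List for suffixes, a current list of redirect services).
SHORTENERS = {"bit.ly", "tinyurl.com"}
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}  # main domain sits one label deeper


def host_labels(url: str) -> list:
    """Split the host part of a URL into its labels, e.g. ['drive', 'google', 'com']."""
    if "://" not in url:
        url = "http://" + url  # bare names like drive-google.com still parse as a host
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is already lower-cased
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a domain name: {host!r}")
    return labels


def main_domain(url: str) -> str:
    """Return the main (registrable) domain: the label directly left of the TLD."""
    labels = host_labels(url)
    # Under a suffix such as co.uk the TLD effectively spans two labels.
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, expected: str) -> str:
    """Classify a link against the main domain you expect the sender to use."""
    expected = expected.lower()
    labels = host_labels(url)
    main = main_domain(url)
    if main == expected:
        return "ok"
    if main in SHORTENERS:
        return "redirect"  # destination unknown until the short link is expanded
    brand = expected.split(".")[0]  # "google" for google.com
    subdomain_labels = labels[: len(labels) - len(main.split("."))]
    if brand in subdomain_labels:
        return "lookalike-subdomain"  # Example 1: drive.google.com.xyz.com
    if brand in main.split(".")[0]:
        return "lookalike-main-domain"  # Example 2: drive-google.com
    return "mismatch"
```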
Never open links unless you can verify the link’s main domain is genuine.
If you want to verify a shortened URL, you can expand it via CheckShortURL.
If in doubt, just Google or DuckDuckGo the company and use the link of the search engine instead of clicking the email or text messages link.
You can also phone the company or individual to confirm if the message is legitimate.
Finally, practice! I’d recommend trying Google’s Phishing Quiz.
Disclaimer: I have no affiliation with this website. Good luck!