Dinner with President Halimah? Phish’s on the menu.

Sentinel Protocol Team
Published in Sentinel Protocol
8 min read · Mar 6, 2020

By: Donovan Tan, Cybersecurity Researcher (Singapore)

Nope… there’s no dinner — only a phishing scam. President Halimah urged all Singaporeans to ‘familiarize yourself with tell-tale signs of a phishing email’ — we will show you how.

On the 26th of February 2020, President Halimah took to Facebook, warning Singaporeans of an ongoing email phishing campaign which invited recipients to a dinner with herself, PM Lee and Cabinet Ministers. Recipients were asked to download an invitation letter and enter their email credentials. Of course, there was no such dinner, and the cyber-criminals behind this phishing email wanted to steal their victims’ credentials. This warning was eventually published on the front page of the Straits Times Home section (27th Feb 2020), highlighting how pressing and prevalent the issue of phishing scams in Singapore is.

What is Phishing?

Phishing is a type of cyber fraud carried out by attackers masquerading as trusted entities. The goal is usually to trick victims into revealing confidential information or to install malware on their devices. Consequences of such attacks include but are not limited to data leaks and identity theft leading to financial losses.

Popular channels to carry out such attacks include email and SMS, where phishing site URLs, forged documents or malware download links are spread, and automated phone calls, where attackers claim to be from trusted authorities and subsequently request your personal information.

Why you should care about Phishing.

Phishing is common.

Even in Singapore. Some of the commonly impersonated organizations in local phishing scams include DBS Bank, DHL and government-related entities. In November 2018, DBS and the Singapore Police Force (SPF) revealed that more than 50 DBS customers had fallen for SMS phishing scams over the previous 2 months¹. Most of these SMS messages inform users that suspicious activity has been detected on their accounts, and ask users to enter their banking credentials at the phishing link provided. As seen on DBS’s security alerts page, these phishing scams are still ongoing, with different variations appearing frequently.

Phishing SMS messages targeting DBS customers. (Taken from https://www.channelnewsasia.com/news/singapore/phishing-scam-dbs-posb-customers-fake-sms-police-10957456)

More recently, the SPF warned the public in January 2020 about a fake police phishing site that accused victims of viewing and spreading illegal material, proceeding to seemingly lock their browser². The fake site then demanded users enter their credit card details to pay a fine in order to have their browsers unlocked.

Phishing Website impersonating SPF (Taken from https://www.channelnewsasia.com/news/singapore/fake-police-website-locked-screen-phishing-12361668)

Phishing works.

According to Verizon’s 2019 annual Data Breach Investigations Report, phishing had the highest success rate out of all threat vectors and was involved in 32% of reported data breaches³. Phishing is a social engineering attack, and like all such attacks, exploits human emotion and manipulates the human mind. The exploitation of something inherent in all of us is what makes it relatively non-technical to implement yet effective and dangerous. Vulnerabilities in systems can be patched to prevent exploitation, but human emotion cannot. To increase their rate of success, cybercriminals utilize social engineering tactics such as exploiting human greed or creating a false sense of urgency and invoking fear in victims like those seen in the DBS and SPF phishing campaigns.

Phishing has costly repercussions.

Financial losses could be incurred when personal data such as banking credentials are compromised. Statistics from scamalert.sg reveal that SGD$21.1M has been lost through impersonation scams⁴. With phishing often being an entry point to larger scale data breaches and cyber-attacks⁵, organizations that fall victim could incur heavy losses too. Cybercriminals can obtain access to an organization’s internal systems or email accounts through phishing attacks carried out against employees. This enables them to carry out further attacks such as the Business Email Compromise (BEC) attack. In BEC, cybercriminals use compromised company email accounts to make illegitimate requests internally, such as a request for payment to a vendor where the bank account provided is actually the cybercriminal’s⁶.

Defending against Phishing attacks

With scammers frequently coming up with new phishing campaigns utilizing different ruses, tactics and channels, how can one protect against phishing attacks?

Below are 3 methods to help keep you safe:

  1. Use of Anti-Phishing tools
  2. Learn about Phishing and its tell-tale signs
  3. Keep calm, think rationally

1) Use of Anti-Phishing tools

An effortless way of protecting yourself against phishing attacks would be to let anti-phishing tools do it for you. These tools might be part of a full endpoint solution or come as a standalone tool like an anti-phishing browser extension. Examples of such tools include Uppsala Security’s UPPward, a web browser extension capable of warning users when they visit malicious sites.

2) Learn about Phishing and its tell-tale signs

Sadly, anti-phishing tools do not guarantee you complete protection against phishing scams. Ultimately, the most straightforward way of protecting yourself against phishing scams would be familiarizing yourself with common tricks used in phishing campaigns (such as SMS spoofing) and learning how to identify one.

SMS Spoofing

Through SMS spoofing, it is possible for attackers to set the organization they are impersonating as the sender’s name in their SMS message.

Example of an actual phishing campaign carried out through SMS Spoofing

As seen above, the SMS appears to have originated from OCBC Bank; however, it is actually a fake SMS from a phishing campaign. Members of the public who are not tech-savvy and unaware that such an attack exists might easily fall for phishing scams using it.

Although phishing scams might come in variations and through different channels, there are thankfully a couple of generic tell-tale signs across them. Here are some of them:

Misspelt/Incorrect URLs

A skilled attacker can accurately recreate a legitimate organization’s website, but he will never be able to copy the website’s unique URL.

Example of an actual phishing site with incorrect URL seen in one of our investigations

To overcome this and increase their chances of tricking victims, many attackers employ various deceptive tactics when crafting their phishing URLs. Below are a few of the common tactics used.

Keeping these common ploys in mind, you can protect yourself from phishing scams by meticulously examining the links provided by the scammer and ensuring they match the legitimate URL.

Illogical, Unrelated Domains

In scenarios where one is unfamiliar with the exact URL of the legitimate website being spoofed, one can instead examine the domain of the URL given by the scammer. A tell-tale sign of phishing campaigns is URLs whose domains sound illogical or are too generic and bear no relation to the impersonated organization’s brand. Examples include these actual phishing websites which targeted Airbnb customers.

*These are actual phishing sites collected through our threat intelligence. Please do not visit them.

These URLs might seem related to Airbnb at first glance. However, their domains should sound off warning alarms.

Suspicious Email Address from Incorrect Domains

When it comes to identifying phishing emails, one can look at the domain of the sender’s email address. Most organizations, especially those prominent enough to be targets of phishing campaigns, use email addresses belonging to their own email domains for official correspondence. If the sender’s email address does not belong to the supposed organization’s email domain, it is likely to be a phishing email.

Legitimate Email
Phishing Email (Taken from https://www.dbs.com.sg/personal/deposits/security-and-you/default.page)

Another point to bear in mind is that an email sender’s name is not unique and can easily be set by a cybercriminal. When verifying the authenticity of an email, we should always refer to the sender’s actual email address and not the display name. As seen in the phishing email above, the scammer had set the name to ‘DBS iBanking’ to mislead victims. However, by looking at the domain of the sender’s email address, we see that the email is sent from @automail.com and not @dbs.com, hence it should not be trusted.
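As an added example (not code from the original post), the following Python applies the two checks described above, whether the sender’s real address belongs to the organization’s domain and whether the links in the body do, to a constructed email modelled on the DBS one; the LEGIT_DOMAINS list, the BRAND value and the sample link are assumptions.

```python
# Added example, not part of the original post: flag a sender address and
# body links that do not belong to the impersonated organization's domain.
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organization's legitimate domains are known in advance.
LEGIT_DOMAINS = {"dbs.com", "dbs.com.sg"}
BRAND = "dbs"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host_belongs_to(host, legit_domains):
    """True if host is one of the legitimate domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in legit_domains)

def check_sender(from_header, brand, legit_domains):
    """The display name is attacker-controlled; judge the address domain instead."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if not host_belongs_to(domain, legit_domains):
        findings.append(f"sender domain @{domain} is not {sorted(legit_domains)}")
        if brand in name.lower():
            findings.append(f"display name '{name}' imitates {brand} but address does not")
    return findings

def check_links(body, brand, legit_domains):
    """Flag every link whose host is not the organization's domain."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host_belongs_to(host, legit_domains):
            continue
        kind = "lookalike" if brand in host.lower() else "unrelated"
        findings.append(f"{kind} link host: {host}")
    return findings

def assess_email(from_header, body, brand=BRAND, legit_domains=LEGIT_DOMAINS):
    return check_sender(from_header, brand, legit_domains) + check_links(body, brand, legit_domains)

# Constructed sample modelled on the DBS example in the post; the first link is made up.
SAMPLE_FROM = "DBS iBanking <ibanking@automail.com>"
SAMPLE_BODY = ("Suspicious activity was detected on your account. "
               "Verify now: https://dbs-ibanking-verify.example.net/login "
               "Terms: https://www.dbs.com.sg/personal/default.page")

if __name__ == "__main__":
    for finding in assess_email(SAMPLE_FROM, SAMPLE_BODY):
        print("WARNING:", finding)
```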

3) Keep Calm, Think Rationally

Yes, phishing is a social engineering attack and cybercriminals try to exploit your emotions by creating scenarios that invoke greed, fear or urgency. They try to make you think and act irrationally. However, knowing how prevalent phishing scams are today, we should consciously try to keep calm and do the opposite. Most phishing scams targeting the general public adopt a ‘spray-and-pray’ approach — a generic scenario is created and sent out to the masses via different channels. As such, there are often logic gaps in the stories or claims created by attackers.

Dinner invitation from the President? I don’t think the President is THAT free to randomly invite citizens for dinner out of the blue…

Police demands you pay a fine for distributing illegal content? Why believe it or worry if you have never done so?

Suspicious transactions made by your bank account? Simply log into your official iBanking app and check!

At Uppsala Security, we believe that cyber threats can be tackled more effectively through collective, crowdsourced threat intelligence. If you come across any site you suspect to be malicious, inclusive of phishing sites, please report it to us through https://portal.sentinelprotocol.io/create/case.

UPPward is free to use and available on Chrome, Brave and Firefox Browsers.

Chrome & Brave Extension: https://chrome.google.com/webstore/detail/uppward/okchiedmnincflodifnojcnhnncldcbk

Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/uppward-by-sentinel-protocol/
