3 Most Common Phishing Scams

A recent report by the Securities and Exchange Commission indicates that phishing is on the rise. In fact, phishing is the kind of cybercrime an average user is most likely to encounter on a day-to-day basis. Phishing attacks rely on human vulnerabilities, making them more difficult to defend against when compared to viruses, for example. Although modern browsers and security suites incorporate anti-phishing technologies, it still pays to be aware of the most common phishing scams.


Still the most common form of phishing, emails from phishers impersonating bank employees or other legitimate parties asking the recipient to click on a link to enter sensitive data remain a threat. Typically, links will appear to be valid, but will actually direct the user to a forged website. Phishers count on users mistaking the fake site for the real one, and entering login information, credit card numbers, bank account information and other valuable data.

Often, these emails will include a logo for the impersonated company or agency and may even contain some legitimate links to seem more convincing. In the past, many of these emails featured blatant “tells”, such as a generic salutation – “Dear customer,” or something similar – and even contained grammatical or spelling errors in the body of the text. However, a report issued in 2011 by the Anti-Phishing Working Group listed “spear-phishing,” or the targeting of a specific individual by addressing him or her personally, as a growing threat.

Security experts recommend some basic tactics to avoid becoming the victim of a scam email. Since banks and government agencies rarely contact people regarding account information or personal data by email, be suspicious of any email claiming to be from bank personnel or an agency such as the IRS, especially if it opens with a generic salutation or contains spelling or grammatical errors. If you receive such an email and think it might be legitimate, call your bank or the organization directly and ask. If there is a link in the email, manually enter the link address rather than clicking on the link. 

Website Forgery

Website forgeries often pick up where an email left off. FraudWatch International lists several browser exploits designed to con a user into trusting a fake website and entering personal information. The use of JavaScript to hide the browser’s actual address bar and replace it with an image of an address bar displaying the legitimate URL is a common tactic.

Another, simpler tactic is to direct the user to a URL that closely resembles a legitimate web address, such as, or to a sub-domain containing the name of the real company. For example, a link might point to, counting on the fact that some users will not realize that the domain is, and not a Bank of America site.
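A mail filter or link checker can separate these two cases from genuine links by looking at the host the link really resolves to. The following is an added example, not from the original article: it classifies a link relative to one trusted domain, flagging hosts that merely contain the company name and hosts that sit within a small edit distance of it. The trusted domain `examplebank.example` and all sample links are hypothetical, constructed values.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify_link(url, trusted="examplebank.example"):
    """Classify a link's host relative to one trusted domain (assumed value)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    # Only the trusted domain itself and names beneath it are genuine.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    brand = trusted.split(".")[0]
    labels = host.split(".")
    # The company name appears, but the host belongs to another domain.
    if any(brand in label for label in labels):
        return "brand-in-foreign-domain"
    # A label is one or two edits away from the company name.
    if any(0 < edit_distance(label, brand) <= 2 for label in labels):
        return "lookalike"
    return "unrelated"

# Constructed sample links; every domain uses a reserved TLD.
SAMPLES = [
    "https://www.examplebank.example/login",
    "https://examplebank.example.secure-login.test/login",
    "https://examplebank-secure.test/",
    "https://examp1ebank.example/login",
    "https://news.invalid/story",
]
```

The key point is that a hostname is read from right to left: whatever appears to the left of the real domain, including a familiar company name, says nothing about who controls the site.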

JavaScript or ActiveX can also be used to launch a pop-up window while directing the browser to the real site. Users, seeing the legitimate site in the background, will assume that the pop-up is associated with the site. In fact, the pop-up window simply sends login information back to the phisher.

A variation on that tactic is referred to as a “Man-in-the-middle” (MITM) attack. These attacks occur when a phisher uses a fake site to capture data from the user, sends that data to the legitimate site, and then displays the data returned from the legitimate site on the fake page.

Disabling JavaScript and ActiveX execution in your browser is a simple way to prevent most of these attacks, although that might also limit the functionality of legitimate websites. A safe way to ensure that legitimate sites that use scripts are still usable is to add known good sites to a “safe” list, allowing scripts to run on those and only those pages. Also, be careful to avoid entering personal information unless using a secure connection. Look for the padlock symbol in either the corner of the browser window or in the address bar, and click on it. Compare the name of the site in the certificate to the URL in the address bar. If they don’t match, chances are good that the site is fraudulent.
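The certificate comparison described above follows fixed rules that browsers apply automatically. The following is an added example, not from the original article, showing that comparison: each DNS name listed in the certificate is matched against the host in the URL, with a wildcard standing for exactly one label. The certificate is a constructed sample in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`, and all domains are hypothetical.

```python
from urllib.parse import urlsplit

def san_matches(pattern, host):
    """Match one certificate DNS name against a host, label by label.

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label, so *.shop.example does not cover a.b.shop.example.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: refuse wildcards with fewer than three labels.
        # Real clients consult the public suffix list instead.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers_url(cert, url):
    """True if any DNS subjectAltName in the certificate covers the URL's host."""
    host = urlsplit(url).hostname
    if not host:
        return False
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(san_matches(name, host) for name in names)

# Constructed certificate in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}
```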

Evil Twin

Taking the MITM attack to the next level, the so-called “evil twin” attack is a method by which phishers impersonate a legitimate wireless access point in an effort to glean login information and other sensitive data from nearby wireless users. Once the bogus access point is set up, it can be configured to pass users through to the legitimate access point in the hopes of gaining access to even more information. Because these attacks rely on the proximity of the phisher to potential victims, they can be effectively run using just a laptop with a WiFi card.

As early as 2005, PC World reported on this phenomenon, noting that attacks frequently occurred in typical “hotspot” areas such as cafes. With the dramatic increase in WiFi coverage, the popularity of WiFi hotspots, and the prevalence of powerful wireless devices, these types of attacks are a growing threat. Business travellers and users in areas such as airports and hotels are especially vulnerable, since these places see large numbers of transient customers, making it unlikely that a hacker would stand out from regular customers.

Evil twin scams can be difficult to detect since there aren’t many signs that would indicate to the non-technical user that something is amiss. Still, there are steps you can take to protect yourself, and to mitigate any harm should you fall victim to one of these attacks. Before you log on to any WiFi service, ask an employee for login instructions. They should be able to tell you the SSID of the wireless connection, as well as any security information you might need. Use your operating system and browser’s security features. All major operating systems and browsers offer security presets for wireless connections in public places such as libraries and cafes which make it more difficult for hackers to access your data. Some experts recommend getting one credit or debit card used solely for online activity in order to mitigate any financial repercussions should your card number be stolen, but the safest advice is to avoid carrying out any personal financial transactions in public spaces.
