Your account will be closed in 24h!

Yahoo phishing

Thursday night and checking Facebook on my mobile before going to sleep. One of my friends is complaining about how hard it is to use Yahoo mail abroad. Problem logging in and now there’s some problem with the account. “Your E-mail account has exceeded its limit and needs to be verified, if not verified within 24 hours, we shall suspend your account. Click Here to verify your email account now.” And when you try to resolve it, it doesn’t even work. You just end up on the login page! Damn Yahoo!

Stop! This message is not about a problem with the mail system, it’s a very typical phishing mail. I responded with a warning, and yes, the link had indeed been clicked and the credentials entered on a page that looked like the Yahoo login page. That made my friend a phishing victim like so many other Internet users. It was the beginning of a long night trying to figure out how to change the mail password using a tiny mobile screen. But the case came to a happy end. The password was apparently changed before the attackers had a chance to take benefit from the account, thanks to the swift reaction.

How to spot a phishing attempt?

  • It arrives as a mail message. Mail can be sent by anyone and it is trivial to spoof the sender’s address so that it seems to come from your mail operator or some other company you trust.
  • People think less when they are afraid so it tries to create a sense of danger. Something bad will happen unless you react. The closure of your account is a very common threat when phishing for e-mail accounts.
  • People think less when in a hurry so it tries to create a sense of urgency. You need to act right now. This lowers the risk that the victim checks out the facts first. The 24h deadline is a typical trick to achieve this.
  • It links to a web page that looks like an official page of, for example,  your mail operator. But it is actually controlled by the attacker, who also receives any information you enter. You are hacked if you enter your mail user name and password, or other valuable information.

My friend is not a computer newbie, and did in theory know all this. But the attack succeeded anyway. How is this possible? Imagine that it is late in the night and you are tired. There are other people distracting you. You are traveling and really depending on your mail account. And on top of that, you have had problems and expect even more trouble with this operator. So this is a very typical situation where the fingers can be faster than the brains. This is really the optimal situation for an attacker to hit, and they happened to send this phishing mail at the right wrong time.  Honestly, are you sure this couldn’t happen to you?

Ok, so what should I do to avoid being phished?

  • First of all, do not click links in mails! This is not just about phishing, many get malware too by clicking links. But there are also legitimate links that friends send to you. So you should always think about who the sender is (remember, the apparent sender can be spoofed), in what style and language the message is written, what the claimed content of the link is and how does all this fit together? To summarize, do I expect this kind of message from this person (or company) at this time? This way you should be able to spot the legit links.
  • If in doubt, check what address the link is taking you to before you click. Note that the text forming the visible part of the link may look like a web URL but still be linked to a totally different address. Hover the mouse pointer over the link and examine the address that the mail client or browser shows you. Make sure that the address match the company or site that the link is claimed to point to. For example: The login to Gmail should start with “https://accounts.google.com/” but a phishing site targeting Gmail may use an address like “http://accounts.google.com.etw368hj.nu/”. The latter does NOT belong to Gmail.
  • Get familiar with the login URLs of your favorite services BEFORE you run into a phishing mail. Then it is a lot easier to spot the spoof. The address may look long and nerdy, but you only need to mind the part after the double-slash “//” but before the first single slash. That part identifies the server that you will access. (Your browser may show the address without the initial “http://”, in that case just examine the part before the first slash.)
  • Get familiar with the concept of secured web pages and how to recognize them. Login pages of important services are typically protected this way. Their addresses start with “https://” instead of “http://” and your browser shows a lock or similar symbol next to the address field. You can examine the certificate of the server you are connected to by clicking the lock, and this is reasonable hard proof about who’s running the service. Needless to say, the phishing sites can’t duplicate these cryptographic certificates.
  • If you suspect that there really may be a problem with your mail account, then log in with the link that you normally use to access the account. Do not use a link in a mail message. Look for info banners and pop-up messages shown in the browser after you have logged in. These messages are a lot more reliable and can generally be trusted. Mail operators are well aware of the phishing threat. If you get a mail claiming that there’s a problem, then you can be pretty sure that it isn’t true. The mail operators do not communicate in that way.
  • If you still fall for the scam, attempt to change your password right away. This is also a good time to think about if you have used the same password on other services. Say that john.doe@gmail.com is using the same password as john.doe@hotmail.com. If one get hacked, then the hacker just need to try some of the common mail services to get access to more accounts. This would be a good time to brush up your password practices.

As a practice, examine the link above and try to figure out where it points and what company it belongs to without clicking it.

Safe surfing,
Micke

Phishing @ Wikipedia.

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

More posts from this topic

search

Is Search Engine Result Link You’re About to Click on Safe?

Two of the top five sites on the internet are search engines, which makes a lot sense. We depend on them to find everything from the news to toothpaste to a place to eat dinner. According to internetlivestats.com, Google processes over 3.5 billion searches worldwide every day. Its rival Bing is rising to become the second largest search engine, accounting for 33% of all search queries performed. Now here’s the interesting part. Given these billions and billions of queries, can you be sure that all these search results 'harmless'? When you are clicking on a link Google, Bing or Yahoo! gives you, how do you know you are about to visit a site that is safe? You can't That's why you take simple precautions to make sure you don’t unintentionally visit malicious sites. The most convenient way to stay safe while using search engines is by using a free website safety rating service, such as F-Secure Search. F-Secure Search pre-screens the search results returned by a search engine and gives each result a safety rating. Harmful sites that try to violate your privacy or harm your device are clearly marked, so you know which sites are safe and which to avoid, even before you click on a link! Adult content is automatically blocked from search results, so you have peace of mind when your children are using F-Secure Search. Also, all communication between you and F-Secure is encrypted, so there’s no room for snooping. To help you keep both your personal details and your PC protected from malicious sites, simply go to search.f-secure.com and start using it today. You can also use F-Secure Search as the default search engine in your browser. And while we're you're thinking about surfing safely, take a minute to make sure your browsers are up-to-date. With a safe browser and safe results, you'll be surfing safer than ever.

September 12, 2016
Christine Bejerasco

Meet the Online Guardian Working to Keep You Safe

Every time you go online, your personal privacy is at risk – it’s as simple as that. Whether you’re creating an account on a website, shopping, or just browsing, information like your email, IP address and browsing history are potential targets for interested parties.   All too often, that information is sold on or sometimes even stolen without you even knowing it. And the threats to our online privacy and security are evolving. Fast.   As F-Secure’s Online Protection Service Lead, Christine Bejerasco’s job is to make life online safer and more secure.   “We’re basically online defenders. And when your job is to create solutions that help protect people, the criminals and attackers you’re protecting them against always step up their game. So it’s like an arms race. They come up with new ways of attacking users and our job is to outsmart them and defend our users,” Christine says.   Sounds pretty dramatic, right? Well that’s because it is. While it used to be that the biggest threat to your online privacy was spam and viruses, the risks of today and tomorrow are potentially way more serious.   “Right now we’re in the middle of different waves of ransomware. That’s basically malware that turns people’s files into formats they can’t use. We’ve already seen cases of companies and individual people having their systems and files hijacked for ransom. It’s serious stuff and in many cases very sad. If your online assets aren’t protected right now you should kind of feel like you’re going to bed at night with your front door not only unlocked but wide open.”   Christine and her team of 11 online security superheroes (eight full-time members and three super-talented interns) are on the case in Helsinki.   Here’s more on Christine and her work in her own words:   Where are you from? The Philippines   Where do you live and work? I live in Espoo and work at F-Secure in Ruoholahti, Helsinki.   Describe your job in 160 characters or less? Online guardian who strives to give F-Secure users a worry-free online experience.   One word that best describes your work? Engaging   How long is a typical work day for you? There is no typical workday. It ranges from 6 – 13 hours, depending on what’s happening.   What sparked your interest in online security? At the start it was just a job. As a computer science graduate, I was just looking for a job where I could do something related to my field. And then when I joined a software security company in the Philippines, I was introduced to this world of online threats and it’s really hard to leave all the excitement behind. So I’ve stayed in the industry ever since.   Craziest story you’ve ever heard about online protection breach? Ashley Madison. Some people thought it was just a funny story, but it had pretty serious consequences for some of the people on that list.   Does it frustrate you that so many people don’t care about protecting their online privacy? Yeah, it definitely does. But you grow to understand that people don’t value things until they lose it. It’s like insurance. You don’t think about it until something bad happens and then you care.   What’s your greatest work achievement? Shaping the online protection service in the Labs from its starting stages to where we are today.   What’s your idea of happiness? Road trips and a bottle of really good beer.   Which (non-work-related) talent would you most like to have? Hmmm… tough. Maybe, stock-market prediction skills?   What are your favorite apps? Things Stumbleupon   What blogs do you like? Security blogs (F-Secure Security blog of course and others – too many to list.) Self-Help Blogs (Zen Habits, Marc and Angel, etc.)   Who do you admire most? I admire quite a few people for different reasons. Warren Buffett for his intensity, simplicity and generosity. Mikko Hyppönen for his idealism and undying dedication to the online security fight. And Mother Theresa for embodying the true meaning of how being alive is like being in school for your soul.   Do you ever, ever go online without protection? Not with systems associated to me personally, or with someone else. But of course, when we are analyzing online threats, then yes.   See how to take control of your online privacy – watch the film and hear more from Christine.  See how Freedome VPN will keep you protected and get it now.

July 14, 2016
BY 
Porn blog post image

4 People who can see what Porn you Watch, and 4 Tips to Stop it

In the grand scheme of things, there certainly are more important facets to online privacy than keeping one’s porn habits private (government overreach, identity theft, credit card fraud to name a few). However, adult browsing histories are one of the secrets in their online lives people want to protect the most, so it might be disconcerting to know that porn browsing is not as private as one might think. A large majority of web users are lulled into a false sense of security by incognito mode or private browsing, but this is only one of the steps needed toward becoming private online. Here are a few people who have access to this info, along  with a few easy tips that can be taken to prevent this from happening. 1. Anyone on the same hotspot No one is suggesting you should watch porn at your local coffee shop (in fact, please don’t). However, what people surf in places like the privacy of their hotel room should probably stay there. With that in mind, the following statement might be more than a little disconcerting: What you do on Wi-Fi can be usually be seen by pretty much anyone connected to that hotspot. It doesn't require great hacking skills to see what other people connected to the same network are doing. Only traffic on encrypted websites starting with https is always secure, and almost no adult sites fall under this category. 2. Foreign web service providers When traveling, it's easy to forget that what might be culturally acceptable in one country can land you in hot water with the authorities in another. Whether on public Wi-Fi or roaming on the network of a foreign internet service provider, they may be bound by law to report anyone surfing adult material. The personal freedom we enjoy to surf anything we want online is so second nature to many of us by now, we easily forget the same isn't true for others. 3. Analytics and advertisers (often one and the same) It might not bee too surprising to hear that most companies aren't exactly jumping at the chance to be associated with adult websites. For this reason, networks that serve ads to adult websites don't serve ads to "normal" websites, making porn sites mostly self-contained when it comes to using your private information for advertising purposes. Unfortunately, your adult browsing can still be connected to you. Many adult websites implement analytic services, as well as "like" and "share" buttons, that feed into major advertisers such as Google and Facebook. 4. Your employer (in the U.S. and many other countries) Now, we are DEFINITELY not suggesting you watch naughty stuff at work. I mean, they call it NSFW for a reason. However, that doesn’t change the fact that in some countries, companies have an uncomfortable amount of rights to spy on their workers. It’s natural that employers don’t want their workers doing anything illegal, but you still have a right to privacy, even on a work network. What are your options? So what can you do to prevent privacy intrusions? The first and most obvious choice is to not supply any personal information to adult websites. A lot of porn sites require registration in order to comment on videos (if that's your thing) or to view content in higher quality. Keeping a separate email address for adult websites is therefore highly recommended. The other obvious choice is to always have private browsing on, as this prevents cookie-based tracking and embarrassing browsing histories from being saved on your computer. A slightly more technical but still very easy tip is to disable JavaScript from your browser settings while surfing adult websites. A lot of websites don't function without JavaScript, but all the adult websites we tried for research purposes work just fine. JavaScript makes it much easier  to do something called device fingerprinting. This frustratingly intrusive method of snooping involves the use of scripts to identify your computer based on variables such as your screen size, operating system and number of installed fonts. It might not seem like it, but there are enough variables to make most devices in the world completely unique. But the simplest and most efficient method of controlling your privacy is to use a VPN. A VPN (virtual private network) encrypts all your traffic, meaning no one is able to intercept it and see what sites you visit or what you download. It also hides your real IP address, the unique number which can easily be used to identify you online. A top-tier VPN like Freedome also contains extra features like anti-tracking to stop advertising networks from identifying you, and malware protection to automatically block webpages that contain malicious code. The app is easy to use, and available on most platforms. Online privacy is not a difficult or expensive  goal to achieve, and by following these few steps you will be able to surf what you want without worry.

June 13, 2016
BY