Email phishing: why clicking links is a bad idea
Everyone knows you have to be careful with links sent via email, but most people don’t know exactly why. Let’s take a closer look.
First, it’s important to know that it is still relatively easy to make an email appear to come from someone else. This is called spoofing, and allows unscrupulous people to send an email that appears to come from your bank, your credit card, your web host, or anywhere else.
Now let’s consider the email itself. It is easy to copy a legitimate email with its branding and graphics and wording and send it out with slight modifications. At this point you have an email that looks like it comes from somewhere official, and it looks correct. No red flags here.
Next it is important to understand how domains work. Domains consist of three main parts.
(.com) The first is the Top-level Domain (TLD), which is the last part of the domain. Usually .com, but there are many options, including country-specific ones (e.g. .ru for Russia) or US governmental ones (e.g. .gov). In most cases you’ll be looking at a .com domain though.
(mazuzu.com) The next part is the domain name itself: Google, Facebook, Microsoft, Mazuzu, etc. The key here is that this part is unique, which means that facebook.com is the ONLY facebook.com and mazuzu.com is the ONLY mazuzu.com.
(mobile.mazuzu.com) The third part is the subdomain, and it comes before the domain, separated with a period. This is a way for businesses to divide their sites into different sections, and they are a useful part of most websites. The important thing to note here is that subdomains are NOT unique to the business. While you cannot have google.com, you can have google.yoursite.com, because anyone can create any subdomain under a domain they own. There can even be more than one (mobile.app.mazuzu.com).
Now, let’s say an unscrupulous goon wants you to think they are from your bank, and let’s assume the web address for your bank is mybank.com. (Note: after recording the video for this topic we discovered that the domain ‘mybank.com’ is actually an existing bank, but we aren’t talking about any specific business here; this is an example with a coincidental domain overlap.) The internet hoodlum buys a domain that sounds official. Let’s say securelogin23.com. Now they can link to that, but it isn’t all that convincing, so they add a subdomain: mybank.securelogin23.com. Much more convincing. What about taking it a step further? ‘com’ can be a subdomain too, so why not use two subdomains and link to mybank.com.securelogin23.com? This is now a very convincing and misleading link, and it does not lead to mybank.com: the only part that is unique to its owner is securelogin23.com.
Now we have an email that is from the right place (apparently), and it looks right, and it links to something that looks a lot like mybank.com. Perhaps there’s some text to scare people into acting quickly, such as a notice that your account has been compromised and you must update your login information. Convincing and effective. Let’s move to the web.
Webpages are easy to copy. The graphics, styles, text, and code can be copied quickly and easily. So, our nefarious ninja can copy mybank.com and display the exact same thing on securelogin23.com.
Now here’s where things get especially devious. It is possible to create a system to capture your login information when you type it into this clone of your bank website, and then this script can automatically redirect to your legitimate bank website and log you in to that site. So your experience is exactly as it should be. You are unaware that your data has just been stolen.
There are many variations of this sort of thing, and this is an example of how easily things can go wrong.
Always be careful to look for the correct domain (NOT subdomain) in email links, and if you’re not sure, simply open a browser and type in the address yourself.
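The domain breakdown above (TLD, domain, subdomains) and this advice to check the domain rather than the subdomain can be turned into a small link checker. The code below is an added example, not part of the original article: it pulls the host out of each link in a message, reduces it to the part that is actually unique to its owner (the registrable domain, e.g. securelogin23.com), and flags anything that does not match the expected bank domain. The small table of two-label public suffixes (co.uk and the like) is an assumption for the example; a production checker would load the full Public Suffix List instead. The sample links are constructed from the article’s own examples.

```python
from urllib.parse import urlparse

# Assumption for this example: a tiny, hand-picked set of public suffixes that
# span two labels. Real code should use the complete Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the part of a link's host that is unique to its owner.

    That is the label immediately left of the public suffix plus the suffix
    itself (e.g. 'securelogin23.com'). Everything to the left of that is a
    subdomain, which anyone who controls the domain can create at will.
    """
    # urlparse only recognises the host when a scheme is present, so supply one
    # for bare links such as 'mybank.com.securelogin23.com'.
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return host  # not a normal public hostname; nothing to shorten

    # Decide whether the public suffix is one label (.com) or two (co.uk).
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return host  # the host *is* a public suffix; leave it alone
    return ".".join(labels[-(suffix_len + 1):])


def link_matches(url: str, expected_domain: str) -> bool:
    """True only when the link's registrable domain equals the expected one.

    Subdomains of the expected domain (mobile.mybank.com) pass; a look-alike
    such as mybank.com.securelogin23.com does not, because its registrable
    domain is securelogin23.com.
    """
    return registrable_domain(url) == expected_domain.lower()


def check_links(links, expected_domain: str) -> dict:
    """Classify every link in a message as 'ok' or 'suspicious'."""
    return {
        link: "ok" if link_matches(link, expected_domain) else "suspicious"
        for link in links
    }


# Constructed sample links, modelled on the article's mybank.com scenario.
SAMPLE_LINKS = [
    "https://mybank.com/login",                       # the real site
    "https://mobile.mybank.com/login",                # a real subdomain
    "https://mybank.securelogin23.com/",              # look-alike subdomain
    "https://mybank.com.securelogin23.com/login",     # 'com' used as a subdomain
    "mybank.com.securelogin23.com",                   # same, without a scheme
]

if __name__ == "__main__":
    for link, verdict in check_links(SAMPLE_LINKS, "mybank.com").items():
        print(f"{verdict:10s} {registrable_domain(link):22s} {link}")
```

The check is deliberately strict: it compares the registrable domain for exact equality instead of asking whether the text “mybank.com” appears anywhere in the link, which is exactly the mistake the misleading subdomain relies on.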
Keep your eyes open. The hooligans are always very tricky.