
Top 3 WINs and FAILs of phishing

We

Fail nr. 3: This was in the age when phishers had just discovered redirects as a way to avoid detection. The trick is quite simple: you redirect from one link to another and end up on a clone of an official institution. Guess what… sometimes copy-paste works against you. We’ve seen some “phishing” samples where the last page was… [eyes wide open] the official bank.

Indeed, this is not that funny. We will present here also WIN nr. 3:

Win nr. 3: Sometimes cloning an official institution can be tricky. If you copy everything, you might also copy this: “THE BANK WILL NEVER, UNDER NO CIRCUMSTANCES, ASK YOU TO PROVIDE CONFIDENTIAL INFORMATION BY E-MAIL (USER ID OR PASSWORD, CARD NUMBER, CARD EXPIRY DATE OR PIN)”. And guess what: this actually works. It sometimes even creates more credibility than just removing it.

Let’s move along with FAIL nr. 2, which was quite common two years ago: you receive a phishing email stating that your bank has to do maintenance work on its servers and you need to log back in to the website. Nothing interesting here, it is just the classic phishing scenario. But what happens when you get greedy and target multiple institutions? Well… yes: mistakes. Like sending emails targeting institution A while the phishing website targets institution B.
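As an added example (not code from the original post), here is a small Python triage helper that follows a constructed, offline redirect table and flags the two failure patterns described above: a chain that lands on the genuine bank site, and a lure whose email brand differs from the landing page brand. The hostnames, the redirect table and the brand-to-domain map are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for live HTTP 3xx hops (offline sample, placeholder URLs).
REDIRECTS = {
    "http://shortlink.example/a1": "http://tracker.example/go?x=1",
    "http://tracker.example/go?x=1": "https://bank-a.example/login",      # Fail nr. 3: ends at the real bank
    "http://shortlink.example/b7": "http://secure-login.example/bank-b",  # Fail nr. 2: lure says A, page is B
}

# Hypothetical brand -> legitimate domain map (constructed for this example).
LEGIT_DOMAINS = {"Bank A": "bank-a.example", "Bank B": "bank-b.example"}


def follow_redirects(url, redirects=REDIRECTS, max_hops=10):
    """Return the list of hops from url to the final landing page.

    Stops on a loop or once max_hops is reached, the way an analysis
    sandbox bounds redirect chasing instead of following it forever."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        if url in chain:  # loop detected; the chain never lands anywhere
            break
        chain.append(url)
    return chain


def classify(lure_brand, landing_brand, entry_url):
    """Triage one lure from (brand named in the email, brand shown on the
    landing page, link found in the email)."""
    chain = follow_redirects(entry_url)
    host = urlparse(chain[-1]).hostname or ""
    if host == LEGIT_DOMAINS.get(lure_brand):
        # Fail nr. 3: the "phishing" link resolves to the genuine site.
        return "misfire: chain ends at the genuine site"
    if lure_brand != landing_brand:
        # Fail nr. 2: the email and the landing page impersonate different banks.
        return "mismatch: email targets %s, page impersonates %s" % (lure_brand, landing_brand)
    return "phishing: lookalike host %s impersonating %s" % (host, landing_brand)
```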

Win nr. 2: We think this would be the case for the universal phishing. Sometimes, in order to make online payments, you have to register your card details. Hence… behold, the universal phishing. Ladies and gentlemen: please insert below every detail about your card: credit card number, PIN, security code, name, expiration date, and also your address, the issuing bank (since we have no idea which bank you are using) and so on. Also, if you have multiple cards from multiple banks, please insert their details as well. Lovely, isn’t it?

And for FAIL nr. 1… we actually couldn’t decide here. Let’s see if you can! Remember the financial crisis from 2009? Remember that some banks went bankrupt? Well… how about sending phishing emails for those banks, a couple of months after they were gone?

And the other one? How drunk can you be when you write a phishing email and forget to… you know… the basic stuff… like actually inserting the phishing link?!?

And for Win nr. 1: Well… remember the famous quote from “The Usual Suspects” – “The greatest trick the Devil ever pulled was convincing the world he didn't exist.” The same applies here: “The greatest trick the phishers ever pulled was convincing users that they only hunt for banking details.” Yes, that is true 50.000 times per month, but actually, any other detail about yourself is equally important.

On a serious note now… you should check out this movie.