Mobile Phishing Campaign Offered Free Flights: Farsight Security recently reported a campaign involving an internationalized domain name (IDN) “homograph-based” phishing website that tricked users into entering their personal information. The suspected phishing website posed as commercial airline carriers, specifically Delta Airlines, EasyJet and Ryanair, and offered free tickets, fooling users with the age-old bait-and-switch technique.
Users were asked to answer a series of questions and then to share the offer with 15 of their WhatsApp contacts before being redirected to the URL where they could access the free tickets. After Farsight discovered the first suspected Delta phishing site, it immediately informed the company. According to Farsight's researchers, the websites were optimized for mobile and failed to work smoothly on desktop, which means the attack targeted only mobile users.
It is not unusual for phishing scams to use spoofed websites and homograph domains to fool users with trusted brand names. “Users, especially on smaller mobile screens, may not be paying close attention to the URLs or domain name of sites to verify their legitimacy,” said Dirk Morris, chief product officer at Untangle.
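One way a defender can flag the kind of IDN homograph domain described above, shown as an added example that is not code from Farsight or from the original article: decode any Punycode label, reduce it to the ASCII string a reader would perceive, and compare it with the brand names. The brand list, the small confusables table and the sample domains are constructed for illustration.

```python
import unicodedata

BRANDS = ("delta", "easyjet", "ryanair")  # carriers named in the article

# Constructed subset of Cyrillic look-alikes; a production check would load
# the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

def decode_label(label):
    """Decode an xn-- (Punycode) label to Unicode; lowercase anything else."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: keep the raw label
    return label

def skeleton(text):
    """Reduce a label to the ASCII string a reader would see at a glance."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):
            continue  # drop accents and dots attached to Latin letters
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)

def imitated_brand(domain):
    """Return the brand a non-ASCII label visually imitates, or None."""
    for raw in domain.strip().rstrip(".").split("."):
        label = decode_label(raw)
        if label.isascii():
            continue  # only internationalized labels can be homographs
        skel = skeleton(label)
        for brand in BRANDS:
            if brand in skel:  # substring match also catches "brand-tickets"
                return brand
    return None

if __name__ == "__main__":
    # Constructed sample domains, not indicators from the reported campaign.
    samples = ["delta.com", "d\u0435lta.com", "r\u0443anair.com",
               "e\u1ea1syjet.com", "m\u00fcnchen.de"]
    for d in samples:
        print(ascii(d), "->", imitated_brand(d))
```

The same function accepts the `xn--` form seen in DNS logs and certificate transparency feeds, so it can run over passive DNS or newly registered domain lists without a separate decoding step.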
Despite having been around for a while, these types of attacks remain largely successful. “Studies have shown that 95% of the web-based attacks use social engineering to trick the users,” said Atif Mushtaq, CEO at SlashNext.
“These types of contest phishing scams have become increasingly sophisticated, in large part because people are getting trained by their organizations to recognize the fake emails, giveaway scams or imposter websites asking for the credit card or login details.”
Running into phishing scams is not uncommon, but there are various signs to look for, as explained at the HUNT program at SecureSet.
“Check the ‘from’ email address for any signs that it might not be legitimate, and look for numbers instead of letters or common misspellings or letters that are inverted or missing. Poor spelling and grammar can be giveaways in the body of the email,” Menendez said.
“Your bank and other legitimate accounts will never ask for your social security number in an email. If you receive an email asking for this information, call your bank (and any other company who may be requesting this) to confirm. Never provide email, account information or password via email.”
“Many phishing scams will look very legitimate,” he said, “so even if the email looks like it comes from your cable company, be extra cautious. This is an instance where an ounce of prevention is worth a pound of cure.”