Information Security: Let's Catch a Phish

Overall, the internet has been a boon to all of us. It has simplified exchanges of ideas and opened up whole new areas of exploration, all via our laptops, desktops, smartphones, and tablets. Unfortunately, there is a downside to the internet, a true bane, and it is more evident today than ever before.

This article is to caution you about the dangers that are out there from malware, ransomware, and their evil kin. Our conclusion is, you can never be too cautious when trying to protect your data, sending and receiving emails, and surfing the web.

Just this past week, tens of thousands of computers around the world were infected with malicious ransomware in a repeat of a massive cyberattack that struck not all that long ago. If you were or are on the receiving end of any of these intrusions, you already know of the danger and hopefully, are taking the security measures needed to ward them off.

For all of our readers, we suggest studying carefully the attached articles as well as pursuing the matter independently. We urge you to take whatever steps you feel are necessary and in your best interest to protect your data and yourself from unwanted attacks by intruders intent on stealing from you and making your lives miserable.

Be assured, we at Aramco ExPats take cyber security very seriously. We hope you do as well. ~Commentary by Aramco ExPats

 

Tariq H. Driwish has no reservations in reporting phish test

Tariq H. Driwish of the Geophysical Data Acquisition Division was the first employee to identify a June phishing test email sent by Saudi Aramco’s Information Security Department. This month’s email featured a request to confirm a reservation made to the Madrid Ritz Hotel and asked recipients to “click here” if they wanted to cancel their reservation.

Driwish responded to the test email quickly by hitting the “Report as Spam” button as soon as he saw several clues that it was a potential phishing threat. The clues included:

  • A suspicious entity (Ritzhotel@travelalrts.com)
  • An indicator that the email was sent from an external email
  • An embedded link

Driwish immediately reported the message to spam@aramco.com, indicating the potential of a phishing email.

Cybersecurity Tip of the Month

Homograph phishing attacks are almost impossible to detect

As email and internet users are becoming cyber aware and are being trained in detecting phishing emails, hackers are going to great lengths in devising a sophisticated technique that is almost impossible to detect even by the most vigilant email users.

Hackers can deceive users by displaying a fake domain name as a legitimate one, exploiting a known vulnerability in popular web browsers such as Chrome and Firefox. For example, a frequent user of apple.com may be lured into clicking a link in which the Latin “a” is replaced with the Cyrillic “a” that is commonly used in Greek, Russian and Bulgarian languages. This technique is known as a homograph attack.

Hackers can register domains that look the same as apple.com by replacing a Latin character with a Cyrillic character. In multilingual computer systems, different logical characters may have identical appearances. For example, the Unicode character U+0430 — Cyrillic small letter a (“а”) — can look identical to the Unicode character U+0061, Latin small letter a (“a”). Therefore, a website such as apple.com can be registered using the Cyrillic “a” to deceive internet or email users into trusting the website.

Inspecting a link by hovering the mouse over it will not help, since the underlying destination URL is not revealed. However, if you copy and paste the URL into the browser, you will see the following Punycode URL address: https://www.xn--80ak6aa92e.com, which directs to a malicious website.

To make matters worse, the homograph link can also begin with https://, so trusting an https link is no longer a reliable way of getting assurance if you are subjected to a homograph attack.
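
The check described above, as an added example that is not code from the original article: it decodes the Punycode address quoted in the text (written with the ASCII "xn--" prefix), reports which non-Latin script its letters come from, and names the protected domain it imitates. The LOOKALIKES table and the protected list are constructed assumptions.

```python
import unicodedata

# Constructed, deliberately small lookalike table (Cyrillic -> Latin).
# Assumption: a real deployment would load the full Unicode confusables data.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l"}


def decode_label(label):
    """Return the Unicode form of one DNS label, decoding the xn-- form."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed Punycode: keep the raw label visible


def scripts(text):
    """Scripts used by the letters, read from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def inspect_host(host, protected=("apple.com",)):
    """Decode a hostname and check it against names worth protecting."""
    labels = [decode_label(part) for part in host.rstrip(".").split(".")]
    shown = ".".join(labels).lower()
    # Replace known lookalikes with the Latin letter they imitate.
    skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in shown)
    imitates = None
    for name in protected:
        same_look = skeleton == name or skeleton.endswith("." + name)
        if same_look and shown != skeleton:
            imitates = name
    non_latin = set().union(*(scripts(l) for l in labels)) - {"LATIN"}
    return {"displayed": shown, "non_latin_scripts": sorted(non_latin),
            "imitates": imitates}


if __name__ == "__main__":
    # The Punycode address quoted in the article, then the genuine name.
    for host in ("www.xn--80ak6aa92e.com", "www.apple.com"):
        print(host, inspect_host(host))
```

A mail gateway or proxy log review can run the same check over extracted hostnames and alert on any result where "imitates" is set.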

What to do?

It’s obvious how dangerous this scam can be, but you shouldn’t panic. If you are using the Internet Explorer or Safari browser, you should be fine since these browsers won’t show the address as apple.com if it is spoofed. However, if you use the Chrome or Firefox browser, it is highly recommended that you update the browser software immediately. The homograph phishing attack affects Chrome browser version 57.0.2987 and Firefox browser version 52.0.2.

Preventing a homograph phishing attack:

  • Chrome and Firefox users should update browser software immediately.
  • Chrome has already released a fix in its latest “Canary” version. Alternatively, Chrome users are recommended to download Punycode Alert. It is a Google Chrome browser extension that warns users when the URL they are accessing has some Punycode content to prevent.

Firefox users can follow the steps below to mitigate the risk of a homograph phishing attack:

  • In your Firefox location bar, type ‘about:config’ without quotes
  • Do a search for “punycode” without quotes
  • You should see a parameter titled: network.IDN_show_punycode
  • Change the value from false to true.

When in doubt, type the URL in the browser rather than clicking the link in an email.

We encourage you to spread the word with family and friends so everyone can be safe online.