
Hold on! This legit website could be a trick to steal your passwords

  • Fraudsters are increasingly relying on genuine services, like website builders, to host phishing campaigns, researchers have found.
  • They believe that using these legitimate services tends to make these scams believable.
  • People can still spot these scams by looking for telltale signs, phishing experts suggest.


Just because a legitimate service asks for your login credentials doesn’t mean you aren’t being manipulated.

According to researchers from Unit 42, the cybersecurity arm of Palo Alto Networks, cybercriminals are increasingly abusing legitimate software-as-a-service (SaaS) platforms, including various website and form builders, to host phishing pages. Hosting on these trusted services lends the scams an air of legitimacy.

“It’s very smart because they know we can’t [blocklist] the likes of Google and other [tech] giants,” Adrien Gendre, Chief Tech and Product Officer at email security provider Vade Secure, told Lifewire in an email. “But despite the fact that phishing is more difficult to detect when a page is hosted on a reputable website, it is not impossible.”

Genuine counterfeits

The use of legitimate services to trick users into giving up their login credentials is not new. However, the researchers observed a massive increase of over 1100% in the use of this tactic between June 2021 and June 2022. Besides website and form builders, criminals also abuse file-sharing sites, collaboration platforms and similar services.

According to the researchers, the growing popularity of legitimate SaaS services among cybercriminals is mainly due to the fact that pages hosted on these services are usually not flagged by fraud and scam filters, neither those in web browsers nor those in messaging clients, because the hosting domain itself has a good reputation.

Moreover, not only are these SaaS platforms easier to use than building a website from scratch, but they also let attackers quickly switch to another phishing page if one is taken down by law enforcement.

This abuse of genuine services for phishing does not surprise Jake, a senior threat hunter at a threat intelligence firm who specializes in credential phishing and asked not to be identified because he is investigating active phishing campaigns.

While he acknowledges that it usually takes a bit more effort to detect such abuse, it is not impossible, and he adds that these legitimate services are often more inclined to act on abuse reports, which makes taking down the malicious pages much easier.

In a chat with Lifewire on Twitter, Jake said that most phishing campaigns, including those hosted on legitimate services, show obvious telltale signs to anyone paying attention.

“These legitimate services often have banners or footers that hackers can’t remove, so sites like Wix have a banner at the top, Google forms have a footer saying never enter passwords in forms, etc.” Jake said.

Eyes peeled

Building on this, Gendre says that while the domain may be trustworthy, the phishing page will likely have anomalies in the URL and the content of the page itself.

Jake agrees, adding that, to begin with, the credential phishing page will always be hosted on the abused platform rather than on the domain of the service whose credentials are being sought. For example, if you find a password reset page for Gmail hosted on a website builder like Wix or a form builder like Google Forms, you can rest assured that you have landed on a phishing page.


What’s more, with a little vigilance, these attacks can be stopped before they get going, the researchers suggest. Just like other phishing attacks, this one also starts with a fraudulent email.

“Users should be wary of any suspicious email that uses time-sensitive language to trick a user into taking some kind of urgent action,” the Unit 42 researchers said.

Gendre thinks people’s biggest weapon against such attacks is patience, explaining that “People tend to open and respond to emails very quickly. Users should take the time to read and inspect the email to determine if anything is suspicious”.

Jake also suggests people not click on links in emails and instead visit the website of the service that apparently sent the email, either by entering its URL directly or through a search engine.

“If you’re able to use a password manager, these products are able to match the target URL with the current page you’re on, and if they don’t match, it won’t enter your password, which should sound the alarm,” Jake said.
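The two checks described above, the password manager's host comparison Jake mentions and the earlier observation that a real sign-in page never lives on a site or form builder, as an added Python example. This is illustrative code written for this page, not Vade Secure's, Unit 42's or any password manager's implementation; the brand-to-host table and the list of user-publishable hosts are constructed assumptions for the demo, not exhaustive lists.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed lookup tables for this example (assumptions, not a product list).
# Exact hosts on which each brand's real sign-in page is served.
LOGIN_HOSTS = {
    "Gmail": {"accounts.google.com"},
    "Microsoft 365": {"login.microsoftonline.com", "login.live.com"},
}

# Hosts of services that let anyone publish a page or a form. A leading dot
# means "any subdomain of"; otherwise the host must match exactly.
USER_CONTENT_HOSTS = (
    ".wixsite.com",      # free Wix sites
    "docs.google.com",   # Google Forms lives under docs.google.com/forms/...
    "forms.office.com",  # Microsoft Forms
    ".weebly.com",
)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def _host_matches(host: str, pattern: str) -> bool:
    """Exact match, or subdomain match when the pattern starts with a dot."""
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern


def check_login_page(url: str, claimed_brand: str) -> Verdict:
    """Mimic the check a password manager does before autofilling.

    The page's exact host must be one the brand really uses for sign-in;
    a lookalike such as accounts.google.com.foo.wixsite.com does not count,
    because the comparison is on the whole host, not on a substring.
    Separately, flag any page served from a user-publishable platform, since
    a legitimate sign-in page is never hosted there.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("not served over HTTPS")

    expected = LOGIN_HOSTS.get(claimed_brand)
    if expected is None:
        reasons.append(f"unknown brand {claimed_brand!r}; cannot verify host")
    elif host not in expected:
        reasons.append(f"host {host!r} is not a {claimed_brand} sign-in host")

    for pattern in USER_CONTENT_HOSTS:
        if _host_matches(host, pattern):
            reasons.append(
                f"page is hosted on user-publishable service {pattern.lstrip('.')}"
            )
            break

    return Verdict(suspicious=bool(reasons), reasons=reasons)


if __name__ == "__main__":
    # Constructed sample URLs: one real sign-in page and two phishing-style hosts.
    for url in (
        "https://accounts.google.com/signin/v2/identifier",
        "https://accounts-google.wixsite.com/password-reset",
        "https://docs.google.com/forms/d/e/example/viewform",
    ):
        v = check_login_page(url, "Gmail")
        print(url, "->", "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

The Google Forms case is the one worth noting: a registrable-domain comparison would accept docs.google.com as "Google" and autofill a Gmail password into an attacker's form, which is exactly why the check above compares the exact sign-in host and keeps a separate list of user-publishable hosts.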
