phishing

  • Sorry to burst your bubble but Air Canada isn't giving away free tickets; neither is JetBlue, EasyJet, Lufthansa or quite possibly any other airline. If you've received a WhatsApp message that looks something like this:

    Then chances are someone who has your phone number stored in their contacts fell for this scam and was instructed to share this message with 20 friends to qualify to get the free tickets. 

     

    At a quick glance, this message might seem to be legit, but an immediate giveaway is the spelling of the website address.

    As highlighted in the image above, there is no dot in the 'i' in the spelling of aircanada.

    This is a classic example of Unicode spoofing or visual spoofing, although the correct name for this is an internationalized domain name (IDN) homograph attack. Yes, quite a mouthful, but as the name says, it exploits the fact that characters across different languages look alike.

    In this particular example, the i without a dot is commonly used in the Turkish language.

    The second part of this exploit uses website masking, where you see one website address in your address bar (in this case http://www.aırcanada.com/tickets) but you're actually visiting another website.

    I've noticed that desktop browsers are quicker to pick this up than mobile phone browsers and actually display the masked address. 

     

    So a good test to see if a website could be a scam or not is to check it on your desktop and mobile browser and see if the address changes!

     

    The questions asked on the page are not actually saved anywhere nor is the countdown timer real or the number of tickets remaining. A look at the source code of the page shows that these are all generated and not linked to anything. 

     

    Lastly, what looks like a Facebook feed with user comments is actually just code on the page to make it look like a Facebook feed. None of the images or comments are real or come from Facebook.

    UPDATE: I tried visiting the fake website address a second time and was immediately prompted with this message using Safari Browser on iPhone: 

     

    Upon further investigation, I noticed that the website address was changed as well and now there is another trick in the characters being used.

    See if you can figure out the IDN trick this time:

     

     

    So what happens if you clicked the link? 

    If you were prompted to enter any personal information to 'access your free ticket', then this information could be stored and used in a subsequent attack directed towards you, your email, etc.

    There is also the possibility that, by clicking on the link and visiting the site, malware or a virus could have been downloaded to your phone or computer.

    The best course of action would be to run an anti-virus check on your device and also to run an anti-malware check on your device. 

    If you did enter any personal information, it is advised that you change your password(s) BUT only do so after running the anti-virus and anti-malware checkers on your device. 

    #BeCyberSafeTT
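The dotless-i trick described in this post can be checked mechanically before a link is trusted. The Python sketch below is an added example, not code from the original post: the look-alike map and the watchlist are small constructed assumptions, and it also folds a few Cyrillic look-alikes beyond the single Turkish character discussed above.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately small look-alike map (assumption for this example);
# production tooling would use the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I (the character in the scam URL)
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}

WATCHLIST = {"aircanada.com"}  # hypothetical list of genuine domains to protect


def skeleton(host):
    """Fold known look-alikes to ASCII so spoofed and real names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def inspect_url(url):
    """Report non-ASCII hostname characters and any watchlist name they imitate."""
    host = urlsplit(url).hostname or ""
    odd = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
           for ch in host if ord(ch) > 127]
    try:
        # The ASCII ("xn--") form is what is actually looked up in DNS.
        wire = host.encode("idna").decode("ascii")
    except UnicodeError:
        wire = None
    # Naive registrable-domain guess: the last two labels of the folded name.
    registrable = ".".join(skeleton(host).split(".")[-2:])
    imitates = registrable if odd and registrable in WATCHLIST else None
    return {"host": host, "non_ascii": odd, "punycode": wire, "imitates": imitates}


if __name__ == "__main__":
    # The address quoted in the post, followed by the genuine spelling.
    for link in ("http://www.a\u0131rcanada.com/tickets", "https://www.aircanada.com/"):
        print(inspect_url(link))
```

A hostname that contains non-ASCII characters yet folds to a watchlisted name is the signal to act on; the `xn--` form is also what a browser shows when it declines to render the Unicode spelling.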

  • Customers of ScotiaBank Trinidad and Tobago (and Worldwide) have been receiving text messages instructing them to take action by logging on to a website to prevent them from having their ScotiaCard blocked, Fees Withdrawn, Account Closed and the list goes on. This smishing activity has been dismissed by ScotiaBank and they have warned users to ignore and delete such messages. 

    Smishing / text messages may look like this:

    Clicking on the link in the text message (www.scotiabanktrinidad.com) leads you to a somewhat legitimate-looking website.

    Some of the links on this site lead to an official ScotiaBank website; however, the action to submit your credentials and sign in is where the phishing activity takes place.

    A closer look at the whois.com record for www.scotiabanktrinidad.com shows that it's not owned by ScotiaBank but by what seems to be a Russian individual. 

     

     

    Needless to say, most banks, if not all, won't send you these types of messages. While this article speaks about ScotiaBank, the smishing and phishing activity can be made to look like it's happening from any bank.

    Be very cautious of opening any emails or clicking on any links that impose a sense of urgency to have you change your password or log in to prevent something 'bad' from happening.

    Even if you believe the message to be true, check with your bank first by giving them a call or a walk-in visit.

    You can never be too safe in this regard.