How to avoid going to fake web sites.
Welcome to Cyber Security Today. It’s Friday August 7th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
One of the key reasons cybercriminals have success is their ability to create fake web sites. It’s not hard to copy a company logo from a genuine site. In fact some crooks make a living selling high-quality copies of company or government logos to those who want to build a convincing-looking copycat site. So with the help of Ryan Olson, vice president of threat intelligence at cybersecurity company Palo Alto Networks, I want to talk about ways to recognize a fake web site you may be sent to by clicking on a link in an email or text message sent by an attacker.
First, know the address of the web site you expect and want to go to. Always look at the website’s address, called the URL. That’s the line in the browser that starts with something like “https://www.company.com”. Is there something odd about the address? Is there an “i” in the place of an “l”, or a zero instead of an “O”? Are you being sent to “company.org” and not “company.com”?
UPDATE: A just-released report has found a new attack method that swaps letters in URLs to spread malware.
Is the URL confusingly long? That’s not uncommon. But criminals can use a real organization’s name inside a fake URL to fool you. Is the address the one you’re expecting? And where is it really going? For example, you think you’re going to MyRealBank.com. The URL says “www.myrealbank.com.support.today.org/country.” The real place it’s going to is “today.org”. Remember: the host is everything before the first slash, and the part at its right-hand end (here today.org) is the domain that actually controls where you go, no matter what familiar names appear to the left of it.
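The host check described above, turned into a small script. This is an added example, not code from the podcast or from Palo Alto Networks; it assumes the owning domain is the last two labels of the host (no public-suffix list), so a name like bank.co.uk would need a smarter rule.

```python
from urllib.parse import urlsplit

# Characters commonly swapped for one another in look-alike domain names
# (the "i for l" and "zero for O" swaps mentioned above, plus two more).
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "rn": "m", "vv": "w"}


def host_of(url: str) -> str:
    """Everything after the scheme and before the first slash (the host).
    Note: anything before an '@' is user info, not the host, so
    'https://www.myrealbank.com@today.org/' really goes to today.org."""
    if "://" not in url:
        url = "https://" + url  # links in messages are often shown without a scheme
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Assumption: the owning domain is the last two labels, e.g. 'today.org'."""
    return ".".join(host.split(".")[-2:])


def normalise(label: str) -> str:
    """Fold confusable characters so 'myrea1bank' compares equal to 'myrealbank'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def check_url(url: str, expected_domain: str) -> str:
    """Classify a link against the site the user expects to reach."""
    expected_domain = expected_domain.lower()
    host = host_of(url)
    owner = registrable_domain(host)
    if owner == expected_domain:
        return "ok"
    if expected_domain in host:
        return "lookalike: expected name used as a subdomain of " + owner
    exp_name, exp_tld = expected_domain.rsplit(".", 1)
    own_name, own_tld = owner.rsplit(".", 1)
    if own_name == exp_name and own_tld != exp_tld:
        return "lookalike: wrong top-level domain " + owner
    if normalise(own_name) == normalise(exp_name):
        return "lookalike: swapped characters in " + owner
    return "different site: " + owner


if __name__ == "__main__":
    # Constructed sample links, including the one from the episode.
    for link in ["https://www.myrealbank.com/login",
                 "www.myrealbank.com.support.today.org/country",
                 "https://myrealbank.org", "https://myrea1bank.com"]:
        print(link, "->", check_url(link, "myrealbank.com"))
```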
If the site lets you log in and handles financial transactions or sensitive information, it should say HTTPS. The “S” means communications are encrypted. There should be a padlock at the far left of the URL. That also indicates the site uses encryption. To get the padlock a site has to obtain a certificate from an approved certificate authority, which verifies the owner of the site. A certificate is a small digital document your browser can check. If you click on the padlock you can see who issued the certificate, and the organization it was issued to. So, if you want to go to myrealbank.com and the certificate was issued to www.myrealbank.com, that should give you confidence you’re on the right web site. And your confidence should increase if the certificate comes from a company you recognize.
However, Ryan Olson notes a legitimate certificate doesn’t always mean a website is legitimate. Certificates can be stolen or faked. If you expect to go to myrealbank.com and the crook has set up myrealbank.org, they can get a real certificate for myrealbank.org. It’s up to you to validate that the information you see is what you expect. Don’t just trust that everything with a padlock is a safe web site.
Finally, looking for padlocks and certificates isn’t easy on smartphones with their small screens. So be extra careful before logging into a web site that you get sent to by clicking on a link in an email or text. This is especially true for doing banking transactions. Only go to a bank through an app you have downloaded from a trusted app store.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.