PCWorld (USA)

Beware this new phishing attack that’s after your passwords!

That email link might not send you where you expect.

- BY ALAINA YEE

A classic bit of internet security advice just bit the dust. For ages, email users were told to hover their mouse over a link to see where it led—if you saw the URL of a legitimate website, you were in the clear.

But on Tuesday, Microsoft shared details on a kind of phishing attack it’s seeing more frequently: Email with links that contain a known website at the start, but actually redirect to a malicious page.

This ploy relies on a type of link often used by sales and marketing teams to track information about who clicks on a URL in a newsletter or on social media. Known as open redirect links, the structure of the link begins with a primary domain, then includes a string of analytics data and a final destination site.

But as Microsoft describes in a post on its security blog (go.pcworld.com/phcm), this phishing strategy uses open redirect links to exploit an average end user’s security training.

Because open redirects can start with any primary domain and end with any destination, these phishing links can start with a legitimate site, and then go to a malicious page.

Adding further complexity to this scheme is the use of captchas to lend an air of authenticity. Users who believe they’re on a genuine site will then enter login credentials in the belief they’re accessing a notification, report, or even Zoom meeting, only to encounter a fake error page claiming a session time-out or incorrect password—prompting a second entry of login credentials. After the phishing attempt has successfully captured the user ID and password twice, users get redirected to another genuine website.

You can see specific examples of this attack and a sample list of malicious destination URLs in Microsoft’s blog post, but you don’t need to dig that deep in order to protect yourself. Instead, start using a password manager (go.pcworld.com/pmng). It won’t automatically supply your login credentials on a spoofed site. You can also look over the whole URL when you land on a website, but it’s not nearly as foolproof a method as a password manager.
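To make the link structure described above concrete, here is a Python example (added here, not taken from Microsoft's post or from PCWorld) that looks past the domain at the start of a link and reports any query parameter carrying a full URL to a different site. The sample links, parameter names and example.com/example.net hosts are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

def _decode_fully(value, rounds=3):
    # Redirect targets are often percent-encoded more than once.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.strip()

def _same_site(host_a, host_b):
    # Naive check: identical hosts, or one is a subdomain of the other.
    # A Public Suffix List lookup would be more precise.
    return (host_a == host_b
            or host_a.endswith("." + host_b)
            or host_b.endswith("." + host_a))

def redirect_targets(link):
    """Return [(param, target_host)] for query parameters that carry an
    absolute URL pointing away from the host shown at the start of the link."""
    parts = urlsplit(link)
    visible = (parts.hostname or "").lower()
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = _decode_fully(raw)
        if value.startswith("//"):          # scheme-relative destination
            value = "https:" + value
        if not value.lower().startswith(("http://", "https://")):
            continue                        # analytics data, not a destination
        target = (urlsplit(value).hostname or "").lower()
        if target and not _same_site(visible, target):
            findings.append((name, target))
    return findings

# Constructed sample links (not real indicators).
SAMPLES = [
    "https://news.example.com/track?uid=1234&campaign=aug&url=https%3A%2F%2Flogin.example.net%2Fsignin",
    "https://news.example.com/track?uid=1234&url=https%253A%252F%252Flogin.example.net%252F",
    "https://news.example.com/article?id=42&ref=https%3A%2F%2Fwww.news.example.com%2Fhome",
]

if __name__ == "__main__":
    for link in SAMPLES:
        hits = redirect_targets(link)
        print("SUSPICIOUS" if hits else "ok        ", urlsplit(link).hostname, hits)
```

A flagged link is not necessarily malicious, since marketing trackers use the same structure; the check only shows that the site named at the start of the link is not where the click ends up.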

Microsoft has some examples of phishing attacks on its website.

LastPass is our favorite password manager.
