Microsoft is spreading the word about a phishing campaign that's been going on for months. It utilizes open redirector links which in the main, helps for URL shortening.
How does it work?A redirect service is an information management system, which provides an internet link that redirects users to the desired content. The typical benefit to the user is the use of a memorable domain name and a reduction in the length of the URL or web address. A redirecting link can also be used as a permanent address for content that frequently changes hosts
Summary Of Redirector
- for URL shortening;
- to prevent broken links when web pages are moved
- to allow multiple domain names belonging to the same owner to refer to a single web site
- to guide navigation into and out of a website
- for privacy protection
- for hostile purposes such as phishing attacks or malware distribution.
As with most internet application technologies, there are cowboys and Indians in the wild(west) looking for means and ways to transgress by subterfuge and make a financial gain at someone else's expense. Most of the time, their victims are the internet's newbies and since these numbers are dwindling, they are looking at new ways to formulate a far more advanced attack that seasoned internet users can be caught in the net as well.
This scam is the next evolution of phishing scams, as many users are trained or compelled to hover over links and assess the URL before clicking on it. However, by using sneaky redirects, these scammers are able to disguise the links themselves as seemingly valid links.
Microsoft hasn't made public the number of victims who have fallen for this scam. But if they're issuing a statement about it, it's likely that a sizeable number have fallen to these nefarious scammers.
How Does This Scam Work?Like most phishing scams, this one starts with an email. According to advice from Microsoft, this email will look fairly professional and will ask the user to click a link. At this point, more experienced users might be apprehensive and check the link for any signs of phishing. However, these links are well-crafted and may fool even the most diligent eye.
Upon clicking this link, the user will be lead to a page that, again, will look very professional, even asking for a reCAPTCHA verification. This page will then ask for the user's password.
“If the user enters their password, the page refreshes and displays an error message stating that the page timed out or the password was incorrect and that they must enter their password again.”
“Once the user enters their password a second time, the page directs to a legitimate Sophos website that claims the email message has been released. This adds another layer of false legitimacy to the phishing campaign.” – Microsoft Blog
While it's a quick process, it's all the scammers need in order to fool some people into giving away their login credentials. And with the believability of these emails, it's likely that a lot of people are falling victim to it.
How Dangerous Is This Scam ?Like most scams, they can only spell bad things for the victims. The specifics of this scam aren't actually widely known yet, but the fact that it's harvesting users' usernames and passwords is a bad omen.
By using this information, scammers can access the victim's accounts and view/send emails. The emails they're viewing might hold even more sensitive data, like banking information or addresses.
If you think you've fallen victim to this scam or something similar, the best thing you can do to protect yourself is immediately changing your password, which will hopefully make the old password invalid. It would also pay to keep an eye on your accounts over the coming weeks to make sure no unusual activity is going on.
How to Protect Yourself OnlineThis scam is one of many, as phishing scams have seen a massive increase over the past couple of years. Outside of general caution and attention to detail, what can the everyday person do to avoid falling victim to such a scam?
One of the best ways to avoid such a trap is to install anti-virus software. When given access to your email account, anti-virus software can give every incoming email a quick scan and warn you of any suspicious links. In a more general online security sense, it's always a good idea to install a VPN. Using a VPN while browsing online is like wearing a mask in a public area. It will help you avoid detection, as well as any harmful third parties, like phishing scams or hackers.
Another thing you can do is use a password manager. Password managers allow you to stay on top of your various accounts and login information, meaning you won't have to rely on your memory or storing them somewhere where they might be compromised.