Although Phishing Attacks are Evolving Every Day, the Old-school Tricks Still Work.
We are easily tempted to click on the “Lucky Winner” pop-up because we are hoping we might hit that big lottery someday, and that’s exactly why hackers still use this trick. The funny thing is that if you haven’t entered a lottery or competition, you can’t actually win. Still, people are motivated by money because, let’s face it, money makes life easier. You shouldn’t feel ashamed because we’ve all been there, but we must be more vigilant while browsing the internet. Thankfully, we know more now than we did in the past, which makes these scams easier to avoid. However, it’s still important to be cautious and aware of these targeted phishing attacks.
The Lucky Winner scam lures its victims into answering a few questions in order to win a special prize, typically the latest model of an iPhone or Samsung phone. For many years this scam has been impersonating big-name companies like Google, Facebook, Microsoft and Apple in an effort to infect your computer with malware and steal your personal information. Below we will talk about how this scam works and give you some tips on how to avoid it.
What Does it Look Like?
This scam uses domains that impersonate well-known companies and relies on mobile browser address bars being so small. Users may not be able to see the full URL, only the first part, which is designed to look like a legitimate site. Basically, it relies on users seeing only what they expect to see.
Once the user accesses the URL, a notification of winning a prize will pop up offering the user to participate in a small quiz for a chance to win. The questions are very easy, and the answers are mostly obvious. The questions will change depending on the company they are trying to impersonate, for example “Who founded Facebook” (Mark Zuckerberg, Warren Buffet or Bill Gates), or “Who founded Apple” (Mark Zuckerberg, Bill Gates or Steve Jobs).
After the user answers these questions, three chests appear containing “The Hidden Prize,” from which the user can choose. Once the user picks their favorite chest, a dialog window pops up asking the user to claim the prize and to read the terms and conditions. Sound familiar?
When the user clicks on the button to “Claim” the prize, they will be redirected to different web pages depending on the location or the type of user. The final destination may be a website full of advertisements, online gaming sites or lead to different phishing scams such as “Spin Wheel.”
The Spinning Wheel campaign offers users a free spin to potentially win a cool, electronic prize. Needless to say, there are no prizes but a lot of popup windows, false promises, redirections to websites with questionable content, and even fake flash player update offers. Once you access these malicious websites, your information is collected.
Words You Should Avoid Clicking to Stay Safe
Some of the most frequent words you should be wary of in these URLs are combinations of “com”, “gadget”, “reward”, “lucky”, “winner”, “promo” and “gift”, or variations of them. Any combination of these words may lead users to high-risk websites and end in further infection or loss of information.
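As an added example that is not part of the original post, here is a small Python check that applies the two observations above to a URL: a brand name shown in the leading part of the hostname while the real registered domain is something else, a fake “com” embedded in a hostname label, and the lure words just listed. The brand list and the sample URLs are constructed for this demonstration, and the two-label rule for the registered domain is an assumption used in place of a public-suffix list.

```python
from urllib.parse import urlsplit

# Brands the post says the scam impersonates, and the lure words it lists
# (constructed lists for this example; "com" is checked separately below).
BRANDS = ("google", "facebook", "microsoft", "apple", "samsung")
LURE_WORDS = ("gadget", "reward", "lucky", "winner", "promo", "gift")


def registered_domain(host: str) -> str:
    """Last two labels of the hostname. Assumption: a plain two-label rule
    rather than a public-suffix list, so 'co.uk'-style suffixes are wrong."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Flag the three patterns described above and return a verdict."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower().strip(".")
    owner = registered_domain(host)
    # Everything a small mobile address bar shows first, before the real domain.
    leading = host[: len(host) - len(owner)].rstrip(".")
    reasons = []
    # 1. A brand name in the leading labels while the owner is someone else.
    for brand in BRANDS:
        if brand in leading and brand not in owner:
            reasons.append(f"'{brand}' shown before the real domain '{owner}'")
    # 2. A fake 'com' inside a label that is not the real TLD,
    #    e.g. google.com-reward.xyz or apple.com.gift-winner.top
    for label in host.split(".")[:-1]:
        if "com" in label.split("-"):
            reasons.append(f"fake 'com' inside label '{label}'")
            break
    # 3. Lure words from the post anywhere in the hostname.
    hits = [w for w in LURE_WORDS if w in host]
    if hits:
        reasons.append("lure words: " + ", ".join(hits))
    verdict = "high" if len(reasons) >= 2 else "suspicious" if reasons else "low"
    return {"host": host, "owner": owner, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample URLs for the demo, not indicators from the post.
    for u in ("https://google.com-lucky-winner.xyz/quiz",
              "http://apple.com.gift-promo.top/claim",
              "https://www.apple.com/iphone"):
        r = assess_url(u)
        print(r["verdict"], r["host"], r["reasons"])
```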
Unfortunately, there are individuals out there who try to trick and manipulate us. Understanding this is very important. After receiving a link or an attachment, we need to think before we click. Always ask yourself, “Why?” Well-known companies rarely send their customers offers to win a prize; they usually announce giveaways or other contests in advance through official communication channels.
Today, your employees are frequently exposed to phishing and ransomware attacks like these, and they not only put your company’s data at risk, they put your reputation at risk too. It’s important to understand that your employees are the first line of defense against these malicious attacks and need to be trained. All the high-tech security in the world can’t protect your company if employees are unable to recognize an attack whose sole purpose is to embed itself in your network to steal or ransom corporate, customer and employee data.
Kobargo offers Security Awareness Training in short, easy to understand online modules that don’t impact user productivity. Contact us today to learn more!