Beware of Flash Phishing Attacks
In the first quarter of this year, HKCERT has processed over 300 phishing attack incidents per month on average, up about 30% from the same period last year. Apart from the increase in cases, HKCERT has also noticed that hackers are using new techniques, with some using fake domain names to steal victims' personal information and use it in financial fraud. This blog aims to raise public awareness by analysing the recent phishing attack techniques and channels observed by HKCERT.
Flash phishing attacks
Flash phishing attacks make use of fake domain names to launch attacks. Hackers continuously register different domain names targeting a specific organisation. They then launch a fake website on the registered domain and send a phishing message containing a link to the victims through different channels (e.g. email, SMS, instant messaging). The attack lasts for a few days. Afterwards, the hackers deregister those fake domain names and launch a new round of attacks with another set of domain names. The characteristic of this technique is that the fake websites have a very short lifespan, so by the time a website is reported it is already offline. We believe the attackers' tactic is to evade investigation and blacklisting.
There are three common types of fake domain names. Let’s use “www.hkcert.org” as an example to illustrate them:
- Appending random characters to the legitimate domain name
  - Examples: www.hkcertaa.org, www.hkcertab.org or www.hkcert00.org, www.hkcert01.org
- Substituting a similar character or repeating an original character of the legitimate domain name
  - Examples: www.hkcevt.org or www.hkcertt.org
- Using another top-level domain
  - Examples: www.hkcert.cc, www.hkcert.site, www.hkcert.info
These fake domain names look very similar to legitimate domain names. Users should be cautious not to be trapped by these fake domain names when browsing the Internet.
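As an added illustration (not code from the HKCERT post), the helper below sorts a list of observed host names into the three fake-domain patterns above, given the legitimate domain. The sample host list is constructed, and splitting on the last dot is a simplifying assumption that ignores multi-part suffixes such as .com.hk.

```python
from __future__ import annotations
import re

def split_domain(host: str) -> tuple[str, str]:
    """Return (second-level label, top-level domain) for a host name.
    Strips a leading 'www.' and lowercases. Assumption: a naive split on the
    last dot, so multi-part public suffixes such as .com.hk are not handled."""
    host = re.sub(r"^www\.", "", host.lower().strip().rstrip("."))
    label, _, tld = host.rpartition(".")
    return label, tld

def classify_lookalike(candidate: str, legitimate: str) -> str | None:
    """Map a candidate host to one of the fake-domain patterns, or None."""
    c_label, c_tld = split_domain(candidate)
    l_label, l_tld = split_domain(legitimate)
    if (c_label, c_tld) == (l_label, l_tld):
        return "legitimate"
    if c_label == l_label:
        return "different_tld"            # www.hkcert.cc, www.hkcert.site
    if c_tld != l_tld:
        return None                       # label and TLD both differ: unrelated
    if len(c_label) == len(l_label):      # one character swapped: www.hkcevt.org
        diffs = sum(a != b for a, b in zip(c_label, l_label))
        return "substituted_character" if diffs == 1 else None
    if len(c_label) == len(l_label) + 1:  # one character doubled: www.hkcertt.org
        for i in range(1, len(c_label)):
            if c_label[i] == c_label[i - 1] and c_label[:i] + c_label[i + 1:] == l_label:
                return "repeated_character"
    if c_label.startswith(l_label):       # trailing junk: www.hkcertaa.org, www.hkcert01.org
        return "appended_characters"
    return None

def triage(observed: list[str], legitimate: str) -> dict[str, str]:
    """Keep only hosts that match a lookalike pattern (drops exact and unrelated)."""
    hits = {}
    for host in observed:
        kind = classify_lookalike(host, legitimate)
        if kind not in (None, "legitimate"):
            hits[host] = kind
    return hits

# Constructed sample of newly registered host names (not real data).
OBSERVED = ["www.hkcertaa.org", "www.hkcevt.org", "www.hkcertt.org",
            "www.hkcert.cc", "www.hkcert.org", "www.example.org"]

if __name__ == "__main__":
    for host, kind in triage(OBSERVED, "www.hkcert.org").items():
        print(f"{host:20} {kind}")
```

Feeding a daily list of newly registered domains through `triage` gives a defender a short watchlist to submit for takedown or blocking before the fake site goes offline on its own.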
Phishing sites use HTTPS
A website using HTTPS only means that the network traffic is encrypted. It does not necessarily mean the website is genuine and credible. Attackers can abuse free certificate issuers such as Let's Encrypt to obtain a digital certificate for a fraudulent domain. Indeed, the share of HTTPS-enabled phishing sites has continued to climb. According to the Hong Kong Security Watch Report for Q1 2021, over 80% of phishing sites were using HTTPS. This rising trend is also in line with the latest report of the Anti-Phishing Working Group.
Hackers may use different channels to launch phishing attacks, such as email, SMS and instant messaging software. Phishing attacks via SMS and instant messaging will become more frequent with the wider use of mobile devices. The public should therefore verify any message received, especially when browsing these sites on a mobile device. To avoid becoming a victim, think carefully before clicking any link or opening any attachment, and verify the legitimacy of a website before providing any information.
As phishing attacks become more sophisticated, to avoid becoming a victim of personal data leakage or even financial loss, you are advised to adopt the security advice below:
- Pay attention to the spelling of website domain names and check their authenticity;
- Do not assume a website that uses HTTPS is a legitimate site. A phishing site may also use HTTPS;
- Verify any message received, especially on mobile devices;
- Do not click any link or open any attachment casually, and verify the legitimacy of a website before providing any personal information.