To be clear, this is not to be confused with blackmail or phishing-based blackmail methods, which we cover in a different article, “How Would I Blackmail using the Internet”; there, none of the conventional phishing rules apply bar 1.

This article looks at phishing from a marketing-scam perspective, i.e. pretending to be a legitimate business or pretending to offer a legitimate service.

The old favourite, phishing.

What is Phishing?

The simplest way to look at it is as an automated marketing scam. This has always existed: something is put through your door, it looks legitimate, you dial the number, and that gives the fraudster an in.

Digital version

Step 1 – Click on a link

Step 2 – From there it could be automated, it could be a site that prompts for information, or it could be a site that ‘sells a service’ and asks you to call up for a quote.

It could even include a nice little catch to justify asking you to call for a quote: “The reason we conduct all business over the phone is to ensure we conduct business in a secure way; we will never transact over the internet.”

So when people describe phishing, usually in terms of technology, they miss the simple definition.

Phishing = Misdirection

So it is not just links in emails: I can phish without a link, using a phone number and some blurb about how that is a more secure way of communicating.

So what we have to consider is that there are a whole heap of ways phishing can occur.

Now, the advice actually hasn’t changed since before the internet, so we need to look at 3 distinct points.

  1. How the Crime is Committed
  2. What a Consumer can do to prevent it
  3. What the industry has to do to prevent it

How the Crime is Committed

Phishing Emails

Well, this is an interesting one: most consumer advice is tailored around “you have a dead relative in a country you have not heard of, he has left you £10 million pounds, get in touch to access the funds”.

Well, first off, if I were to commit phishing, how would I start my process?

Step 1 – Google “How to spot a phishing email”; this is what I follow when creating a phishing email.

What is interesting is that there is only ever one decent piece of advice, so let’s list some common ones:

  1. The message contains a mismatched URL (where you hover over the URL to check the destination)
  2. URLs contain a misleading domain (this could be an intentional typo in a domain, like “arnazon.com” or could be the position of something in the domain, so info.amazon.shop is real, amazon.info.shop is fake, guru.apple.com is real apple.guru.com is fake)
  3. You didn’t initiate the action
  4. It is not addressed to you personally
  5. Sender address does not match domain, or using a common hosting service (like @gmail or @yahoo)
  6. You are asked for money
  7. Asking for personal information
  8. Offer seems too good to be true
  9. Pressures you to act quickly or makes threats
  10. Poor spelling/Grammer (intentional typo before you go off on one)
  11. Comes from an official bank/government authority

Can you spot the only piece of advice that is true and can be followed by everyone in a generic sense of the term?

Number 3. Everything other than your own actions can be easily faked or worked around, and depends on your email set-up.
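As an added illustration (not code from the original article), here is a Python check that applies rules 1 and 2 from the list above to a single link, using the article's own examples: it flags the hover mismatch and the wrong domain position, but returns "unknown" for a domain the sender has simply registered, which is the author's point that only rule 3 holds in general. The brand list and the public-suffix table are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed for this example: brands to protect and the registrable domains
# they really use. A real filter would load these from policy, not hard-code them.
TRUSTED = {
    "amazon": {"amazon.com", "amazon.co.uk", "amazon.shop"},
    "apple": {"apple.com"},
    "tinyurl": {"tinyurl.com"},
}
# Two-label public suffixes; a real deployment would use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """The part of a hostname its owner had to register, e.g. 'info.shop'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(text: str) -> str:
    """Hostname from a full URL or from a bare domain shown as link text."""
    if "://" not in text:
        text = "https://" + text
    return (urlparse(text).hostname or "").lower()


def classify_link(href: str, shown_text: str = "") -> str:
    """Apply rules 1 and 2 from the list above to one link.

    Returns 'mismatched-url', 'misleading-domain', 'trusted' or 'unknown'.
    'unknown' is the article's point: a domain the sender simply bought
    passes both checks, so only rule 3 (did you initiate it?) is left.
    """
    target = registrable_domain(host_of(href))
    # Rule 1: the text the reader sees names a different site than the real target.
    if "." in shown_text and registrable_domain(host_of(shown_text)) != target:
        return "mismatched-url"
    # Rule 2: only the registrable domain counts; a brand name anywhere else in
    # the hostname (amazon.info.shop, apple.guru.com) is someone else's domain.
    if target in set().union(*TRUSTED.values()):
        return "trusted"
    if any(brand in host_of(href).split(".") for brand in TRUSTED):
        return "misleading-domain"
    return "unknown"
```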

This is obviously a catch-22 for businesses:

  1. Phishing advice should be: delete all emails unless you initiated them; things you initiate follow an action, like an order confirmation from Amazon or an account reset.
    • This includes deleting things like notifications from banks or “your bill is ready to view”.
    • This excludes emails you receive from someone you know personally, like a friend or business contact.
  2. The catch for the business is: if, as a business, I give this advice, how do I send marketing emails or emails to my customers?

Now, the rest of my approach is predominantly about structure, so let us answer each piece of phishing advice with how it adapts my process if I were to start phishing people:

  1. The message contains a mismatched URL
    • Buy a domain instead of pretending to be someone else or use Short URLs
  2. URLs contain a misleading domain
    • Buy a domain instead of pretending to be someone else or use Short URLs
  3. You didn’t initiate the action
    • Generate contacts off the back of a data breach (like the TSB and Experian debacles), but there is no way to guarantee this, so I may need to create different ins using something like social media
  4. It is not addressed to you personally
    • Per above, but also consider using Companies House and things like that, or scraping companies’ “About Us” pages
  5. Sender address does not match domain, or using a common hosting service (like @gmail or @yahoo)
    • Set up a domain
  6. You are asked for money
    • Don’t ask for money off the bat, work the scenario like any sales process.
  7. Asking for personal information
    • Don’t ask for personal information in the initial attempt, build up confidence first
  8. Offer seems too good to be true
    • Find offers online for things, base my offers on those prices or use ‘Free Trials’ type marketing
  9. Pressures you to act quickly or makes threats
    • Don’t pressure consumers, I only need a few, at most use terms like “Limited Time Only” or put an expiry date on the offer several weeks ahead
  10. Poor spelling/Grammer (intentional typo before you go off on one)
    • Install Grammarly
  11. Comes from an official bank/government authority or pretending to be someone else
    • Don’t pretend to be something you are not, unless you can pull it off

The short and sweet of it: re-introduce methods that were refined over goodness knows how long for traditional mail fraud.

Now, let’s make it a little bit more challenging: I’m going to pretend to be someone else. That is the hardest part of this, pretending to be someone you are not. There are significantly easier ways to achieve phishing, so I’m going to up the game a bit (but not really).

As of December 2018 this URL is available: ‘tinyrebrand’.

I’m not going to purchase it; I already have to buy enough URLs to prevent people from doing this to me, and I don’t have the funds to help others. But let’s pretend I did purchase this domain.

So who am I going to pretend to be?

https://tinyurl.com/

Now, this is a short URL service. You, as a consumer, are conditioned into clicking these links; they appear like this:

https://tinyurl.com/y8px6kfn

Hover over the link and check the URL in the bottom left; if you click the link it redirects to another part of my website.

You find short and dynamic URLs everywhere nowadays, from social media to legitimate emails and websites. They are used for purposes ranging from choosing the landing page based on the device type you click the link from, to saving characters in social media posts.

How do I get your name and email address?

I can get that from job boards, from LinkedIn, or from any number of data breaches, from Experian and social media to your bank.

I can even use a combination of Companies House and Google, i.e. google a company’s name and get names and email addresses. I will also be able to find the director’s name, or, as they are otherwise known, the biggest security risk to a business. I know it is not nice to lump all people into the same basket, and I’m sure not all directors are a security risk, but in my experience they are the worst for following the processes that everyone else has to.

So, off the bat, points 1, 2, 4, 5 and 11 of your phishing advice are out the window.

So what is next in my campaign?

Social Media posting and following

As the age-old proverb goes, “If you connect with people, they will accept”.

So pretty much every social media platform uses short URLs for me; they also condition users to click the links.

This also helps a bit with point 3, “You didn’t initiate the action”: if you accept a connection with someone on social media, it is not unheard of that they contact you, and you initiated that by accepting the connection.

250 is the limit of requests at any one time. I tried it on my own account with 30 random connections, and 75% accepted within the first day. So building up a few thousand quickly, and within the spamming rules of, say, LinkedIn, is not impossible.

Anyway, for those links it really doesn’t matter what I enter or where they land; people click them.

Email Shots

Now, people have heard of TinyURL and people use it; it is not an uncommon service, and quite common for businesses.

I could, however, pretend to be any of them; this one just makes it easier, as the URL format looks more legitimate than the others.

As covered, your name and email address are available from a multitude of places, so where I go from here is something like this:

Start Email Example

Dear Mr X

We hope you don’t mind us contacting you, but we at TinyURl.com would like to tell you about our new service, tiny re-branding.

As you may know, Short URLs are used all over the internet, from websites to social media, or in a dynamic way to help guide your customers process through your services, you rely on short URLs to communicate with customers, but sometimes your URL is turned into a short one without choice.

While this is a good thing, it is not great for businesses as the Short URL in place can hide your brand.

We at Tiny URL are offering a new service, Tiny Re-branding, so that your URL will always keep the brand that your consumers know and trust.

This is an example of our Tiny Re-branded URL for Tiny URL.com, which will take you through to our pages for where you will be able to sign up for a 14 day no obligation free trial*

https://tinyurl.com/y8px6kfn

Alternatively, you can visit our pages here

https www tinyrebranding com

Thank you for your time

Bobby

Direct Line: [Skype/Voip Telephone Number]

You are receiving this email because you are either following us on Social Media, have registered with TinyUrl or TinyRebranding directly, or have used our services before. To unsubscribe click this link Unsubscribe

End Email Example

I would then take that text and run it through Grammarly or a service like that.

I have intentionally broken the “tinyrebranding” URL that I could have purchased; basically, I don’t want to pull a ‘Rudy Giuliani’ with links on websites…

I would own the domain “TinyRebranding”, so the email would come from “bobby” at this domain; no faking there.

The “TinyURL” link, which does look legitimate, navigates to a different part of this website here, but would go to the Tiny Rebranding website that I would build once I had purchased that domain.

Branded Tiny URLs are a legitimate service offered by companies out there.

Now, the real con here is that it looks like I have rebranded the URL using my “Tiny Rebranding” service, but I have just used the URL shortening service offered by TinyURL, on a domain I set up pretending to be a new section of their business.

It is a legitimate approach; TinyURL could offer re-branding for short URLs.

Anyway, that is the rest of the phishing advice you are given out the window.

A free trial is not too good to be true, as most web services have one; spelling and punctuation have been run through Grammarly; a lot of businesses use short URL services, and all social media does; I’m not asking for money; I’m not asking for personal details. All I really want to do at this stage is get you onto my website.

I also throw in unsubscribe functionality, and I would genuinely unsubscribe you, because if you go for that particular link you are potentially a bad mark.

Misdirection

That gets you onto my website; that is the bait and the hook, if you like.

What I need now is a bit of misdirection: I need you to do things you are conditioned to do and feel comfortable with, on the assumption that you get a service out of it.

It all depends on what I want from you, so I need to use existing methods that you are familiar with.

For example, “Log in with Google” or create an account. As part of the Log in with Google step, I prompt you for your Google password, making every effort to make it look like the real Google login. A lot of websites use this functionality, from social media to job boards; it is something we are familiar with seeing, and familiarity likely means we don’t pay close attention.

Obviously, this is not the real Log in with Google page, but it would look like it. If I guide the web design in the right way, I can get you to enter your email address before offering the “Sign in with Google” option; that way the next page will look legitimate if you choose it.

The other way I could go about this is to offer a desktop application; this would then be malicious software.

What I also need to consider is the time between someone trialling the service and when it is expected to work. It is commonly said that domains take 72 hours to work when you set one up or redirect one; I can piggyback off that notion, even though it isn’t true for a short or rebranded URL.

So I have 72 hours to effect whatever I have put in place, or longer if I just offer a bad service that never works, using clichés like “Teething issues” or “We have some bugs we are working through” if they contact me to complain or query.

Either way, I don’t need your payment details to get your money; there are more effective ways to get money, and in larger sums.

Is this what I would really do?

No: too much effort for too little pay-off, too much risk of being caught out by the actual company I am pretending to be, and too short a half-life.

I just wanted to show you how I can pretend to be a legitimate service that is doing the hard work for me.

At the very least, I would not operate this scam in isolation; this would be one of many. Everything is made so easy and quick that the actual effort required to go into this is minimal. So it could be one that I set up and have running for a while, all the time setting up the next set of scams.

The other argument here is that I’m better off just setting up a company, running it legitimately for a short period to build up a social media presence, getting people to follow me and keep updated via Twitter, and launching a service once I have generated some interest. As the volume of people who legitimately use that service increases, I then start on whatever illegal activity I intended from the beginning.

Colloquially known as Traditional Fraud.

Your phishing advice would not help you here; it would, for all intents and purposes, look like a legitimate business.

Interestingly, this is also traditional mail fraud, where the short and sweet of the old advice in the analogue world was “ignore stuff like this when it is put through your door”; but we don’t get that same advice for our emails: simply ignore it or delete it.

Essentially, the most effective types of fraud are those where the service offers a genuine benefit to someone, who then spreads it by word of mouth; everyone after the initial ‘customers’ is the mark.

There are many different ways I can do this now: I can utilise a VoIP service for listening in on calls, I can set up fake bitcoin or even legitimate bitcoin cloud wallets, I can operate Bitcoin as a pyramid scheme, which has been seen to be quite effective to date.

Anyway, all the hard work is automated in some way shape or form, including phishing.

I would therefore likely attempt multiple scams at the same time.

They don’t all have to be a direct pay-off. For example, some could just be going for information, which then leads into a refined brute-force attack: the more information I have about you, the more likely it is that I can guess your passwords for services. So getting you to set up an account with an email address and a password, without asking for anything other than your name, can tell me about how you structure passwords. Subsequently, an online attack is then more viable (which we cover in a different article).

Then you have to consider that it is not just you: from all the people that do fall for my phishing attempt, I may have 6 months’ worth of people to get through before I make my way to you, and by then it is unlikely you would relate the fraud back to whatever means I used to trick you in the first place.

Now, on the next page we look at what consumers can do about this; given I have highlighted that all the advice given for phishing is pretty poor, we need something that works.

Then on the page after we look at what businesses can do about this.
