Phishing techniques: Expired password/account
Nowadays, a fair number of phishing attacks have been linked to expired password scams. This is a tactic used to steal identifying information and account access by luring users into entering their credentials in a webmail or webpage able to collect them. Every computer or mobile user of the internet can be a potential victim.
Best Reviews, a site that guides consumers on best products (including best password management apps) and services, points out that fake password reset emails are actually one of the oldest internet scams.
Phishing simulations & training
The scheme is actually effective as it bets on the fact that users are very often asked to update their passwords periodically; therefore, these requests can seem legitimate. There are, however, ways for users to recognize the scam and defend their system.
What does an expired password phishing scam look like?
Phishers sometimes craft emails that seem to be from a genuine service or website, requesting that users change their password as soon as possible before it expires. This tactic can scam unwary users.
The scheme is familiar. Phishers distribute a malicious link or attachment to extract login credentials and account info directly from the user so as to gain privileged access to secured data. The message is often urgent and pushes the target to act quickly.
Let’s see a few examples. The following (shared by Imperva) illustrates a common phishing scam attempt:
- A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible
- The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours
Once the user clicks on the link, different actions can occur. For example:
- The user is redirected to a page that looks like part of the myuniversity.edurenewal.com site. This is actually a bogus page where both new and existing passwords are requested. The old, original password is hijacked and quickly used by the attacker to gain access to the account and network
- The link lands the user on the actual password renewal page. In the background, it loads a malicious script that hijacks the user’s session cookie, results in a reflected XSS attack and opens the account to the attacker
Here is a copy of what fake email text might look like in a phishing attack (as shared by the Police Federal Credit Union). Here, the user is lured by providing even a temporary password. Again, the tone is urgent.
Dear User,
This notification is mailed to you concerning your online banking user password has been expired.
Create a new user password by following these steps:
- Log into your online banking by our secure link for Expired Password (link removed) and entering the temporary password below. Your temporary password is: vn#E
- You will then be prompted to change your password.
This temporary password will expire in 24 hours.
While all of these tactics are annoying, phishing makes the practice worthwhile for scammers. In fact, a phisher’s main attack vector for such a scam consists of simply sending emails stating that “your password will expire and be changed unless you login and confirm that you want to keep it the same”; the subject is often a line like “Account Update” to attract attention immediately. The message may appear to originate from a reputable source (e.g., a major credit card company) and often from an account used daily by the user.
Other emails, instead, ask for users to enter the last password they remember. According to Slawomir Grzonkowski, Principal Research Engineer at Symantec Ltd., the password recovery scam that consists of typing your login or username and password is designed to trick users into handing over account access info. This can also be done simply through social engineering or by the attacker disguising himself as a trustworthy entity.
Phishers do, indeed, have many tricks up their sleeves to deceive you. This includes running scams and attacks through your mobile phone. And because cellphones are often registered as an additional form of verification, the user does not suspect foul play when receiving a warning via SMS.
The phisher often interacts with the targets and even makes further requests or sends the victim a message such as “Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD].”
How to avoid phishing
Phishing attempts are often clever, and it can be hard to spot the scam in between the so many legitimate emails or SMSs that we all receive every day. So how can users defend themselves? Though phishing attacks are becoming increasingly difficult for even trained and knowledgeable users to detect, it’s still possible to not fall victim to such scams.
In addition to making sure your browser is up to date and has pop-ups disabled, include anti-phishing security features. Learn to recognize the most common signs of a malicious email and refrain from responding to text messages or opening webmail attachments asking for account numbers and passwords.
Security awareness training is, however, the best defense for users. They can learn to take countermeasures to protect themselves against fraudulent attempts by phishers trying to obtain sensitive information. In a company setting, class training, simulation exercises, tip-of-the-day messages, posters and more can be effective education.
Users should learn the importance of creating complex passwords and to never follow links when asked to update information. The best course of action is to use a web browser to independently access the site that appears to have sent the email or verifying information from there. If the URL doesn't match the address of legit business it could be a phishing attempt. It is also possible to verify the legitimacy of the request by contacting the alleged sender by phone.
At the end of the day, it’s important to take all the necessary steps not to take the bait and report the incident. A suspected, fraudulent email should be hard-deleted after having reported it to the company anti-spam department. Complaints can be sent to FTC at ftc.gov/complaint and the webmail can be forwarded to the Anti-Phishing Working Group: reportphishing@apwg.org.
Developing employees: Phishing awareness
With many internet users being vulnerable to phishing account scam emails, it really comes down to awareness. A number of government websites and private organizations offer phishing recognition training.
The FTC, for example, has information on recognizing and avoiding scams with a number of tips and actions users can take to protect themselves. There are also programs that companies can use to help develop their staff such as the Infosec IQ phishing simulator. Basically, it’s important to test each person’s susceptibility to phishing and understand if they overlook deceptive cues.
Conclusion
Phishing attacks are successful because they target basic human natural responses. It’s important to strengthen the “human firewall” by implementing phishing countermeasures and introducing employees to the best practices for identifying and mitigating phishing.
Phishing schemes conducted through webmail or popups requesting password updates are especially effective. Stealing the credentials on one site can actually have even wider consequences, as users often reuse passwords or use a variant of them between different online accounts.
Taking everything into account, can you spot an email phishing scam and password fraud and avoid them? If the answer is no, then there’s no better time to learn to be very cautious about any requests that might ask to “verify your account” or “confirm your password.”
See Infosec IQ in action
Sources
- Phishing attacks, Imperva
- Top 5 Phishing Scams, MetaCompliance
- What is a Phishing Email? (With Examples), uSecure
- A quarter of users will fall for basic phishing attacks, ComputerWeekly
- What's Worse for Your Account: a Data Breach or a Phishing Attack?, PCMag
- Fake Password Reset Emails to Be Cautious About, Best Reviews
- Expired Password Scams, Identity Theft Resource Center
- Phishing Email Instructs Users to Click on “Keep Same Password” Button, The State of Security
- Silly Phishing Scam Warns That Your Password Will be Changed, Bleeping Computer
- 7 Ways to Recognize a Phishing Email: Email Phishing Examples, SecurityMetrics
- Lateral phishing used to attack organizations on global scale, ComputerWeekly
- Online Security | Harris Poll Survey, Google
- Former hacker warns against password reuse, Naked Security by Sophos
- How to Spot a Password Reset Email Scam, TechOperative