What is Phishing and How to Protect Yourself | What the Cyber?
So I started noticing, once my phone started glitching in a weird way. Which I would’ve paid no attention to. Then I got a PayPal email to an email address that I definitely don’t use with PayPal, stating that I have money on a PayPal account. I got a Squarespace notification that my account had been accessed in China. There was someone using a half-anonymous name and saying that I had been doxxed, so basically someone had published my information online, and sent a link. And then I was like “Hmm, phishing or not?” and made that like a Twitter thing. And then the guy got really sad, and I felt sad, because I had made him sad – but I never clicked the link though.
That was actually us.
Yes! So you played my empathy! I really loved the fact that you used things like Pastebin, which is like a thing that I’d recognize.
That Squarespace thing was also us. We were trying to get access to your Gmail via those two.
Because I checked that Squarespace was squarespace.fi and I started to think…
It was actually squarepace.fi.
That I didn’t notice. In general, because so much of my life was online and I realized that I have like a gazillion unused accounts, is it easier to target someone like that or someone who doesn’t have much presence online?
In general, I’d say it’s easier if you have a big digital footprint online, because of course you can maybe gain access to an older MySpace or something like that, and use that as further leverage to move forward with the attack.
So after I would’ve clicked on a link it would’ve led me to a Google page that looks exactly like a real Google page. Is there anything I could’ve done at that point to protect me?
Well yeah, basically we registered like a generic domain and we stole the look and feel from an actual Google login page. So if you’re really strict on, for example, reading the URL and who has registered the HTTPS certificate that’s used on the page, then you can spot that it’s not the correct one.
And what if I had typed in my password, what happens then?
Then we would’ve just recorded your password and it would have forwarded you to the actual login page.
When you had the password, how would you have masked your access from me, so that I wouldn’t notice that you have access?
In the case of Gmail for example, there are some further security controls that we’d have had to figure out. For example, it sometimes notices when you’re logging in from an unusual IP address.
Yeah, I’ve gotten those notifications.
The easy way of protecting against this is to use the two-factor authentication that Google is offering. So then you’d also need to use the mobile application.
Guess what? I have that! The end goal wasn’t only to get into my email, right?
For an attacker, your network would be valuable. Gaining access for example to your email or LinkedIn account would be good. So we could leverage your persona in attacking other businesses. An attacker would for example search for a discussion you’ve had with a high-value person, then we would be able to hijack that discussion as you and send some kind of crafted malware payload or something like that to the recipient and then gain access to his or her organization.
How big of a role do human errors play in attacks like these?
Well, I don’t know if it’s an error, because emails are designed to be opened and read. That’s the typical way in, but of course there should be other controls in place to protect against the first line of attack.
So I definitely taped all of the cameras and audio jacks of my phones… What’s the level of smartness one should have when facing situations like these? Going forward, should I still keep everything taped?
Well, I think that’s not necessary. I think using just the good controls that are already in place in the services, for example the two-factor authentication, is an excellent way of protecting against these phishing attacks.
Thank you for watching! Remember to like, share and subscribe.
And if you don’t feel like liking, sharing or subscribing, remember: you can also hack us. We have a bug bounty! And if you’re able to break into our services, we’ll pay you money! Good luck and I’ll see you online.