Author: Robert Broxup

The subject of copycat websites and services came up again this week when I received a call from a friend who explained that his wife had applied to update her driving licence details online, a service that is usually free of charge. The site asked her to pay a fee after entering all her personal information into the website. In this case, she realised something was wrong because she knew it was usually a free service and stopped before providing credit card details. No money exchanged hands, but this doesn’t change the quantity of personal information held by the website.

This call reminded me of an article (Copycat Services) I wrote last year about how fraudsters are still setting up websites which offer official services at potentially extortionate prices that are usually cheap or completely free of charge. This article is a follow-up to focus on what actions to take if you discover a copycat website at any stage from finding the site through to realising after the fact that you have paid for services using a fake website.

Copycat services are not necessarily illegal, and this depends on the circumstances. For example, accountants often process self-assessment tax returns on behalf of their customers. The problem, and the reason this is so much of an issue, is that in most cases, websites manipulate people into believing they are using a genuine service; when in reality they are using a 3^rd party to act on their behalf.

Communicating directly with the copycat service provider to resolve issues may seem like a good idea, such as to process a refund or ask for personal data to be removed. However, depending on the level of fraud involved, this could be akin to asking a mugger to give you back your wallet. If a company is going to operate in this way to deceive you into parting with your money, it is reasonable to assume that they don’t care about your personal information or any other safeguards in connection with financial transactions.

• Action Fraud – https://www.actionfraud.police.uk – the UK’s national reporting centre for fraud and cybercrime. Contact Action Fraud on 0300 123 2040. Where appropriate, Action Fraud will pass along information to the National Fraud Intelligence Bureau.

• Google – If you found the website using Google, visit https://safebrowsing.google.com/safebrowsing/report_phish/ to report the website and have it removed from search results. Google announced several years ago that it would remove copycat websites from search results, so it is reasonable to expect that they will take action.

• Your Bank – Inform your bank about the transaction, report it as fraud and ask them to process a chargeback. Depending on the circumstances and the website used, the bank may cancel the financial transaction, but could equally reject the request on the basis that you were complicit. Challenge any instruction to communicate with the potentially fraudulent service provider directly in the interest of personal safety and to prevent further exposure to fraud.

• CIFAS (Credit Industry Fraud Avoidance System) – Protective registration is available, which logs information about you in the National Fraud Database used by financial services institutions to prevent fraud. Consequently, financial institutions take more comprehensive measures to verify your identity.

• Credit File – request a copy of your credit file from credit reference agencies such as Experian and Equifax. One-off credit reports are available for free and additional services are available to monitor changes on an ongoing basis actively.

In recent years, the number of publicly available Wi-Fi hotspots has increased significantly. We have reached a point in time where public Wi-Fi in coffee shops, restaurants and hotels has moved beyond ‘nice to have’ to ‘expected’ and choices of destination are often being decided by Wi-Fi availability over and above the quality of food, drink and accommodation. With this increased availability, including other areas such as public libraries, airports, railway stations and on board public transport, so are the risks increased; something not widely understood.

Use 3G/4G

My first suggestion is to avoid public Wi-Fi altogether and connect using 3G, 4G or 5G when it arrives to avoid all the security issues with public Wi-Fi.  With this approach, the security which needs consideration is the telecommunications’ provider; one provider, not 100s or 1000s of different connection points in places you might never visit again. That said, it is not always an option for any number of reasons:

• Not all tablets have SIM card capability and sold as Wi-Fi only

• Roaming charges outside of the European Union can be too cost-prohibitive, resulting in a financial need to use Wi-Fi. However, if this is a frequently travelled destination or a long duration abroad, the option is available to use a foreign SIM card. Again, this is only as secure the confidence you have in the foreign telecommunications provider. Still, it will mean vetting one business rather than thinking or worrying about every Wi-Fi provider you connect with while out and about.

• Not many laptops have SIM card slots as standard; however, USB attachable mobile broadband is available and works in much the same way. Alternatively, set up mobile telephones and tablets as remote hotspots to route internet traffic.

If public Wi-Fi is the only option available, the following suggestions will strengthen your security posture and reduce risks.

Use a Virtual Private Network (VPN)

A VPN establishes an encrypted connection to an Internet server. Communication with the Internet is through this server instead of directly through public Wi-Fi.

The public Wi-Fi router will only see the encrypted connection between your PC, tablet or telephone and the VPN server. Encryption doesn’t stop interception of traffic, but considering the effort required to decrypt the data against the reward which may be available from doing so, unless a specific person is a target for particular reasons, an attacker is likely to choose an easier target.

If you were to log in to your bank, for example, the request is encrypted and sent to the VPN server. The public Wi-Fi only sees the encrypted connection. The VPN server connects to the bank. The bank, at this point, sees the VPN server, including the IP address of the VPN, not the IP address from your device. Up to the moment when you need to login to specific services, the VPN allows you to browse the Internet anonymously.

In addition to improved security, there are other motivations for using a VPN such as gaining access to region-specific websites. Many websites check the IP address of the incoming connection, and present content based on the geographical location of visitors. Using a VPN can bypass these checks if the VPN server is in the same place as the site you want to visit.

Many sites have geographical restrictions for legal reasons such as the broadcasting of licensed content. The BBC requires a TV licence for streaming of live content; therefore restricts access to IP addresses known to be within the UK. Likewise, with Amazon Prime, films and television programmes are available under licence for specific regions and apply restrictions to streamed content.

Consequently, because VPNs can bypass geographical restrictions, to comply with contractual requirements, extra measures often need to be taken to block access such as checking IP address ranges against known VPN services and blocking access. Some services will ask for the VPN to be disabled, but such requests are not always reasonable, and if you have invested in a VPN service, you should think twice if a website asks you to disable it.

For improved security, some websites check previously used IP addresses with the IP address used for the current connection to prevent unauthorised access. In practice, this means that using a VPN could result in a significant increase in identity checks such as emailing confirmation codes or one-time-use passwords. Although this might feel frustrating, this process does work as a form of two-factor authentication. With the VPN service, the servers could be in many different countries, and the server used can fluctuate quite often. From the perspective of your bank or other online services, the connection will show as coming from different countries and could easily be interpreted as potential unauthorised access.

The key is not to let the change in behaviour of websites you are visiting distract you from the fact that the VPN is there for your personal safety and security, and not to entertain the idea that you should need to disable it. If you were told by a website or piece of software, to disable your anti-virus software to use their service, you would not follow their instructions. Treat your VPN service in the same way!

Businesses that allow remote and home working provide their staff with VPN access as a means of connecting to the company network and protecting corporate data, which often includes customer data.

VPN services are not expensive. Some services are available free of charge. However, a key consideration is the trustworthiness of the VPN provider. With a VPN, you are choosing to explicitly route all your internet traffic through specific servers belonging to the VPN service provider; therefore, the provider must be trustworthy. Some of the leading brands in anti-malware offer VPN services, but when searching the Internet, there are 1000s of services available, most of which will be unknown to you. It is easy to assume that any VPN will do, but this could not be further from the truth.

Suppose you install a VPN service belonging to fraudsters for example. In that case, all Internet traffic travels through servers belonging to fraudsters, something far worse than the risk that someone might intercept communication over public Wi-Fi.

It is your responsibility to do your research and choose a service provider that you can trust and depend on for services. I wrote an article last year called ‘The Website Credibility Test’, but dependability and credibility are often very subjective, and the emphasis in this article was to help people decide for themselves.

Regardless of how you connect to the Internet, whether it is public Wi-Fi, 3G/4G, or from home, using a VPN is still a good idea. Without a VPN, there are always extra measures to improve your safety and security online. Here are more suggestions, and why they are essential.

Use HTTPS instead of HTTP

Accounts which require you to logon should be using HTTPS:// (Hypertext Transfer Protocol Secure) as the protocol in their web address, and not just HTTP://.  HTTPS:// encrypts traffic between your browser and the website that you are using. Regardless of where you are and how you are connecting to the Internet, only use login credentials on a website with HTTPS.

• Logging in on an HTTP website can expose your logon credentials. With the same logon credential used in multiple places, accessing low importance sites with public Wi-Fi can facilitate access to high importance sites.

• The options to always use HTTPS is available in browsers or available as an add-on component. If you use HTTP where HTTPS is available, the browser will change the connection automatically to HTTPS.

Other thoughts for consideration

So far, we have considered not using public Wi-Fi, using a VPN, and making sure that secure connections use HTTPS instead of HTTP. There are more things to help protect yourself online, and plenty of reasons why it is essential to do so.

• Malicious Wi-Fi – not all public Wi-Fi is legitimate. Suppose the first thing you do when visiting a coffee shop, restaurant or any other location is to look for the free Wi-Fi. How do you know that the network you are selecting is a legitimate service offered by the establishment you are visiting. If in doubt, ask a member of staff for the Wi-Fi details to make sure you are connecting to the right network. Anyone could create a mobile hotspot called ‘Coffee Shop Free Wi-Fi’ and make it look official.

• Free Wi-Fi without login details – if you can connect to Wi-Fi without a network ID and password, the connection is most definitely unencrypted

• Free Wi-Fi with auto site connection – when you have selected your Wi-Fi and open your browser, you are redirected to a specific page rather than your usual default page. These pages often open automatically and often ask for registration, but not all of them are legitimate. Some are there for the sole purpose of capturing personal information.

• Free Wi-Fi which requires extra software – Software installations are never necessary to use Wi-Fi. If a Wi-Fi connection redirects you to a webpage to download and install software, reject the idea altogether.

• Popup adverts on free Wi-Fi – advertisements delivered through free Wi-Fi often manipulate users into downloading malware. For example, special offers relevant to the current location, such as a 20% discount on duty-free goods through free airport Wi-Fi. If you believe the Wi-Fi service is genuine, you will not suspect an electronic attack.

• Something free needs a credit card – there are so many sites which offer something free, then ask for credit card details. If the intention is to provide you with something free of charge, your credit card is not required. If a credit card is required, it means their ulterior motive is to charge you for something. You should never need a credit card to connect to Wi-Fi – anywhere.

• Turn off file-sharing when connected to a public network

• Disable Wi-Fi in public places if access is not required

• Protect your devices with anti-malware

There is no such thing as 100% safety or 100% security, and although one option is never to connect to public Wi-Fi, ever this is far from practical, and there will always be times when it becomes necessary. The next alternative is to be selective over how you use your devices while connected to public Wi-Fi, such as:

• Not accessing bank accounts

• Not entering credit card details

• Not accessing social media accounts or email accounts

These options are not always practical and are activities people expect to be able to do safely and securely.

To conclude, here are three suggestions:

• Use 3G/4G to access the Internet instead of relying on public Wi-Fi

• Use a VPN configured to connect to the Internet; adding an extra layer of security even over 3G/4G and acts as a backstop in any dead spots where Wi-Fi is needed.

• Be mindful of how you are using the Internet in public and avoid anything which is out of the ordinary or deviates from standard established practices

When writing about information security and implementing defensive measures, common feedback includes questions about the extent to which advice about how to improve personal safety and security helps others to inflict harm and carry out cyber-attacks. The articles I am writing and publishing here provide insight into how attacks are identified and prevented through greater awareness. However, readers have expressed concerns, so I feel it does deserve some consideration here, as any information published could be a double-edged sword, not just cyber-security related.

• Spear phishing, for example, did not come about because someone read about it and decided it was a good idea. It evolved from phishing as a means of improving the success hit-rate. However, if phishing had not been understood and widely publicised with warnings in the past, then maybe its success rate would still be higher, and a more targeted approach might not be happening the way it is today. The point being that as awareness increases, the effectiveness of scams decreases, but scams evolve into something different or more sophisticated.

• Years ago, as a pre-requisite to participating in a banking project, it was necessary to undertake anti-money-laundering training. At the end of the course, the joke among delegates was that we just learnt how to launder money.

• Earlier this year, there were media reports about scams involving fraudulent Universal Credit claims and how individuals are left facing high bills. Dishonest agents representing them made bogus claims on their behalf in exchange for a fee upon receipt of financial grants. The news increased awareness of the issues, how the civil services struggled to cope with the situation, and how criminals exploited the system weaknesses. To what extent does this information encourage further fraud to be committed?

• A locksmith needs to be able to get into someone’s house and replace the locks if the keys are lost or stolen. The same information, training, knowledge and experience is adaptable to the committing of crimes.

In conclusion, I don’t buy into the argument that a security blog reduces security in any way at all. Security blogs and news media reports on real-life issues need addressing through greater awareness and the implementation of countermeasures. Whatever cybercrimes and fraud were likely to take place, would probably have happened anyway. Crime comes first, followed by countermeasures.

This article breaks down the attack into four stages: Identity, Research, Email and Action. Many of the tell-tale signs of spear phishing are the same as for phishing and more information is available in Caught in the Net, one of our previous articles.

Stage 1 – Identify

Identify key personnel within the target business likely to have access to confidential data of interest. Professional skills are often the most substantial asset, and along with client and project details, are used to demonstrate credibility in the marketplace. This information helps to identify targets for data theft and in many cases, can be found as follows:

• Personal CVs which identify current and previous roles and responsibilities

• Staff profiles on business websites

• Social Media profiles which often include visibility and easy access to a list of colleagues

• Business details on Social Media can provide public access to a list of all past and present employees to help build a profile of the company

• Client details which build up a supply chain profile

• CVs and Job Descriptions are often sufficient to build up a profile of an organisation’s cyber defence posture

Information is publicly available to identify key persons within a target business. Reduce what is published and be mindful of how someone could use the details against you or your employers.

Stage 2 – Research

Now that a compiled list of individuals within the target business is available, the next step is to research them individually to identify their interests and how they will respond to communication attempts.

With phishing, an email that looks like it came from your bank, for example, could be sent to 1 million people offering them a discounted or free 90-minute helicopter trip over the city of London. To claim the offer, click a link to login to a website which looks like your bank. Such an email would rule out anyone not interested in helicopter rides and also rule out anyone with a different bank.  With spear phishing, the research on individuals allows a more targeted approach and for communication to be more relevant, and consequently more likely to get attention. With so much personal information published on social media, this is achievable. For example, if someone:

• Posts a complaint on Twitter about how a specific bank is refusing to deal with a problem

• Lists paragliding as a hobby on Facebook or Linked In

• Posts photographs on Instagram with notes on how they enjoyed the view of the mountains while paragliding

Although detailed personal interests might not be available for everyone on the target list, if the target business has 20000 staff, and 100 individuals are potential targets, a significant amount of personal information will likely be available for many of these.

So much information is publicly available to identify the personal interests of any potential target. People need to think more carefully and be mindful about how much information they release into the public domain, and how others could use the information.

Stage 3 – Email

The next step is to write a convincing and personalised email to get the attention of their target and encourage them to take action, such as opening an email attachment, clicking on a link to a website, or calling an expensive premium rate telephone number. The email would be personalised and could ask you to log in for a special offer or tell you that information is available in your account involving your previous complaint.

This approach is not always a single email requiring immediate action; it could be a longer game to increase the level of confidence. The initial email may not have any links or attachments but only written in a way that expects a reply, for the perpetrator to insinuate themselves into your life. The initial email could be something along the lines of, ‘Hi Michael, great to meet last week at the paragliding event’. With other information on social media such as photographs taken in the bar after all paragliders had safely landed, the email could be more detailed. With enough relevant detail, the recipient could genuinely believe the email is from someone they had met in person.

With a follow-up email containing an attachment about paragliding, or if the initial email turns into an ongoing dialogue, a follow-up email at any time is an opportunity to introduce malware. The end game could equally be about seeking investment or other financial help and building a relationship to a point where someone is more receptive to a request for money.

Again, the key difference is the use of detailed personal information to deliver a targeted attack. The more personalised it is, the more realistic the situation is.

With phishing, many emails are often flagged as spam by Anti-Spam services within a relatively short period, so their effectiveness is limited. Some email systems also flag emails as spam because the email is similar to previously known spam. However, because of the personalised nature of spear phishing, emails are less likely to be flagged. Suppose someone registers an email address with Google, Yandex, Yahoo or one of the many free email services available, and uses it to send a personal message. In that case, that is most likely how the email systems will treat it unless the recipient marks it as spam. Email tools can send spear-phishing emails in bulk using databases of previously compiled data.

Other tactics, such as impersonating other employees in the same business, will serve to encourage the desired outcome. As a result of the level of research that goes into target selection, spear phishing is significantly more effective than phishing.

Stage 4 – Action

Phishing and spear-phishing emails ultimately require the recipient to take some action, such as:

• Giving away personal information

• Logging in to fake websites

• Registering with fake websites that take your information

• Allowing attackers to take what they want, for example by opening an attachment which installs malware designed to email or update data to a remote location

Protective Measures

Many phishing and spear-phishing attacks work well because the emails lead people to believe that actions are required urgently. This urgency is only there to reduce the available thinking time. Things are seldom so urgent that you need to ignore common sense and not exercise due diligence; measure twice, cut once!

• Exercise caution when making personal information publicly available

• Use effective Anti-Virus / Anti-Malware

• Use an effective anti-spam solution

• Be vigilant when opening and reading emails

• Avoid taking actions which deviate from standard established practices. More information is available here in Deviation from the norm