By Maria Sole Scollo, IT security expert at Consortium GARR
On an ordinary beach in an ordinary country, an ordinary girl is lying in the sun and enjoying her summer holidays whilst surfing the net with her smartphone looking for bargains!
She accesses the website of a well-known fashion brand in search of bargains and finds some interesting opportunities, but she postpones the purchase: she wants to think about it a little longer and then it’s time to take a swim!
The next day the ordinary girl accesses the same site (or so she thinks) because she has almost made up her mind to buy that beautiful dress on sale she saw the day before. She types the name of the brand in the search engine and, without thinking too much and without seeing clearly because the sun glares on the screen, she clicks on the first link in the list, like she did the day before. She opens EXACTLY the same pages that she already saw and rushes to the desired dress. Something IS actually different: the prices have fallen! Wow! she thinks, I was really lucky to postpone the purchase! And this opportunity for further savings eventually convinces her to fill her shopping cart.
Then comes the time to pay, but first she needs to register on the website and create an account. She enters all the data: as a user name she is asked to enter her e-mail address, she chooses a password on the fly, but doesn’t write it down (she is on the beach, after all, and doesn’t want to waste too much time), then she proceeds with the payment. How strange, PayPal is not among the options for payment! In fact, the only possible payment option is by credit card… then so be it!
As soon as the payment is completed, the order confirmation e-mail arrives (Order no. etc.) as well as the SMS of the transaction from the bank (payment authorisation, etc.); the girl can see them in the preview on her smartphone screen… no need to open them, after all, the sun in her eyes has already bothered her enough.
The girl had the package delivered to an acquaintance, because she will still be on vacation when it arrives (after only 3/4 days, it was specified on the website), but the days pass by and the package doesn’t arrive. It must be a delay due to the pandemic, she thinks, and then she stops thinking about it and enjoys her vacation.
The girl has returned home and now she remembers the package. She calls the friend who should have received it, but there is not even the shadow of a package in sight. Our girl starts to be impatient. So she opens the first e-mail that arrived at the time of the order. Something is wrong. This email is so anonymous… in fact it does not provide any information, other than a trivial order number. There is neither a logo nor any other reference to the website of the brand from which she purchased.
She then thinks to access the website with the account she created for the occasion, to retrieve some information, perhaps a link to track her package. As always, she searches for the brand name on the search engine, she clicks on the first link in the list, and proceeds to login: username and password… user name… oh yes! It was the email address. Her password… she doesn’t remember it, she had chosen it on the fly at the beach, remember? Never mind, she decides she will proceed with the recovery… but… what does it mean “there is no account with this user name”? She tries again and again. She can’t be wrong, after all the confirmation email had arrived, so the address entered was correct.
And here, in an ordinary day, in an ordinary city, an ordinary girl suddenly realises: it was a case of PHISHING!
To be sure, she checks the browser history, and only then does she realise that the site visited on the first day (when she did not make the purchase) is called namebrand.com, and is the same one where she just tried to log in, while the website visited on the day of the purchase is called brandname.ONLINE.com.
At the end of the story, the package never arrived, but luckily the bank compensated her for the stolen money.
Our girl has become aware of the fact that a pair of sunglasses can sometimes save a bank account as well as one's eyesight, but above all that one can never be too cautious, because phishing is always lurking… even on holiday!
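The check the girl eventually did by hand, comparing the host in the browser history with the brand's real domain, can be automated. The following is an added example, not part of the original post: it treats the last two host labels as the registrable domain (an assumption that holds for .com-style domains; a real tool should use the Public Suffix List) and flags URLs where the brand name appears only as a subdomain label of some other registrable domain, exactly the namebrand.com versus brandname.ONLINE.com situation above. The history entries are constructed to mirror the story.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Assumption: registrable domain = last two labels (fine for .com, not for co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, legit_domain: str, brand: str) -> str:
    """Return 'legit', 'brand-in-subdomain' or 'unrelated' for one visited URL."""
    host = urlsplit(url).hostname or ""  # hostname is already lowercased, port stripped
    if registrable_domain(host) == legit_domain.lower():
        return "legit"
    # Labels to the left of the registrable domain, e.g. ['brandname'] for brandname.online.com
    subdomain_labels = host.split(".")[:-2]
    if any(brand.lower() in label for label in subdomain_labels):
        # The brand is only a subdomain of someone else's domain: classic lookalike host.
        return "brand-in-subdomain"
    return "unrelated"


# Constructed browser-history sample: day 1 on the real site, day 2 on the lookalike.
HISTORY = [
    ("day 1", "https://namebrand.com/sale/dresses"),
    ("day 2", "https://brandname.ONLINE.com/sale/dresses"),
    ("day 2", "https://brandname.ONLINE.com/checkout"),
]


def review_history(history, legit_domain="namebrand.com", brand="brand"):
    """Annotate each history entry with its classification."""
    return [(day, url, classify_url(url, legit_domain, brand)) for day, url in history]


if __name__ == "__main__":
    for day, url, verdict in review_history(HISTORY):
        print(f"{day}: {url} -> {verdict}")
```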
Maria Sole Scollo
Maria Sole Scollo is an IT security expert at Consortium GARR; she has been part of GARR-CERT since 2002 (cert.garr.it). She deals with the management of security incidents, user support and the publication of security alerts, as well as cybersecurity training. She is also interested in the analysis of Cyber Intelligence sources for operational data protection.