Regular readers are familiar with our ongoing coverage of phishing attacks.
Recently, we reported on an Apple ID SMS-based phishing scam, and described how tax-related phishing attacks surged by 400 percent this year.
The continued success of these and other phishing campaigns reveals a persistent deficit of security awareness among users. Indeed, as we shared in an article earlier in 2016, Tripwire found that more than half (52 percent) of respondents for a survey conducted at RSA were “not confident” in their ability to spot a phishing attack.
That’s troubling news. And as attacks continue to grow in sophistication, it’ll only get harder to spot a phish.
On Monday, UK malware researcher @dvk01uk came across the phishing campaign.
— My Online Security (@dvk01uk) June 13, 2016
This sophisticated technique negates a common anti-phishing tactic: hovering over a URL to confirm it points to where you would expect it to point.
Fortunately, users can protect themselves against this phishing technique, though for how long remains to be seen. The malware researcher @dvk01uk expands upon this point in a blog post:
“The only saving grace with this particular phishing attack is that the phishing page is a HTML page / form that they tell you to open on your computer and not a link to a website. The advice we always give to NOT open any attachments to emails and definitely do not fill in html form attachments should protect you. But once a phisher puts this onto a website with a plausible & believable URL, then all bets are off and it will be almost impossible to detect the phish. This is very worrying.”
Fortunately, PayPal offers users the ability to enable two-step verification, which will help protect their accounts even in the event someone compromises users’ passwords.
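The advice quoted above about HTML form attachments can be enforced at a mail gateway instead of being left to the user. The following is an added example, not code from the original article or from the researcher: it flags attached HTML files that contain a form and reports where that form would send its data. The sample message, file name and host are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment; the host is a placeholder, not from the campaign.
SAMPLE_HTML = """<html><body><form action="https://collector.example.invalid/submit" method="post">
<input type="text" name="email"><input type="password" name="pw">
<input type="submit" value="Confirm"></form></body></html>"""

class FormFinder(HTMLParser):
    """Collects form targets and password fields from one HTML document."""
    def __init__(self):
        super().__init__()
        self.actions, self.password_fields = [], 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_fields += 1

def scan_message(raw_bytes):
    """Return one finding per HTML attachment that contains a form."""
    findings = []
    for part in message_from_bytes(raw_bytes, policy=policy.default).walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # HTML sent as application/octet-stream
            body = body.decode("utf-8", errors="replace")
        finder = FormFinder()
        finder.feed(body)
        if finder.actions:
            hosts = sorted({urlparse(a).hostname for a in finder.actions if urlparse(a).hostname})
            findings.append({"filename": name, "post_hosts": hosts,
                             "password_fields": finder.password_fields})
    return findings

def build_sample():
    """Build a constructed message carrying SAMPLE_HTML as an attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample: account notice"
    msg.set_content("Please open the attached form.")
    msg.add_attachment(SAMPLE_HTML, subtype="html", filename="update-form.html")
    return msg.as_bytes()
```

A gateway could quarantine any message for which `scan_message` returns a finding, since a form in a locally opened HTML file that posts to a remote host has few legitimate uses in email.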