Link Hijacking

This may sound over-dramatic, but I don’t think it is; there are few things that will turn our attention to the news faster than reports of an aircraft hijacking – and yet there’s a different kind of hijacking occurring in malicious eMails hundreds of thousands of times a day that can have equally dramatic consequences for the victims; consequences like loss of life savings and even potentially loss of life (in the case of deployment of a crypto virus that knocks essential services off-line for weeks as was the recent case at Waikato Hospital) – I call it “link hijacking”.

This screen grab from some spam I received illustrates it perfectly:

At first glance it looks like the links all refer to content on Vimeo right? WRONG! That’s NOT the destination of the link – that’s only the DESCRIPTION of the link. The destination that it took someone to was COMPLETELY different and bore no correlation to vimeo whatsoever.

The implications of this can be huge; just imagine for example that you receive an eMail that appears to be from your bank; it has their logo on it – all their correct contact information on it – everything looks legit. You click on a link and it takes you to a screen that looks like the same page you always use to log in – you log in as per normal and … you’ve just given the bad guys access to all your account because the link you clicked only LOOKED like the link to your bank’s login page … it was actually a link to a completely different site that’s controlled by the bad guys and setup to LOOK like the site it’s impersonating.

So how do we protect ourselves against these types of attack? Fortunately there are a few things we can do to keep ourselves safe:

1. Be suspicious. Be VERY suspicious of unexpected eMails saying they’re from your bank – Microsoft – Netflix – Linked In – eBay etc (the list is endless) – especially ones saying “your account has been locked due to …” or “your account is going to be … unless you …”.
   
2. Official advice is to “not click links” in eMails – instead, type the address in your browser yourself. Personally, I find that a bit unrealistic in that not many people will go to that trouble – but at the very least, hover your pointer over the link and look (often in the bottom left hand corner of your browser) at where the link is really going to take you. Read it carefully, keeping in mind that it’ll often be something that looks right at first glance but is actually a slight misspelling or other sleight-of-hand designed to deceive.
   
3. Use 2FA (2 factor authentication) or MFA (multi-factor authentication) as much as possible for important sites; this is where in addition to your password, you also need to supply a code sent to your phone (or something similar). If the bad guys get your password they still can’t get in (seriously – it’s great stuff).
   
4. If in doubt DON’T DO IT; many young people are far too careless when clicking links … and many old people (of which I’m one!) are far too trusting. It’s a problem. If you’re in any way suspicious then run it past someone you trust first … it may just stop you from losing your life savings.

As always, please don’t hesitate to get in touch if you’d like me to take a look at something suspicious – I’m more than happy to – and there won’t be any charge. These attempts to relieve people of the fruits of their labour really (can’t use the word I’d like to!) “annoy” me; I’m too old to leap into a brawl & break up a fight – but if I can stop this kind of attack on an innocent person then that’ll make my day.