Anti-Phishing Skills: Don’t Bite The Bait!

Bait! (Image courtesy of Field & Stream)

Last updated: 2022-Apr-04

Phishing succeeds only when you bite the bait. The recent phishing fiasco involving a huge payout by OCBC (Jenner, 2022) clearly highlights that phishing victims are responsible for their own losses. This article equips you with important Cyber Hygiene skills to defend against phishing.

That said, Singapore victims of phishing are legally not liable for their losses. “Common sense” factors in law (“Constructive knowledge,” 2021). Given how Singapore’s MAS has never been able to publish a succinctly comprehensive and feasible education for basic Cyber Hygiene (other countries do!), phishing victims here can actually disclaim liability! If you’re a victim of phishing, you must swear you never read this article. ;-)

(TODO: Ping me to write about Singapore’s critical dearth of technologists, and our actual sources of technologies, especially if you want to know how to set up a technology team in Singapore.)

This article will bring you through a structured flow. We start with your web browser and online destinations.

Table of Contents:
1. URL: the location you visit online
2. Authority of a URL
2.1. Reading your Host: Right-to-Left
2.2. Banks to publish list of operational hosts, NOT!
3. Shortened URLs: hiding, in short
4. QR Codes: pretty, hidden URLs
4.1. iPhone QR Code Previewer
4.2. Keep up-to-date on technology glitches
5. HTML: not what it seems
6. Quick Summary
7. Final Thoughts

URL: the location you visit online

Your web browser goes places, online. Online places are online destinations each addressed by a Universal Resource Locator (URL), such as `https://www.dbs.com.sg` and `https://internet-banking.dbs.com.sg/IB/Welcome`. This URL is a destination address.

TIP: Obviously, your web browser cannot physically visit `18 Marina Gardens Drive, Singapore 018953`. It can at most visit `https://www.gardensbythebay.com.sg`.

When we visit an online destination, we want to know that it is a destination we intend to visit. Imagine hopping into a cab and asking to go home, but alighting at the zoo instead. (Might be fun to live at the zoo, though!)

(TODO: Creative cartoonists, please fill in here!)

How do we ensure we arrive at an online destination we intend to go to? By ensuring that the destination address (URL) is correct.

Authority of a URL

The correctness of a destination address can be checked simply by looking at the originator (aka owner) of the URL. Think of this owner as the owner of a house address. If your friend’s virtual house is at `https://my.good.friend.sg`, you don’t need to check whether the URL leads correctly to your friend’s dining area at `/big-s-dining-area`.

That is, any long URL like `https://my.good.friend.sg/big-s-dining-area` only needs the Authority segment (Berners-Lee et al., 2005) checked. How do we extract the Authority segment of a URL?

The Authority segment comes after the scheme segment (e.g. `http://` or `https://`), and before the first `/`.

WARNING: Ensure the URL’s scheme segment is `https://` and not `http://`! The former is secured with encrypted data channels, so that the messages between your web browser and the online destination cannot be read by eavesdroppers.

In our example above, the Authority segment would be `my.good.friend.sg`.

The typical case of an Authority segment consists only of the host component.

TIP: For now, ignore the Authority segment’s components userinfo and port, in case you actually diligently read Berners-Lee’s RFC! To satisfy the OCDs among you, an uncommonly full Authority segment could be `john.dough@` with `my.good.friend.sg` and `:8000`. Let’s move on.

Now that we know how to extract the Authority segment of a URL, how do we check the Authority is correct?

We read the host component right-to-left.

Reading your Host: Right-to-Left

IMPORTANT: The host component is the key to reading the Authority of a URL correctly. Ensure you go through the practice attached in this section.

Neuro-Linguistic Programming: Profitable myth to sell, unreliable to use (Image courtesy of Live Science)

(TODO: Somebody draw a hilarious cartoon for this lame quip? “Your right side is your truthful side. I can’t talk to your left side!”)

A host component is read right-to-left, punctuated by `.`, such as interpreting “petstore” of “commerce” of “Singapore” from `petstore.com.sg`.

WARNING: The punctuation is `.`, not `-` nor `_`! Worth repeating again… the punctuation is the period, the `.`, the dot that functions as a full-stop at the end of English sentences.

TIP: Don’t be shy about prying into your hosts’ lineage! Which industry do they hail from? Which country are they operating in? The alternative is to hand your passwords to a masked stranger who claims to be the “Login Form” for your bank. Phishing predators operate on your blind trust!

Let’s do some practice here. We use a local bank’s URLs to get a real-world hands-on. We look at `https://www.dbs.com.sg` and `https://internet-banking.dbs.com.sg/IB/Welcome`.

The “frontdoor” of DBS’s online presence is at `www.dbs.com.sg`. It is easy enough to see that this host is anchored to “dbs” of “commerce” of “Singapore” by reading `dbs.com.sg`. (We’ll explain `www` soon after, something called “subdomain”.)

The internet banking application (software, function) is at `internet-banking.dbs.com.sg`. This host is also anchored to `dbs.com.sg`. So, we can be confident that `internet-banking.dbs.com.sg` originates from DBS (and not scammers).

TIP: Subdomains such as `www`, `internet-banking` are of no consequence in reading the host to establish the correctness of the Authority. They are only related to distinct clusters of servers (computers serving up an online destination for you to visit). It is common for separate functions, such as “frontdoor” versus “internet banking”, to be served by distinct server clusters.

Even if DBS gets vain and verbose with its destination addresses, and throws at us something like `sub3.sub2.sub1.dbs.com.sg`, we will still be able to ascertain that the host is still anchored to `dbs.com.sg`.

WARNING: Look closely at the host because certain carefully designed “typo errors” can deceive a casual glance, such as `internet-dbs.com.sg`, `bank-dbs.com.sg`, `login-dbs.com.sg`, and so on.

Banks to publish list of operational hosts, NOT!

You might actually spot an operational gap here: why don’t the local banks publish an easily-accessible list of host names they operate from?

In all likelihood, perhaps for marketing and branding purposes, DBS could operate from `dbs.com.sg` and `dbs.com`. (This is actually the case: `ideal.dbs.com` anchors to `dbs.com` rather than `dbs.com.sg`.)

Your best bet is to write down a comprehensive list of hosts that your bank operates from. You might have to ask your bank to confirm this list for you.

TIP: MAS might take some years to pick this up, judging from my experiences working with the government here. Do yourself a favor meantime, and create this list for yourself as a customer of local banks. Don’t wait for MAS.

Now that we’ve learned how to verify the correctness of a URL (destination address), we look at how phishing predators hide that URL!

(The next part of this article could be exciting for a lot of you. Perhaps nothing short of a good conspiracy novel!)

We look at how address abbreviations hinder our ability to verify the correctness of URLs.

IMPORTANT: Before we dive in, consider grasping and wielding this simple and convenient concept… clicking on any hidden URLs is asking for nasty surprises.

Shortened URLs: hiding, in short

You can create your own Shortened URLs with popular and free services online, such as https://bitly.com .

You should have a bit of fun here. Go to https://bitly.com and shorten this URL: `https://i.drink.your.milkshake.real-dbs.com`. Copy your Shortened URL, and paste it at http://checkshorturl.com .

That Shortened URL Resolver should yield these information:

So that’s what you’re hiding, URL abbreviator!

WARNING: Never click on a Shortened URL, just as you never give your house keys to a masked stranger. Always expand a Shortened URL to check the actual URL first, before you visit the online destination advertised by the destination address.

QR Codes: pretty, hidden URLs

QR Codes are the newest trick that phishing predators use, as if Shortened URLs don’t already pwn local bank customers enough (OCBC paid a terribly high price just months ago).

Think of a QR Code as a graphical representation of a Shortened URL. Just as sneaky, just as risky.

Again, let’s have some fun creating our own “malicious” QR Code. Go to https://www.qrcode-monkey.com and enter a URL of `https://i.drink.your.milkshake.real-dbs.com`. Click the button `Create QR Code`. We’ll be using this QR Code soon.

How do we expand a QR Code into its actual URL? The iPhone QR Code Previewer.

iPhone QR Code Previewer

The iPhone QR Code Previewer resides in the iPhone’s `Camera.app` (Apple Support, n.d.).

WARNING: DO NOT use the `Code Scanner` to scan QR Codes! It executes the QR Code immediately, firing up your web browser and landing you at a potentially malicious online destination!

Point your iPhone’s `Camera.app` at the QR Code we created above. Your iPhone should indicate `real-dbs.com`.

TIP: Google Lens also works in the same way, but does not zoom in only on the originator of the URL. The above example will show full, and potentially confusing, URL in Google Lens. Just make sure you always read hosts right-to-left. iPhone is generally sleeker than Android.

Keep up-to-date on technology glitches

It is still important to check with the latest updates on cyber security (or ping me for an updated overview). There was a time (iOS 11) when the iPhone QR Code Previewer did not work correctly (Cluley, 2018).

That glitch has been fixed. At https://www.qrcode-monkey.com, enter a URL of `https://dbs.com@real-dbs.com`. Your iPhone QR Code Previewer should indicate `real-dbs.com`.

As can be seen in 2018 iOS 11, even Apple can get security wrong. Keep yourself educated and up-to-date.

HTML: not what it seems

Lastly, beware of rendered HTML hyperlinks (W3C, n.d.) when you try to assess the safety of URLs. HTML can hide the real URL, presenting a sleek and usually shortened link, much like how Shortened URLs work. This link, for example, leads to my barren Twitter account rather than my Medium.com profile: https://jhannwong.medium.com.

WARNING: Just about every online page you read on your web browser will be presented in rendered HTML. However, a greater concern is rendered HTML in emails. Phishing predators use personalized emails to send you malicious URLs they want you to click on.

A good practice is to right-click the hyperlink and “Copy Link” (Safari), which will let you see the actual URL the link launches to.

Quick Summary

Before visiting an online destination, check its destination address (URL) to ensure it is pointing to the destination you intend to visit.

To check a destination address, extract and examine its Authority segment. Check that the segment has a host component that originates from your intended online destination.

Never click on hidden URLs. Always expand Shortened URLs and QR Codes to check the actual URL. Click on actual URLs wherever possible.

Final Thoughts

The above write-up comprehensively and succinctly delivers the Cyber Hygiene skills required to defend against phishing. However, a reasonable amount of real-world practice is required to internalize these skills. Hence, I’m identifying trainers who can competently deliver a training course based on my writings.

A possible end-goal is to officially and cost-effectively certify customers of local banks, such that customers are properly and duly diligent in guarding against phishing.

In the corporate setting, yearly Cyber Hygiene assessments or audits of staff can completely thwart phishing, disarming a key attack vector that cyber criminals use to deploy the most devastating security breaches — ransomware, backdoors, and more.

(And to my friends who keep bugging me to save Singapore from critical cybersecurity gaps: I am determined to avoid cybersecurity work. You guys step up given what I’m by now willing to write; Singapore’s security is in your hands now! Those of you in mid-to-senior management in the government, band together now, or forever hold your peace about where your bosses are goofing/golfing around! Do, or do not; there is no try, nor “my-boss-disappointed-me” resignation.)

References

Apple Support (n.d.). Scan a QR code with the iPhone camera. iPhone User Guide, Apple Support. https://support.apple.com/en-sg/guide/iphone/iphe8bda8762/ios

Berners-Lee, T., Fielding, R., Masinter, L. (2005, January). Uniform Resource Identifiers (URI): Generic Syntax, section 3.2, Authority. Internet Engineering Task Force. https://doi.org/10.17487/RFC3986

Cluley, G. (2018, March 28). Be wary when scanning QR codes with iOS 11’s camera app. WeLiveSecurity. https://www.welivesecurity.com/2018/03/28/scanning-qr-codes-ios-11s/

Constructive knowledge. (2021, October 31). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Knowledge_(legal_construct)&oldid=1052708164#Constructive_knowledge

Jenner, A. (2022, February 4). OCBC’s goodwill payouts to scam victims were one-off gesture, do not set ‘general precedent’ for future cases: MAS. Channel News Asia. https://www.channelnewsasia.com/business/banks-measures-implement-digital-banking-security-ocbc-scam-2479146

World Wide Web Consortium (W3C) (n.d.). Links. HTML 4.01 Specification. Retrieved April 4, 2022, from https://www.w3.org/TR/html401/struct/links.html

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store