Scammers want to steal your money and financial data with fake sites. But where are these sites hosted, and how do you identify a fake?
Attention: hundreds of thousands of sites are fake. They are designed to resemble popular online shopping sites, banks and delivery services, but with a different objective: to collect your earnings and financial data. Victims are lured to these sites by phishing emails, messenger messages and paid advertisements. But do not despair: even if you click on a potentially malicious link, you may still manage to escape the scammers' clutches without losing anything, provided you detect the fake in time.
Where are phishing sites hosted?
Sometimes scammers create a dedicated new site and register it under a name similar to that of the original site (for example, netflik.com instead of netflix.com). It is worth checking out our separate post on fake names. But these sites are expensive to create and easy to block, so many cybercriminals take a different path. They hack legitimate sites on any subject and then create their own subsections where they publish phishing pages. Small and medium-sized businesses are often victims of hacks of this type because they do not have the resources to constantly update and monitor their sites. Sometimes a site compromise may go unnoticed for years, which is simply a banquet for cybercriminals.
One of the most popular web content management systems is WordPress and, therefore, the number of hacked sites on the platform is in the tens of thousands. However, once you know what to look for, it is not difficult to detect these sites on your own.
First sign of falsification: inconsistency between the name and the address of the site
After following a link in an e-mail, social media post or advertisement, it is worth taking a look at the URL of the site you have landed on. If the site is hacked, the evidence will be right before your eyes. The name of the service that the fake site imitates may appear somewhere in the directory path, but the domain name will be completely different. For example: www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php. Everyone knows that Netflix is on netflix.com. So what is it doing at medical-helpers24?
Verifying the URL requires a little more effort on mobile devices because many applications open links in a way that leaves the site address hidden or only partially visible. In this case, tap the address bar in your browser to view the full address of the site.
Second sign of falsification: elements of the directory path
When looking at the full address of a web page, pay attention to the final part of the URL, after the domain name. It may be a little long, but concentrate on just the first parts.
The subsections that attackers add to a site are generally hidden in the WordPress service directories, so the path will likely contain elements such as /wp-content/, /wp-admin/ or /wp-includes/.
In our example www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php, one of these elements comes right after the domain name, confirming our suspicions that the site was compromised.
Check whether the URL ends in .php. Pages with a .php extension are quite common, so on their own they are not a sign of compromise. But in combination with this directory path, the .php extension is convincing evidence of guilt.
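The first two signs can be checked mechanically. The sketch below is an added example, not part of the original article: it parses a URL and reports a brand name sitting in the path of an unrelated domain, WordPress service directories, and a .php page underneath them. The KNOWN_BRANDS map, the function names and every sample URL except the article's own are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a brand -> legitimate domain map that the reader maintains.
KNOWN_BRANDS = {"netflix": "netflix.com"}
# WordPress service directories named in the article.
WP_SERVICE_DIRS = {"wp-content", "wp-admin", "wp-includes"}


def check_url(url):
    """Return the warning signs found in a URL, as a list of strings."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to locate the host
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    segments = [s for s in parts.path.lower().split("/") if s]
    findings = []

    # Sign 1: a brand name in the path while the domain belongs to someone else.
    for brand, domain in KNOWN_BRANDS.items():
        on_brand_domain = host == domain or host.endswith("." + domain)
        if not on_brand_domain and any(brand in s for s in segments):
            findings.append("brand-mismatch:" + brand)

    # Sign 2: the page sits inside a WordPress service directory.
    wp_dirs = [s for s in segments if s in WP_SERVICE_DIRS]
    findings.extend("wp-service-dir:" + d for d in wp_dirs)

    # .php alone is common; it only counts together with sign 2.
    if wp_dirs and segments[-1].endswith(".php"):
        findings.append("php-under-wp-dir")
    return findings


def verdict(url):
    """Brand mismatch decides; WordPress paths alone occur on legitimate sites."""
    findings = check_url(url)
    if any(f.startswith("brand-mismatch") for f in findings):
        return "likely-phishing"
    return "review" if findings else "no-signs"


if __name__ == "__main__":
    # The first URL is the article's example; the others are constructed.
    for u in ("www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php",
              "https://www.netflix.com/login",
              "https://blog.example/wp-admin/index.php"):
        print(verdict(u), check_url(u), u)
```

The third sign, comparing the phishing page with the site's real home page, still needs a human look.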
Third sign of falsification: the site has a different subject
If the name of the site seems strange or suspicious, you can perform an additional check on the home page. To do this, delete the end of the URL, leaving just the domain name. This should open the page of the real owner of the site, which will be totally different from the phishing page in both subject and design.
Your personal data is on a fake site
It may happen that some information fields (such as your email address or bank card number) are already filled in correctly on a phishing site. This means that the attackers have somehow obtained a database of stolen personal data and are trying to enrich it with additional information, such as passwords and CVV numbers. To this end, a table containing data known about the victims is published, and it can generally be downloaded free of charge from the site. Therefore, if you see your real card number on a fake site, reissue the card immediately and consider additional security measures for your other personal data. For example, if your email address has been leaked, protect your email login with a stronger password and activate two-factor authentication.
How to protect yourself against phishing
Always be attentive. For the above to work, be sure to verify all the links you click on.
Check links before clicking on them: some attacks do not require the victim to do anything other than access the infected site. On a computer, move or point your mouse over a link to display the actual destination URL. On a smartphone, touch and hold the link with your finger to see the URL in the pop-up menu.
It is best to access important information (your bank, email server, etc.) through bookmarks or by typing them manually, and not through links in emails.
Install security solutions on all computers, tablets and smartphones. Phishing can happen on any device, so use Kaspersky Premium to keep all your digital companions safe.
Content previously posted in: Kaspersky Blog
We are Software.com.br, Official Representative of Kaspersky in Brazil and also a reference in technology solutions for the corporate world in Latin America. Count on our consultants specialized in Software Licensing, Cybersecurity, DevOps, Infrastructure and Data Analytics.
See more about Kaspersky on our site: Software.com.br