This is how you get hacked online …
Here is an example of how you can get hacked:
1) You get an email message from an online provider that you use all the time, e.g. from Facebook, Hotmail, Gmail, your bank, etc. It looks official and realistic, and seems to come from a legitimate person within the company (webmaster, security team, account rep, etc.).
Below are examples of fake emails.
(Image courtesy of securelist.com)
(Image courtesy of gbradhopkins.com)
2) There may be an alarming message, e.g. “Your account has been compromised. Login to change your password immediately.”, or sometimes a more subtle reminder, “For security reasons, we ask that you log in to change your password. Your account will be disabled until you do so.” Sometimes it asks you to log into your account to check a message you have received about your account, e.g. “Please log into your account to check your unread messages.”, or, as in the case of Facebook, you just got a message from one of your *friends* on your Facebook wall/messaging system that you may want to reply to.
Whether it is an alarming, subtle or simple message that asks you to change/verify your account info or to reply, there is always a web link included in the email.
3) Because you want to safeguard yourself and don’t want your account to be compromised, or you are just following instructions, or you just want to reply to that message — you click on the link provided.
4) Your browser opens up to a page that looks like a real page from Facebook, Hotmail, Gmail, your credit card company, your bank etc.
5) You log in (like you normally do) without even thinking twice.
6) Everything seems normal while you are logging in. But suddenly you are back at the official login page again. It looks like your username and password didn’t go through.
7) You scratch your head and wonder why you are back at the login page again. You try again. This time you are logged in successfully and proceed to do whatever you were told. For those who had a message asking them to check unread messages, there don’t seem to be any unread ones. For those who seemed to get a message from a “friend”, you don’t see that message at all.
You log out, thinking nothing is wrong or that there was probably a mistake. The next day, you find yourself locked out of your account, or spam messages are being sent from your account (apparently written by you). In the worst case, you find that your bank account or credit card info has been stolen.
So the question is… when and where did you get yourself hacked?
The answer is in step number 4.
When you clicked on the link they provided, you were redirected to a page that looks like a real page. That page is a mere recreation made to fool you. What you didn’t notice was that the web address was not a legitimate one. As an example, the real sign-in page for eBay is https://signin.ebay.com. The fake one might look like this: https://signin-ebay.com. Another example might be Paypal — the real address is http://www.paypal.com. The fake one could look like this: www.paypalsecure.com, www.paypa1.com, www.secure-paypal.com, or www.paypalnet.com.
Below are examples of fake pages (*notice the website addresses).
(Image courtesy of Ultramax)
Remember the part in step 6 where it seems like something happened but you are suddenly back at the official login page again? What happened there is that your login/password was sent to the hacker and then you were redirected back to the official, real page. You’ll think nothing of it when you look at the website address, as it is the real address — most would just try to log in again. By then, your information has already been grabbed by the unscrupulous scammer and he’s ready to put it to bad use.
This is one of the more common examples of phishing scams.
Lesson learned — be careful when clicking on links within an email. When your browser opens a page, always look at the website address closely. There are often only subtle differences between the real and the fake website address. Better yet, don’t click on links in email at all. Open your browser yourself, type in the web address of the page and log in that way. That extra step may save you from getting hacked and having your private info compromised.
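As an added example (not part of the original post), here is a small Python helper that performs the address check the post recommends on the addresses it lists: it extracts the hostname from a link, accepts only the real registrable domain (ebay.com and paypal.com, assumed here as the trusted list) and its subdomains, and flags hosts that merely contain or imitate the brand. It also goes beyond the post’s examples by catching digit-for-letter swaps like paypa1.com and brand-as-subdomain tricks such as ebay.com.evil.example (a constructed hostname).

```python
from urllib.parse import urlsplit

# Trusted registrable domains for the sites named in the post (assumed list).
LEGIT_DOMAINS = {"ebay.com", "paypal.com"}

# Look-alike substitutions seen in fake hostnames, e.g. "paypa1.com"
# (constructed mapping for this example; extend as needed).
HOMOGLYPHS = {"1": "l", "0": "o", "vv": "w", "rn": "m"}


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a link; a bare 'www.site.com' is accepted too."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'signin.ebay.com' -> 'ebay.com'.
    Assumption: two-label suffixes such as .co.uk are out of scope here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize_homoglyphs(name: str) -> str:
    """Map common look-alike sequences back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        name = name.replace(fake, real)
    return name


def classify_link(url: str) -> str:
    """'legit' if the link belongs to a trusted domain (or a subdomain of it),
    'lookalike' if the hostname merely contains or imitates a trusted brand,
    'unrelated' otherwise. Only the hostname matters; scheme and path are ignored."""
    host = hostname_of(url)
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    mimic = normalize_homoglyphs(host)
    for legit in LEGIT_DOMAINS:
        brand = legit.rsplit(".", 1)[0]   # 'ebay' from 'ebay.com'
        if brand in mimic:                 # signin-ebay.com, ebay.com.evil.example
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for link in ("https://signin.ebay.com", "https://signin-ebay.com",
                 "www.paypa1.com", "https://ebay.com.evil.example/login"):
        print(f"{link:45} {classify_link(link)}")
```

A "lookalike" verdict is a warning, not proof of fraud: a harmless site whose name happens to contain a brand word will be flagged too, which is the safe direction for a check meant to make you pause before typing a password.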