Fake websites have long been a thorn in the side of both consumers and enterprises. The problem has become significant enough for some desktop Web browser makers, including Google and Apple, to reconsider their entire approaches to the classic URL bar.
For example, a version of Chrome Canary from last year experimented with removing the full URL from view and instead displaying only the domain name. This way, a genuine website would likely show a short string (e.g., "Apple, Inc." for an HTTPS login page) while a fake one would have a long and messy name. The difference is much harder to tell when scrutinizing full URLs, which typically carry long paths and parameters and can be hard to evaluate for authenticity with the naked eye.
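To make the domain-only idea concrete, here is an added example (not code from the article or from any browser vendor) that reduces a URL to what a domain-only address bar would show and flags the signs the article describes: long, multi-label hosts that borrow a brand name, userinfo placed before the real host, punycode labels and plain HTTP. The brand list and the allow-list of legitimate hosts are hypothetical, and the two-label registrable-domain shortcut is an assumption (a real deployment would consult the Public Suffix List); the sample URLs are constructed.

```python
"""Reduce URLs to the host a domain-only address bar would display and
report deception signals. Added example, not the article's code."""
from urllib.parse import urlsplit

# Hypothetical watch-list of brands this organisation cares about.
WATCHED_BRANDS = ("apple", "irs")
# Hypothetical allow-list of hosts those brands legitimately use.
LEGITIMATE_HOSTS = {"apple.com", "www.apple.com", "irs.gov", "www.irs.gov"}


def displayed_host(url):
    """What a domain-only address bar shows: the hostname alone, lower-cased,
    with scheme, userinfo (user:pass@), port, path and query stripped."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    """Assumption: the registrable domain is the last two labels. This breaks
    for suffixes such as co.uk; use the Public Suffix List in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _tokens(labels):
    """Split labels on hyphens so 'apple-support' yields 'apple'."""
    tokens = set()
    for label in labels:
        tokens.update(label.split("-"))
    return tokens


def deception_signals(url):
    """Return a list of human-readable warning signs for the URL (empty when
    the host is on the allow-list and nothing else looks off)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host"]
    signals = []
    if parts.scheme != "https":
        signals.append("not https")
    if parts.username is not None:
        # 'https://www.irs.gov@evil.example/' really connects to evil.example
        signals.append("userinfo before host")
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        signals.append("punycode label")
    if len(labels) > 4:
        signals.append("many labels")
    if len(host) > 40:
        signals.append("long hostname")
    if host in LEGITIMATE_HOSTS:
        return signals
    reg = registrable_domain(host)
    sub_tokens = _tokens(labels[:-2])      # everything left of the registrable domain
    reg_tokens = _tokens(reg.split("."))
    for brand in WATCHED_BRANDS:
        if brand in sub_tokens:
            signals.append(f"brand '{brand}' in subdomain, not in {reg}")
        elif brand in reg_tokens:
            signals.append(f"brand '{brand}' in unrecognised domain {reg}")
    return signals


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, three shaped like lookalikes.
    for sample in (
        "https://www.apple.com/login",
        "http://apple.com.account-verify.example/login",
        "https://www.irs.gov@evil.example/refund",
        "https://xn--login-example.test/",
    ):
        print(f"{displayed_host(sample):40} {deception_signals(sample)}")
```

The key teaching point is the third sample: the full URL begins with a real government host, yet the browser connects to the part after the `@`, which is exactly what a domain-only bar would have shown the user.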
The deceptive power of fake websites and their phishing campaigns
What do fake websites do? They might trick people into handing over sensitive information through a form that looks legitimate. A few years ago, Trend Micro senior threat researcher Noriaki Hayashi looked at a classic example along these lines, namely a phishing attack that utilized a fake donation site. In that case, the site presented itself as a portal for raising money for victims of the early 2011 earthquakes in Japan. An attached blog and on-page advertisements helped boost the fake site's SEO so that it could lure more victims.
More recently, fake websites have been tricking some people who have been trying to access services from the U.S. federal government. The country's Federal Bureau of Investigation issued a public service announcement this year warning Internet users to be on the lookout for fake websites that imitate the functionality and feel of official government sites. The organization's bulletin also noted that imposters were using SEO techniques to enhance their attempts at deception, just like the donation sites profiled by Hayashi in 2011.
"Victims use a search engine to search for government services such as obtaining an Employer Identification Number or replacement social security card," stated the FBI bulletin. "The fraudulent criminal websites are the first to appear in search results, prompting the victims to click on the fraudulent government services website."
From there, the compromised site may extract various fees from its visitors, as well as submissions of the personally identifiable information found in documents and items such as birth certificates, driver's licenses and employee badges. This data can in turn be used for identity theft or, in the case of pilfered payment card details, fraudulent transactions.
What can CIOs and IT do to avoid imposter websites?
Many Web browsers and endpoint security tools have built-in mechanisms for identifying risky websites and protecting users from being led into a swindle. However, there are situations, such as being on a personal mobile device, in which a person may be at risk of divulging important information to cyber criminals. What steps can he or she take to stay safe?
A good place to start is with a simple WHOIS search of the domain in question. Oftentimes, the results can reveal if the site is legitimate or a fly-by-night operation set up to make a quick buck. Research can also help: Does the site have any reviews or testimonials? Fakes often show up in relatively few results other than the ones from their own domains, while legitimate ones have a larger online trail.
Fake websites are just one risk among many to navigate when trying to steer clear of phishing scams. Phishing can also come through channels such as email or social networking, via messages or headlines that demand immediate user action. Ideally, close attention to email wording and formatting or to the source of a social media post can help weed out dangerous communications.
If someone does end up clicking through, the destination is often a compromised site similar to the fakes we have discussed here. Keep an eye on the URL, page formatting (does it have an excessive number of spammy headlines and advertisements?) and security (is a valid SSL certificate in use?). Effective employee cyber security training along with endpoint security tools can help keep everyone safe from phishing and data theft.
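"Is a valid SSL certificate in use?" has two parts: the chain must verify against a trusted CA, and the certificate must actually be issued for the host in the address bar. The following added example (not the article's code) shows both. `fetch_peer_cert` uses Python's default TLS context, which performs chain and hostname verification, while `cert_covers_host` reproduces the hostname-matching rule offline so the edge cases are visible: matching is case-insensitive, and a `*.` wildcard covers exactly one label. The sample certificate dict is constructed in the shape `ssl.getpeercert()` returns; `www.example.com` and the 2030 expiry are placeholder values.

```python
"""Certificate validity checks for a host: chain verification via the default
context, plus an offline name-matching helper. Added example, not the
article's code; SAMPLE_CERT is a constructed stand-in for getpeercert()."""
import socket
import ssl
import time

# Constructed certificate in the dict layout ssl.getpeercert() produces.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def san_matches(pattern, host):
    """Match one subjectAltName DNS entry against a host, RFC 6125 style:
    case-insensitive, and a leading '*.' stands for exactly one label, so
    '*.shop.example.com' covers 'cart.shop.example.com' but neither
    'shop.example.com' nor 'a.cart.shop.example.com'."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    host_labels = host.split(".")
    if len(host_labels) < 2 or host_labels[0] == "":
        return False
    return ".".join(host_labels[1:]) == pattern[2:]


def cert_covers_host(cert, host):
    """True if any DNS subjectAltName matches the host. Modern validators
    ignore the commonName once SANs are present, so this does too."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(san_matches(name, host) for name in names)


def cert_is_current(cert, now=None):
    """True if the certificate's notAfter is still in the future."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notAfter"]) > now


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect with the default context (system CA store, hostname check on).
    Returns (cert_dict, None) on success or (None, error_text) when the chain
    or hostname fails verification. Needs network access; not used in tests."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except (ssl.SSLError, OSError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "cart.shop.example.com",
                 "a.cart.shop.example.com"):
        print(f"{host:28} covered={cert_covers_host(SAMPLE_CERT, host)}")
    print("current:", cert_is_current(SAMPLE_CERT))
```

A certificate that verifies but is issued for a different host is the case users most often wave through; the offline matcher makes that distinction explicit, and `fetch_peer_cert` surfaces it as a verification error rather than a silent success.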