PETALING JAYA – Fake news and phishing emails are not all that Internet scammers have in their arsenal.
The cheats have taken to designing elaborate imitation websites to fool people into revealing confidential and financial information, warn cybersecurity experts.
IT security services company LGMS founder C.F. Fong said imitation websites tried to act “legitimate” by using a prominent site’s reputation.
“They pretend to be someone they are not, from there that’s how they conduct fraud and deceive people who mistake them for the real deal,” he said in an interview.
Cybersecurity firm Forcepoint South-East Asia principal security consultant Brandon Tan concurred, saying: “By pretending to be a genuine entity, cybercriminals create seemingly legitimate websites and try to trick people into revealing their personal information or credit card numbers.”
Security software company Sophos senior technologist Paul Ducklin said lookalike websites were a “cornerstone of phishing”.
He said one was not likely to enter passwords or other personal details into a site that looked fishy.
“But a site that looks right enough can easily catch you out if you’re in a hurry.
“Using a lookalike domain name and lookalike content is just one more step in making a fake site look more realistic,” he said.
Besides reaping financial gain, Tan said cybercriminals were also creating fake websites for political purposes.
“Sometimes, fake websites are created for propaganda and spreading misinformation. By designing illegitimate sites, cybercriminals deceive by luring unwary users.
“They constantly change their tactics to avoid being caught and once the motive is accomplished, they disband the fake website,” he added.
Kaspersky Lab SEA general manager Yeo Siang Tiong said scam websites worked in a variety of ways, from publishing misleading information to promising wild rewards.
“Some are deliberately designed to look like legitimate, trustworthy websites or those operated by official government organisations, for example.
“The end goal is always the same – to get you to part with your personal or financial information,” he said.
Yeo said users needed to always be vigilant about the credibility of websites they visited.
“Take nothing for granted and don’t just click links to open a website. Instead, type in the web address manually, or store it in your bookmarks.
“Unscrupulous operators will often buy domain names that sound and look similar at first glance. By typing it in yourself or storing the one you know is accurate, you give yourself added protection,” he said.
Agreeing, Ducklin further cautioned: “Do not be in a hurry to click a misspelled domain name like ‘examp1e.com’, instead of ‘example.com’.
“It is easy to miss, but once you have spotted it, you know for sure that someone is being really sneaky and has your worst interests at heart.”
“When it comes to personal data, if in doubt, don’t give it out!” he said.
Fong said prominent website operators needed to be more proactive in looking out for imitations.
“If they find fakes, they can initiate a take down service by lodging a complaint with the Internet service provider or domain registrar of the site about the abuse,” he added.
One way to spot a fake website is to check whether the URL uses HTTP (Hypertext Transfer Protocol) or HTTPS (Hypertext Transfer Protocol Secure); the latter has a security certificate, shown as a green lock at the left-hand edge of the URL bar.
“Unfortunately, this is not foolproof either, as imitation sites can obtain a certificate for their fake URL as well,” Fong said.
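The two checks the experts describe above, spotting a lookalike domain such as ‘examp1e.com’ and not trusting the HTTPS padlock on its own, can be turned into a small allowlist-based screen. The following Python is an added example for this article, not code from any of the firms quoted; the trusted-domain list, the confusable-character table and the sample URLs are constructed for illustration. It folds digit-for-letter and letter-pair-for-letter substitutions back into the letters they imitate, compares the result with each trusted domain by edit distance, flags a trusted brand embedded in a longer hostname, and deliberately ignores the URL scheme, since an https:// lookalike is still a lookalike.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment would load the
# organisation's own list of brand domains.
TRUSTED_DOMAINS = ["example.com", "mybank.example"]

# Visually confusable substitutions seen in typosquatting, mapped to the
# letter they mimic. Multi-character entries are folded before single ones.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
}


def normalise(label: str) -> str:
    """Fold confusable characters into the letters they imitate."""
    label = label.lower()
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label


def hostname_of(url_or_host: str) -> str:
    """Extract the hostname from a URL (or accept a bare hostname), drop 'www.'.

    The scheme is ignored on purpose: HTTPS only proves the connection is
    encrypted to whoever holds the certificate, not that the site is genuine.
    """
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<brand>' or 'unrelated' for a URL or hostname.

    A host is trusted if it is, or is a subdomain of, an allowlisted domain.
    It is a lookalike if, after confusable folding, it contains a trusted
    domain without being a subdomain of it (e.g. example.com.evil.test), or is
    within max_distance edits of one (covers typos and transpositions).
    """
    host = hostname_of(url_or_host)
    if host in trusted or any(host.endswith("." + good) for good in trusted):
        return "trusted"
    folded = normalise(host)
    for good in trusted:
        if good in folded and not folded.endswith("." + good):
            return f"lookalike:{good}"
        if levenshtein(folded, good) <= max_distance:
            return f"lookalike:{good}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample inputs, including the article's own examp1e.com case.
    for sample in ["https://examp1e.com/login", "https://www.example.com/",
                   "exarnple.com", "https://example.com.evil.test/",
                   "https://login.example.com/", "exampel.com", "unrelated-site.test"]:
        print(f"{sample:35} -> {classify(sample)}")
```

The edit-distance threshold trades false positives for coverage: 2 catches a transposition like ‘exampel.com’ but will also flag short, legitimately similar names, so on a long allowlist it is worth tuning per domain length. The embedded-brand rule matters because a padlock and a hostname that starts with the real brand are exactly what Fong warns is not foolproof.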
CyberSecurity Malaysia (CSM) senior vice-president for cybersecurity responsive services, Dr Aswami Ariffin, warned that fake sites were becoming sophisticated.
“Previously, cybercriminals made bad copies and even added skulls and crossbones to their sites.
“But now they are very professional and make convincing copies to the point that viewers without an IT background will have a hard time telling it apart,” he added.
Aswami said this was a form of “behavioural hacking”, where cyber criminals fooled users into releasing confidential information without needing to resort to software hacking.
Under an MoU with the Malaysian Communications and Multimedia Commission (MCMC), CSM is tasked with reverse engineering fake websites to uncover the cyber criminal’s modus operandi and objective.
Aswami said recent data showed 1,526,403 malware infections in Malaysia, with machines being infected with various malicious software such as keystroke loggers, viruses and botnets.