Scammers want to steal your passwords and financial data with fake websites. But where do they host them and how do you spot a fake?
Beware: hundreds of thousands of websites are fake. They are designed to look like the websites of popular online stores, banks, and delivery services, but with a different goal: to steal your passwords and financial data. Victims are lured to these sites by phishing emails, messenger chats, and even paid ads. But don't despair: even if you click on a potentially malicious link, you may still be able to escape the scammers' clutches without losing anything, as long as you detect the fake in time.
Where are phishing sites hosted?
Sometimes, scammers create a new, special website and register it under a name similar to the original website (e.g. netflik.com instead of netflix.com). It’s worth checking out our separate post on fake names. But these sites are expensive to set up and easy to block, so many cybercriminals take a different route. They hack legitimate websites on a random topic and then create their own subsections where they post phishing pages. Small and medium-sized businesses often fall victim to hacks of this type because they don’t have the resources to constantly update and monitor their websites. Sometimes, a website hack can go unnoticed for years, which is simply a feast for cybercriminals.
One of the most popular web content management systems is WordPress, and as such, the number of hacked websites on the platform runs into the tens of thousands. However, once you know what to look for, it’s not difficult to spot these sites on your own.
First sign of forgery: inconsistency between the website name and address
When following a link in an email, social media post, or advertisement, it’s worth taking a look at the URL of the website you’re taken to. If it’s a hacked site, the discrepancy will be right in front of your eyes. The name of the service the fake site is pretending to be may appear somewhere in the directory path, but the domain name will be completely different. For example: www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php. Everyone knows that Netflix is at netflix.com. So what is it doing at medical-helpers24?
Checking the URL requires a bit more effort on mobile devices because many apps open links in a way that leaves the website address hidden or only partially visible. In this case, tap the browser address bar to see the full website address.
Second sign of spoofing: directory path elements
When looking at the full address of a web page, pay attention to the final part of the URL after the domain name. It can be a bit long, but focus only on the first few parts.
Hacked subsections of the site are usually hidden in the WordPress service directories, so the address will likely contain elements like /wp-content/, /wp-admin/, or /wp-includes/.
In our example www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php, one of these elements is right after the domain name, confirming our suspicions that the site has been compromised.
The URL will also most likely end in .php. Pages with the .php extension are quite common, and that alone is not a sign of a hack. Combined with this directory path, however, the .php extension is compelling evidence that something is wrong.
Third sign of forgery: the website has a different subject
If the website name seems strange or suspicious, you can perform an additional check by going to the homepage. To do this, delete the end of the URL, leaving only the domain name. This should open the page of the real website owner, which will be completely different from the phishing page, both in subject matter and design.
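The three signs above can be turned into a simple checker. The following is an added example written for this post, not code from the original Kaspersky article: it takes a URL, splits it into host and path, and reports the brand-versus-domain mismatch, the WordPress service directories, and the corroborating .php ending, and it also returns the homepage address you would open for the third check. The brand list and all URLs except the article's own medical-helpers24 example are constructed for illustration; look-alike domain names (netflik.com and the like) are the separate topic the post refers to and are not covered here.

```python
from urllib.parse import urlsplit

# Constructed list of brands to watch for; extend with the services you use.
BRANDS = ("netflix", "paypal", "amazon")

# WordPress service directories named in the post; a hacked site's
# phishing pages are usually tucked away under one of these.
WP_DIRS = ("wp-content", "wp-admin", "wp-includes")


def inspect_url(url):
    """Apply the post's three signs of a hacked-site phishing page.

    Returns a dict with the host, a list of human-readable findings,
    the homepage to open for the manual third check, and a verdict.
    """
    # urlsplit needs a scheme to separate host from path; links copied
    # from an address bar often lack one, so add a placeholder.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""            # already lower-cased by urlsplit
    segments = [s for s in parts.path.split("/") if s]
    findings = []

    # First sign: a brand name shows up in the directory path but the
    # domain belongs to somebody else entirely.
    host_labels = host.split(".")
    for brand in BRANDS:
        in_path = any(brand in seg.lower() for seg in segments)
        in_host = any(brand in label for label in host_labels)
        if in_path and not in_host:
            findings.append(f"brand '{brand}' in path but domain is '{host}'")

    # Second sign: a WordPress service directory among the first few
    # path elements (the post says to focus on the first parts only).
    wp_hit = [seg for seg in segments[:3] if seg.lower() in WP_DIRS]
    for seg in wp_hit:
        findings.append(f"WordPress service directory '/{seg}/' in path")

    # A .php ending is only evidence in combination with the directory
    # path, so it is recorded only when a WordPress directory was found.
    if wp_hit and segments and segments[-1].lower().endswith(".php"):
        findings.append("page ends in .php inside a WordPress directory")

    # Third sign is manual: open the bare domain and compare the topic.
    homepage = f"{parts.scheme}://{host}/"

    return {
        "host": host,
        "findings": findings,
        "homepage": homepage,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # The post's own example, plus two constructed benign URLs.
    for sample in (
        "www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php",
        "https://www.netflix.com/login",
        "https://example.com/blog/post.php",
    ):
        report = inspect_url(sample)
        print(sample, "->", "SUSPICIOUS" if report["suspicious"] else "ok")
        for line in report["findings"]:
            print("   ", line)
        print("    check homepage:", report["homepage"])
```

Run it and the article's example produces all three findings, while a genuine netflix.com login page and an ordinary .php page on a site with no WordPress directories produce none. The checker implements only what the post describes; a zero-finding result is not proof that a page is genuine.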
Your personal data on a fake website
It may happen that some information fields (such as your email address or bank card number) are pre-filled correctly even on a phishing website. This means that attackers have somehow obtained a database of stolen personal data and are trying to enrich it with additional information, such as passwords and CVV numbers. To do this, they upload a table of known victim data to the phishing site, and this table can usually be downloaded freely from the website. Therefore, if you see your real card number on a fake website, reissue the card immediately and think about additional security measures for your other personal data. For example, if your email address has been leaked, protect your email login with a stronger password and make sure to enable two-factor authentication.
How to protect yourself from phishing
Always be vigilant. For the above tips to work, remember to check every link you click.
Check links before clicking them — some attacks don't require the victim to do anything other than visit the infected website. On a computer, move your mouse pointer over a link to show the actual destination URL. On a smartphone, tap and hold the link with your finger to see the URL in the pop-up menu.
It's best to access important addresses (your bank, email server, etc.) through bookmarks or by typing them in manually, rather than through links in emails.
Install security solutions on all your computers, tablets and smartphones. Phishing can reach you on any device, so use Kaspersky Premium to keep all your digital companions safe.
Content previously posted at: Kaspersky Blog
We are Software.com.br, the Official Kaspersky Representative in Brazil and also a reference in technology solutions for the corporate world in Latin America. Count on our consultants specialized in Software Licensing, Cybersecurity, DevOps, Infrastructure and Data Analytics.
See more about Kaspersky on our website: Software.com.br