Clickjacking: When a Click Hides a Scam
Marco is a big football fan. Every day he follows news about his favorite team on different sites, from official ones to niche ones. It is probably the part of the day he loves most, but will it always be? During one of his web sessions, Marco is attracted by a link reporting sensational news about his team. Carried away by excitement, he clicks and nothing happens. "It must be a problem with the site," he thinks. But no. A few days later Marco receives an email with a photo of him in pajamas and a message: "I have many photos like this, I can spy on you, but if you pay me I will stop." (Clickjacking attacks have been used to switch on the webcam and microphone by tricking the victim into clicking through the Adobe Flash settings panel hidden under the page.)
Wikipedia says: During normal web browsing, the user clicks with the mouse pointer on an object, for example a link, but in reality the click is redirected, without the user's knowledge, to another object. Typically the vulnerability exploits JavaScript or iframes.
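The check an external audit runs for the exposure described above, as an added example that is not code from the original article: given a page's response headers and the origin of a page that tries to embed it in an iframe, decide whether current browsers would allow the frame. It implements the two defences browsers honour, the Content-Security-Policy `frame-ancestors` directive (which takes precedence when both are present) and the `X-Frame-Options` header with `DENY` or `SAMEORIGIN`; the obsolete `ALLOW-FROM` value is treated as no protection, which is how current browsers treat it. The header sets and the origins `bank.example`, `evil.example` and `partner.example` are constructed for the demonstration.

```javascript
// Added example (not code from the original article): can a page served with
// these response headers be embedded in an <iframe> by a page on framerOrigin?
// Returning true means the page is exposed to clickjacking from that origin.

function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.replace(':', '');
  return { scheme, host: u.hostname, port: u.port || (scheme === 'https' ? '443' : '80') };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does one CSP source expression from frame-ancestors match the framing origin?
// Covers 'self', '*', scheme-sources (https:) and host-sources with optional
// scheme, leading "*." wildcard and port; 'none' is handled by the caller.
function sourceMatches(src, framer, self) {
  const s = src.toLowerCase();
  if (s === "'self'") return sameOrigin(framer, self);
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.scheme === s.slice(0, -1);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && framer.scheme !== scheme) return false;
  if (wildcard ? !framer.host.endsWith('.' + host) : framer.host !== host) return false;
  if (port === '*') return true;
  if (port) return framer.port === port;
  return framer.port === (framer.scheme === 'https' ? '443' : '80');
}

function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

function canBeFramed(headers, pageOrigin, framerOrigin) {
  const self = parseOrigin(pageOrigin);
  const framer = parseOrigin(framerOrigin);

  // 1. CSP frame-ancestors wins whenever it is present.
  const csp = getHeader(headers, 'content-security-policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      if (sources.length === 0 || (sources.length === 1 && sources[0].toLowerCase() === "'none'")) return false;
      return sources.some((src) => sourceMatches(src, framer, self));
    }
  }

  // 2. Otherwise X-Frame-Options. Only DENY and SAMEORIGIN are honoured;
  //    ALLOW-FROM and unknown values are ignored by browsers, i.e. no protection.
  //    (Conflicting comma-separated values are out of scope for this example.)
  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return sameOrigin(framer, self);
  }

  // 3. No effective policy: any site can frame the page.
  return true;
}

// Constructed sample header sets, the kind of thing an external audit collects.
const SAMPLE_HEADERS = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  xfoAllowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  cspPartner: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  cspOverridesXfo: { 'Content-Security-Policy': "frame-ancestors 'none'", 'X-Frame-Options': 'SAMEORIGIN' },
};

function auditFraming(pageOrigin, attackerOrigin) {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
    report[name] = canBeFramed(headers, pageOrigin, attackerOrigin) ? 'EXPOSED' : 'protected';
  }
  return report;
}

console.log(auditFraming('https://bank.example', 'https://evil.example'));
```

Running it against the attacker origin reports `unprotected` and `xfoAllowFrom` as EXPOSED and the other four as protected; note that `cspPartner` still lets `https://app.partner.example` frame the page, but not `http://app.partner.example`, because the source expression names the scheme.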
Pharming: Original Site or Ad-Hoc Web Page?
Giuseppe spends many hours in front of the PC, especially on social networks. He likes sharing links, looking at friends' photos, commenting on his favorite singer's fan page and chatting with his sweetheart. Too bad Giuseppe is only 14 and a little naive. While browsing, a page opens in his browser that looks like Facebook's homepage, but is not the real Facebook. Giuseppe enters his data and logs in: in a flash the attacker has the account's nickname and password, and once inside creates highly embarrassing situations...

Wikipedia says: Pharming is a cracking technique used to gain access to personal and confidential information for various purposes. With this technique, the user is deceived and led to unknowingly reveal sensitive data to strangers, such as bank account number, username, password, credit card number and so on.

What sets pharming apart from a simple fake page is that the victim types or follows the correct address and is still taken to the counterfeit site, because name resolution has been tampered with (a poisoned DNS server, a compromised home router, or an edited hosts file on the PC).
Phishing: Biting Like Fish on the Hacker's Hook
Giovanni works as a nurse in his city's hospital. His dream has always been to help people, care for them and support them when they need it. His days are so intense that, when he returns home after exhausting work hours, he only wants to lie on the bed and check his email in peace. One evening an email arrives from the Post Office: "We are checking the security of our customers' accounts, enter your access data here and we will verify whether your account is safe!" Fatigue and worries prevent Giovanni from recognizing the serious scam in front of him. He enters the data, and in a very short time his account has been emptied.

Wikipedia says: It is an illegal activity that exploits a social-engineering technique: by sending random email messages that imitate the graphics of banking or postal sites, a malicious actor tries to obtain from victims the password to access the current account, the passwords authorizing payments or the credit card number.
Moral of the Story
Marco will have to keep his browser up to date (and do without Adobe Flash, which is no longer supported) so that a hidden click can no longer reach his webcam settings. Bear in mind, though, that the real fix for clickjacking lies with the site being framed: it must tell browsers not to embed it in frames, with the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive. It is worth remembering: "Never accept sweets from strangers."

Giuseppe will have to get a good antivirus and check, on every site where he enters personal data, whether a security certificate is provided and the HTTPS protocol is used. One caveat: the padlock and HTTPS only guarantee that the connection is encrypted, not that the site is genuine. A fake login page can have a perfectly valid certificate, so the address in the bar must also be the one he expects.
Giovanni will have to understand that no bank, and not the Post Office either, will ever ask for sensitive data by email. And if he looks closely at the link in the message, he will see that it differs from the real address, if only by a single character!
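The "single character" advice, turned into a check a mail gateway or a browser extension could run, as an added example that is not code from the original article: it takes the hostname out of a link and compares it with the domain the user expects, flagging the usual tricks (the real name used as a subdomain of another domain, look-alike characters, one-character typos, and internationalized labels that browsers may display as the real name). The domains `poste.it`, `verifica-account.com`, `p0ste.it`, `posta.it` and `pöste.it` are constructed for the demonstration, and the list of confusable characters is a small hand-made one rather than the full Unicode table.

```javascript
// Added example (not code from the original article): compare the hostname in
// a link with the domain the user expects, and say how it differs.

// Characters and pairs that look like a letter at a glance (a small, constructed
// list; real tools use the Unicode confusables table). Pairs go first so that
// "rn" is folded before its "r" and "n" are looked at individually.
const CONFUSABLES = [['rn', 'm'], ['vv', 'w'], ['cl', 'd'], ['0', 'o'], ['1', 'l'], ['3', 'e'], ['5', 's'], ['7', 't']];

function normalizeConfusables(label) {
  return CONFUSABLES.reduce((s, [lookalike, letter]) => s.split(lookalike).join(letter), label);
}

// Simplification: the last two labels. Real code must consult the Public
// Suffix List so that names such as "example.co.uk" are handled correctly.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Levenshtein distance with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

function checkLink(url, expectedDomain) {
  const host = new URL(url).hostname.toLowerCase(); // URL() already converts Unicode labels to xn-- form
  const expected = expectedDomain.toLowerCase();
  const registrable = registrableDomain(host);

  if (registrable === expected) {
    return { verdict: 'ok', reason: `registrable domain is ${expected}` };
  }
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    return { verdict: 'suspicious', reason: 'internationalized (punycode) label, possible homoglyph domain' };
  }
  if (host.includes(expected)) {
    return { verdict: 'suspicious', reason: `${expected} appears inside a different domain, ${registrable}` };
  }
  const expectedLabel = expected.split('.')[0];
  const candidateLabel = registrable.split('.')[0];
  if (normalizeConfusables(candidateLabel) === expectedLabel) {
    return { verdict: 'suspicious', reason: `${candidateLabel} imitates ${expectedLabel} with look-alike characters` };
  }
  if (editDistance(candidateLabel, expectedLabel) <= 1) {
    return { verdict: 'suspicious', reason: `${registrable} is one character away from ${expected}` };
  }
  return { verdict: 'unrelated', reason: `different domain, ${registrable}` };
}

// Constructed sample links of the kind found in a phishing email.
const SAMPLE_LINKS = [
  'https://www.poste.it/login',
  'https://poste.it.verifica-account.com/accedi',
  'https://p0ste.it/',
  'https://posta.it/',
  'https://xn--pste-5qa.it/', // browsers may display this as "pöste.it"
  'https://example.com/',
];

function auditLinks(links, expectedDomain) {
  return links.map((url) => ({ url, ...checkLink(url, expectedDomain) }));
}

console.log(auditLinks(SAMPLE_LINKS, 'poste.it'));
```

Only the first link comes back `ok`; the middle four are `suspicious` for four different reasons and the last is simply `unrelated`. The order of the checks matters: the registrable-domain comparison runs first so that a legitimate subdomain such as `www.poste.it` is never flagged, and the substring test runs before the character heuristics because a name like `poste.it.verifica-account.com` is a deliberate lure rather than a typo.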
Want to know how exposed your website is?
EasyAudit WEB checks websites, portals and e-commerce sites with a professional external audit designed for SMEs.