Beware this new phishing attack that’s after your passwords! - fordquatere
A classic bit of internet security advice just bit the dust. For ages, email users were told to hover their mouse over a link to see where it led. If you saw the URL of a legitimate website, you were in the clear. But on Tuesday, Microsoft shared details on a kind of phishing attack it's seeing more frequently: emails with links that contain a known website at the beginning, but in reality redirect to a malicious page.
This ploy relies on a type of link often used by sales and marketing teams to track information about who clicks on a URL in a newsletter or on social media. Known as open redirect links, the structure of the link begins with a primary domain, then includes a string of analytics data and a final destination site.
But as Microsoft describes in a post on its security blog, this phishing strategy uses open redirect links to exploit an average user's security training. Because open redirects can start with any primary domain and end with any final destination, these phishing links can start with a legitimate site and then go to a malicious page.
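A mail-filter style check for the link structure described above, written as an added example that is not from Microsoft's post or the original article. The function names and the sample links (all on reserved example domains) are constructed for illustration; the check reports any absolute URL hidden in a link's query string or fragment whose host differs from the host a reader sees when hovering.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

def embedded_destinations(url, max_decodes=3):
    """Hosts of absolute URLs carried inside `url` that differ from its own host."""
    parts = urlsplit(url)
    own_host = (parts.hostname or "").lower()
    # Candidates: each query value (parse_qsl decodes once) and the fragment.
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates.append(parts.fragment)
    hosts = []
    for value in candidates:
        for _ in range(max_decodes):      # undo repeated percent-encoding
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        value = value.strip()
        if value.startswith("//"):        # scheme-relative target
            value = "https:" + value
        try:
            inner = urlsplit(value)
        except ValueError:                # malformed value, not a usable URL
            continue
        host = (inner.hostname or "").lower()
        if inner.scheme in ("http", "https") and host and host != own_host:
            hosts.append(host)
    return hosts

def flag_links(links):
    """Return (link, hidden_hosts) for links whose visible host is not where they end."""
    return [(l, h) for l in links if (h := embedded_destinations(l))]

# Constructed sample links on reserved example domains.
SAMPLE_LINKS = [
    "https://www.example.com/article?id=5&ref=home",
    "https://news.example.com/track?uid=123&utm=aug&url=https%3A%2F%2Flogin.attacker.example%2Fsignin",
    "https://news.example.com/r?u=https%253A%252F%252Fattacker.example%252Fcaptcha",
    "https://news.example.com/out?next=https://news.example.com/offers",
]

if __name__ == "__main__":
    for link, hosts in flag_links(SAMPLE_LINKS):
        print(f"{urlsplit(link).hostname} -> {', '.join(hosts)}")
```

Legitimate tracking links also carry a second host, so a hit is a signal to show the real destination to the reader or to review the link, not proof of phishing.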
Adding further complexity to this scheme is the use of captchas to lend an air of authenticity. Users who believe they're on a genuine site will then enter login credentials in the belief they're accessing a notification, report, or even Zoom meeting, only to encounter a fake error page claiming a session time-out or incorrect password, prompting a second entry of login credentials. After the phishing attempt has successfully captured the user ID and password twice, users get redirected to another genuine website.
You can see specific examples of this attack and a sample list of malicious destination URLs in Microsoft's blog post, but you don't need to dig that deep in order to protect yourself. Instead, start using a password manager. It won't automatically provide your login credentials on a spoofed site. You can also look over the whole URL when you land on a website, but it's not nearly as fool-proof a method as a password manager.
Alaina Yee is PCWorld's resident bargain hunter. When she's not covering PC building, computer components, mini-PCs, and more, she's scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.
Source: https://www.pcworld.com/article/395057/beware-this-new-phishing-attack-thats-after-your-passwords.html
Posted by: fordquatere.blogspot.com