Top 3 Phishing Attacks Use Similar Tricks

Phishing scams are immensely popular and we see millions of phishing messages every day. Today we offer the top three phishing scams that attempt to steal your web mail credentials.

Web Mail Scam

This scam starts with an email that appears to come from Administrator or Helpdesk and requests that you validate or update your account. Clicking on the link in this message will take you to a fake Outlook Web Access login page. This page is generally hosted on sites created with free services. Attackers also upload these fake pages to vulnerable servers (running a CMS). Either way, the page lets scammers collect your username and password for their own malicious use.


WebMail Phish E-Mail Example

iTunes Scam

This attempt starts with an email purporting to be from the Apple Store. The email informs users that their accounts may have been hijacked. Users are asked to click a link and supply information to restore the account.

Those panicked into clicking the link will be taken to a bogus website that looks like a genuine Apple login page. Attackers often use an “” string in the link to make the link appear legitimate, for example: hxxp://

iTunes Phish E-mail

Gmail Scam

This Gmail scam is by far the most sophisticated phishing attack. It also starts with an email that urges readers to view an important document on Google Docs. Clicking the link will take them to a fake Google Docs login page.

Recently, attackers used a Google Drive public folder to upload a fake Google Docs login page and then used Google Drive’s preview feature to get a publicly accessible URL to include in their messages. Because the page is hosted on Google’s server and is served over SSL, the page appears more convincing. After discovering the attack, Google has successfully removed the phishing pages, but the attackers are still using other vulnerable servers to upload the fake login page.

It’s quite common to be prompted with a login page when accessing a Google Docs link, and many people may enter their credentials.

Gmail Phish

An ounce of prevention is worth a pound of cure in dealing with phishing. We advise you to watch for such scams and their modus operandi. You can avoid phishing attacks by following these simple steps:

  • Don’t click on links sent via email messages by someone you don’t know
  • Before entering credentials, always check the URL in the browser’s address bar for authenticity
  • Be careful while sharing sensitive personal information over social networking sites
  • Regularly change your account passwords
  • Never share your account credentials over email or text
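The URL check from the list above can also be automated for links in incoming mail. The sketch below is an added example, not code from the original post: it separates links whose host really belongs to a brand from links that only carry the brand name somewhere in the URL, as described in the iTunes scam. The allow-list `BRAND_DOMAINS`, the function names and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list (not from the article): brand keyword -> domains that
# really belong to that brand. Extend it for the services you use.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "google": {"google.com"},
}


def host_belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str) -> str:
    """Return 'brand-host', 'lookalike' or 'unrelated' for a link."""
    parts = urlsplit(url.strip())
    # The hostname is what the browser connects to; ignore case and a
    # trailing dot so equivalent spellings compare equal.
    host = (parts.hostname or "").lower().rstrip(".")

    # 1. Does the host itself belong to one of the listed brands?
    for domains in BRAND_DOMAINS.values():
        if any(host_belongs_to(host, d) for d in domains):
            return "brand-host"

    # 2. A brand name anywhere else in the URL is decoration for the reader.
    lowered = url.lower()
    if any(brand in lowered for brand in BRAND_DOMAINS):
        return "lookalike"
    return "unrelated"


# Constructed sample links using reserved example domains (not from the post).
SAMPLES = [
    "https://appleid.apple.com/",
    "hxxp://apple.com.account-restore.example.net/login",
    "http://example.org/apple.com/signin.html",
    "https://example.org/newsletter",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):<11} {link}")
```

A `brand-host` result is not proof of a genuine login page: in the Gmail scam above, the fake page was hosted on Google’s own server.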

McAfee customers are protected against these attacks.

The post Top 3 Phishing Attacks Use Similar Tricks appeared first on McAfee.