By Eddy Alexandre
Eddy Alexandre | CISSP | CISM | CCSP | CEH | Security + CE
LinkedIn @ www.linkedin.com/in/eddyalenxandre
Author: Eddy Alexandre is a Cyber Security Engineer, Author, and Publisher, who has 27 years of experience in computer engineering.
This article was written by the author himself, and it expresses a personal opinion. The author is not receiving any compensation for it. He has no business relationship with any company whose name or stock is mentioned in this article.
“Phishing” literally means “fishing” or “angling.” The term is used to refer to attempts to trick people into providing information via email. For example, in phishing attacks, people are persuaded to send money, provide sensitive information, and even download malware undetected. Lies, deception, forgeries, and manipulation are used by those who carry out these attacks. That’s why phishing is also called “social engineering”: a type of attack based on human error rather than hardware or software errors.
Malicious persons use a phishing attack to obtain personal login details, credit card details, or access to internet banking. The method can be effective because the attack is aimed at provoking behavior in a person. The person is tempted to click on a link and leave data. While a computer can be protected by technical means, an individual cannot.
Phishing is frequently the first step in a series of activities that leads to a targeted assault on a person or organization. The next step may be to select a specific employee of a particular organization as the target. This is called “spear phishing.”
A spear-phishing attack starts with the cybercriminal finding out information about the target. He then uses that information to build a connection with the target, and finally he uses that connection to make the target perform an action. Continue reading to learn about the three phases of a spear-phishing attack: bait, hook, and catch.
Step 1: The Bait (Information)
Setting up the bait is the first of three steps in a phishing assault. This involves collecting details about the target, which can be as simple as knowing they use a particular service or work for a particular company. This is one of the reasons why data breaches involving “non-sensitive” information may be so dangerous: if a service leaks a list of its customers’ email addresses, criminals know who the owners of those addresses are and can approach them with emails that appear to come from that service.
In more sophisticated spear-phishing attacks, cybercriminals can collect data from social media profiles to craft highly personalized spear-phishing messages that convince targets that they are real.
Step 2: The Hook (Promise)
Once the attacker has the necessary information to catch the attention of the target, he must drop the hook. In order for the target to perform an action, the attacker must promise something or provoke him into action.
Many scams involve telling the target that one of their accounts has been hacked, creating a sense of urgency and causing the target to act quickly—perhaps without thinking. The attacker can then make the target follow a link to a page where he can collect the victim’s data.
Step 3: The Catch (Attack)
The third stage of phishing is the actual attack. The cybercriminal sends the email and prepares for the prey to grab the bait.
What the attacker does next depends on the nature of the scam. For example, suppose they misled the victim into typing their email password into a lookalike site. In that case, they can then log into the victim’s actual email account to collect more information and send phishing emails to the victim’s contacts.
Phishing attacks usually involve sending victims an email, hoping they will click a malicious link or open an attachment. Attackers use various techniques to lure victims into the trap:
- In link manipulation, sometimes called URL hiding, a link to a malicious URL is crafted so that it appears to point to a legitimate website or webpage. The actual link, however, leads to a web resource prepared by the attacker.
- Attackers try to hide the actual address of the link using shortening services such as bit.ly. The victims then have no chance of recognizing whether the link leads to a prepared web resource or a legitimate offer.
- In a homograph attack, the criminals display URLs made of look-alike characters so that they resemble a legitimate address to the potential victim. For this purpose, attackers register domains with slightly different character sets (for example, letters from another alphabet that look the same), which then resemble established addresses.
- Attackers can occasionally get around the phishing defense by rendering all or part of the message as a visual element. Some security tools search the emails for phrases or terms that frequently appear in phishing emails. Attackers avoid this in some cases by rendering the message as an image.
- Another phishing tactic is based on covert redirection, in which a redirect feature on a legitimate website does not check whether the destination it forwards to is trustworthy. In this case, the redirected URL is usually a prepared intermediary website that asks the victim for login information before the victim’s browser is finally forwarded to the legitimate page.
The most common attack method used by phishing scammers is to cast a wide net. Generic emails that impersonate frequently used websites are sent to as many people as possible in the hope that a few will fall for the trick. While this method is effective, it is not the only way phishers can get their prey. Some scammers use more precise methods such as spear phishing, clone phishing, and whaling to achieve their goals.
- Spear Phishing and Whaling: As with general phishing attacks, spear-phishing and whaling attacks use emails that appear to come from trusted senders to deceive the victim; however, instead of casting a wide net, spear phishing targets specific individuals and impersonates a trustworthy person in order to steal login data or other information.
As with spear phishing, whaling involves a campaign around a specific target, but with a larger prey fish at the center. Rather than targeting a larger group such as a department or team, attackers use Captain Ahab’s method and hurl their spears at high-level targets such as executives or influencers. The whalers attempt to impersonate senior executives such as CEOs, CFOs, HR directors, etc., in an attempt to convince employees to divulge confidential information that would be of value to the attackers. For such whaling to be successful, the attackers need to do more research than they would for normal attacks. Their hope is to pass convincingly as the whale and to exploit the authority that comes with that position.
- Clone Phishing: Clone phishing attacks are less creative than spear phishing and whaling, but they are still very effective. This style of attack has all the core characteristics of a phishing attack. The difference, however, is that the attackers do not pretend to be a user or organization with a specific request but instead copy a legitimate email previously sent by a trustworthy organization. The attackers then use link manipulation to replace the original email’s genuine link with one leading to a fake website. This tricks users into entering the credentials they would normally use on the real website.
THE MOST COMMON PHISHING ATTACKS
There is a huge variety of sophisticated techniques for phishing, and cybercriminals are always coming up with ways to improve on them. For optimal protection, it is important to study the most common practices. By becoming familiar with them, individuals are better prepared to recognize new forms of phishing as they arise.
- Deceptive Phishing: Deceptive phishing works by using domain spoofing. The domain of a company or organization is imitated. Emails are sent with the spoofed domain as the sender, or with bogus addresses of friends, coworkers, or other familiar contacts, in order to drive users to this domain. The content of the email can contain credible text with a link or just a link. The link may be clickable, or it may be inactive so that the recipient must copy it into the web address bar; in the latter case, it is difficult for security filters to detect the phishing attempt. Once on the website, the visitor is duped into disclosing personal information.
It should be noted that links that refer to HTTPS-secured domains can be just as dangerous. Nowadays, almost two-thirds of all phishing websites are served via HTTPS encryption. Privacy requests, sweepstakes, security checks, data upgrades, and account limits are all pretexts used in domain spoofing. File-sharing providers and service providers for internet data transmission are also faked for phishing purposes. Cybercriminals rely on people being less inclined to question well-known companies, colleagues, friends, or other important contacts, and generally being happy to follow their requests. The only thing that can help prevent this is: Do not follow any links received in email as a matter of principle. Always navigate to the website separately.
- Pharming: Suppose you carefully pay attention and check every email you receive. You have verified the sender’s address and the link to ensure that they are trustworthy and have thus initially done everything correctly. However, you are by no means protected from a phishing attack, because cybercriminals know that users are learning and resort to increasingly treacherous methods, such as pharming. This tactic involves sending fraudulent emails that appear to come from authentic sources and asking the target, for example, to change their account password. The tricky thing is that the link the target is supposed to click uses the same web address as the original, yet they are redirected to a fake website. This occurs when malware has infected their computer and altered how addresses are resolved, which can be prevented by security software such as Kaspersky, AVG, BitDefender, Avast, Norton, etc. Alternatively, these attacks can involve tampering with DNS server settings so that a user’s correct internet address resolves to a bogus IP address, causing the victim to end up on a fake website and unknowingly reveal their data. There is just one thing a user can do in this situation: verify the website’s legitimacy before entering important information.
- Watering Hole Phishing: The attackers behave like a crocodile stalking animals at a watering hole: those who venture too close become its victims. In the cyber world, the perpetrators identify the websites that a company’s employees visit most often. This could be the website of a supplier that the company uses regularly. The perpetrators infect these websites in such a way that malware is automatically downloaded to the employee’s computer when they visit them. This malware, in turn, provides the attacker with access to the company’s network, servers, and sensitive information such as personal and financial data.
Unfortunately, the user cannot tell whether the website they are visiting has been turned into a watering hole by cybercriminals. The only thing that helps is a high level of general IT security measures at the company.
- Evil Twin: A fraudulent Wi-Fi access point disguises itself as a legitimate access point. The attacker can use it to collect information without the user’s knowledge. To do this, he has to be near a hotspot and use appropriate software to find out its radio frequency and its SSID (Service Set Identifier). The attacker then broadcasts an access point with the same SSID. If the user connects to it, the attacker can read the network traffic.
When using Wi-Fi for work, a user should only connect to the internet through a virtual private network (VPN). In private, play it safe and avoid conducting financial transactions over public hotspots.
- Smishing: The term smishing is short for SMS phishing. Users typically assume that SMS texts come from trustworthy sources, but they can contain dangerous URLs that users can be convinced to click on. Often, alleged voucher codes for discount campaigns, free tickets for events, or other benefits are promised. The perpetrators usually send from a five-digit speed dial number (short code) instead of a regular phone number, so the user cannot immediately tell whether the sender is genuine.
To check the veracity of the sender, look up this so-called premium speed dial number: consult short-code databases or mobile network providers, or use an internet search engine. These sources give good clues as to whether impostors are using the speed dial number or not.
- Vishing: The term vishing describes phishing using voice. In this case, the perpetrators tempt their target to make a phone call and then ask them to provide personal or financial information. As a rule, the target will not be called directly for a conversation during the first contact but will be encouraged to call back. A computer dials and immediately hangs up again. If the target calls back, they will be connected to the cybercriminal. In order to deceive their target, they will pretend to be a trustworthy person – for example, an employee of the target’s bank based on information they collected elsewhere. They may act as if the target’s account has been compromised and trick the target into disclosing their personal information by saying the account needs verifying. The fear this elicits will block the target’s natural suspicions.
So people should not call back unknown numbers, and if they still want to verify their account status, they should check the number on the company’s website. It is important that users hang up immediately if the person asks them to do something suspicious and not call back or receive any calls from that number again.
As different as phishing attacks can be, a phishing email can be recognized by these ten typical characteristics:
- The sender of the email is unknown.
- The message is not personal and is generically addressed (“Dear customer”).
- The email asks you to take urgent action (“Log in within two days”).
- The email contains threats (“Otherwise your account will be blocked”).
- The text is written with poor vocabulary or contains grammatical errors.
- Umlauts have been forgotten or removed (instead of “ü”, there is “u” or “ue”).
- Your confidential data is requested.
- The URL does not start with https://.
- The URL contains suspicious characters (69z-allianz.ch or az-suisse.kunden.ch).
- The SSL (Secure Sockets Layer) security certificate is missing on the linked website.
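The link-related warning signs in the list above, together with the link manipulation, URL shortener, and homograph tricks described earlier, can be turned into a simple triage check for the links in an HTML email. The following Python is an added example and is not part of the original article: the sample anchor tags, the short shortener list, and the xn-- domain are constructed for illustration (69z-allianz.ch is the example quoted in the list).

```python
import re
from urllib.parse import urlparse

# Constructed sample anchor tags, as they might appear in an HTML phishing email
# (bit.ly path and xn-- domain made up for illustration; 69z-allianz.ch is from the article)
SAMPLE_HTML = (
    '<a href="http://bit.ly/3xYzAbc">https://www.allianz.ch/login</a> '
    '<a href="https://xn--allanz-6va.ch/secure">Allianz Kundenportal</a> '
    '<a href="https://69z-allianz.ch/update">Update your data</a> '
    '<a href="https://www.allianz.ch/">Allianz</a>'
)

# Small illustrative list of URL-shortening hosts (assumption: extend as needed)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def link_findings(href, text):
    """Apply the article's link heuristics to one link; return a list of findings."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append("not-https")
    if host in SHORTENERS:
        findings.append("url-shortener")
    # Link manipulation: the visible text is a URL whose host differs from the real target
    shown = urlparse(text.strip())
    if shown.scheme in ("http", "https") and (shown.hostname or "").lower() != host:
        findings.append("display-host-mismatch")
    # Homograph candidates: punycode (xn--) labels or non-ASCII characters in the host
    label = host.split(".")[-2] if "." in host else host
    if "xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("punycode-or-non-ascii-host")
    # Suspicious characters: digits mixed into the registrable label, e.g. 69z-allianz
    elif re.search(r"\d", label) and re.search(r"[a-z]", label):
        findings.append("digits-in-domain-label")
    return findings


def scan_email_html(html):
    """Return {href: findings} for every link that trips at least one heuristic."""
    report = {}
    for href, text in ANCHOR_RE.findall(html):
        findings = link_findings(href, TAG_RE.sub("", text))
        if findings:
            report[href] = findings
    return report
```

Running `scan_email_html(SAMPLE_HTML)` flags the first three links and leaves the genuine Allianz link out of the report; a real filter would add feeds of known phishing domains and shorteners on top of these heuristics.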
The cybercriminals’ tricks may be sophisticated, but if you follow these eight key phishing prevention rules, you can thwart their strategies:
- Do not trust emails whose sender address is unfamiliar. Trustworthy companies are often faked.
- Be careful if you receive emails demanding action from you and threatening consequences (loss of money, criminal charges, account or card blocked, etc.).
- Review payment requests that you receive by email.
- Do not click attachments or links in suspicious emails.
- Do not open email attachments with bizarre endings (e.g., picture.bmp.VBS).
- Only visit trustworthy websites.
- Check your credit card statements and bank statements regularly.
- Protect your computers with antivirus programs and keep your software up-to-date.