Social Engineering Knowhow 2: Everything you should know about Phishing

Social Engineering Knowhow 2: Everything you should know about Phishing

For the second post in our Social Engineering Knowhow blog series, we discuss phishing. Through the blog, we would help you understand what phishing is, how it hoodwinks the targets and also spot the differences between phishing, spear-phishing and whale phishing. Besides, we would also tell you the measures for detecting and avoiding any such trickeries.

Cybercriminals usually prefer various unusual off-track routes to penetrate and gain control over the networks while flying under the radar.

And most of such deceiving methods involve phishing as the primary method of intrusion.

Phishing in the cybercrime dictionary is synonymous to the real-life fishing techniques and involves an identical concept of using bait to ensnare the targets for gaining control over the targets. Popular phishing attacks mostly involve baits such as free online offers, massive discounts, awards, fraudulent anti-virus, scareware pop-ups, fake software/service installation messages, fake websites, and impersonated emails.

A phishing attack usually gets executed via an email message or even a phone call explaining a fake lottery prize, spoofed service or service message or something similar. The bait involved in these phishing messages/emails come via a shortened URL link or attachments under the guise of something relevant to tempt the victim clicking on it.

Phishing titbits

Phishing is one of the most infamous social engineering method to execute various kinds of cyberattacks. Unlike malware, phishing banks on human errors and seldom get noticed by tracking software.

While usual phishing attacks don’t specifically target any person or enterprise, spear phishing attackers observe and monitor the target’s internet behaviour for sometime to execute a more personalised attack.

There is also the concept of ‘Whale Phishing’ wherein attacks get targeted at wealthy or powerful individuals.

Phishing attacks usually eyes sensitive financial data of the victims’ such as online banking/email/social media credentials, credit card details, insurance data or retrieve Personally Identifiable Information (PII) such as Full name, Gender, Mother’s maiden name, favourite city or any such sensitive data which gets commonly used as an extra security measure in online banking and services.

The phishing scams have been there around since the 90s, and the first recorded campaign happened in 1996 when a hacker named Khan C. Smith impersonated the America Online (AOL) website to loot tens and hundreds of personal and credit card information of the victims’ via emails and social messenger.

Real-life scenarios

To get an overview of how scary phishing could be, we would explain a few notorious phishing attacks happened over the past decade.

Between the year 2013 and 2015, a Lithuanian hacker duped both Google and Facebook through a sophisticated invoice phishing scam. Both companies lost more than $100 million.

Crelan Bank, one of the largest Belgian bank, got victimised via a CEO fraud phishing. The attack was executed via a legitimate-looking email from the impersonated bank CEO. It reads, “Please process a wire transfer payment of $250,000 and code to admin expenses by COB today.” 

Following the instruction, the recipient CFO transferred the amount resulting in a $75.8 million fraud.

In 2017 con-artists developed 12 fake websites of original construction companies and swindled around $11.8 million from MacEwan University, Canada.

Link Manipulation: a notorious Phishing method

Cybercriminals use umpteen phishing techniques to execute their malice. And the most popular method for executing modern phishing schemes is link manipulation,

In link manipulation attacks, the threat actors email the victim loaded with malicious links. These dubious links usually re-directs the victims internet traffic to a malicious website instead of the mentioned one to do the damage.

However, many modern commercially available cybersecurity solutions offer email filters and phishing protection which could filter out such suspicious links. As an act of disguise, the cyber thugs embed legitimate URL links and/or contacts inside the phishing emails.

Modern phishing emails also come with many techniques such as re-directing the browser to a legitimate webpage after retrieving the credentials or use official logos with changed HTML attribute to bypass the anti-phishing filters.

How to spot a phishing attack

Detecting a phishing mail is a complicated task. Cybercriminals use many techniques to hide the commonly visible symptoms of a phishing mail. However, spotting down a phishing attack is not a strenuous effort unless you skip paying attention to detail. Here go a few common signs you should look for to spot a scam:

  • Pay close attention to the senders’ email id and the subject line. As the rule of thumb, the senders’ address should match the brand name, e.g. a person called ABC working in XYZ Computing should have an email id like ABC@XYZ.com.
  • Threatening or dramatic language is also a common trait of phishing messages. Official emails usually refrain from any such tones.
  • If you find anything suspicious about any URL, check the security certificate of that website.
  • While entering a password or credit card information, pay close attention to the entire website. If you find anything fishy about it, stop clicking or sharing it with others.
  • Never blindly download any attachment, especially if it is something you don’t need.
  • Download no email attachments from an unacquainted person. Cybercriminals nowadays send malicious Active X or Macro-enabled files as attachments for compromising anyone’s security.
  • Attackers always try to create a sense of urgency to compel the target to take action immediately. It could tempt you to take advantage of a special discount available from any e-commerce website or offers to avoid a late payment fee.
  • Make transactions only on trusted websites. Also, share credit card details only on reputed payment gateways.
  • You should be cautious about any site that asks you to enter the login credentials of your social media accounts.

Beyond the email

Besides phishing attacks, we’re now seeing emerging social engineering techniques via voice (known as ‘vishing’ or voice phishing) and text messages (‘SMShing’).

Our researchers at K7 Labs every day spots tens and a hundred such instances of newly found phishing attacks on social media, through impersonated LinkedIn InMails or messages on Facebook, WhatsApp or Telegram Messengers.

We would discuss both the Vishing and SMShing in our next blog post. Till then, stay safe.

Social Engineering Knowhow 1: The Psychology of Falling Prey to Cybercriminals

Today we are unveiling a new blog series captioned, “Social Engineering Knowhow.” 

Through the series of articles over a month, we would explain and spread awareness to help users become more educated about Social Engineering because it is a concern for SMEs, SOHO’s, enterprises and also for individuals, families, government and educational institutions.

Instance 1

In 2019, the CEO of a British energy firm received a call from his parent company’s CEO asking for an urgent transfer of €220,000. The deepfaked voice was minutely crafted to deceive the person on the other end and maintained even the exact German accent of the other CEO. Assured by the voice, the British CEO transferred the asked for amount to a Hungarian account of the Cyber Crooks.

Instance 2

Before the US Presidential elections in 2016, Hilary Clinton’s campaign chair, John Podesta received a spoofed email in his Gmail account. The legitimate-looking email from a Russian-sponsored hacker group asked the victim for a password reset. In exchange, John Podesta gave away his password, thinking it was the original Gmail login page.

Instance 3

In 2015, Patricia Reilly, an employee of Pebbles Media, received a series of emails from the Managing Director asking for a quick fund transfer. Obeying the order, Ms. Reilly transferred sums amounting to £193,250 through multiple transactions. Unfortunately, the emails Patricia received were from cyber thugs. The company recovered a portion of the money from the bank. It sued Patricia asking for the rest of the money.

Instance 4

In 2011, cyber thugs sent an email with an MS Excel spreadsheet to two employees of American computer and network security company RSA. Once opened, the macro file inside the Excel sheet installed a backdoor into the systems. The total cost of the cyber breach was measured later as a massive $66 million.

All these four real-life attack scenarios spread over a decade have one thing in common, cybercriminals used different forms of convincing social engineering tricks to dupe the victims. And most of the time, such nefariously-brilliant social engineering tricks involve multiple stages.

The various stages are: preparing the ground by accumulating information on the victim, selecting the mode of attack, engaging the target victim, expanding foothold, executing malware and covering the tracks by removing any digital footprint from the victims’ devices.

A real-life social engineering attack is complex and sophisticated, manipulating the weakest link in the chain – humans. Interestingly, all the social engineering attack methods focus on exploiting human psychology to achieve their goals.

The Deep Inside 

According to several psychologists, the threat actor banks on four key human emotions – fear, greed, desire, and curiosity, to hunt their victims. And with social engineering tricks, the adversaries trigger pure human emotion embedded with the best available technology to ensure the victims logic system turns down. 

To understand what goes on the victims’ mind, we have to dig deep inside the human brain. With each social engineering trick, the threat actors successfully manage to trigger the amygdala, an almond-shaped set of neurons sitting inside the brain’s medial temporal lobe.

The amygdala is responsible for our perception of extreme emotions such as anger, fear, greed, and many more.

When the victim encounters a finely-crafted social engineering trick, the amygdala turns on, and most of the time it draws power from other sections of the brain which are responsible for making us think rationally and renders us helpless to make decisions based on emotions.

Types of Social Engineering

Social engineering is a vast pool of trickery methods and is usually executed by involving human emotion in mind. The most popular methods of social engineering techniques used for engineering massive and small forms of cyber-attacks are Phishing, Vishing, Smishing, Spear phishing, Pharming, Baiting, Pretexting, and Scareware.

Social Engineering 101

We would discuss each type of attack with examples in the upcoming blogs. For now, here goes a handful of takeaway to keep the SOHOs and SMEs safe from any social engineering attacks.

  • In nine out of ten social engineering attacks, employees without proper cybersecurity awareness knowledge end up as the potential victims. Hence every SME or SOHO should factor in the severity and educate its employees to be wary of such attacks.
  • Embracing multi-layered security is the right approach to mitigate any such attacks. K7 Business security offers you just that. Multi-layered security comes with a bunch of nested levels as security measures which effectively detects and quarantines the infected part of a network or machines to keep the system safe. 
  •  Make sure your security software comes with a dedicated firewall and gateway security. K7 Business Security suite comes with a smart firewall and capable of detecting and hunting down the incoming threats.
  •  Phishing is the most common and popular form of social engineering method to dupe the targets. As an act of safety, securing business email accounts is another must-have to stay away from attacks. Make sure your security software offers real-time phishing protection to filter out most of such mendacious emails.
  • Impersonating popular websites is one of the most popular methods of launching social engineering attacks. As an act of protection against any such attacks, your business should also embrace a solution to detect spoofed versions of popular websites. 
  •  Encourage your employees to use multi-factor authentication whenever available.
  •  Double-check the authenticity of any finance-related phone calls, emails, and messages before taking any action.