In this second post of our Social Engineering Knowhow blog series, we discuss phishing. We explain what phishing is, how it hoodwinks its targets, and how phishing, spear phishing and whale phishing differ from one another. We also cover the measures you can take to detect and avoid such trickery.
Cybercriminals usually prefer indirect, off-track routes to penetrate and gain control over networks while flying under the radar, and most of these deceptive methods rely on phishing as the primary means of intrusion.
In the cybercrime dictionary, phishing is the counterpart of real-life fishing: it relies on the same concept of using bait to ensnare targets and gain control over them. Popular phishing attacks mostly use baits such as free online offers, massive discounts, awards, fraudulent anti-virus software, scareware pop-ups, fake software or service installation messages, fake websites and impersonated emails.
A phishing attack is usually executed via an email message, or even a phone call, announcing a fake lottery prize, a spoofed service or service message, or something similar. The bait in these messages comes as a shortened URL or an attachment disguised as something relevant, to tempt the victim into clicking on it.
Phishing is one of the most infamous social engineering methods for executing various kinds of cyberattacks. Unlike malware, phishing banks on human error and is seldom noticed by tracking software.
While ordinary phishing attacks don’t specifically target any person or enterprise, spear phishing attackers observe and monitor the target’s internet behaviour for some time in order to execute a more personalised attack.
There is also ‘whale phishing’, in which the attacks target wealthy or powerful individuals.
Phishing attacks usually eye the victims’ sensitive financial data, such as online banking, email or social media credentials, credit card details and insurance data, or retrieve Personally Identifiable Information (PII) such as full name, gender, mother’s maiden name or favourite city, details that are commonly used as an extra security measure in online banking and other services.
Phishing scams have been around since the 90s; the first recorded campaign happened in 1996, when a hacker named Khan C. Smith impersonated the America Online (AOL) website to loot hundreds of victims’ personal and credit card details via emails and messenger services.
To give an overview of how damaging phishing can be, we describe a few notorious phishing attacks from the past decade.
Between 2013 and 2015, a Lithuanian hacker duped both Google and Facebook through a sophisticated invoice phishing scam. The two companies lost more than $100 million.
Crelan Bank, one of the largest Belgian banks, was victimised via CEO fraud phishing. The attack was executed via a legitimate-looking email purporting to come from the bank’s CEO. It read, “Please process a wire transfer payment of $250,000 and code to admin expenses by COB today.”
Following the instruction, the recipient CFO transferred the amount, resulting in a $75.8 million fraud.
In 2017, con artists set up 12 fake websites impersonating genuine construction companies and swindled around $11.8 million from MacEwan University, Canada.
Link manipulation: a notorious phishing method
Cybercriminals use umpteen phishing techniques to execute their malice, and the most popular method in modern phishing schemes is link manipulation.
In link manipulation attacks, threat actors send the victim an email loaded with malicious links. The visible text of such a link shows one address, but the link itself redirects the victim’s browser to a malicious website instead of the one mentioned, which is where the damage is done.
However, many modern commercial cybersecurity solutions offer email filters and phishing protection that can filter out such suspicious links. As a disguise, the cyber thugs embed legitimate URLs and/or genuine contact details alongside the malicious links inside the phishing emails.
Modern phishing emails also use techniques such as redirecting the browser to the legitimate webpage after harvesting the credentials, or using official logos with altered HTML attributes to bypass anti-phishing filters.
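As an added illustration of the link manipulation described above (example code written for this explanation, not code from the original post or from any K7 product), the Python script below parses an HTML email body and flags every anchor whose visible text names one domain while the href points somewhere else, as well as links hidden behind URL shorteners. The sample message, the shortener list and the two-label domain heuristic are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email body (not taken from any real message).
SAMPLE_HTML = """
<p>Dear customer, your account will be suspended. Please verify at
<a href="http://login-verify.example.net/acct">https://www.examplebank.com/login</a>.</p>
<p>Or use this short link: <a href="https://bit.ly/3xyzABC">bit.ly/3xyzABC</a></p>
<p>Contact us: <a href="https://www.examplebank.com/contact">www.examplebank.com/contact</a></p>
"""

# Constructed list of well-known URL shortener hosts; extend as needed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude last-two-labels heuristic (no public-suffix list): 'www.examplebank.com' -> 'examplebank.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    """Return the host of a URL; bare 'www.foo.com/path' anchor text is treated as a URL without a scheme."""
    candidate = url_or_text.strip()
    if not re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", candidate):
        candidate = "http://" + candidate
    return urlparse(candidate).hostname or ""


def analyse_links(html):
    """Return a list of (href, reason) findings for every suspicious anchor in the HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if not href_host:
            continue  # relative or malformed href: nothing to compare against
        if href_host in SHORTENER_HOSTS:
            findings.append((href, "shortened URL hides destination"))
            continue
        # Only compare when the visible text itself looks like a URL or hostname.
        if re.search(r"[a-zA-Z0-9-]+\.[a-zA-Z]{2,}", text):
            text_host = host_of(text)
            if text_host and registered_domain(text_host) != registered_domain(href_host):
                findings.append((href, f"visible text points to {text_host} but link goes to {href_host}"))
    return findings


if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_HTML):
        print(f"SUSPICIOUS {href}: {reason}")
```

On the constructed sample the first anchor is flagged because its text reads examplebank.com while the href leads to example.net, the bit.ly link is flagged as a shortener, and the genuine contact link passes. The registered-domain comparison deliberately ignores subdomains, so a mail server that links to a brand’s own subdomain is not reported; a production filter would use a public suffix list instead of the two-label shortcut, and would also inspect image sources for the altered-logo trick mentioned above, which this check does not cover.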
How to spot a phishing attack
Detecting a phishing mail can be complicated, because cybercriminals use many techniques to hide its commonly visible symptoms. However, spotting a phishing attack is not a strenuous effort as long as you pay attention to detail. Here are a few common signs to look for:
- Pay close attention to the sender’s email address and the subject line. As a rule of thumb, the domain of the sender’s address should match the brand name; e.g. a person called ABC working at XYZ Computing should have an email address like ABC@XYZ.com.
- Threatening or dramatic language is also a common trait of phishing messages. Official emails usually refrain from such tones.
- If you find anything suspicious about a URL, check the security certificate of that website, bearing in mind that a valid certificate only confirms you are talking to that domain, not that the domain belongs to the brand it imitates.
- Before entering a password or credit card information, pay close attention to the entire website. If anything about it seems fishy, stop: do not click further and do not share the link with others.
- Never blindly download any attachment, especially if it is something you don’t need.
- Don’t download email attachments from people you don’t know. Cybercriminals nowadays send malicious ActiveX or macro-enabled files as attachments to compromise the recipient’s security.
- Attackers always try to create a sense of urgency to compel the target to act immediately, for example a special discount on an e-commerce website that is about to expire, or an offer to avoid a late payment fee.
- Make transactions only on trusted websites, and share credit card details only with reputed payment gateways.
- Be cautious about any site that asks you to enter the login credentials of your social media accounts.
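To make the first sign on the list concrete, here is an added example (written for this post, not code from the original article or from K7) that applies the ABC@XYZ.com rule of thumb in software. It parses the headers of a constructed message, checks whether a brand named in the From display name is backed by that brand’s legitimate domain, flags a Reply-To that routes replies to a different domain, and flags urgency wording in the subject. The brand table, the sample message and the urgency word list are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed table of brand names (as they appear in display names) and their legitimate
# domains, using the hypothetical XYZ Computing / XYZ.com example from the checklist.
BRAND_DOMAINS = {
    "xyz computing": "xyz.com",
    "examplebank": "examplebank.com",
}

# Constructed words that signal the artificial urgency typical of phishing subjects.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "act now")

# Constructed raw message: display name claims XYZ Computing, address and Reply-To do not match.
SAMPLE_MESSAGE = """From: "ABC from XYZ Computing" <abc@xyz-computing-support.co>
Reply-To: payments@mail-xyz.example.net
To: victim@example.org
Subject: URGENT: your invoice is overdue - act within 24 hours

Please process the wire transfer today.
"""


def domain_of(address):
    """Return the lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_same_or_subdomain(domain, parent):
    """True if domain equals parent or is a subdomain of it (mail.xyz.com under xyz.com)."""
    return domain == parent or domain.endswith("." + parent)


def check_sender(raw_message):
    """Return a list of human-readable findings about the sender headers of one message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. The display name claims a known brand but the address domain does not belong to it.
    for brand, legit_domain in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not is_same_or_subdomain(from_domain, legit_domain):
            findings.append(f"display name claims {brand!r} but address domain is {from_domain}")

    # 2. Reply-To sends replies to a different domain than the one the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Urgency language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [word for word in URGENCY_WORDS if word in subject]
    if hits:
        findings.append(f"urgency language in subject: {', '.join(hits)}")

    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

The display-name check is the programmatic form of the checklist rule: the visible name is whatever the sender chooses to type, so it is only trustworthy when the address domain behind it belongs to the brand it names. A genuine mail from billing@mail.xyz.com passes, because mail.xyz.com is a subdomain of the brand’s own domain, while the sample’s xyz-computing-support.co does not.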
Beyond the email
Besides email phishing, we’re now seeing emerging social engineering techniques via voice calls (known as ‘vishing’, or voice phishing) and text messages (‘SMShing’).
Every day, our researchers at K7 Labs spot dozens of newly found phishing attacks on social media, delivered through impersonated LinkedIn InMails or messages on Facebook, WhatsApp or Telegram.
We will discuss both vishing and SMShing in our next blog post. Till then, stay safe.