Phishing is an attack method that has been around since the mid-1990s. It started when a group of teenagers used AOL’s chat room feature to impersonate AOL administrators. They wanted to ensure they would always have free AOL access, so they needed credit card numbers.
AOL had a “new member chatroom” where someone could go for assistance with their access. The hackers, Da Chronic and his friends, created what appeared to be valid AOL administrator screen names like “BillingAccounting” and informed users there was a problem with their account.
The user provided a card number to get the problem fixed, and the hackers then had a card number to charge their service to. That is when the term phishing was coined. It has since come to be associated primarily with email scams. Phishing scams continue to this day in abundance: about 90% of successful information breaches begin with them.
Since phishing primarily relies on social engineering, it is critical for all users to understand how the attackers work to exploit human nature. First, social engineering is a con hackers use to convince users to do something they would normally never do.
Social engineering could be as simple as someone with full hands asking that a door be opened. Another social engineering attack is to drop USB thumb drives in the parking lot labeled “family photos.”
The USB thumb drive could have a piece of malware that gets installed on the computer, compromising security in some way. This is known as baiting.
Phishing is primarily used in reference to generic email attacks where the attacker sends out emails to as many addresses as possible, using common services like PayPal or Bank of America.
The email states the account is compromised and prompts the recipient to click on a link to verify whether everything is okay. The link will usually do one of two things or both:
- Take the user to a malicious website that looks a lot like the real site, for example, www.PayPals.com vs. the real www.PayPal.com. Note the extra ‘s’ on the first URL. If it takes the user to a malicious website, it could capture the user’s ID and password upon login attempts. The hacker would now have access to the bank account and be able to transfer money anywhere. There is a second possible benefit though. The hacker might now have the password that is used for all of that person’s accounts, such as Amazon or eBay.
- Infect the user’s computer with downloaded malware (malicious software). Once installed, it could be used for future attacks. The malware could be a keystroke logger that captures logins or credit card numbers. Or it could be ransomware that encrypts drive contents and holds them for ransom, usually in the form of bitcoins. Another common use of an infected computer is to mine for bitcoins. It could do this when the user is not on the computer, or it could permanently take over part of the CPU’s capacity. The hacker can now mine and the user has a computer that functions more slowly.
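The lookalike-domain trick above (www.PayPals.com vs. www.PayPal.com) is something a mail filter can check for mechanically. The following Python is an added example, not code from the original article: it extracts every URL from a message body, then classifies each host as legitimate, lookalike, or unknown against a small protected-brand list. The brand list, the sample email, and the `.example` / `example.org` hosts are all constructed for the example; the edit-distance threshold of 2 and the "last two labels" domain rule are simplifying assumptions (a production tool would use the Public Suffix List and a tuned threshold).

```python
import re
from urllib.parse import urlparse

# Brands whose domains we want to protect. Constructed list for this example;
# a real deployment would load the organisation's own list.
PROTECTED_DOMAINS = ["paypal.com", "bankofamerica.com", "amazon.com"]

# Constructed sample email body (not a real message).
SAMPLE_EMAIL = """Dear customer, your account has been compromised.
Verify now at http://www.PayPals.com/verify or read our help at https://www.PayPal.com/help
Login check: https://secure-paypal.login-check.example/auth
Unrelated: https://news.example.org/story"""

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Assumption for the example; it does not
    handle suffixes such as co.uk, for which the Public Suffix List is needed."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_host(host):
    """Return 'legitimate', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in PROTECTED_DOMAINS:
        return "legitimate"
    labels = host.split(".")
    reg_label = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        # Brand name embedded in any label, e.g. paypal.com.evil.example or secure-paypal.x
        if any(brand_label in label for label in labels):
            return "lookalike"
        # Registrable label only a couple of edits away from the brand, e.g. paypa1 or paypall
        if levenshtein(reg_label, brand_label) <= 2:
            return "lookalike"
    return "unknown"


def scan_email_body(body):
    """Extract every URL in the body and classify its host. Returns (url, host, verdict) tuples."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        findings.append((url, host, classify_host(host)))
    return findings


if __name__ == "__main__":
    for url, host, verdict in scan_email_body(SAMPLE_EMAIL):
        print(f"{verdict:10} {host:40} {url}")
```

Run as a script it prints one line per URL in the constructed message. The substring rule deliberately errs on the side of flagging: a brand's own secondary domains (the kind of thing a company registers for marketing or infrastructure) would need an allowlist so they are not reported as lookalikes.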
Phishing has evolved through the years to include attacks from many different perspectives. The hackers will do anything that will get them something, usually money.
A phishing attack is the action or set of actions the hacker takes to exploit the user. The classic email phishing scheme is often easy to spot due to poorly-written emails riddled with poor grammar or misspelled words.
The attackers are getting better and more technically sophisticated. Many simple attacks still work quite well, exploiting human emotions, such as the desire to be in control, outrage, or simple curiosity.
The attack against RSA in 2011 was targeted at just 4 people within the organization. The email itself was not very sophisticated, but it was successful because it targeted specific people. It looked as if it were something of interest to those individuals but would not have been that interesting to most others. It contained an attachment titled “2011 Recruitment plan.xls”.
Types of phishing
There are many different types of phishing attacks. These include the classic email attack, social media attacks, and oddly-named attacks like smishing and vishing. The basics of phishing rely on the gullibility of human beings.
- Phishing – usually done by email
- Spear phishing – finely-targeted email
- Whaling – very targeted email, usually towards executives
- Internal phishing – phishing attacks originating from within an organization
- Vishing – done by phone calls
- Smishing – done by text messages
- Social media phishing – Facebook or other social media posts
- Pharming – compromising a DNS cache
Internal phishing attacks are a growing concern. They occur when one trusted user sends a phishing email to another in the same organization. Since the originating user is trusted, recipients are more likely to click on a link, open an attachment, or respond with requested information.
To send internal phishing emails, an attacker controls the user’s email account with compromised credentials. An attacker can also be in control of a user’s device, either physically due to device loss or theft, or through malware on the device. Internal phishing emails are part of a multi-stage attack with the end goal of extortion with ransomware, for example, or theft of financial or intellectual assets.
Smishing is a particular attack that exploits mobile devices. There are more mobile devices sold today than personal computers. Hackers have taken to this platform to steal personal data. They send a text message out to phone numbers telling users there is a problem with their account and that they need to call and clear things up.
It is quite amazing that if you call the number, the hackers answer the call. You don’t have to click through a number of options just to be placed in a queue to talk to someone. Hackers have effectively created companies that pay their employees, on time, for their work, which includes talking on the phone.
If the users do not fall for the text message, the hackers could call and say something like, “Your account has been attacked and we need you to confirm your account details to clear this up.” If the hackers dial enough numbers, someone will talk to them. This is called vishing.
Social media phishing
Social media is such a major part of our online world that the hackers use it against us. There are so many choices these days, from Facebook to LinkedIn to Instagram and others. The hackers are also on those platforms causing plenty of trouble.
One common attack on Facebook is a post in a friend’s account saying there is a great sale on something like high-end sunglasses, and that if you click on this link you can get a great deal as well.
This first requires the hacker to break into a Facebook account, which is often easy. If a breach of another company’s online servers has leaked passwords, the hackers try the same email and password combinations on other common platforms like Facebook or LinkedIn.
As users have gotten better at not falling prey to phishing attacks, the attackers have created new attacks. Pharming compromises the Domain Name System (DNS) cache on the user’s computer. This is done through the use of drive-by downloads.
As someone is browsing websites and clicking from one to the next, the attacker exploits the lack of security often found on websites. It is fairly easy to alter a website’s HTML so that it triggers a download as soon as someone reaches the website or clicks through to it.
If the user does not click through an email that informs of a compromised bank account, for example, the attacker simply waits for the user to connect to the bank. The altered DNS cache information directs the user to the hacker’s version of the user’s bank website. The victim enters the user id and password and, voila, the attacker now has the user’s credentials and can access the bank account and clean it out.
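Pharming works by poisoning the name resolution on the victim’s own machine, so a basic defensive check is to look for local overrides that pin a bank or identity-provider domain to an address it should never resolve to. The Python below is an added example, not code from the article: it parses a hosts file (one of the local override mechanisms an infection can abuse; the article’s DNS-cache case is the same idea at a different layer) and reports any mapping of a sensitive domain to a non-loopback address. The sensitive-domain list and the sample hosts content are constructed for the example, and `203.0.113.7` / `192.0.2.10` are documentation addresses, not real hosts; the platform-specific hosts path is the standard location.

```python
import ipaddress
import platform

# Domains whose resolution should never be overridden locally. Constructed list for this example.
SENSITIVE_DOMAINS = ["bankofamerica.com", "paypal.com", "login.microsoftonline.com"]

# Constructed sample hosts file. The last line is the kind of override a pharming
# infection leaves behind (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_HOSTS = """# hosts file (constructed sample)
127.0.0.1   localhost
::1         localhost
192.0.2.10  dev.internal.example   # harmless developer override
203.0.113.7 www.bankofamerica.com bankofamerica.com
"""


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping, ignoring comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a stricter tool would report it rather than skip it
        for name in fields[1:]:
            entries.append((lineno, str(ip), name.lower().rstrip(".")))
    return entries


def suspicious_overrides(entries):
    """Return entries that pin a sensitive domain (or a subdomain of it) to a non-loopback address."""
    findings = []
    for lineno, ip, name in entries:
        if ipaddress.ip_address(ip).is_loopback:
            continue  # 127.0.0.1 / ::1 sinkholes are a common ad-blocking technique, not pharming
        if any(name == d or name.endswith("." + d) for d in SENSITIVE_DOMAINS):
            findings.append((lineno, ip, name))
    return findings


def default_hosts_path():
    """Location of the live hosts file on the current platform."""
    if platform.system() == "Windows":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


def check_hosts_file(path=None):
    """Run the check against a real hosts file (defaults to the platform's own)."""
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as f:
        return suspicious_overrides(parse_hosts(f.read()))


if __name__ == "__main__":
    for lineno, ip, name in suspicious_overrides(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {lineno}: {name} pinned to {ip}")
```

The loopback exemption matters in practice: mapping ad or tracking domains to 127.0.0.1 is a legitimate blocking technique, so only entries that redirect traffic to some other address are reported. Calling `check_hosts_file()` with no arguments inspects the live file on the machine it runs on.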
How do you prevent phishing?
There are some very specific things we can do as individuals to protect ourselves:
- Enable two-factor authentication (2FA) on any account that you can
- Use anti-malware programs
- Use firewalls
- Be suspicious of pop-ups and pop-unders
- Be suspicious of email attachments from known and unknown sources
- Be suspicious of text messages or IMs from known and unknown sources that want you to click through to some destination or result in a query about your personal information
- Don’t give out your personal information. Period. Unless there is a very good reason someone needs it
In addition to the recommendations above for staff, an organization should do the following:
- Filter for phishing email and malicious web traffic at the gateway
- Authenticate email senders using DMARC
- Filter for phishing emails based on sender and content, and analyze URLs and attachments for malicious attributes using static and dynamic techniques
- Employ advanced filtering techniques that use AI to spot BEC emails and credential-stealing attacks
- Prevent internal phishing attacks with a service-integrated security solution that hooks into your cloud or on-premise email platform using APIs. These are available for Microsoft Office 365, Google G Suite, Microsoft Exchange Server, and IBM Domino server
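Of the organizational controls listed above, sender authentication with DMARC is the one whose logic is easy to show in code: a message passes only if SPF or DKIM passes for a domain that is aligned with the visible From domain, and otherwise the published policy decides what happens to it. The Python below is an added example, not code from the article or from any particular mail product. It parses a DMARC TXT record, applies strict or relaxed identifier alignment, and returns the disposition. The `bank.example` record and the four message scenarios are constructed; the "last two labels" organisational-domain rule is a simplification (real evaluators use the Public Suffix List), and the `sp`, `pct` and reporting tags are parsed but not acted on.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r' into a tag dict.
    Defaults follow RFC 7489: relaxed alignment for both SPF and DKIM, policy 'none' if absent."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain):
    """Organisational domain as the last two labels. Simplifying assumption for the example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organisational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', or the disposition to apply ('none', 'quarantine', 'reject').
    spf_domain is the RFC5321.MailFrom domain; dkim_domain is the d= tag of a verified signature."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"] if tags["p"] in ("none", "quarantine", "reject") else "none"


# Constructed record and messages for a fictitious bank domain.
BANK_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@bank.example"

MESSAGES = [
    # label, From domain, SPF result, MailFrom domain, DKIM result, d= domain
    ("real newsletter", "bank.example", "pass", "mail.bank.example", "pass", "bank.example"),
    ("spoof from attacker infra", "bank.example", "pass", "attacker.example", "pass", "attacker.example"),
    ("spoof with no authentication", "bank.example", "fail", "bank.example", "none", ""),
    ("strict DKIM, subdomain signer", "bank.example", "fail", "bank.example", "pass", "mail.bank.example"),
]


def evaluate_all():
    """Disposition for each constructed message under BANK_RECORD."""
    return {label: evaluate_dmarc(BANK_RECORD, *rest) for label, *rest in MESSAGES}


if __name__ == "__main__":
    for label, verdict in evaluate_all().items():
        print(f"{verdict:10} {label}")
```

The second scenario is the important one for phishing defense: the attacker’s mail may pass SPF and DKIM for the attacker’s own domain, but neither identifier aligns with the From domain the recipient sees, so the bank’s `p=reject` policy applies. The last scenario shows the operational cost of strict alignment: a legitimate signer at a subdomain fails `adkim=s`, which is why many deployments start relaxed.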