Phishing is an attack method that has been around since the mid-1990s. It started when a group of teenagers used AOL's chat rooms to impersonate AOL administrators. They wanted to keep their AOL access free, so they needed credit card numbers. AOL had a "new member chatroom" where users could go for help with their access. The hackers, Da Chronic and his friends, created screen names that looked like valid AOL administrator accounts, such as "BillingAccounting", and told users there was a problem with their account; the user only had to provide their card number again to get the problem fixed. The hackers then had a card number to charge their service to. The term phishing was coined at that time, and it has since come to be associated primarily with email scams. Phishing scams continue to this day in large numbers; about 90% of successful information breaches are reported to begin with one.
Since phishing relies primarily on social engineering, it is critical for all users to understand how attackers exploit human nature. Social engineering is a con: the attacker convinces a user to do something they would normally never do. It can be as simple as someone standing at a door with their arms full and asking a passer-by to open it for them. Another social engineering attack is to drop USB thumb drives labelled "family photos" in the car park. Someone picks one up, wants to return it to a co-worker, and plugs it into their computer; the drive can carry malware that installs itself and compromises the machine in some way. This is known as baiting.
Phishing is used primarily to refer to generic email attacks in which the attacker sends emails to as many addresses as possible. To catch as many people as possible the emails impersonate widely used services such as PayPal or Bank of America, claim that the recipient's account has been compromised, and ask them to click a link to verify that everything is OK, or not. The link will usually do one of two things, or both:
- Take the user to a malicious website that looks a lot like the real site, e.g. www.PayPals.com vs the real www.PayPal.com (note the extra 's' in the first URL). The malicious site captures the user's ID and password as they attempt to log in. The attacker now has access to the bank account and can transfer money out to anywhere they want. There is a second possible benefit for the attacker: many people reuse one password everywhere, so it may also be THE password for that person's other accounts, such as Amazon or eBay.
- Infect the user's computer with downloaded malware. Once malicious software (malware) is installed it can be used for a future attack. It could be anything from a keystroke logger that captures logins and credit card numbers, to ransomware that encrypts the drive contents and does not release them until money is paid, usually in bitcoin. A very common use at present is to make the user's computer mine cryptocurrency. The miner can run when the user is away from the computer, or permanently take a share of the CPU at all times; the attacker mines and the user has a slower computer.
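The lookalike-domain trick above (PayPals.com vs PayPal.com) is easy to automate a check for. The following is an added example written for this page, not code from the original article: given a constructed allow-list of brand domains, it classifies a URL as legitimate, a typosquat (one edit away), a homoglyph swap (paypa1.com), a TLD swap (paypal.net), or the brand buried in a subdomain of an attacker's domain (paypal.com.account-verify.net). The brand list and the homoglyph table are assumptions for illustration, and the registrable-domain logic is deliberately naive (last two labels); real tooling should use the Public Suffix List.

```python
from urllib.parse import urlparse

# Brands whose lookalikes we want to catch. Constructed list for this example;
# a real deployment would load the organisation's own allow-list.
KNOWN_BRANDS = ["amazon.com", "bankofamerica.com", "ebay.com", "paypal.com"]

# Digits and symbols attackers substitute for visually similar letters.
# Illustrative subset only; Unicode confusables need a much larger table.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels.

    Assumption: this ignores multi-label public suffixes such as co.uk;
    production code should consult the Public Suffix List (e.g. tldextract).
    """
    return ".".join(host.split(".")[-2:])


def classify_url(url: str):
    """Return (verdict, matched_brand) for a URL found in an email.

    Verdicts: legitimate, brand-in-subdomain, homoglyph, tld-swap,
    typosquat, unrelated, invalid.
    """
    host = urlparse(url).hostname          # urlparse lower-cases the host
    if not host:
        return ("invalid", None)
    host = host.rstrip(".")
    labels = host.split(".")
    reg = registered_domain(host)
    if reg in KNOWN_BRANDS:
        return ("legitimate", reg)
    reg_name = labels[-2] if len(labels) >= 2 else labels[-1]
    for brand in KNOWN_BRANDS:
        brand_name = brand.split(".")[0]
        # paypal.com.account-verify.net: brand placed left of the real domain
        if brand_name in labels[:-2]:
            return ("brand-in-subdomain", brand)
        # paypa1.com: digit or symbol swapped for a letter
        if reg.translate(HOMOGLYPHS) == brand:
            return ("homoglyph", brand)
        # paypal.net: same name under a different TLD
        if reg_name == brand_name:
            return ("tld-swap", brand)
        # paypals.com: one character added, dropped or changed
        if levenshtein(reg_name, brand_name) <= 1:
            return ("typosquat", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    for u in ["https://www.paypal.com/signin", "http://www.PayPals.com/login",
              "http://paypal.com.account-verify.net/", "http://paypa1.com/",
              "http://paypal.net/", "https://example.org/"]:
        print(u, "->", classify_url(u))
```

The checks are ordered from most to least specific so that a domain matching several rules gets the most informative label. A URL without a scheme is reported as invalid rather than guessed at, because email clients will not link it anyway.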
Phishing has evolved over the years to include attacks from many different angles. Attackers will do anything that gets them something, and usually they are after money.
A phishing attack is the action or set of actions the attacker takes in order to exploit the user. Poorly crafted emails for the classic email phishing scheme are often easy to spot due to poor grammar or misspelled words. Attackers are getting better and more technically sophisticated, but many simply crafted attacks still work quite well. The attack exploits human behaviours such as the desire to be in control, outrage, or simple curiosity.
The attack against RSA in 2011 targeted just four people within the business. The email itself was not very sophisticated, but it succeeded because of the targeting of specific people: it looked like something of interest to those individuals that would not have interested most others. It carried an attachment titled "2011 Recruitment plan.xls".
Types of phishing
There are many different types of phishing attack, including the classic email attack, social media attacks and oddly named ones like smishing and vishing. All of them rely on the gullibility of human nature.
- Phishing – usually done by email
- Spear phishing – more targeted email
- Whaling – very targeted email, usually towards executives
- Internal phishing – phishing attacks originating from within an organisation
- Vishing – done by phone calls
- Smishing – done by text messages
- Social media phishing – Facebook or other social media posts
- Pharming – compromises DNS cache
Internal phishing attacks are a growing concern. They occur when phishing emails are sent from one trusted user to another within the same organisation. Since the originating user is trusted, recipients are more likely to click on a link, open an attachment, or respond with the requested information. To send internal phishing emails an attacker either controls the user's email account with compromised credentials, or controls the user's device, physically (device loss or theft) or through malware on it. Internal phishing emails are part of multi-stage attacks whose end goal is extortion (i.e. ransomware) or theft of financial or intellectual assets.
Smishing is an attack that exploits our mobile devices. More mobile devices are sold than personal computers at this point, and attackers have taken to the platform to steal personal data. They send a text message to phone numbers telling users that there is a problem with their account and that they need to call to clear things up. Remarkably, if you call the number the attackers answer the call, with no myriad of options to click through just to be placed in a queue. The attackers have effectively created companies that pay their employees, on time, for their work, which includes talking on the phone.
If users do not fall for the text message, the attackers can simply call them and say something like "your account has been attacked, we need you to confirm your account details to clear this up". If they dial enough numbers someone will talk to them. This is called vishing.
Social media phishing
Social media is such a major part of our online world that attackers use it against us. There are so many platforms these days, from Facebook to LinkedIn and Instagram, and attackers are on all of them causing trouble. One common attack on Facebook is a post in a friend's account saying there is a great sale on (insert something interesting here, like high-end sunglasses) and that if you click this link you can get the deal too. This first requires the attacker to take over a Facebook account, which is unfortunately easy for many accounts: when a breach of another company's servers leaks people's passwords, attackers try the same email and password combinations on other common platforms like Facebook or LinkedIn (credential stuffing).
As users have got better at not falling for phishing emails, attackers have created new attacks. Pharming compromises the Domain Name System (DNS) cache on the user's computer, or the local hosts file that is consulted before DNS. This is done through drive-by downloads. As someone browses from one website to the next, the attacker exploits the weak security often found on websites: it is fairly easy to alter the HTML that makes up a page so that it triggers a download as soon as someone reaches it or clicks through to it.
If the user will not click through the email saying their bank account is compromised, the attacker simply waits for the user to connect to their bank. The altered DNS cache directs the user to the attacker's copy of the bank's website. The user enters their user ID and password and, voila, the attacker has the credentials and can access the bank account and clean it out.
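A pharming infection that tampers with local name resolution leaves a trace that can be checked offline. The example below is added for this page and is not code from the original article: it parses a constructed hosts file in the standard format (comments, multiple names per line, IPv4 and IPv6) and reports any entry that pins a watched banking domain to an address, since those domains should only ever resolve through DNS. The watched-domain list and the sample hosts file are constructed for the example, and the registrable-domain logic is a last-two-labels approximation.

```python
import ipaddress

# Domains we never expect to see pinned locally. Constructed list; a real
# deployment would carry the organisation's own banking and SaaS domains.
WATCHED_DOMAINS = {"paypal.com", "bankofamerica.com", "chase.com"}

# Constructed hosts file. The last line is the kind of entry pharming
# malware adds; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        intranet.corp.example   # legitimate internal pin
203.0.113.45    www.bankofamerica.com bankofamerica.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield line_no, ip, name.lower().rstrip(".")


def registered_domain(host):
    # Naive registrable domain (last two labels); assumption for this example
    return ".".join(host.split(".")[-2:])


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return hosts-file entries that pin a watched domain to any address.

    Any such entry is suspicious: these domains should resolve through DNS,
    never a local override. Loopback pins are reported too, because they
    still stop the user reaching the real site.
    """
    hits = []
    for line_no, ip, name in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed line, not a usable mapping
        if registered_domain(name) in watched:
            hits.append((line_no, ip, name))
    return hits


if __name__ == "__main__":
    # Assumed locations of the live hosts file; run against SAMPLE_HOSTS by default.
    for entry in find_hijacked_entries(SAMPLE_HOSTS):
        print("suspicious hosts entry:", entry)
```

On a real machine the same function can be fed the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts. A hit does not prove infection, but an entry for a bank domain in a hosts file has no legitimate reason to exist on a user workstation.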
How do you prevent phishing?
There are many things we can do to prevent a successful phishing attack. They boil down to one simple, yet often difficult, thing: be a bit paranoid about anything you can click on or anyone you could talk to. If it sounds too good, or too bad, to be true, it probably is. There are also some very specific things we can do as individuals:
- Enable two-factor authentication (2FA) on any account that you can.
- Use anti-malware programs.
- Use firewalls.
- Be suspicious of pop-ups and pop-unders.
- Be suspicious of email attachments from known and unknown sources.
- Be suspicious of text messages or IMs from known and unknown sources that want you to click through to some destination or result in a query about your personal information.
- Don’t give out your personal information. Period. Unless there is a very good reason that someone needs it.
As organisations, in addition to the recommendations above for your staff, you should:
- Filter for phishing email and malicious web traffic at the gateway.
- Authenticate email senders using SPF, DKIM and DMARC.
- Filter for phishing emails based on sender, content, and analyse URLs and attachments for malicious attributes using static and dynamic techniques.
- Employ advanced filtering techniques that use AI to spot business email compromise (BEC) emails and credential-stealing attacks.
- Prevent internal phishing attacks with a service-integrated security solution that hooks into your cloud or on-premises email platform using APIs (available for Microsoft Office 365, Google G Suite, Microsoft Exchange Server and IBM Domino server).
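The sender-authentication recommendation above is worth seeing in mechanical form, because the part that catches spoofed mail is alignment, not the SPF or DKIM pass itself. The following is an added example written for this page, not code from the original article or any mail product: it parses a DMARC TXT record (the kind published at _dmarc.<domain>) and applies it to a message given the From domain and the raw SPF and DKIM results, returning the DMARC result and the disposition the receiver should apply. The sample record and message parameters are constructed; fetching the record from DNS and the raw SPF/DKIM checks are assumed to happen elsewhere, and the pct tag is ignored for brevity.

```python
# Constructed DMARC record for the example domain: strict DKIM alignment,
# relaxed SPF alignment, reject at the org domain, quarantine for subdomains.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc@example.com")


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain):
    # Naive organisational domain (last two labels); assumption for this
    # example, production code should use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment.

    Strict ("s") needs an exact match with the From domain; relaxed ("r")
    only needs the same organisational domain.
    """
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain is the RFC5322.From domain the user sees. spf_domain is the
    envelope-sender domain SPF was evaluated on; dkim_domain is the d= tag of
    the signature that produced dkim_result. Results are "pass"/"fail"/"none".
    """
    tags = parse_dmarc_record(record)
    spf_ok = (spf_result == "pass"
              and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass"
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # The sp= tag, when present, governs From domains below the org domain.
    policy = tags.get("p", "none")
    if org_domain(from_domain) != from_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    return ("fail", policy)


if __name__ == "__main__":
    # Attacker's own domain passes SPF, but it is not aligned with the From.
    print(evaluate_dmarc(SAMPLE_RECORD, "example.com",
                         "pass", "attacker.net", "none", ""))
```

The second case in the test below is the one that matters for phishing: the attacker's server legitimately passes SPF for its own envelope domain, but because that domain is not aligned with the From header the message still fails DMARC and is rejected. Strict DKIM alignment likewise fails a signature from mail.example.com, which is why many organisations publish adkim=r until their mail flows are fully mapped.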