- What is Phishing?
The art of stealing user or corporate information through well-crafted emails that rely on social engineering techniques. The more masterful the attack, the less the user will realise they have been duped.
Phishing is an attack method that has been around since the mid-1990s. It started when a group of teenagers decided to use AOL’s chat room feature to impersonate AOL administrators. They wanted to ensure they would always have free AOL access, so they needed credit card numbers. AOL had a “new member chatroom” where someone could go for assistance with their access. The hackers, Da Chronic and his friends, would create what appeared to be valid AOL administrator screen names like “BillingAccounting” and inform the user there was a problem with their account. The user then simply needed to provide their card number again to get the problem fixed, and the hackers had a card number to charge their service to. They coined the term phishing at that time. It has now come to be associated primarily with email scams. Phishing scams remain abundant to this day: about 90% of successful information breaches begin with them.
Since phishing primarily relies on social engineering, it is critical for all users to understand how attackers exploit human nature. Social engineering is a con that the hackers use to convince a user to do something they would normally never have done. It could be something as simple as someone standing at a door with their arms full and asking someone to open it for them. Another social engineering attack is to drop USB thumb drives in the parking lot labeled “family photos”. Someone will pick one up, want to return it to their co-worker, and plug it into their computer. The USB thumb drive could carry a piece of malware that gets installed on the computer and compromises security in some way. This is known as baiting.
Phishing is primarily used in reference to generic email attacks where the attacker sends emails to as many addresses as possible. To catch as many people as possible, the emails impersonate widely used services such as PayPal or Bank of America, state that your account has been compromised, and tell you to click on a link to verify that everything is OK, or not. The link will usually do one of two things, or both:
Phishing has evolved through the years to include attacks from many different angles. The hackers will do anything that gets them something, and usually they are after money.
A phishing attack is the action or set of actions that the hacker takes in order to exploit the user. Poorly crafted emails for the classic email phishing scheme are often easy to spot due to poor grammar or misspelled words. The attackers are getting better and more technically sophisticated in the attacks they launch, but many simply crafted attacks still work quite well. The attack exploits human behaviours such as the desire to be in control, outrage, or simple curiosity.
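The two cheapest technical tells of the classic email scam described above are a link whose visible text names one site while its href points at another, and a Reply-To address on a different domain from the From address. The following is an added example, not code from the original page; it builds a constructed sample message (the domains in it are invented) and returns the mismatches it finds, which is the kind of check a mail gateway or awareness tool applies before a human ever reads the message.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Crude "registrable domain": last two labels. Assumption for the example;
# a production check would consult the public suffix list instead.
def registrable_domain(host):
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# Matches a domain (optionally with scheme) inside the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def find_link_mismatches(html_body):
    """Flag links whose shown domain differs from the domain they lead to."""
    findings = []
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        actual_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if shown and actual_host:
            shown_dom = registrable_domain(shown.group(1))
            actual_dom = registrable_domain(actual_host)
            if shown_dom != actual_dom:
                findings.append(f"link text shows {shown_dom} but points to {actual_dom}")
    return findings


def find_sender_mismatch(msg):
    """Flag a Reply-To on a different domain than From (replies go elsewhere)."""
    _, from_addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    if "@" in from_addr and "@" in reply_addr:
        from_dom = registrable_domain(from_addr.split("@", 1)[1])
        reply_dom = registrable_domain(reply_addr.split("@", 1)[1])
        if from_dom != reply_dom:
            return [f"From is {from_dom} but Reply-To is {reply_dom}"]
    return []


def analyze_message(raw):
    """Parse a raw RFC 822 message and return all findings as strings."""
    msg = message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    return find_sender_mismatch(msg) + find_link_mismatches(body)


# Constructed sample: a lure in the style the text describes. All domains invented.
SAMPLE_PHISH = """\
From: "PayPal Service" <service@paypa1-secure.example>
Reply-To: collect@mailbox.example
To: user@example.org
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed unusual activity. Please verify your account:</p>
<a href="http://login.paypa1-secure.example/verify">https://www.paypal.com/signin</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_PHISH):
        print("suspicious:", finding)
```

A link whose text is just "Click here" carries no shown domain, so this check stays silent on it; that is deliberate, since the point of the mismatch test is the contradiction between what the reader is shown and where they are sent.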
The attack against RSA in 2011 was targeted at just 4 people within the business. The email itself was not very sophisticated but it was successful because of the targeting of specific people within the business. It looked like it was something of interest to those individuals but would not have been that interesting to most others. It contained an attachment that was titled “2011 Recruitment plan.xls”.
There are many different types of phishing attacks. These include the classic email attack and social media attacks, as well as oddly named ones like smishing and vishing. The basics of phishing rely on the gullibility of human nature.
Internal phishing attacks are a growing concern. They occur when phishing emails are sent from one trusted user to another within the same organisation. Since the originating user is trusted, recipients are more likely to click on a link, open an attachment, or respond with the requested information. To send internal phishing emails, an attacker controls the user’s email account with compromised credentials, or controls the user’s device either physically (device loss or theft) or through malware on the device. Internal phishing emails are part of multi-stage attacks with the end goal of extortion (e.g. ransomware) or theft of financial or intellectual assets.
Smishing is a particular attack that exploits our mobile devices. More mobile devices are sold than personal computers at this point, and hackers have taken to this platform in order to steal personal data. They send a text message to phone numbers telling users that there is a problem with their account and that they need to call to clear things up. It is also quite striking that if you call the number, the hackers answer the call. There is no myriad of options to click through just to be placed in a queue to talk to someone. Hackers have effectively created companies that pay their employees, on time, for their work, which includes talking on the phone.
If the users do not fall for the text message, the hackers can simply call them and say something like “your account has been attacked, we need you to confirm your account details to clear this up”. If they dial enough numbers, someone will talk to them. This is called vishing.
Social media is such a major part of our online world that the hackers use it against us. There are so many choices these days, from Facebook to LinkedIn and Instagram, as well as others, and the hackers are on those platforms causing plenty of trouble. One common attack on Facebook is a post in a friend’s account saying there is a great sale on (insert something interesting here, like high-end sunglasses) and that if you click on this link you can get a great deal as well. This first requires the hacker to break into a Facebook account, which is unfortunately easy for many people’s accounts: if a breach of another company’s online servers leaks people’s passwords, the hackers then try the same email and password combinations on other common platforms like Facebook or LinkedIn.
As users have gotten better at not falling prey to phishing attacks, the attackers have created new ones. Pharming compromises the Domain Name System (DNS) cache on the user’s computer. This is done through drive-by downloads: as someone browses from one website to the next, the attacker exploits the weak security often found on websites. It is fairly easy to alter the HTML that makes up a website so that it triggers a download as soon as someone reaches the site or clicks through to it.
If the user will not click through the email that says their bank account is compromised, for example, then the attacker simply waits for the user to connect to their bank. The altered DNS cache information directs the user to the hacker’s version of the bank website. The user enters their user id and password and, voila, the attacker now has the credentials and can access the bank account and clean it out.
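Pharming works because name resolution on the victim’s own machine has been tampered with, and the simplest local override an endpoint agent can audit is the hosts file, which is consulted before the DNS cache. The following is an added example, not code from the original page: it parses hosts-file content (a constructed sample, with invented domains and documentation IP addresses) and reports any hostname that has been pinned to a non-loopback address, which on a normal workstation is almost never legitimate and is exactly what a redirect to a fake bank site would need.

```python
import ipaddress
from pathlib import Path

# Hostnames that legitimately point at loopback and are not worth reporting.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_hosts(text):
    """Yield (ip_string, hostname) for every mapping in hosts-file content."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower().rstrip(".")


def find_suspicious_hosts_entries(text, watched=None):
    """Return (ip, hostname) pairs that pin a hostname to a non-loopback address.

    watched: optional set of registrable domains (e.g. your bank or SSO provider)
    whose presence is reported even if the address is loopback, since a local
    override of those names is never expected.
    """
    watched = {w.lower() for w in (watched or set())}
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name))  # unparsable address: worth a look
            continue
        benign_target = addr.is_loopback or addr.is_unspecified
        on_watchlist = any(name == w or name.endswith("." + w) for w in watched)
        if on_watchlist or (not benign_target and name not in LOOPBACK_NAMES):
            findings.append((ip, name))
    return findings


def audit_hosts_file(path="/etc/hosts", watched=None):
    """Convenience wrapper for a real file; path and watchlist are the caller's."""
    return find_suspicious_hosts_entries(Path(path).read_text(), watched)


# Constructed sample: two normal lines plus one pharming-style override.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Added by malware (constructed example, documentation address)
203.0.113.10  www.mybank.example login.mybank.example
"""

if __name__ == "__main__":
    for ip, name in find_suspicious_hosts_entries(SAMPLE_HOSTS, {"mybank.example"}):
        print(f"suspicious override: {name} -> {ip}")
```

The hosts file is only one layer; a poisoned resolver cache or a changed DNS server setting produces the same effect with nothing on disk to parse, so this check belongs alongside monitoring of the machine’s configured resolvers rather than in place of it.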
There are many things we can do to prevent a successful phishing attack. They boil down to one simple, yet often difficult, habit: be a bit paranoid about anything you can click on or anyone you might talk to. If it sounds too good or too bad to be true, it probably is. There are some very specific things we can do as individuals:
As organisations, in addition to the recommendations above for your staff, you should: