[BreachExchange] What is phishing and how to protect against It? by Liam Johnson
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Jul 13 15:14:40 EDT 2018
https://hakin9.org/what-is-phishing-and-how-to-protect-against-it/
Phishing is a type of cybercrime which has become more and more common in
recent years. It involves an attacker, or “phisher”, posing as a legitimate
organisation and contacting their targets through social media, email,
telephone, or text message. The goal of the criminal is to convince the
individual that they are really from the organisation which they are
spoofing, such that the target is fooled into accidentally giving them
sensitive information such as usernames, passwords, or credit card details.
This data is collected either by an attachment containing malware or via a
fake website to which the victim is directed in the email.
Once the attacker has obtained the sensitive information, they can use it to
commit identity theft. They may also use the stolen credentials directly to
withdraw money from the victim’s accounts and transfer it to accounts under
their own control.
How do phishers contact their victims?
The most common way that scammers contact their victims is by email. Some
phishing emails are clearly fake; they are poorly written, ask for personal
information very directly and contain no obvious indicators that they are
from a legitimate company. However, as public awareness of scams increases,
phishers have become more creative with their emails. Their operation
relies on their emails being difficult to distinguish from well-known
companies, so they will often include logos, signature graphics, and
background data collected from internet searches of their victim to fool
them into thinking they are being contacted by the real corporation.
Although less common, “vishing” (voice phishing) and “smishing” (SMS
phishing) are two alternative phishing strategies. Vishing involves
phishing over the telephone, with the phisher pretending to be an operator
from the legitimate company. SMS phishing involves the scammer sending
fraudulent text messages to their victim, in an analogous way to email
phishing.
What do the emails look like?
The emails are often nearly identical to those of the legitimate
organisation. However, there may be small details which give them away, such
as spelling and grammar errors. Most companies address their emails to you as
“Dear [username]” or by name, whereas mass-mailing scammers will often write
“To our valued customer” or some other generic opening. The reverse does not
hold: a spear phisher who has researched the target can address them by name,
so a personalised greeting is not proof that a message is genuine.
The cybercriminals will often try to instil a sense of urgency in their
email. They will claim that unless the victim logs into their account
immediately, it will be shut down, or something similar. They will then
direct the victim to login through a hyperlink embedded in the email, which
in reality leads to a fake website which the scammer has themselves created.
The website to which the victims are directed will also closely resemble
that of the organisation being spoofed. Subdomains that contain the brand
name (the site’s real domain is the last part of the host name, not the
first) and misspelled or look-alike domain names are common tricks. Some
older phishing scams used JavaScript to place a picture of a legitimate URL
over the browser’s address bar; current browsers do not let page content draw
over the address bar, but a page still controls the text of a link and can
change the destination shown when hovering over it, so the hover preview
alone is not proof of where a link leads.
How to prevent phishing?
The easiest way to avoid being a victim of link manipulation is not to
follow the link embedded in an email. Instead, open a new tab, go to the
organisation’s website by typing its address or using a bookmark, and log in
there. If there really is something wrong with your account, you will be
told when you log in. Appropriate email filtering will also help stop these
emails from reaching your inbox in the first place.
The Most Common Phishing Techniques
Classic phishing attacks involve sending mass emails to as many people as
possible and hoping that even a small proportion of them fall for the
attack. However, there are many other ways in which phishers fool their
targets into unwittingly handing over private information. As technology
advances, so do the techniques that cybercriminals use.
Here we detail some of the common phishing techniques, some of which are
very well-known, others which are quite niche. Knowledge of what these
techniques look like is a good way of ensuring safety online.
Spear phishing:
Spear phishing is much like the classic phishing attack, except targeted to
specific individuals or organisations. The hacker may have searched through
social media and the internet to find personal information which could be
incorporated into the email to make it seem more believable and increase
their chances of success. Whaling (whale phishing) is a subset of spear
phishing which specifically targets senior people in a company, such as
executives.
Session Hijacking:
In session hijacking, the attacker abuses the mechanism a web application
uses to keep track of a logged-in user, usually a session identifier stored
in a cookie, to take over an existing session without ever learning the
password. In the simplest form, “session sniffing”, the attacker captures
the session identifier from unencrypted network traffic with a packet sniffer
and replays it to the web server, which then treats the attacker’s requests
as the victim’s.
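The defence against session sniffing is to make sure the session identifier never travels in cleartext and cannot be read by script injected into the page. The following Python snippet is an added example, not code from the hakin9 article: it audits a Set-Cookie header for the attributes that matter (Secure, HttpOnly, SameSite, the __Host- prefix and token length) and shows how a server should mint a session cookie. The two sample headers are constructed for the example.

```python
import secrets

# Constructed Set-Cookie headers (not from the article): the weak one a
# sniffer can harvest from plain HTTP, and the hardened form a server should emit.
WEAK_SET_COOKIE = "sessionid=4f2a9c; Path=/"
STRONG_SET_COOKIE = (
    "__Host-sessionid=c3e1f9b2d7a4e6f80b1c2d3e; Path=/; Secure; HttpOnly; SameSite=Lax"
)


def parse_set_cookie(header: str) -> tuple:
    """Split a Set-Cookie value into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attributes have no value
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str) -> list:
    """Return the weaknesses that make a session cookie easy to hijack."""
    name, value, attrs = parse_set_cookie(header)
    problems = []
    # Without Secure the browser also sends the cookie over plain HTTP, which
    # is exactly what "session sniffing" on a shared network captures.
    if "secure" not in attrs:
        problems.append("missing Secure: cookie is sent in cleartext over http://")
    # Without HttpOnly, script injected into the page can read document.cookie
    # and ship the token to the attacker.
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by injected script")
    # SameSite=Lax/Strict stops the cookie riding along on cross-site requests.
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: sent on cross-site requests")
    # The __Host- prefix makes the browser enforce Secure, Path=/ and no Domain.
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        problems.append("__Host- prefix used but its requirements are not met")
    # Short or predictable identifiers can be guessed rather than sniffed.
    if len(value) < 16:
        problems.append("session identifier is too short to resist guessing")
    return problems


def make_session_cookie(name: str = "__Host-sessionid") -> str:
    """Build a hardened Set-Cookie value with an unguessable random token."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Serving the site over TLS is what makes the Secure flag effective; the flag only tells the browser never to send the cookie over an unencrypted connection.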
Content Injection:
This involves the phisher altering the content of a trusted website, for
example by exploiting a flaw that lets them insert their own HTML or script
into its pages. The injected content often redirects the user to a page
outside the legitimate site where they are asked to enter personal
information, which the phisher then collects.
Malware:
Malware is often delivered as an email attachment. Once the victim opens the
attachment, the malware runs on their computer, collects data from it and
sends that data back to the scammer. Ransomware is a type of malware which
denies the user access to their device, or to certain files on it, until a
ransom has been paid.
Malware may also be installed via malicious advertising (“malvertising”),
which exploits vulnerabilities in the software that renders the advert, such
as PDF readers or browser plug-ins like Adobe Flash Player (since
discontinued), to install the malware without the user opening anything.
Link manipulation:
This is a very common way in which phishers trick their victims into giving
up private information. The phisher sends a link, usually by email, to a
fake website. The user clicks the link and is prompted to log in as normal;
when they enter their login details, the phisher collects them and uses them
to commit identity theft. The fake website looks extremely similar to the
real one and may differ only in its URL. Hovering the mouse over the link
text in the email usually exposes the real destination, although the hover
preview can be disguised as noted above, so the address shown in the browser
after the page loads is what matters.
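As an added example (not part of the original article), the following Python code applies the link checks described above to the anchors in an HTML email: it compares the domain named in the visible link text with the domain in the href, flags brand names buried in subdomains or other domains, look-alike registrable domains a character or two away from a protected brand, and internationalised (punycode or non-ASCII) hosts. The sample HTML, the PROTECTED_DOMAINS set and the two-label approximation of a registrable domain are assumptions made for the example; a production check would use the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands this check protects: a constructed assumption for the example, not a
# real allowlist.
PROTECTED_DOMAINS = {"paypal.com", "google.com"}

# Constructed sample of an HTML email body (not a real message).
SAMPLE_HTML = """
<p>Dear valued customer, your account will be suspended in 24 hours.</p>
<a href="http://paypal.com.secure-login.example/verify">https://www.paypal.com/verify</a>
<a href="https://paypa1.com/login">Log in now</a>
<a href="https://www.paypal.com/help">Help centre</a>
"""

URL_LIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.

    Assumption for the example: fine for .com/.net style names, wrong for
    two-level suffixes such as .co.uk. A real check would use the Public
    Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot misspelled brands such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> list:
    """Return the reasons a single link looks like link manipulation."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["no host in href"]
    target = registrable_domain(host)
    # 1. The visible text names one domain but the href goes to another.
    m = URL_LIKE.search(text)
    if m and registrable_domain(m.group(1)) != target:
        findings.append(f"text shows {m.group(1)} but href goes to {host}")
    # 2. Internationalised host: punycode or non-ASCII look-alike characters.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        findings.append(f"internationalised host {host}: check for look-alike characters")
    for brand in PROTECTED_DOMAINS:
        if target == brand:
            continue  # genuinely on the brand's own domain
        brand_label = brand.split(".")[0]
        # 3. Brand name used as a subdomain or inside another domain:
        #    paypal.com.secure-login.example is secure-login.example, not PayPal.
        if any(brand_label in label for label in host.split(".")):
            findings.append(f"{brand_label} appears in {host} but the registrable domain is {target}")
        # 4. Misspelled registrable domain a character or two away from the brand.
        elif edit_distance(target, brand) <= 2:
            findings.append(f"{target} is a look-alike of {brand}")
    return findings


def analyse_email_links(html: str) -> dict:
    """Map every href in the HTML to the list of findings for it."""
    collector = AnchorCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.anchors}
```

Run on the sample, the first link is flagged twice (text/href mismatch and a brand name in a subdomain), the second once as a look-alike domain, and the genuine help link not at all.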
Keyloggers:
A keylogger is a type of malware which records input from the keyboard of
the victim’s computer. The phisher receives this record and picks out login
details from it. Some high-security websites try to defeat this by having
users enter usernames and passwords with mouse clicks on an on-screen
virtual keyboard; this only stops loggers that capture keystrokes, since
malware that also captures the screen or mouse position can still recover
what was entered.
Anti-Phishing Practices
As phishing has become more sophisticated in recent years, so too have the
techniques which have been developed to counter the attacks. Many
organisations have been set up, both by government organisations and
private individuals, to try and prevent attacks and to help those who have
fallen victim to scammers.
The most common way these organisations try to help potential victims is by
arming them with knowledge as to what the most recent scams look like. They
often spread messages on what the latest emails look like on social media,
and by raising awareness, they hope to prevent people from accidentally
giving the phishers the information which they want. This can prove to be
very effective; knowledge of the Google Docs phishing attack in 2017
quickly spread on social media, which helped in it being shut down
relatively shortly after it started.
As well as alerting potential victims to the latest scams, these
organisations train people to look for the generic signs of a fraudulent
email described earlier: poor writing, direct requests for personal
information, and the absence of anything tying the message to the real
company. They also teach the public that phishers have become more creative,
copying the logos and signature graphics of well-known companies and adding
background details collected from internet searches on the victim, so that
a polished appearance on its own is not a sign of legitimacy.
According to several anti-phishing authorities, nearly all legitimate
companies address their customers by name or by username, so a generic
opening such as “Dear PayPal customer” is a common sign of a phishing email.
Legitimate emails will also be sent from the company’s real domain, such as
@paypal.com, whereas fake emails may come from a similar-looking address,
such as [email protected]. Carefully checking the sender’s email address, not
just the display name, can help tell fake emails from real ones. Note that
the From address itself can be forged outright when the spoofed domain has
not deployed sender authentication (SPF, DKIM and DMARC), so the
authentication results recorded by the receiving mail system are a stronger
signal than the visible address.
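The sender checks above, as an added example that is not from the article: a Python triage function that reads the From, Reply-To and Return-Path headers of a raw message, looks at the SPF/DKIM/DMARC verdicts the receiving mail server recorded in its Authentication-Results header, and checks for a generic greeting. The two messages, the EXPECTED_DOMAIN and BRAND constants and all mailbox names are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Brand the check is tuned for: constructed assumption for the example. A real
# filter would derive this from the brand the message claims to come from.
EXPECTED_DOMAIN = "paypal.com"
BRAND = "paypal"

GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(valued\s+)?(customer|user|member|client)\b", re.I | re.M
)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

# Constructed sample messages (not real mail). The first shows the signs the
# article lists; the second is what a genuine notification would look like.
SAMPLE_EML = """\
Return-Path: <bounce@mail-delivery.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-delivery.example; dkim=none; dmarc=fail header.from=paypal-secure.example
From: "PayPal Service" <service@paypal-secure.example>
Reply-To: helpdesk@mail-delivery.example
To: victim@example.org
Subject: Your account will be suspended
Content-Type: text/plain; charset=utf-8

Dear valued customer,

Log in within 24 hours or your account will be closed.
"""

CLEAN_EML = """\
Return-Path: <service@paypal.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your receipt
Content-Type: text/plain; charset=utf-8

Dear Jane Doe,

Thanks for your payment.
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> list:
    """Return the phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    from_header = str(msg["From"] or "")
    display_name, _ = parseaddr(from_header)
    from_dom = domain_of(from_header)
    reply_dom = domain_of(str(msg["Reply-To"] or ""))
    return_dom = domain_of(str(msg["Return-Path"] or ""))
    findings = []
    # The visible name says PayPal but the address is not at paypal.com.
    if BRAND in display_name.lower() and from_dom != EXPECTED_DOMAIN:
        findings.append(f"display name mentions {BRAND} but From domain is {from_dom}")
    # Look-alike sender domain such as paypal-secure.example.
    if from_dom != EXPECTED_DOMAIN and BRAND in from_dom:
        findings.append(f"From domain {from_dom} imitates {EXPECTED_DOMAIN}")
    # Replies are quietly routed to a different domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Bounce address elsewhere: a weaker signal, legitimate bulk senders do this too.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    # SPF/DKIM/DMARC verdicts stamped by the receiving mail server; anything
    # other than pass means the From domain has not been verified.
    for mechanism, verdict in AUTH_RESULT.findall(str(msg["Authentication-Results"] or "")):
        if verdict.lower() != "pass":
            findings.append(f"{mechanism.lower()}={verdict.lower()}")
    # Generic greeting instead of the account holder's name.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if GENERIC_GREETING.search(text):
        findings.append("generic greeting instead of the account holder's name")
    return findings
```

The Authentication-Results header is only trustworthy when it was written by your own receiving server; a sender can add a forged one, so a real filter strips any such header that arrives from outside before adding its own.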
The website to which the victims are directed from the fake email will
likewise closely resemble that of the organisation being spoofed, using the
subdomain, misspelled-URL and link-disguising tricks described above. Users
are therefore advised not to follow links in the email, but instead to open
a new tab and reach the website independently. By logging in through this
route, the user can see whether there is really something wrong with their
account, as they will be alerted on login.
Email providers have also deployed anti-phishing measures. Gmail has “Report
spam” and “Report phishing” options in the drop-down menu when an email is
opened, and Outlook’s email service has a “report phishing” button on its
page. If the scam email came from a Yahoo! account, it should be forwarded to
[email protected] for further investigation. The provider can close the
account from which the email was sent, locking the phisher out of that part
of their operation.
Organisations which are often spoofed, such as PayPal or Google, have also
taken steps to help protect their customers against malevolent scammers.
Many companies have action plans ready in anticipation of the event that
they are spoofed by scammers. They have the capability to warn their
customers or client list about the scam. The company may put notices on
their website, social media pages, or even tell local news outlets to raise
awareness and prevent their customers from falling victim to fraud.