#phishing

According to a Cisco report, 90% of data breaches are caused by phishing attacks. Millions of users are affected by malware and ransomware. However, phishing attacks are no less harmful. The availability of the latest security protocols and software cannot fully protect against cyber threats. A low user knowledge level increases the risk of becoming a cybercriminals victim. It is important to ensure that all users are properly trained.

Phishing attack is a cyberattack that uses social engineering to illegally acquire sensitive data. Often the attack is carried out through malicious links and files that users are tricked into opening. Phishing attacks are also combined with malware to do more damage. To successfully implement an attack, a cybercriminal carefully studies user behavior. Thus, he selects the easiest and the most efficient way to achieve his goals.

Signs of phishing attempts:

request for personal and account data, as well as bank card information;
unreasonable threats;
urgency;
errors in the text (spelling, grammar);
suspicious URLs;
unique offers.

Cybercriminals are constantly developing new phishing methods to obtain sensitive data.

The most common types of phishing attacks are:

Email phishing is the oldest and most used type of phishing attack. Emails that imitate legitimate senders target corporate users and individuals. Using a malicious link, document, or image, an attacker forces the victim to download malicious code (for example, «verify» personal information by clicking on a link).

Signs: request for personal information; urgent problem; shortened links; suspicious URL; spelling and grammatical errors; nested files; empty image;

Spear phishing is more targeted and focused on a specific person or company. Attackers collect information from open sources and attack entire enterprises and departments.

Signs: unusual requests, links to shared drives; suspicious and unsolicited emails; reference to personal data;

Whaling – a targeted attack on a specific person or group of people from the senior management. Most often the CEO of the company becomes the victim.

Signs: invalid domain address, use of personal email; new contact requests;

Business email compromise – attackers impersonate managers in order to gain access to his account with the ability to make decisions and send internal requests to employees.

Signs: urgency, unusual behavior, lack of lawyers in correspondence;

Voice phishing – an attack using a phone to get information or money.

Signs: blocked and hidden number, requests for confidential information or money;

HTTPS (a standard traffic encryption protocol that requires TSL/SSL certificates) phishing is a URL-based attack that aims to trick people into clicking on a malicious link.

Signs: shortened links, text with hyperlinks, spelling errors in the URL.

Clone phishing – attackers copy a letter previously sent by a legitimate person or organization, forge the sender’s address and resend it to the victim with a malicious attachment or link.

Signs: duplicate emails, errors in the email address, hyperlinked text.

SMS phishing – attacks through SMS messages with malicious attachments and links.

Signs: suspicious and unsolicited messages, messages from unknown numbers, authentication request.

Pop-up phishing – an attack through pop-up windows. Attackers insert malware in the form of pop-up ads. A click starts the infection process.

Signs: Browser notifications, new tab or window, urgent message pop-ups (antivirus update, subscription renewal, etc.).

Social media phishing – using information from social networks, attackers gain access with the help social engineering to the victim’s confidential data.

Signs: suspicious links, suspicious accounts.

Angler phishing – attackers pose as customer service employees in a phishing attack by creating a fake account and contacting a potential victim. During the interaction, the cybercriminal specifies personal data, and then provides a link to solve the problem that contains malware.

Signs: unverified account, no profile history.

Evil Twin phishing – attacks consist of creating an unsecured Wi-Fi hotspot and luring users into connecting. Once the victim has connected, all incoming and outgoing data (personal information, financial data, etc.) can be intercepted by attackers. This type of attack is more likely to occur in public places with free Wi-Fi (cafes, hotels, airports, etc.). The best way to avoid becoming a victim in this case is to use a VPN.

Signs: duplicate Wi-Fi hotspots, security alerts.

Website spoofing – creation of a completely fake site identical to the legitimate one to obtain confidential information. Most often, the websites of organizations from finance, healthcare and social networks field are faked, as they contain important personal information.

Signs: errors in writing URLs, errors on the site.

Email spoofing – creating a completely fake email domain.

Signs: suspicious and unsolicited emails, errors in email addresses.

DNS spoofing (pharming attacks) is a technically more complex type of attack where a cybercriminal has to hack a domain name server (DNS) that converts domain names into IP addresses.

Signs: unsecured website, website errors.

Image-based phishing – occurs through sending an email with an image that contains hyperlinks, malicious URLs, links to infected sites.

Signs: embedded link in image, spam, large call to action buttons.

Search Engine Phishing – attackers create legitimate pages based on keywords and queries to rank in search engines (Google, Bing). The pages contain interesting suggestions to lure the victim into entering banking information. More often, such pages offer free vacations, products, investment opportunities, discounts, job offers, etc.

Signs: attractive offers that are hard to refuse, poorly designed sites.

Watering Hole phishing – an attack is aimed at a specific company or group of people by infecting a site they frequently visit. Cybercriminals find site vulnerabilities, infect it, and lure potential victims with emails to that site.

Signs: security alerts, security testing.

Man in the middle (MITM) – an attacker intercepts the communication chain, becomes an «intermediary», controls communication, intercepts data and has the ability to manipulate it to obtain personal information from both sides.

Signs: insecure sites, spelling errors in the URL, noticeably slow communication process.

Phishing is one of the oldest forms of cybercrime. Despite this, phishing still poses a serious threat to many organizations. The reason for this is the widespread usage and sophistication of phishing campaigns.

Phishing is a cyberattack type that is aimed at gaining access to users’ confidential information (login/password, bank card details (CVV, card PIN, etc.), transaction confirmation password, e-mail address, financial phone number, code word and answers to security questions and other banking information).

To carry out such attack criminals use social engineering methods. They fake emails, ads, or websites to look as close as possible to already trusted by users. For example, cybercriminals can send a letter ostensibly from the bank where clients are served and force them to provide information about their bank account. When opening such a letter and clicking on a malicious link, users get to a fake, but as close as possible to the real site. Attackers often spoof financial institutions, emails from colleagues, auction sites, social networks, and online payment systems. Phishing emails can also contain attachments to install malware (ransomware, programs to gain unauthorized access to the system and obtain confidential information, etc.).

There is a phishing kit to facilitate phishing campaigns implementation. It is a set of tools that reflect legitimate sites (Microsoft, Google, Apple, PayPal, etc.). After installing such a set on the server and acquiring a domain name for a phishing site, email attack to achieve attacker’s goals can be started. Phishing kits are available for purchase on the dark web.

Phishing targets:

Confidential information collection: suspicious emails to trick the victim into revealing login credentials and/or providing personal information;
Malware installing: emails with infected links or attachments with infected software.

Phishing attacks types:

Spear phishing is a targeted attack to obtain and use the victim’s personal information through an email or message. Cybercriminals use the victim’s personal information in a phishing message, that makes the attacks successful;
Vishing (voice phishing) – a phone call attack in order to lure out bank information, bank card details, other confidential data, as well as transfer funds to the attackers’ account;
Smishing is phishing via SMS that contains a link or a phone number. To increase a wish to click on a link or call, criminals increase the sense of urgency;
Clone phishing is a type of phishing where a previously delivered email from a legitimate source is completely cloned, but with added malicious content (attachment, link);
Whaling is spear phishing targeted at senior executives (board members, CFO and others with access to sensitive information);
Link manipulation is a form of phishing where a malicious link looks like it belongs to a legitimate organization;
Filter evasion is a phishing form using an image to avoid anti-phishing filters;
Website forgery is a phishing form where criminals use javascript commands to change the URL they lead to;
Covert redirect is a phishing form where the link looks like a legitimate one, while redirecting the victim to the phisher’s website;
Tabnabbing is an attack that uses inactive tabs to lure personal, registration data and passwords to popular websites;
Pharming is an attack that redirects users from a legitimate site to a phishing site, even if the domain name is entered correctly.

The main phishing task is to disguise yourself as a legitimate company, employee or colleague as much as possible that makes it difficult to determine authenticity. However, there are certain indicators that indicate phishing attempts:

Use of subdomains, mistakes in URLs;
Using Gmail or another provider of free email addresses rather than corporate mail; the domain name doesn’t match the incorrectly provided domain;
Message evokes a sense of fear and urgency;
Message contains a request to verify personal information (data for entering the bank, login and passwords for entering social networks or other systems);
Spelling and grammatical errors in a message text;
Message contains an unusual attachment that could be malware or ransomware;
Familiar name of the sender, but usually you don’t communicate or don’t have common job responsibilities with him;
Mismatch of the URL in the email with the URL of the misrepresented organization;
Message contains false information about winning the lottery or competitions in which you have never participated.

The popularity and high success rate of phishing attacks increases the need for methods to prevent them. The best way to prevent phishing is to study examples of phishing attempts and provide employee training.

To prevent phishing attempts, personnel should:

Identify phishing attacks;
Be careful with pop-ups;
Be careful when clicking on a link contained in an e-mail;
Make sure that the link leads to the correct address;
Make sure that the website’s SSL certificate is valid and matches the domain;
Get confirmation from a colleague or manager about sending a suspicious letter;
Beware of redirects to other sites with identical design;
Make sure the URL matches before entering confidential information;
Not disclose personal information that could be used for spear phishing and whale phishing (eg date of birth, address, telephone number, etc.);
Check letters that indicate urgency;
Avoid downloading attachments from e-mails if you are not sure about their authenticity;
Check links;
Use two-factor authentication.

To prevent phishing emails from reaching employees it’s necessary to use:

Antivirus software;
Desktop firewalls;
Network firewalls;
Antispyware software;
Antimalware software;
Mail filter;
Information security gateways;
Spam filters;
Browsers that warn users about fraudulent sites;
Two-factor authentication;
Password manager.

The most common types of phishing attacks and their signs

What is phishing and how not to fall into a trap?