Five Things to Know about Phishing

September 29, 2022

Phishing is an attempt to steal sensitive data by tricking a person into revealing passwords or payment-card details, or into downloading malware. In a particularly unlucky scenario, phishing becomes a triple loss: the victim loses data, money, and possibly access to devices and applications.

The term 'phishing' is a play on 'fishing', spelled with the 'ph' that hacker jargon inherited from 'phreaking'. The difference is that phishers do not fish for fish but for sensitive data such as credit card numbers, usernames, or passwords.

Phishing takes many forms: you might receive a fraudulent email that looks deceptively real, or a phone call from someone impersonating a person you trust. The latter is called 'vishing' ('voice' + 'phishing'). Then there is spear phishing, the crown jewel of the cybercriminal world: it uses information about a specific person or organization to craft very authentic-looking emails. They look so real that even white-hat hackers occasionally swallow the bait.

Types of phishing

Type of phishing and what it is:

Phishing
  An attempt to trick someone into revealing confidential information over the internet or by email, in order to steal data for malicious purposes or to install malware on the victim's computer.

Spear Phishing
  A form of phishing derived from traditional phishing fraud but aimed at a specific individual or organization rather than a broad audience. Spear phishing emails are more dangerous because they are personalized to make them plausible.

Whaling
  Spear phishing aimed at very high-profile targets such as top executives and public spokespersons.

Clone Phishing
  A phishing attack built from a known good, previously sent email that contained links or attachments. The clone replaces the legitimate link or attachment with a malicious one and typically claims to be a simple re-send. If the victim takes the bait, the adversary forwards the same poisoned email to the contacts in the victim's address book.

Spoofing
  Pretending to be someone else (for email, forging the visible From address or using a look-alike domain) to win the victim's trust. The motivation is usually to gain access to systems, steal data or money, or infect devices with malware.

Social Engineering
  A broad range of malicious activities carried out through human interaction. It manipulates users into making security mistakes such as granting access to critical resources or revealing confidential information.

Vishing
  Voice phishing: using a phone call to trick victims into revealing sensitive information. The adversaries call their targets and use social engineering to extract financial information, often conveying urgency or impersonating someone with authority.

Smishing
  Phishing over SMS text messages. The messages typically contain a phone number for the target to call or a link to an adversary-controlled website that hosts malware or a fake login page.

HTTPS Phishing or SSL Phishing
  Using a valid TLS certificate (still commonly called an SSL certificate) so that the phishing site shows the browser padlock. Criminals obtain legitimate certificates for typo-squatted domains or steal certificates. Note that the padlock only means the connection to the domain in the address bar is encrypted; it says nothing about whether that domain is the one you intended to visit.

Pop-up Phishing
  Fraudulent messages that pop up while the user is browsing. Malicious code on otherwise legitimate websites triggers the pop-ups, which often carry a bogus warning about the security of the user's computer.

Evil Twin Phishing
  Tricking users into connecting to a rogue Wi-Fi access point that mimics a legitimate network. Once the user is connected, the adversary can intercept the user's traffic, including bank transactions, login credentials, and card details (especially where that traffic is not encrypted end to end). Users who reuse the same credentials across accounts are hit hardest.

Pharming
  "Phishing" + "farming": traffic meant for a legitimate website is redirected, typically by poisoning DNS or the victim's hosts file, to a fake site that steals confidential information or installs malware on the device.

Barrel Phishing or Double-Barrel Spear Phishing
  Spear phishing that uses two emails rather than one. The first message is harmless and establishes trust; the second is presented as a follow-up and carries a malicious link or attachment. Opening it leads to credential theft or a malware infection.

Phishing is the most common initial vector in malicious breaches, according to IBM X-Force. Despite much effort, it remains a top entry point for delivering RATs (remote access Trojans), other malware, and malicious links.

Yes, organizations must stay alert and vigilant. But what precisely can a business do to avoid the ubiquitous phishers' traps?

1. Train your employees to boost their anti-phishing skills

Practice makes perfect. You can hire a company or security consultant to give your employees security training. A wallet-friendlier option for those without an IT training budget is a free online phishing test; several IT companies and universities offering IT degrees deserve thanks for making such tests available to a broad audience.

How can such online tests help you become phishing-savvy?  

They are usually worth your time. You learn by taking a quiz in which you decide whether an email (say, an account access request from an app) is legitimate or a phish. You can hover over the sender and recipient addresses, the URLs, and other elements to inspect them. Then you decide whether the message is genuine or a crafty phish with look-alike URLs that tries to redirect you to some cyber grief (for example, a fake login page).

If you guessed wrong and want the hard truth, the test explains what marks the email under scrutiny as a phishing message.

Recognizing a threat is a useful first step. What do you do with that knowledge? Deleting the phish is not enough. You can do more...

2. Analyze phishes to prevent them

Header Analysis: MX Toolbox

In most cases you will notice that the sender's email address already looks strange: it is not even remotely close to an address the company would legitimately use.

Beyond that, we need to analyze the header. It provides valuable details about the email's origin.

The exact steps depend on your email application. In Gmail, for example, click the three dots in the top-right corner of the message and then Show original. The message opens in a new window, and you can try to make sense of the plethora of raw data.

To make the analysis easier, we can use a free online tool that is very handy for email analysis: MX Toolbox, specifically its Analyze Headers tool (the rightmost option on the website's home page at the time of writing). Copy and paste the full header into the blank box, and the tool separates the data into readable fields.

In the analyzer's output, look at the two authentication checks under the x-dmarc-info heading (in the raw header the same verdicts appear in the Authentication-Results line written by your receiving mail server):

  • SPF (Sender Policy Framework): was the sending server's IP address authorized by the envelope sender's domain?
  • DKIM (DomainKeys Identified Mail): does the message carry a valid signature from the domain it claims to come from?

If both checks show fail, chances are high that you are dealing with a phish: someone is trying to pass the message off as coming from a well-known domain, but their server could not pass that domain's checks. Two caveats: a forwarded or mailing-list message can fail SPF legitimately, and a pass only proves the message really came from the domain named in the header, so a look-alike domain the attacker registered and configured himself will pass both checks. Treat the result as one signal, not a verdict.

For more details, check chapter 3 of Sam Grubb’s “How cybersecurity really works”.  
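The checks described above can be scripted once you have the raw message. The following is an added example, not code from the article or from MX Toolbox: it parses a constructed raw email, reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header (RFC 8601), ignores any such header that was not written by your own mail server (a sender can insert a forged one that says "pass"), and compares the visible From domain with the envelope sender and Reply-To. The domains, host names, IP address and the authserv-id `mx.example.org` are placeholders.

```python
"""Triage the authentication results recorded in a raw e-mail header.

Added example, not from the original article and not MX Toolbox's code.
It does offline what the article describes: read the SPF, DKIM and DMARC
verdicts that the receiving mail server wrote into the Authentication-Results
header (RFC 8601) and compare the visible From domain with the envelope
sender and Reply-To.  Both raw messages below are constructed for this
example; the domains, host names and IP address are placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: the authserv-id your own mail server writes into
# Authentication-Results.  Anything else is a foreign (or forged) header.
OUR_AUTHSERV_ID = "mx.example.org"

# Constructed phish: claims to be example-bank.com, sent from elsewhere.
RAW_PHISH = b"""Return-Path: <bounce@mail-srv-19.example.net>
Authentication-Results: mx.example.org;
       dkim=fail (signature verification failed) header.d=example-bank.com;
       spf=fail (203.0.113.7 is not a permitted sender) smtp.mailfrom=mail-srv-19.example.net;
       dmarc=fail (p=REJECT) header.from=example-bank.com
Received: from mail-srv-19.example.net (mail-srv-19.example.net. [203.0.113.7])
        by mx.example.org with ESMTPS id abc123
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: support-desk@mail-srv-19.example.net
To: victim@example.org
Subject: Urgent: verify your account

Please confirm your login at https://example-bank.com.verify-login.example.net/
"""

# Constructed legitimate mail: everything lines up and passes.
RAW_LEGIT = b"""Return-Path: <alerts@example-bank.com>
Authentication-Results: mx.example.org;
       dkim=pass header.d=example-bank.com;
       spf=pass smtp.mailfrom=example-bank.com;
       dmarc=pass (p=REJECT) header.from=example-bank.com
From: "Example Bank" <alerts@example-bank.com>
To: victim@example.org
Subject: Your monthly statement

Your statement is available in the app.
"""

AUTH_METHODS = ("spf", "dkim", "dmarc")
VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg, authserv_id=OUR_AUTHSERV_ID):
    """Return {'spf': 'fail', ...} from the Authentication-Results headers
    written by our own server.  Headers with another authserv-id are ignored,
    because a sender can insert a fake one that claims 'pass'."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        text = str(header)                      # unfolded header value
        if text.split(";", 1)[0].strip().lower() != authserv_id:
            continue
        for method, verdict in VERDICT_RE.findall(text):
            results.setdefault(method.lower(), verdict.lower())
    return results


def domain_of(header_value):
    """Domain part of an address header such as '"Name" <user@host>'."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw_bytes):
    """List the red flags found in one raw message (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    verdicts = auth_results(msg)
    for method in AUTH_METHODS:
        verdict = verdicts.get(method, "none")  # 'none' = no trusted result
        if verdict != "pass":
            findings.append(f"{method.upper()} {verdict}")
    from_dom = domain_of(msg["From"])
    for label in ("Return-Path", "Reply-To"):
        other = domain_of(msg[label])
        if other and other != from_dom:
            findings.append(f"{label} domain {other} != From domain {from_dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        print(name, triage(raw) or ["no red flags"])
```

For the constructed phish the script reports SPF, DKIM and DMARC failures plus the mismatch between the From domain and both the envelope sender and Reply-To; the legitimate sample produces no findings. Because a result of "none" (no trusted Authentication-Results at all) is treated like a failure, a forged header with a foreign authserv-id cannot talk the script into trusting the message.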

URL Analysis: VirusTotal and Joe Sandbox

VirusTotal

Once you have analyzed the headers, it is time to verify the URL itself. To check whether it is known to be malicious, submit it to VirusTotal, which runs it past dozens of antivirus engines and URL scanners. If several engines flag it, it is a safe bet that the link is malicious; a single detection can be a false positive, so look at which engines fired and when the URL was first seen. Bear in mind that a submitted URL becomes visible to the VirusTotal community, so do not paste links that contain personal tokens. Now you are even more convinced that you should not click it. But we as cybersecurity people want to satisfy our curiosity: what would happen if we clicked the suspicious link? For that, yet another tool comes to our rescue: Joe Sandbox.
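Before handing a link to VirusTotal or a sandbox, the hover-and-inspect checks from section 1 can be run offline over the whole message body. The following is an added example, not code from the article and not from VirusTotal or Joe Sandbox: it extracts every link from a constructed HTML body and flags the classic tricks, namely a visible URL that differs from the real destination, a brand name used only as a subdomain label, a punycode (`xn--`) host, a bare IP address, and the `user@host` userinfo trick. `BRAND_DOMAINS` is an assumed list of the domains the message claims to come from; all hosts and addresses are placeholders, and the two-label `registrable()` helper stands in for a real public-suffix-list lookup.

```python
"""Inspect the links in an e-mail body before submitting anything anywhere.

Added example, not from the original article and not VirusTotal's or
Joe Sandbox's code.  It pulls every <a href> out of a (constructed) HTML
body and applies the checks you would do by hovering over a link: does the
visible text agree with the real destination, and does the host use a
look-alike trick?  BRAND_DOMAINS is an assumed list of the domains the
message claims to come from; all hosts and addresses are placeholders.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAINS = {"example-bank.com"}          # assumption: impersonated brand
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed body: three bad links and one genuine one.
SAMPLE_HTML = """<p>Dear customer,</p>
<p>Please <a href="https://example-bank.com.verify-login.example.net/session">
sign in at https://example-bank.com/login</a> within 24 hours.</p>
<p>Or use our <a href="http://xn--exmple-bank-zzz.com/">secure portal</a>
(the xn-- label is a made-up punycode host for this example).</p>
<p>Support: <a href="http://example-bank.com@203.0.113.7/help">help desk</a></p>
<p><a href="https://example-bank.com/statements">View your statements</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def registrable(host):
    """Last two labels of a host name.  Assumption made for brevity: a real
    tool would consult the public suffix list (co.uk and friends)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href, text):
    """Return the list of red flags for one link (empty = nothing odd)."""
    issues = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if "@" in parts.netloc:                     # http://brand.com@evil/ trick
        issues.append("text before '@' is userinfo; the real host is " + host)
    try:
        ipaddress.ip_address(host)
        issues.append("bare IP address instead of a host name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        issues.append("punycode host, possible homograph: " + host)
    for brand in BRAND_DOMAINS:                 # brand.com.evil.net
        if brand in host and registrable(host) != brand:
            issues.append(f"'{brand}' is only a subdomain label; "
                          f"real domain is {registrable(host)}")
    shown = URL_RE.search(text)                 # visible URL vs real href
    if shown:
        shown_host = urlsplit(shown.group(0)).hostname or ""
        if registrable(shown_host) != registrable(host):
            issues.append(f"link text shows {shown_host} but points to {host}")
    return issues


def flagged_links(html):
    """{href: [issues]} for every anchor that raised at least one flag."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = {}
    for href, text in collector.links:
        issues = check_link(href, text)
        if issues:
            flagged[href] = issues
    return flagged


if __name__ == "__main__":
    for href, issues in flagged_links(SAMPLE_HTML).items():
        print(href)
        for issue in issues:
            print("   -", issue)
```

On the sample body the first three links are flagged and the genuine statements link is not. The output is a triage list: the flagged hrefs are what you then submit to VirusTotal, with any per-recipient tokens stripped from the query string first.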

Joe Sandbox

Joe Sandbox runs your submission in an isolated virtual machine that behaves like a physical computer. That makes it ideal for detonating malware: your own machine stays isolated and is never exposed to the cyber grief.

Once you have created a Joe Sandbox account, you simply paste the link into the sandbox. Do not include any personal information, because the results are made public unless you pay for a private account. Bear in mind, too, that phishing links often carry a unique token that identifies the recipient: detonating such a link confirms to the attacker that the address is live, and a public report exposes it to everyone. When the report is ready, you are likely to learn a lot about the black hats' plans; for example, you may be able to identify the attack as credential harvesting.

The Screenshots section is particularly intriguing. Any cyber-savvy person will enjoy seeing the whole action documented: what opened, ran, redirected, or got installed when the sandbox followed your link. The animation feature lets you watch the events unfold as they happened.

The Behavior Graph shows every process that runs when someone clicks the malicious link, including the web pages that open and the redirects that take place. Lean back, enjoy, and then hand the data to your system administrator or security team to help them contain the infection. That brings us to the next point.

3. Act on your analysis: configure your software and alert the appropriate professionals

As we can see, our analysis in section 2 gave us valuable insights. We discovered:

  • The email was a phish
  • It came from someone impersonating a well-known resource
  • It attempted to steal our credentials

What do we do with this information? As it turns out, we have some options:

  1. We can configure our email client with a rule that sends further messages from the same sender to the junk folder. On its own this is a weak control, since the attacker can change the sending address at will.
  2. We can alert our system administrator, security team or other appropriate staff, forwarding the message with its full headers (in Gmail, the Show original view offers a download of the original message) so they can block the sender domain and URL at the mail gateway and look for other recipients of the same campaign.

4. Spear phishing remains a top entry point regardless of security trainings  

Even if you take precautions, there will be times when adversaries deploy phishing attacks that are extremely hard to recognize.  

Spear phishing uses factual information about a person or organization to create very authentic-looking emails. Imagine you receive an email from your IT administrator who addresses you by your first name and claims he urgently needs some data from you. He is swamped with security routines and cannot find time to visit you in person, so could you please reply by email? What would you do? Grab the phone and clarify. Kudos for being so vigilant! Other colleagues, however, might swallow the bait...

A widely repeated industry estimate holds that 90% of all data leaks start with a successful spear phishing attack.

IBM X-Force IRIS has found that 84 percent of the APT groups it tracks use spear phishing as a primary infection vector. Of those, 68 percent use it as their only infection vector.

Business email compromise (BEC) is a type of spear phishing where adversaries hijack a business email account and use this access to persuade employees to send them money or information. BEC is one of the most high-impact spear phishing attacks that an organization can experience, costing businesses a total of more than $26 billion worldwide as of September 2019.  

Of all the organizational phishing attacks X-Force IRIS has observed since June 2018, 42 percent involved BEC fraud.  

Here is some practical advice to avoid falling in the traps hackers set up for us.

Listen to your inner voice and use common sense

  • Does it sound too urgent to be real?
  • Do they try to capitalize on emotions?
  • Is it unsolicited communication?
  • If you have not asked for it, it is safe to ignore it.

Always use another route to validate

  • For example, if someone claims to be calling from your bank, tell the caller you will check with the bank and call back on the number printed on your card or on the bank's website. Or simply tell them you are busy.
  • Rather than clicking the link in the email, type the site's address into your browser yourself or use a bookmark you saved earlier. If you search for it instead, be aware that sponsored search results can be phishing sites too.
  • Use well-known DNS resolvers to make sure you reach the real site.
    • For example, configure your operating system, or your browser's DNS-over-HTTPS setting, to use 8.8.8.8 (Google Public DNS) or 1.1.1.1 (Cloudflare DNS). This guards against a tampered local resolver, though not against pharming malware that edits the hosts file on the device itself.

5. Conduct red-teaming exercises to see whether your organization is gullible

It is very easy to find out how many of your employees will click a malicious link or believe an impersonator trying to steal their credentials. Test phishing campaigns are a popular way of assessing an organization's cyber resilience. Who would argue that it is better to discover your organization's weaknesses in a training exercise than in a real battle?

Here is how it works. You hire a team of white-hat hackers to test how fast they can find a way into your organization. Interestingly, such teams often spend more time gathering open-source intelligence (OSINT) than hacking. To get into an organization effectively, they only need to understand what would look credible to its employees in an email. The rest is plain sailing: the hackers craft a compelling phish that has every chance of being opened.

Are your employees over-sharing online? Hackers are grateful: they investigate a business's online footprint and use it to create those highly customized, authentic-looking messages.

In X-Force Red's engagements, about one fourth of recipients clicked the fraudulent link in the test phish. Even more disturbingly, in virtually every campaign at least one recipient interacted with it (Source: X-Force Red engagements from September 2018 to September 2019, https://securityintelligence.com).

It means that beyond employee education, businesses should also focus on response.  

Related to the above, a best practice is to use a layered approach to cybersecurity that includes an advanced user behavior analytics (UBA) solution to help detect suspicious internal activity via your company’s security information and event management (SIEM) solution.
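To make "focus on response" measurable, the following added example (not from the article, nor from any phishing-simulation product) scores a simulated campaign from its event log. Alongside the usual click rate it computes the numbers that describe how the organization responds: the share of recipients who reported the mail, how long the attacker's window was between the first click and the first report, and who clicked and never told anyone. The event log is constructed for the example and the usernames are placeholders.

```python
"""Score a simulated phishing campaign on response, not just on clicks.

Added example, not from the original article or any phishing-simulation
product.  The event log below is constructed: one SENT line per recipient,
then CLICKED / SUBMITTED (credentials typed into the fake page) / REPORTED
(mail reported to the security team) events in the order they happened.
"""
from collections import defaultdict
from datetime import datetime

EVENT_LOG = """\
2022-09-12T09:00:00 SENT alice
2022-09-12T09:00:00 SENT bob
2022-09-12T09:00:00 SENT carol
2022-09-12T09:00:00 SENT dave
2022-09-12T09:00:00 SENT erin
2022-09-12T09:00:00 SENT frank
2022-09-12T09:00:00 SENT grace
2022-09-12T09:00:00 SENT heidi
2022-09-12T09:04:10 CLICKED bob
2022-09-12T09:05:02 SUBMITTED bob
2022-09-12T09:07:45 REPORTED carol
2022-09-12T09:11:30 CLICKED dave
2022-09-12T09:12:00 REPORTED dave
2022-09-12T09:40:00 CLICKED erin
2022-09-12T10:15:00 REPORTED alice
"""


def parse_events(log):
    """Turn 'timestamp ACTION user' lines into a time-sorted list of tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, action, user = line.split()
        events.append((datetime.fromisoformat(ts), action, user))
    return sorted(events)


def campaign_metrics(log):
    """Click, credential and report rates plus the response-timing figures."""
    by_action = defaultdict(set)     # action -> set of users who did it
    first = {}                       # action -> time of its first occurrence
    for ts, action, user in parse_events(log):
        by_action[action].add(user)
        first.setdefault(action, ts)

    sent = len(by_action["SENT"])

    def rate(action):
        return len(by_action[action]) / sent if sent else 0.0

    def seconds_between(start, end):
        if start in first and end in first:
            return (first[end] - first[start]).total_seconds()
        return None                  # one of the two events never happened

    return {
        "sent": sent,
        "click_rate": rate("CLICKED"),
        "credential_rate": rate("SUBMITTED"),
        "report_rate": rate("REPORTED"),
        # how long the campaign ran before anyone raised the alarm
        "seconds_to_first_report": seconds_between("SENT", "REPORTED"),
        # the attacker's window: first compromise to first alarm
        "seconds_first_click_to_first_report": seconds_between("CLICKED", "REPORTED"),
        # the people who need a conversation, not just another training video
        "clicked_never_reported": sorted(by_action["CLICKED"] - by_action["REPORTED"]),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(EVENT_LOG).items():
        print(f"{key:40} {value}")
```

On the constructed log, 3 of 8 recipients clicked and 1 submitted credentials, but 3 of 8 reported the mail and the first report arrived 215 seconds after the first click. That window, together with the list of people who clicked and stayed silent, is what the response side of the program should be working to shrink; a campaign where the click rate falls but nobody reports has not made the organization more resilient.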

References

  • Grubb, Sam. How Cybersecurity Really Works: A Hands-On Guide for Total Beginners. San Francisco: No Starch Press, 2021.
  • IBM X-Force Red engagements, September 2018 to September 2019, https://securityintelligence.com