By: Unnati Guha
May 6, 2020
The Phishing Tale
Long ago, fishermen used fishnets for catching fish. These nets would catch every fish that swam through them. A little later, they started using spear-like weapons to aim at the desired kind of fish. This allowed them to select the species they wanted to catch. And then, they went on to catch big fish like whales using different, highly targeted techniques. Do the terms in this story look familiar to you as an information security enthusiast? Great! This is precisely the chronology of how phishing as an attack has evolved. Allow me to take you on a quick flashback through this fascinating evolution. Towards the end of the tale, we will also try to point out the gaps in our systems that make phishing the most prominent and easiest door opener for an attacker.
In simple terms, phishing is a social engineering technique: sending legitimate-looking, enticing emails that lure users into clicking malicious links, images, ads, buttons, and so on. Back in 1995, the warez community consisted of hackers and people who shared pirated software over the internet. Much like today's dark web groups, they randomly generated credit card numbers to create accounts on AOL (America Online) and sent spam emails to legitimate users, aiming to gain passwords and other information. Little did they know that they were paving the way towards an attack type called 'Phishing' that would be considered a major threat for years to come.
Legitimate looking Emails
After AOL enhanced its security features and disallowed accounts created with randomly generated credit card numbers, the people from this community found other ways to fulfill their desires. They started sending spam mail disguised as coming from AOL employees, asking end users to verify their accounts by clicking the links in the emails. This marked the actual beginning of traditional phishing attacks.
Even today, this method is used to lure users into clicking links and buttons that claim to verify the user's account or let them claim a reward won in a lottery, while in the background malware or a backdoor is installed on their systems. The irony is that people still fall for such tricks and become victims, compromising not just their own confidential assets but also their organizations.
Today, as the world fights the COVID-19 pandemic, attackers are sending legitimate-looking spam emails under the names and signatures of US defense departments and other government-backed health organizations, claiming to spread information or awareness about the coronavirus. In reality, they spread malware and spyware, such as Lokibot, hidden in the background.
Also, amid the fear of the outbreak, when all of us need to keep socially distant to avoid infection, businesses are operating from employees' homes. In such conditions, the critical assets of an organization are at stake, and attackers are always on the lookout for vulnerable Wi-Fi networks and people who can fall prey to their phishing scams.
Tips to be cautious about Phishing
These are some precautions you could take on your personal mailboxes:
- Spread awareness in your organization, family and friends regarding such scams, and recommend that people avoid clicking links in emails containing words like "verify", "claim", "free", "offer", etc.
- Use bookmarked sites instead of clicking on links.
- Alternatively, check the headers and content of the email for misspellings and incorrect names to verify its authenticity.
For an organization, the following controls can be put in place to keep spam mail from circulating in the network:
- Review your business email provider's spam or junk folder settings and set the filtering level your organization needs.
- Unsubscribe from advertising emails to clear the clutter and reduce your chances of being exposed to a phishing link carried by one of them.
- If you receive dozens of newsletters and advertisements and cannot unsubscribe from each one manually, you could use a service such as Unroll.Me, which was very popular around 2015. However, there were later news reports that its user data was sold to advertisers to support their marketing campaigns, so use such a service at your discretion, considering the criticality of your email account.
- There are other similar and more secure services, such as Cleanfox, that also support mobile email applications.
- Last but not least, spread awareness among your employees about the existence of such attacks, train them to verify the authenticity of suspicious emails, and repeat that training often.
So far, we have seen how luring mass emails that appear to come from a legitimate source can lead to a successful phishing attack. But in such mass email-based phishing attacks, phishers have to be satisfied with whoever happens to be compromised.
Hence, to increase their chances of benefiting from a compromise, phishers started targeting groups of people who could give them valuable information of interest. For example, users of net banking websites and payment gateways are targeted specifically because they belong to a particular group, such as the customers of a certain bank or people interested in online shopping. Targeted phishing aimed at a group of users with the phisher's desired background is called spear phishing.
Recently, there have been cases of very famous companies being attacked using the spear phishing technique. Also, during an outbreak like this one, business email compromise (BEC) attacks have been on the rise.
Business Email Compromise (BEC)
A BEC attack is one where an attacker targets people in specific roles in an organization and sends them emails that appear to come from authorities within that organization, intending to extract essential details or get some unwanted action performed. For example, an employee receives an email impersonating the CEO or the CTO asking them to make a payment or send over critical data. The employee, going by the sender's mail id and the language used to address them, falls into the trap without bothering to verify, and puts a critical asset of the organization at risk. You can read about the latest business email compromise incidents at the link below; the Virgin Media phishing attack is one such example: https://www.metacompliance.com/blog/virgin-media-customers-targeted-with-phishing-emails
New ways of looking legitimate were invented, and phishers started hiding their intentions behind links whose domains looked legitimate. For example:
https://www.cybrary.it/ - Here, cybrary is the main domain.
https://www.cybrary.users.it/ - Though this link might look legitimate to your eyes, here "users" is the main (registered) domain, and cybrary is merely a sub-domain of it. An attacker may purchase such a domain and create a fake login page (closely resembling the targeted webpage) that captures the legitimate user's credentials in the background.
This is just one example of domain spoofing; there are several other methods of altering domain addresses to make them look legitimate. Homoglyph URLs, also known as homograph URLs, are another interesting method.
This is a more advanced way of making links look legitimate. In its simplest form it is like replacing the letter O with the number 0. A more sophisticated version replaces the traditional ASCII characters in the URL with visually identical Cyrillic characters, as shown below:
Notice the 'b' in both the URLs? There is a good chance that it will go unnoticed by a naive user. And it is effortless to create such URLs. I have used an open-source tool - https://www.irongeek.com/phomoglyph-attack-generator.php to play with alphabets and generate a homoglyph URL. An attacker then would just need to register this domain and could use it to launch phishing attacks on the users of the original website.
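To make the two tricks above concrete (the "users.it" sub-domain confusion and the homoglyph substitution), here is an added Python example that is not part of the original post: a small URL triage routine that reports which domain a link actually belongs to and flags mixed-script or digit-for-letter lookalikes in the hostname. The tiny public-suffix list, the sample URLs (including one with a Cyrillic "а" in place of the Latin "a") and the function names are constructed for this example; a real check would load the full Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix list for this example.
# A real check would load the full Public Suffix List (publicsuffix.org).
PUBLIC_SUFFIXES = {"it", "com", "in", "co.in"}


def registrable_domain(host):
    """Return the part of a hostname that a registrant actually owns.

    For www.cybrary.users.it this is users.it: 'cybrary' is only a label that
    the owner of users.it chose, which is exactly the trick the post describes.
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest public suffix first so "co.in" wins over "in".
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def decode_host(host):
    """Turn punycode labels (xn--...) back into Unicode so lookalikes become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA: inspect it as-is


def scripts_in_host(host):
    """Collect the Unicode scripts (LATIN, CYRILLIC, GREEK, ...) used by letters in a host."""
    scripts = set()
    for ch in host:
        if ch.isalpha():
            # Unicode names begin with the script, e.g. "CYRILLIC SMALL LETTER A".
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def triage_url(url):
    """Report the registrable domain and homoglyph warning signs for one URL."""
    host = decode_host(urlsplit(url).hostname or "")
    findings = []
    scripts = scripts_in_host(host)
    if len(scripts) > 1:
        findings.append("mixed scripts in hostname: " + ", ".join(sorted(scripts)))
    elif scripts and scripts != {"LATIN"}:
        findings.append("non-Latin script in hostname: " + ", ".join(sorted(scripts)))
    for label in host.split("."):
        # The classic O/0 and l/1 substitutions: digits sitting among letters.
        if any(c.isalpha() for c in label) and any(c in "01" for c in label):
            findings.append(f"digits that resemble letters in label '{label}'")
    return {"host": host, "registrable_domain": registrable_domain(host), "findings": findings}


if __name__ == "__main__":
    # Constructed samples; the third uses Cyrillic U+0430 in place of Latin 'a'.
    for sample in ("https://www.cybrary.it/", "https://www.cybrary.users.it/",
                   "https://cybr\u0430ry.it/login"):
        print(triage_url(sample))
```

The decoding step matters because a browser or mail client often shows the Unicode form while the link itself carries the xn-- punycode form; checking only one of the two misses half the cases.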
Here are two recent cases from India, where this method was used to target users of a famous airline, Jet Airways. Read the case study at https://www.esds.co.in/blog/jet-airways-phishing-attack/#sthash.QYvyI5pR.dpbs.
After this, it was also used to target users of a leading retail chain, D-Mart: https://www.esds.co.in/blog/jet-airways-phishing-attack/#sthash.QYvyI5pR.dpbs
Smishing and Vishing
Smishing is nothing but SMS-based phishing, the counterpart of sending legitimate-looking emails. Have you ever received promotional bulk SMS from companies where you have purchased something, or SMS with your bank's name as the sender? Congratulations! You have been a potential victim of smishing attempts at least once. Nowadays, phishers steal the databases of companies, banks and websites and send bulk SMS to their users and customers with the aim of extracting useful data from them.
Vishing is nothing but voice-based phishing. First, the attacker calls you to gain your trust and gets you interested in a particular policy, service, or product. Then, they send you a link on your "registered number" to get your details or make a payment. Attackers have built advanced social engineering skills in this manner.
Tips to be cautious about Spear Phishing
Follow these precautions:
- You can purchase domain privacy for your organization's domain so that registrant details are hidden in the publicly available 'Whois' database. More information can be found at https://www.namecheap.com/security/whoisguard/
- Carefully examine links before clicking on them.
- The best method is to avoid links sent through forwarded messages.
- You can also check a link's authenticity by pasting it into a Whois domain lookup website.
- Don't fall prey to promotional scams sent via SMS.
- Don't give any kind of personal information, like a Social Security Number (United States) or Aadhaar (India), or financial information like card numbers, CVV, etc. to customer care. A legitimate customer care line will never ask for such information.
Attackers use whaling to maximize their gains. They focus on the people who can give them the really juicy information: the high-profile employees (whales) of the target company, who have access to the most valuable information.
After all, no one wants to ignore messages from their CEOs and CTOs (the big fish). Moreover, taking over just one account is easier than running a full-fledged phishing scam.
Despite the security policies applied to workstations, there continues to be a gap in security that makes defense in depth hard to achieve for even the most valued targets in an organization.
Nowadays, when a suspicious email comes to our inbox, it usually lands straight in the spam folder. Email spoofing is done to escape this. With this method, attackers manipulate the headers of the email so that it looks legitimate. In the context of whaling, they even modify the content to match the language of the targeted manager. This makes the email believable and convincing enough to trick the victim into handing over the requested details with little hesitation.
Apart from email spoofing, whaling can also be carried out through smishing and vishing. There have been cases where employees received calls and SMS messages purportedly from the CEO or their managers, asking them to make payments or reveal passwords under a sense of urgency.
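The header manipulation described above leaves traces that a mail gateway or an analyst can check. The following Python script is an added example, not from the original post, that runs such checks over two constructed messages using only the standard library: it compares the visible From domain with the Return-Path and Reply-To domains, reads the gateway's SPF/DKIM/DMARC verdicts from the Authentication-Results header, and flags the pressure language typical of a BEC request. All domains, addresses and header values are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages using documentation-reserved domains.
SPOOFED_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: <jane.doe.ceo@webmail.example.org>
To: accounts@example.com
Subject: Urgent wire transfer needed today

Please process the attached invoice before noon and keep this confidential.
"""

LEGITIMATE_RAW = """\
Return-Path: <it-notices@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "IT Notices" <it-notices@example.com>
To: staff@example.com
Subject: Scheduled maintenance on Saturday

The mail gateway will be patched at 09:00. No action is needed from you.
"""

URGENCY_WORDS = ("urgent", "immediately", "wire transfer", "confidential", "password")


def domain_of(address):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def parse_auth_results(header_value):
    """Map method -> result (e.g. {'spf': 'fail'}) from an Authentication-Results header."""
    results = {}
    for clause in header_value.split(";")[1:]:  # clause 0 is the authserv-id
        token = clause.strip().split(" ")[0]
        if "=" in token:
            method, result = token.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def triage_message(raw, internal_domain):
    """Return a list of spoofing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])

    # 1. The envelope sender (Return-Path) and the visible From should agree.
    return_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")

    # 2. A Reply-To that silently redirects replies elsewhere is a BEC hallmark.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. The gateway's own SPF/DKIM/DMARC verdicts, stamped in Authentication-Results.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    if from_domain == internal_domain.lower() and auth.get("dmarc") != "pass":
        findings.append("claims to come from our own domain but did not pass DMARC")

    # 4. Pressure language in subject or body: the social engineering part.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    pressure = [w for w in URGENCY_WORDS if w in text]
    if pressure:
        findings.append("pressure language: " + ", ".join(pressure))
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legitimate", LEGITIMATE_RAW)):
        print(label, triage_message(raw, "example.com"))
```

The Authentication-Results header is only trustworthy when it was added by your own gateway, so a production version would first strip any copy of that header arriving from outside before the gateway stamps its own.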
CISOs around the world identify whaling as the next significant threat to an organization.
Tips to be cautious about whaling
- Implement SPF (Sender Policy Framework) to keep a check on your incoming emails. You can find more information on SPF and how to implement it at https://postmarkapp.com/guides/spf
- Also, deploy DMARC (Domain-based Message Authentication, Reporting & Conformance), which keeps spammers from using your domain to send spam emails. More information on how DMARC can be implemented can be found here: https://postmarkapp.com/guides/dmarc
- Domain names should not be used in email ids; use a subdomain instead of the domain.
- In the case of calls or messages, it is always a good idea to double-check a crucial request made by a manager. Such requests should come through the organization's email.
- Security policies and procedures must be deployed, implemented, and monitored for everyone. A defense-in-depth approach should be strictly followed.
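As an added example (not part of the original post) of what the SPF and DMARC tips above amount to in practice, the Python below evaluates a constructed SPF record against sending IP addresses, flags weak record choices such as "+all", and reads the policy out of a constructed DMARC record. The records, the example.com domain and the IP addresses are hypothetical; the include, a and mx mechanisms, which need DNS lookups, are deliberately left unresolved so the script runs offline.

```python
import ipaddress

# Constructed records for a hypothetical domain; the IP ranges are documentation ranges.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

# What each SPF qualifier means when its mechanism matches (RFC 7208).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate an SPF record for one sending IP.

    Only ip4/ip6 mechanisms and 'all' are handled; 'include', 'a' and 'mx' need
    DNS lookups, so this offline example treats them as non-matching.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
        if ":" in term:
            mechanism, value = term.split(":", 1)
            if mechanism.lower() in ("ip4", "ip6"):
                network = ipaddress.ip_network(value, strict=False)
                if ip.version == network.version and ip in network:
                    return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and there is no 'all' term


def spf_weaknesses(record):
    """Flag record choices that let spoofed mail through."""
    terms = record.lower().split()
    issues = []
    if "+all" in terms or "all" in terms:
        issues.append("'+all' lets any host pass; use '-all'")
    elif "?all" in terms:
        issues.append("'?all' is neutral; receivers will not reject spoofed mail")
    elif "~all" in terms:
        issues.append("'~all' only softfails; prefer '-all' once all legitimate senders are listed")
    elif not any(t.endswith("all") for t in terms):
        issues.append("no 'all' term; unmatched senders get neutral instead of fail")
    return issues


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record):
    """Summarise how strongly a DMARC record protects the domain against spoofing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "invalid"
    policy = tags.get("p", "none").lower()
    if policy == "reject":
        return "enforcing"
    if policy == "quarantine":
        return "quarantining"
    return "monitor-only"  # p=none only reports; it does not block spoofed mail


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.10", "192.0.2.5"):
        print(ip, evaluate_spf(SPF_RECORD, ip))
    print(spf_weaknesses("v=spf1 ip4:203.0.113.0/24 +all"))
    print(dmarc_posture(DMARC_RECORD), dmarc_posture("v=DMARC1; p=none"))
```

The weak settings to look for are an SPF record ending in "+all" or "?all" and a DMARC record with p=none: both publish a policy without actually stopping a spoofed message from your domain. The corrected form is the one in the constructed records above, "-all" together with p=reject, after every legitimate sending host has been listed.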
You can't catch a phishing attack with an intercept. You can't brute-force it, nor can you predict it to prevent the intrusion. Phishing, since its first execution, has always been and will always be an easy door for an attacker into a network. Unlike most cybersecurity attacks, a phishing attack isn't always the result of a technical misconfiguration. Launching a phishing campaign doesn't even require technical skills; an attacker needs only excellent social engineering skills.
It is like stealing the key and walking in. Phishing attempts, if identified in your organization, can be precursors to an even bigger attack such as the leaking of sensitive information, generally considered a data breach, which could incur a huge loss and therefore must never be taken lightly. It is always recommended to spread awareness of phishing to all employees in an organization. Don't forget to train and test your employees on mock phishing scenarios. With a little awareness and precaution, we can indeed stay safe in the cyber world!