Extended Definition of Phishing
Phishing /fiSHiNG/: An attempt to acquire sensitive or confidential data by masquerading as a trustworthy entity. Phishing is the first phase in over 95% of cyber threat campaigns and takes the form of a variety of email, network, and web lures. The essential element is the misleading of an unsuspecting victim with bait such as benign-appearing files to download, links to click, or forms to complete, whereby the victim unknowingly transfers data or information needed to effect a breach or theft.
To execute a phishing attack, criminals must understand basic human behaviors and how to use psychology to mislead their intended victim into divulging sensitive information. Some attempt to instill a sense of urgency in the recipient by threatening to cut off access to an account or service, such as a bank account, or an online streaming service unless they provide specific information requested in the message to unlock their account. Alternatively, others might announce the existence of a rebate or refund, contingent on the user confirming their billing address, account number, and/or password. Either through trust or coercion, the attacker tricks their victim into providing sensitive information.
Nonetheless, the most common are phishing emails that don’t require the recipient to do much more than open the email and click on a link, such as the tracking number corresponding to the delivery of an important package. By clicking on the link, the user infects their device with malware, specifically keylogging software which allows cybercriminals to capture the user’s online credentials covertly.
While these types of phishing attacks succeed due to the sheer volume of emails sent, spear phishing, where criminals target specific executives, and whale phishing, which focuses on high-profile individuals with access to considerable wealth or power, succeed due to the amount of personal information criminals gather and include in the email.
For example, in a spear phishing scheme, a criminal may email a company’s CFO with a request to pay a past due invoice from an established vendor. The critical element of the phish is the fact that it references a vendor known to the CFO. In that respect, the email appears routine, non-threatening, and in the spirit of maintaining a positive relationship with the vendor, merits opening and following the instructions it provides.
Bottom line: In order for an attacker to establish trust and a phishing scheme to succeed, the victim must view a malicious email or website as trustworthy. Whether they use fear, the existence of a financial reward, or a false state of emergency, the goal of any phishing scheme is to lower the intended victim’s guard by sending a phishing lure that appears legitimate. With their guard lowered, they share information that otherwise they would not.
A Brief History of Phishing Attacks
How did phishing schemes evolve? Why do attackers continue to rely on phishing to commit fraud and identity theft? How have phishing attacks evolved since the early days of the internet and what does the future hold when it comes to combating phishing attacks?
Think back to the first time you ventured online. Like millions of others, you probably used an online service provider such as America Online to do so. While they lacked the sophistication of today’s scams, even back then, phishing scams took place. Instead of committing lucrative crimes, such as bank fraud, attackers focused initially on assuming control of an individual’s email account to send spam emails. In its next iteration, criminals created emails supposedly from AOL and other companies with a burgeoning online presence to ask victims to update their billing information. Using this approach, instead of stealing login credentials associated with an email account to send spam, criminals started phishing for credit card numbers, bank accounts, and billing addresses.
Nonetheless, given the number of typographic errors criminals made coupled with their inability to create a compelling copy of a company’s website, detecting a phishing email or a phony website didn’t require a great deal of expertise. More often than not, criminals made a critical error by misspelling a simple word, or even the name of the company the email purported to come from.
Today, phishing schemes involve a far more sophisticated type of perpetrator who possesses the financing and technical know-how to launch highly effective attacks on government and corporate networks. And instead of remaining the domain of foreign cybercriminals, phishing is a global phenomenon, with attacks emanating from every country on the planet.
Common Phishing Methods
Many names, but they're all the same. Phish.
Business Email Compromises (BECs) are complex phishing scams that trick individuals into performing financial transactions. The hackers start by compromising an employee’s computer, then they monitor the company’s email for weeks to learn its practices and procedures. Eventually, they’ll send an email that appears to have come from the compromised employee’s computer, requesting a wire transfer to a foreign bank account. Surprise, surprise, the money ends up in the hacker’s account.
Phishing gets its name from the idea that attackers “fish” for victims using email as bait. But while normal phishing targets a vast number of random email accounts, spear phishing targets a specific victim. Emails are made to look like they came from a source the victim trusts, such as a colleague at work, and the subject line often reflects their particular interests or work. That makes phishing emails harder to spot, and therefore more dangerous.
Ransomware is a type of malware that’s usually delivered via a phishing email. The code encrypts the files on your computer and the hacker demands a ransom to set them free. Payments often must be made in an untraceable digital currency like bitcoin.
Email spoofing is when an attacker forges an email header — the “from” field — to make a phishing email look like it came from a trusted sender. If the recipient thinks they know who the email came from, they’re more likely to comply with a request to send information or click the phishing link within the email.
Much like predators in the wild hang out near watering holes to catch their prey, a watering hole attack involves hiding malware on websites where potential victims gather. For example, attackers targeting bankers might hide malware on websites that provide financial news.
An attack targeting a firm’s top executives is called “whaling” — because they’re the biggest fish, get it? These also tend to be highly targeted, sometimes made to look like urgent messages from a business associate. If the executive falls for the attack, by opening an attachment or clicking a link, malicious code, or “malware,” can be downloaded to their computer. That’s all it takes for a computer to be compromised. An attacker can gain access to the company’s network and infect other computers, or read files on the executive’s computer.
Snowshoeing is a technique spammers use to disguise unwanted emails, which can then be used for phishing. The emails are sent from a vast number of web addresses, in the hope of fooling spam filters and allowing at least a few of the emails to get through. Just as a real-life snowshoe spreads weight over a large area, snowshoeing spreads email delivery over a large number of servers.
In this type of attack, the bad guys create a near-identical replica of an authentic email to trick a victim into sharing valuable information. The attacker swaps out an authentic link or attachment in the original email with a malicious one. The email is often sent from an address that resembles that of the original sender, making it harder to spot.
If phishing attacks are the equivalent of casting a baited line in the water, drive-by attacks are akin to a booby trap in the woods. Attackers hide malware on websites and wait for victims to “drive” by – or visit those sites. When they do, the malware looks for unsecure software on the victim’s computer. If it finds any — because the victim hasn’t downloaded the latest security patch, for instance — the attacker can swoop in and take over the computer.
Short for “malicious advertising,” malvertising takes advantage of the fact that people often trust online ads and are willing to click on them. It’s a popular method because malicious ads can be planted on busy websites that attract millions of visitors. Companies that run online ad networks are constantly trying to root out this type of code.
Vishing stands for “voice phishing” and relies on phone calls instead of email. Typically, you’ll get a call that sounds like a recorded message from an institution such as your bank. The message asks you to call a number and tap in your account details and PIN. In reality, the hacker is at the other end of the line, scooping up your data.
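For the email spoofing entry and the lookalike sender address described above, a receiving-side check can compare the visible From domain with the envelope sender, the recorded DMARC verdict, and a list of trusted domains. This is an added example, not Area 1 Security's code; the trusted-domain list, the sample messages, and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def assess_sender(raw_message, trusted_domains):
    """Return sender-identity findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    path_dom = domain_of(msg["Return-Path"])
    findings = []
    # Visible From vs. envelope sender. Exact match is a simplification:
    # real DMARC alignment compares organizational domains.
    if path_dom and from_dom != path_dom:
        findings.append("from-returnpath-mismatch")
    # DMARC verdict stamped by the receiving server (assumed to be ours,
    # so the header itself is trustworthy).
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdict = re.search(r"\bdmarc=(\w+)", auth)
    if verdict is None:
        findings.append("dmarc-missing")
    elif verdict.group(1).lower() != "pass":
        findings.append("dmarc-" + verdict.group(1).lower())
    # Lookalike: From domain is close to, but not equal to, a trusted one.
    for trusted in trusted_domains:
        if from_dom != trusted and SequenceMatcher(None, from_dom, trusted).ratio() >= 0.85:
            findings.append("lookalike-of:" + trusted)
    return findings

def sample(from_dom, path_dom, dmarc):
    """Build a constructed test message (not real mail)."""
    return (f"Return-Path: <bounce@{path_dom}>\n"
            f"Authentication-Results: mx.example.org; dmarc={dmarc} header.from={from_dom}\n"
            f'From: "Accounts Payable" <billing@{from_dom}>\n'
            "Subject: Past due invoice\n\nPlease remit today.\n")

TRUSTED = ["example-vendor.com"]  # hypothetical vendor allow-list
SPOOFED = sample("example-vendor.com", "mailer.invalid", "fail")
LOOKALIKE = sample("examp1e-vendor.com", "examp1e-vendor.com", "pass")
CLEAN = sample("example-vendor.com", "example-vendor.com", "pass")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("clean", CLEAN)]:
        print(name, assess_sender(raw, TRUSTED))
```

A From/Return-Path mismatch alone is a signal rather than a verdict, since legitimate bulk senders often use a separate bounce domain; the lookalike case passes DMARC because the attacker controls that domain.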
Any Firm Can Fall Victim to a Phishing Attack
While phishing takes place with alarming regularity, more often than not, successful phishing attacks go unreported. There are several reasons for the lack of reporting. Organizations subject to phishing don’t want to publicize the success of an attack at the risk of attracting additional attempts. Additionally, it may take the company months, sometimes years, to uncover evidence of a phishing scheme. Neither the fact that an attack occurred nor the fact that it took months to detect plays well in the court of public opinion – especially if cybercriminals used their access to steal sensitive customer data.
Nonetheless, attacks against notable victims including RSA, Sony, Home Depot, JP Morgan Chase, and Anthem show that despite dramatic increases in the investment of cybersecurity technology and concerted efforts to educate executives, employees, and contractors of the characteristics of a phishing attack, cybercriminals continue to breach corporate networks with impunity. And it’s not just businesses that struggle to combat the threat: in the United States political arena, individuals on both sides of the aisle have found their emails posted online for public consumption.
What Most Companies Get Wrong About Phishing
In the fight against phishing, some organizations believe the myth that security training is the most effective way to prevent a phishing attack. While training is undoubtedly beneficial in helping individuals understand the severity of the threat, and the characteristics of a phishing email, expecting employees and executives to keep what they learned at the forefront of their mind is unrealistic.
Even if an individual paid close attention during every security training, cybercriminals design phishing attacks using all manner of psychological techniques, to cause the recipient to react and engage in the behavior specified in the email, then only after the fact, think about the wisdom of their actions. By then, the damage is done.
Simply put, training matters, and it can help prevent phishing attacks, but it’s just one component of an effective anti-phishing program.
The Best Way to Secure Your Employees Against Phishing
Despite the existence of perimeter defenses, spam filters, and ongoing employee education programs, phishing attacks remain the leading cause of data breaches. Whether an attack comes via email, the web, or a network, Area 1 Security’s cloud-based solution uses various tools and techniques, including globally-distributed attack sensors and a comprehensive suite of analytics, to identify and preempt phishing attacks in their infancy. And while many mass-market solutions cannot detect low-volume, highly targeted attacks, spear phishing schemes often exact the most damage. Area 1 Security’s solution takes preemptive measures to thwart phishing against all attack vectors – including highly sophisticated spear phishing.