The Definitive Guide
Define Phishing /fiSHiNG/ An attempt to acquire sensitive or confidential data by masquerading as a trustworthy entity. Phishing is the first phase in over 95% of cyber threat campaigns and takes the form of a variety of email, network, and web lures. The essential element is the misleading of an unsuspecting victim with bait such as benign-appearing files to download, links to click, or forms to complete, whereby the victim unknowingly transfers data or information needed to effect a breach or theft.
To execute a phishing attack, criminals must understand basic human behaviors and how to use psychology to mislead their intended victim into divulging sensitive information. Some attempt to instill a sense of urgency in the recipient by threatening to cut off access to an account or service, such as a bank account, or an online streaming service unless they provide specific information requested in the message to unlock their account. Alternatively, others might announce the existence of a rebate or refund, contingent on the user confirming their billing address, account number, and/or password. Either through trust or coercion, the attacker tricks their victim into providing sensitive information.
Nonetheless, the most common are phishing emails that don’t require the recipient to do much more than open the email and click on a link, such as the tracking number corresponding to the delivery of essential packages. By clicking on the link, the user infects their device with malware, specifically keylogging software which allows cybercriminals to capture the user’s online credentials covertly.
While these types of phishing attacks succeed due to the sheer volume of emails sent, spear-phishing, where criminals target specific executives, and whale phishing, which focuses on high-profile individuals with access to considerable wealth or power, succeed due to the amount of personal information criminals gather and include in the email.
For example, in a spear phishing scheme, a criminal may email a company’s CFO with a request to pay a past due invoice from an established vendor. The critical element of the phish is the fact that it references a vendor known to the CFO. In that respect, the email appears routine, non-threatening, and in the spirit of maintaining a positive relationship with the vendor, merits opening and following the instructions it provides.
Bottom line: For an attacker to establish trust and a phishing scheme to succeed, the victim must view a malicious email or website as trustworthy. Whether they use fear, the existence of a financial reward, or a false state of emergency, the goal of any phishing scheme is to lower the intended victim’s guard by sending a phishing lure that appears legitimate. With their guard lowered, they share information that otherwise they would not.
How did phishing schemes evolve? Why do attackers continue to rely on phishing to commit fraud and identity theft? How have phishing attacks evolved since the early days of the internet and what does the future hold when it comes to combating phishing attacks?
Think back to the first time you ventured online. Like millions of others, you probably used an online service provider such as America Online to do so. While they lacked the sophistication of today’s scams, even back then, phishing scams took place. Instead of committing lucrative crimes, such as bank fraud, attackers focused initially on assuming control of an individual’s email account to send spam emails. In its next iteration, criminals created emails supposedly from AOL and other companies with a burgeoning online presence to ask victims to update their billing information. Using this approach, instead of stealing login credentials associated with an email account to send spam, criminals started phishing for credit card numbers, bank accounts, and billing addresses.
Nonetheless, given the number of typographic errors criminals made, coupled with their inability to create a compelling copy of a company’s website, detecting a phishing email or a phony website didn’t require a great deal of expertise. More often than not, criminals made a critical error by misspelling a simple word, or even the name of the company the email purported to come from.
Today, phishing schemes involve a far more sophisticated type of perpetrator who possesses the financing and technical know-how to launch highly effective attacks on government and corporate networks. And instead of remaining the domain of foreign cybercriminals, phishing is a global phenomenon, with attacks emanating from every country on the planet.
Many names, but they’re all the same. Phish.
Adware is software that presents unsolicited advertisements to computer users, typically when using an Internet browser. The advertisements are frequently presented as pop-up windows. Adware most frequently qualifies as a nuisance as opposed to malicious software. Some forms of adware monitor users’ activities without consent and report them to the originator. This may be to track a user’s browsing habits in order to serve more targeted advertisements. Some modern adware is capable of disabling antivirus programs in order to avoid being blocked.
An anonymous mailer is a web service that allows a user to discreetly send email through its servers with an arbitrary, user-selected sender email address without any registration or authentication. By allowing users to choose the sender email address, anonymous mailers allow users to spoof email addresses, thus allowing the user to send an email that appears to originate from another individual. Anonymous mailers generally facilitate one-way email transactions. That is, the user will not be able to receive replies to the anonymous messages. However, some anonymous mailers allow the recipient to respond to the user through a pseudo-obfuscated, middle-man proxy address placed in the SMTP “Reply-To” field.
A backdoor is an executable, process, or script whose primary objective is to serve as a sustained entry point for an attacker onto an infected host. Backdoors are designed to persist on the infected machine enabling remote access over covert communications to facilitate malicious operations or install secondary malware. Tools that may be included in the backdoor threat category may vary in the robustness of capabilities dependent on the attacker’s knowledge or concern of their digital footprint on the infected machine.
Business Email Compromise
Business Email Compromises (BECs) are complex phishing scams that trick individuals into performing financial transactions. The hackers start by compromising an employee’s computer, then they monitor the company’s email for weeks to learn its practices and procedures. Eventually, they’ll send an email that appears to have come from the compromised employee’s computer, requesting a wire transfer to a foreign bank account. Surprise, surprise, the money ends up in the hacker’s account.
Credential harvesters are sites set up by an attacker to deceive users into providing their login credentials. This particular attack presents the user with a page that imitates an email or other account login page. Unwitting users sometimes enter their credentials, providing attackers with the credentials to their accounts.
In this type of attack, the bad guys create a near-identical replica of an authentic email to trick a victim into sharing valuable information. The attacker swaps out an authentic link or attachment in the original email with a malicious one. The email is often sent from an address that resembles that of the original sender, making it harder to spot.
If phishing attacks are the equivalent of casting a baited line in the water, drive-by attacks are akin to a booby trap in the woods. Attackers hide malware on websites and wait for victims to “drive” by – or visit those sites. When they do, the malware looks for insecure software on the victim’s computer. If it finds any — because the victim hasn’t downloaded the latest security patch, for instance — the attacker can swoop in and take over the computer.
A dropper is a malicious executable binary whose purpose is to decrypt, unobfuscate, and/or extract a secondary malicious payload. Along with the malicious payload, the dropper may open a benign lure document to serve as a distraction for the human target during the infection process. Typically, a dropper is extracted from a carrier file such as a Microsoft Office document, PDF, or other common container-style document. Carrier files are usually engineered with an exploit that causes the viewing application to begin executing the attacker’s code, leading to execution of the dropper and installation of malware.
Email spoofing is when an attacker forges an email header — the “from” field — to make a phishing email look like it came from a trusted sender. If the recipient thinks they know who the email came from, they’re more likely to comply with a request to send information or click the phishing link within the email.
Extortion is commonly used to leverage an entity into performing a set of actions it would not otherwise normally perform. This is typically done under duress. Systems can become compromised through the actions an entity takes under extortion. The level of extortion can lead to a wide range of compromise depending on the intentions and resources of the attacker. Failure to adhere to policies, or falling victim to extortion, can result in network compromise and kill chain phase 4 (exploitation) operations, which may impact system availability and integrity and lead to follow-on kill chain activities.
Identity Deception occurs when an attacker or someone with malicious intent sends an email claiming to be someone else. The mechanisms and tactics vary widely; however, the intent is to trick the target into taking actions that can have deleterious effects on their business. Attackers utilizing Identity Deception send email with high-fidelity verisimilitude. This is accomplished by registering domains that look similar to a trusted domain, spoofing the trusted domain outright, or utilizing display-name tricks so the message appears to be sourced from that domain. Variations on this include sending email utilizing Domain Fronting and high-reputation web services platforms such as G Suite and Office 365.
A Malicious Attachment is any file attached to an email that, when opened or executed, performs a series of actions set by an attacker. The email typically contains a lure to deceive the target into opening the attachment. The motivation for including a Malicious Attachment is typically to install malware for purposes such as ransomware or follow-on operations through backdoors and RATs. Malicious Attachments can also be used as credential harvesters.
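The spoofing and Identity Deception patterns described above (a forged or lookalike “from” domain, a display name that claims a different address, and a “Reply-To” that redirects answers elsewhere) are visible in message headers and can be checked mechanically. The following Python script is an added illustration, not code from the guide or from Area 1 Security: it parses a sample message, flags the three indicators, and treats a domain as a lookalike when it matches a trusted domain after common character substitutions or within one edit. The trusted-domain list and both sample messages are constructed for the demo.

```python
"""Defender-side header checks for common identity-deception indicators.

Added example; the TRUSTED_DOMAINS set and the sample messages below are
constructed for this demo and do not come from any real campaign.
"""
import email
import re
from email.utils import parseaddr

# Constructed: domains a hypothetical organization treats as trusted senders.
TRUSTED_DOMAINS = {"example.com", "vendor-example.net"}

# Character substitutions frequently used to build lookalike domains.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Lower-case a domain and undo common visual substitutions."""
    d = domain.lower()
    for lookalike, real in SUBSTITUTIONS:
        d = d.replace(lookalike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    An exact trusted domain is never a lookalike; anything else that equals a
    trusted domain after normalization, or sits one edit away, is flagged.
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    norm = normalize(domain)
    for t in trusted:
        if norm == t or edit_distance(norm, t) <= 1:
            return t
    return None


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyze_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs found in the message headers."""
    msg = email.message_from_bytes(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display-name trick: the visible name carries an address on another domain.
    for claimed in re.findall(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", name):
        if claimed.lower() != from_dom:
            findings.append(("display-name-mismatch",
                             f"display name claims {claimed}, header From is {from_dom}"))

    # 2. Lookalike domain imitating one the organization trusts.
    target = lookalike_of(from_dom)
    if target:
        findings.append(("lookalike-domain", f"{from_dom} imitates {target}"))

    # 3. Reply-To redirection: replies go to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(("reply-to-redirect",
                         f"replies routed to {domain_of(reply)} instead of {from_dom}"))
    return findings


# Constructed sample: every indicator present (note the digit 1 in examp1e).
SAMPLE_SUSPICIOUS = b"""From: "Pat Lee <pat.lee@example.com>" <billing@examp1e.com>
Reply-To: payments@mail-relay.invalid
To: cfo@example.com
Subject: Past due invoice - action required

Please process the attached invoice today.
"""

# Constructed sample: a routine message from the trusted domain.
SAMPLE_BENIGN = b"""From: "Pat Lee" <pat.lee@example.com>
To: cfo@example.com
Subject: Q3 invoice

Attached as discussed.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_headers(raw) or "no indicators")
```

Run stand-alone, the script reports all three indicators for the first message and none for the second. In a mail gateway these checks would sit alongside SPF, DKIM and DMARC results rather than replace them; the display-name and Reply-To checks in particular catch messages that pass authentication because the attacker controls the sending domain.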
Short for “malicious advertising,” malvertising takes advantage of the fact that people often trust online ads and are willing to click on them. It’s a popular method because malicious ads can be planted on busy websites that attract millions of visitors. Companies that run online ad networks are constantly trying to root out this type of code.
Ransomware is a type of malware that encrypts a victim’s documents to render them useless unless the victim pays the attackers a ransom. Ransomware can be extremely damaging to a user’s or corporation’s data. This type of malware often also attacks inserted storage devices, such as USB flash drives, and network-attached storage drives, if present. Ransomware is ubiquitous and is often delivered through mass phishing campaigns and exploit kits. The most advanced intrusion detection systems and antivirus programs have shown little success in stopping these attacks.
A Scam is a broad category of Fraud. Scams have been conducted over various types of communication, including phone and postal mail. However, the most common scams are conducted via email. The foundation of a scam is to entice a victim to provide money under a promise of a significant sum in return. Targets are often enticed because the scam requires very little work on their part and appears to be a way of making significant money very easily. Scams tend to have goals and indicators in common. Some of these can be described using the most prominent type of scam, the “419 Scam,” as an example. This scam is also known as the “Advance Fee” scam/fraud. In such a scam, the sender promises a large sum of money.
Snowshoeing is a technique spammers use to disguise unwanted emails, which can then be used for phishing. The emails are sent from a vast number of web addresses, in the hope of fooling spam filters and allowing at least a few of the emails to get through. Just as a real-life snowshoe spreads weight over a large area, snowshoeing spreads email delivery over a large number of servers.
Spear Phishing or Targeted Phishing
Phishing gets its name from the idea that attackers “fish” for victims using email as bait. But while normal phishing targets a vast number of random email accounts, spear phishing targets a specific victim. Emails are made to look like they came from a source the victim trusts, such as a colleague at work, and the subject line often reflects their particular interests or work. That makes phishing emails harder to spot, and therefore more dangerous.
Vishing stands for “voice phishing” and relies on phone calls instead of email. Typically, you’ll get a call that sounds like a recorded message from an institution such as your bank. The message asks you to call a number and tap in your account details and PIN. In reality, the hacker is at the other end of the line, scooping up your data.
An attack targeting a firm’s top executives is called “whaling” — because they’re the biggest fish, get it? These also tend to be highly targeted, sometimes made to look like urgent messages from a business associate. If the executive falls for the attack, by opening an attachment or clicking a link, malicious code, or “malware,” can be downloaded to their computer. That’s all it takes for a computer to be compromised. An attacker can gain access to the company’s network and infect other computers, or read files on the executive’s computer.
While phishing takes place with alarming regularity, more often than not, successful phishing attacks go unreported. There are several reasons for the lack of reporting. Organizations subject to phishing don’t want to publicize the success of an attack at the risk of attracting additional attempts. Additionally, it may take the company months, sometimes years, to uncover evidence of a phishing scheme. Neither the fact that an attack occurred nor that it took months to detect plays well in the court of public opinion – especially if cybercriminals used their access to steal sensitive customer data.
Nonetheless, attacks against notable victims including RSA, Sony, Home Depot, JP Morgan Chase, and Anthem show that despite dramatic increases in investment in cybersecurity technology and concerted efforts to educate executives, employees, and contractors about the characteristics of a phishing attack, cybercriminals continue to breach corporate networks with impunity. And it’s not just businesses that struggle to combat the threat; in the United States political arena, individuals on both sides of the aisle have found their emails posted online for public consumption.
In the fight against phishing, some organizations believe the myth that security training is the most effective way to prevent a phishing attack. While training is undoubtedly beneficial in helping individuals understand the severity of the threat, and the characteristics of a phishing email, expecting employees and executives to keep what they learned at the forefront of their mind is unrealistic.
Even if an individual paid close attention during every security training, cybercriminals design phishing attacks using all manner of psychological techniques to cause the recipient to react and engage in the behavior specified in the email, and only after the fact think about the wisdom of their actions. By then, the damage is done.
Simply put, training matters, and it can help prevent phishing attacks, but it’s just one component of an effective anti-phishing program.
Despite the existence of perimeter defenses, spam filters, and ongoing employee education programs, phishing attacks remain the leading cause of data breaches. Whether an attack comes via email, the web, social, or network vectors, Area 1 Security’s cloud-native solution uses various tools and techniques, including globally-distributed attack sensors and a comprehensive suite of analytics, to identify and preempt phishing attacks in their infancy. And while many mass-market solutions cannot detect low-volume, highly targeted attacks, Business Email Compromise schemes often exact the most financial damage. Area 1 Security’s solution takes preemptive measures to thwart phishing across all attack vectors – including highly sophisticated BEC.