
All You Need to Know About Phishing
What is phishing?
Phishing can be defined as a fraudulent attempt by hackers to lure a person into divulging sensitive information such as usernames, passwords, credit/debit card details, etc., by disguising themselves as a trustworthy and legitimate entity. Unlike other cyberthreats, phishing has been and will continue to be a prominent issue, as it is the prime mode of delivery for most malware infections. A phishing attack by itself neither harms your system nor benefits the threat actors much; what matters is what comes after, which depends on the success of this attack. Successful phishing attacks are followed by other attacks, such as malware and ransomware, that can harm your system and yield financial gains.
How does phishing work?
Phishing attacks rely on different informational aspects, ranging from personal to political. Even the current COVID-19 pandemic is seen by threat actors as an opportunity to gain financial benefits. As the public relies extensively on digital media for information and advice about this pandemic, people unknowingly tend to fall victim to phishing attacks designed by threat actors. For example, attackers use the latest news items to lure victims into clicking on a link or downloading attachments, which install malware onto their systems. The number of steps involved in these processes differs with the type of phishing attack. The most advanced methods involve the use of AI (artificial intelligence), which, for example, could record and analyze the voice pattern of the head of an organization and recreate a call with unlimited responses to authorize and order an immediate transfer of a huge sum of money.
Types of phishing attacks
Based on the different modes it utilizes and the different methods involved, any phishing attack could be classified into one of the below categories:
1. Spear phishing
This type of phishing involves customized emails/campaigns, tailor-made to match the interests of a specific target so that they seem more relatable and less suspicious. To attempt this, thorough reconnaissance is required on the part of the attacker, to obtain as much information as possible about the victim. The usable information from the reconnaissance can include the names and email addresses of people the target is familiar with, giving the target the false belief that they know the origin of the mail.
2. Smishing
This type of phishing is carried out over SMS (hence the name smishing). It is more common with mobile-based phishing attacks. It is one of the oldest and most commonly known scams, where the threat actor lures less educated victims via lottery schemes.
3. Whaling
Whaling is a type of spear-phishing attack that targets a probable victim who could yield larger financial gains, for example, senior executives and other high-profile people whose level of trust, access, and authority is higher within an organization, such as C-Suite executives. The above-described example of the use of artificial intelligence (AI) could also be classified in this category.
4. Clone phishing
Clone phishing can be defined as an exclusively email-based phishing attack that involves extensive reconnaissance, with the phishing email being developed from its output. For example, a previously delivered legitimate email between two parties, if leaked, could have its contents used to create an identical, or cloned, email. The attachment or link from the previous email is replaced with malicious URLs or attachments, and the cloned email is then sent to the target from an email ID with a domain address similar to that of the original counterpart. This mail would generally appear as a resend of the original or a follow-up.
5. Link manipulation
Link manipulation is a part of most classic phishing mails, where the original link in the mail is replaced by a malicious one. This can be developed further into website forgery. Misspelling the URL or using subdomains is common in the phishing process, with the major part of the link kept intact. The attack cashes in on the common human habit of not reading and deciphering the complete link.
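The two tricks named above, misspelled domains and trusted names pushed into a subdomain, can be checked mechanically. The following is an added example, not part of the original article: the trusted domains and sample URLs are constructed, and treating the last two labels as the registrable domain is a simplifying assumption (a production check would consult the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation really uses (assumption).
TRUSTED = ("northwind.example", "fabrikam.example")

def registrable(host):
    """Naive registrable domain: the last two labels of the host name."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_link(url):
    """Return 'trusted', 'misspelled-domain', 'brand-in-subdomain' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    subdomain_labels = host.split(".")[:-2]
    for good in TRUSTED:
        # A near miss of a trusted domain is the misspelling trick.
        if 0 < edit_distance(domain, good) <= 2:
            return "misspelled-domain"
        # The trusted name is present, but only to the left of the part
        # of the host name that decides who owns the site.
        if good.split(".")[0] in subdomain_labels:
            return "brand-in-subdomain"
    return "unknown"

if __name__ == "__main__":
    for sample in ("https://portal.northwind.example/login",
                   "https://northwlnd.example/login",
                   "https://northwind.example.secure-login.test/login",
                   "https://news.invalid/story"):
        print(f"{classify_link(sample):20} {sample}")
```

A mail gateway or awareness tool can run a check like this on every link in a message and flag anything that is not classified as trusted.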
6. Filter evasion
Phishing emails need to bypass mail filters (also known as spam filters), which generally mark them as spam and move them to the trash/spam box. Some of the less sophisticated evasion methods use images embedded with malicious links instead of text, making the emails harder to detect, as basic spam filters rely on distinct (spam) words in their repository to recognize and classify whether a mail is genuine or spam.
7. Website forgery
As the name suggests, scammers create fake websites that look exactly like the original, or sometimes use JavaScript commands to alter the address bar of the malicious website to make it look legitimate. Sometimes existing flaws in an original website's scripts can also be exploited by the attackers to hijack the webpage itself. This type of attack is also known as cross-site scripting and prompts the user to sign in (which is common behavior of the original site). Everything from the web address to the security certificates appears to be correct, but in reality the website has been injected with malicious scripts, making it very difficult to identify without professional knowledge.
8. Covert redirect
Covert redirect is a more sophisticated and evolved form of website forgery that makes use of a legitimate website in the initial stages but eventually redirects the user to a malicious website. Sometimes malicious browser extensions/cookies are used to redirect users to phishing websites covertly. This is only possible if the attacker has already gained control of the actual webpage.
9. Social engineering
Though social engineering is a wide topic, the degree of its use in phishing attacks has led it to be classified as one of the types of phishing. Social engineering uses psychological manipulation to trick a person into divulging sensitive information, clicking on a malicious link, or downloading an attachment. For example, the recent COVID-19 pandemic has aroused the interest of many people in reading news and updates related to healthcare. As a result, many threat actors have developed fake news items, blogs, health updates, or maps to lure people into clicking those links.
10. Voice phishing
Not all phishing attacks require a fake website or email. Calls that claim to be from a bank or a legitimate organization, prompting users to reveal sensitive and financially damaging information such as account numbers, PINs, passwords, etc., are termed voice phishing or vishing. As described above, the use of AI (artificial intelligence) has made some jaw-dropping advances in this area.
What is the aim of the attackers?
The reason for any hacker to attempt a cybercrime may vary from financial motivation to state sponsorship, where the former accounts for 71% of the total cases. The top three industries most affected by phishing are public, information, and financial services. As described earlier, phishing attacks are merely the first stage of a larger, sophisticatedly designed attack, and follow-up attacks such as malware deployment, ransomware, etc. form an important part of the cyberattack. Nevertheless, the ability of these follow-up attacks to deal damage to a system depends on the success of the phishing attack. Thus, it is not uncommon to see Google block more than 100 million phishing emails each day as hackers try to steal sensitive information and deploy malicious software.
How common are phishing attacks?
The year 2019 saw a sharp increase in these attacks, and reports state that 94% of malware was delivered via email. A spike in phishing cases and the corresponding hacker activity was noted in comparison with previous years. As phishing attacks are not malware in themselves, the effectiveness of cybersecurity tools and techniques drops sharply, as these are predicated on the technical concepts and functioning of cyberattacks and are engineered to find and provide technical solutions. Consider the basic example of spam filters that are based on Bayes' theorem (like the Naïve Bayes spam filter) to determine the probability of a particular mail being spam. The filter matches the words in the mail against the words generally used in spam emails and, based on the match percentage, declares the mail genuine or spam. However, the same cannot be said for phishing emails because, as described earlier, spear and clone phishing are sophisticatedly designed to appear legitimate.
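The limitation described above can be seen in a small word-based Naïve Bayes filter. The following is an added example, not part of the original article: the training mails and test messages are constructed, and equal priors with Laplace smoothing are assumptions. It shows why a word filter scores a lottery mail as spam but gives a low score to a cloned business mail, and has no evidence at all for a mail whose body is only an image.

```python
import math
from collections import Counter

# Constructed training mail, for illustration only.
SPAM = ["win free lottery prize now",
        "claim free prize money now",
        "free lottery winner claim money"]
HAM = ["please review the attached quarterly report",
       "meeting notes and updated invoice attached",
       "resending the invoice from our last meeting"]

def train(docs):
    """Count how often each word occurs in one class of mail."""
    counts = Counter(w for d in docs for w in d.lower().split())
    return counts, sum(counts.values())

SPAM_COUNTS, SPAM_TOTAL = train(SPAM)
HAM_COUNTS, HAM_TOTAL = train(HAM)
VOCAB = set(SPAM_COUNTS) | set(HAM_COUNTS)

def spam_probability(text):
    """P(spam | words) by Bayes' theorem, equal priors, Laplace smoothing."""
    log_spam = log_ham = math.log(0.5)
    for w in text.lower().split():
        if w not in VOCAB:
            continue  # words never seen in training carry no evidence
        log_spam += math.log((SPAM_COUNTS[w] + 1) / (SPAM_TOTAL + len(VOCAB)))
        log_ham += math.log((HAM_COUNTS[w] + 1) / (HAM_TOTAL + len(VOCAB)))
    return 1 / (1 + math.exp(log_ham - log_spam))

# Constructed test messages.
LOTTERY = "claim your free lottery prize"
CLONED = "resending the updated invoice from our meeting"  # text of a cloned mail
IMAGE_ONLY = ""  # body is a single image, so the filter sees no words

if __name__ == "__main__":
    for name, body in (("lottery", LOTTERY), ("cloned", CLONED),
                       ("image-only", IMAGE_ONLY)):
        print(f"{name:10} P(spam) = {spam_probability(body):.3f}")
```

The cloned mail's wording is indistinguishable from genuine correspondence, so the decision has to come from other signals such as the sender's domain and the link targets.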
Phishing statistics
COVID-19 and phishing
With the coronavirus pandemic affecting everything and everyone from individuals to major corporate firms, its impact on the cybersecurity landscape cannot be ignored. Many regional and global cybersecurity institutions have reported a spike in cybercrime throughout the globe. A sharp rise in phishing cases and hacker activity has been noted during the global spread of the novel coronavirus.
These attacks show that threat actors tend to exploit such situations for financial gain or other malicious causes. The current COVID-19 pandemic is being exploited by these attackers to cash in on the fear and curiosity of people and to spread false and misleading information.
Though phishing was not uncommon before the havoc of COVID-19, now that many organizations are busy combating the spread of this pandemic, threat actors are trying to exploit the constrained manpower and resources committed to combating cyberattacks. Like any other business process, cybersecurity depends on many other branched sources and processes to form a network of security operations; thus, the closure of even one vertical will hit the efficiency of the entire network. Currently, the major sector being targeted is the business sector, which is already slumping due to market conditions. In many countries, due to lockdown and self-quarantine rules, employees are working remotely and are away from the organization's security infrastructure. These endpoints are vulnerable to phishing emails: an organization would normally incorporate many security measures against phishing into its security infrastructure, but during this crisis many organizations and government bodies focus their attention mainly on fighting the spread of the disease, so the manpower and resources committed to cybersecurity are stretched thin.
Irrespective of the security measures in place, even a well-secured network could still be hacked if the user is not aware of cybersecurity threats and their prevention. Consider the examples above, in which the phishing attacks prompted users to log into a malicious OneDrive, thereby siphoning off their usernames and passwords to access their systems. Once the phishing attack is successful, the credentials for both cloud and VPN could be obtained easily by dropping sniffers and decryption tools into the user's system: the sniffers search for logs or files in which the credentials might have been stored, and the decryption tools work on weak symmetric ciphers. This supports the point of security experts who believe that users are the first line of defense against phishing attacks.
Mitigations
As discussed earlier, the mitigation of phishing attacks cannot be based solely on technical solutions and needs a more flexible and robust approach. As the user can be considered the first line of defense against any cyberattack, knowledge of how to tackle phishing attacks is of the greatest importance. The measures that can help individuals and organizations prevent phishing could be listed as:
Knowing about phishing only in theory may not be entirely sufficient: even if a person knows that email phishing is done by sending malicious/spam emails, that individual may still not be able to differentiate between a benign and a malicious email when faced with an actual phishing email. Thus, it is important to have practical experience in dealing with phishing attacks.