
All You Need to Know About Phishing

What is phishing?

Phishing can be defined as a fraudulent attempt by attackers to lure a person into divulging sensitive information such as usernames, passwords, or credit/debit card details, by presenting themselves as a trustworthy and legitimate entity. Unlike many other cyberthreats, phishing will continue to be a prominent issue because it is the prime delivery mechanism for most malware infections. A phishing attack by itself neither harms your system nor benefits the threat actors much; the damage comes from what follows a successful attack. Successful phishing attacks are followed by other attacks, such as malware and ransomware, that harm the system and yield financial gains.

How does phishing work?

Phishing attacks rely on different informational hooks, ranging from the personal to the political. Even the current COVID-19 pandemic is seen by attackers as an opportunity for financial gain. As the public relies extensively on digital media for information and advice about the pandemic, people unknowingly tend to fall victim to phishing attacks designed around it. For example, attackers use the latest news items to lure victims into clicking a link or downloading an attachment, which installs malware onto their systems. The number of steps involved varies with the type of phishing attack. The most advanced methods involve the use of AI (artificial intelligence), which, for example, could record and analyze the voice pattern of the head of an organization and synthesize a call, with responses generated on the fly, that authorizes and orders an immediate transfer of a large sum of money.

Types of phishing attacks

Based on the different modes it utilizes and the different methods involved, any phishing attack can be classified into one of the categories below:

1. Spear phishing

This type of phishing involves customized emails or campaigns, tailor-made to match the interests of a specific target so that they seem more relatable and less suspicious. To attempt this, thorough reconnaissance on the part of the attacker is required, to obtain as much information as possible about the victim. The usable information from the reconnaissance can include the names and email addresses of people the target is familiar with, giving the target the false belief that they know the origin of the mail.

2. Smishing

This type of phishing is carried out over SMS (hence the name smishing) and is the most common form of mobile-based phishing. It is one of the oldest and most commonly known scams, in which the threat actor lures less informed victims with lottery schemes.

3. Whaling

Whaling is a type of spear-phishing attack that targets a probable victim who could yield larger financial gains: for example, senior executives and other high-profile people, such as C-suite executives, whose level of trust, access, and authority within an organization is higher. The example of the use of artificial intelligence (AI) described above could also be classified in this category.

4. Clone phishing

Clone phishing can be defined exclusively as an email-based phishing attack that involves extensive reconnaissance, with the phishing email built upon its output. For example, if a previously delivered legitimate email between two parties is leaked, its contents can be used to create an identical or cloned email. The attachment or link from the original email is replaced with a malicious URL or attachment, and the clone is then sent to the target from an email address whose domain resembles that of the original sender. This mail would generally appear as a resend of, or a follow-up to, the original.

5. Link manipulation

Link manipulation is part of most classic phishing mails: the original link in the mail is replaced by a malicious one. This can be developed further into website forgery. Misspelled URLs or deceptive subdomains are commonly used in phishing, with the major part of the link kept intact. The attack relies on the common human habit of not reading the complete link and checking its real destination.
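The checks a mail gateway or a user-side tool can make against link manipulation, as an added example that is not part of the original article: it parses the anchors in an HTML mail body, compares the domain shown in the visible link text with the domain the href really points to, flags a trusted domain buried as a subdomain of an unrelated registrable domain, flags one- or two-character misspellings of a trusted domain, and flags non-HTTPS links. The sample mail body and the trusted-domain list are constructed for the example, and the "last two labels" rule for the registrable domain is a simplification (a real tool would use the public suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification (assumption): the last two labels. Real tools use the public suffix list.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


_DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def find_link_mismatches(html_body, trusted_domains):
    """Return a list of {href, text, reasons} for anchors that look manipulated."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        href_dom = registrable_domain(host)
        reasons = []
        # The visible text names one domain while the link goes to another.
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(0)) != href_dom:
            reasons.append("display-mismatch")
        for trusted in trusted_domains:
            # e.g. trusted.com.something.example: the trusted name is only a subdomain
            if trusted in host and href_dom != trusted:
                reasons.append("trusted-as-subdomain")
            # e.g. a single swapped character that a reader skims past
            if 0 < edit_distance(href_dom, trusted) <= 2:
                reasons.append("lookalike-domain")
        if parsed.scheme != "https":
            reasons.append("insecure-scheme")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample mail body: two manipulated links and one genuine one.
SAMPLE_MAIL = """
<p>Your account needs attention.</p>
<a href="https://paypal.com.account-verify.example/login">https://www.paypal.com/</a><br>
<a href="http://paypa1.com/reset">Reset password</a><br>
<a href="https://www.paypal.com/help">Help center</a>
"""

if __name__ == "__main__":
    for finding in find_link_mismatches(SAMPLE_MAIL, ["paypal.com"]):
        print(finding)
```

Run against the constructed body, the first anchor is reported for both the text/href mismatch and the trusted name used as a subdomain, the second for the look-alike spelling and the plain-HTTP scheme, and the genuine help link produces no finding.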

6. Filter evasion

Phishing emails need to bypass mail filters (also known as spam filters) that would otherwise mark them as spam and move them to the spam folder. Some of the less sophisticated evasion methods embed the malicious link in an image instead of text, making it harder to detect, because basic spam filters rely on a repository of distinctive spam words to recognize and classify a mail as genuine or spam.

7. Website forgery

As the name suggests, the scammers create fake websites that look exactly like the original, or sometimes use JavaScript to alter the address bar of the malicious website to make it look legitimate. Sometimes existing flaws in an original website's scripts can also be exploited by the attackers to hijack the webpage itself. This type of attack is also known as cross-site scripting, and it prompts the user to sign in (which is normal behavior on the original site). Everything from the web address to the security certificate appears to be correct, but in reality the website has been injected with malicious scripts, making the attack very difficult to identify without professional knowledge.

8. Covert redirect

Covert redirect is a more sophisticated and evolved form of website forgery that makes use of a legitimate website in the initial stages but eventually redirects the user to a malicious website. Sometimes malicious browser extensions or cookies are used to redirect users to phishing websites covertly. This is only possible if the attacker has already gained control of the actual webpage.

9. Social engineering

Though social engineering is a wide topic, the degree to which it is used in phishing attacks has led it to be classified as one of phishing's many types. Social engineering uses psychological manipulation to trick a person into divulging sensitive information, clicking a malicious link, or downloading an attachment. For example, the recent COVID-19 pandemic has aroused the interest of many people in reading news and updates related to healthcare. As a result, many threat actors have developed fake news items, blogs, health updates, or maps to lure people into clicking those links.

10. Voice phishing

Not all phishing attacks require a fake website or email. Calls that claim to be from a bank or another legitimate organization, prompting users to reveal sensitive and financially damaging information such as account numbers, PINs, or passwords, are termed voice phishing, or vishing. As described above, the use of AI (artificial intelligence) has made some jaw-dropping advances in this area.

What is the aim of the attackers?

The reason for any hacker to attempt a cybercrime may vary from financial motivation to state sponsorship, with the former accounting for 71% of all cases. The top three industries most affected by phishing are the public sector, information, and financial services. As described earlier, phishing attacks are merely the first stage of a sophisticatedly designed larger attack, and follow-up attacks such as malware deployment and ransomware form an important part of the overall cyberattack. Nevertheless, the ability of these follow-up attacks to damage a system depends on the success of the phishing attack. Thus, it is not surprising that Google blocks more than 100 million phishing emails each day as hackers try to steal sensitive information and deploy malicious software.

How common are phishing attacks?

The year 2019 saw a sharp increase in these attacks, and reports state that 94% of malware was delivered via email. A spike in phishing cases and the corresponding hacker activity was noted in comparison with previous years. As phishing attacks are not malware in themselves, the effectiveness of cybersecurity tools and techniques drops sharply, since those tools are built around the technical mechanics of cyberattacks and are engineered to find and provide technical solutions. Consider the basic example of spam filters that are based on Bayes' theorem (such as the naive Bayes spam filter) to determine the probability that a particular mail is spam. The filter matches the words in the mail against the words generally used in spam emails and, based on the match percentage, declares the mail genuine or spam. However, the same cannot be said for phishing emails, because, as described earlier, spear and clone phishing emails are designed sophisticatedly to appear legitimate.
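The naive Bayes filter described above, as an added example that is not part of the original article, with a second test mail that shows its limitation: the filter is trained on a small constructed corpus of lottery-style spam and ordinary business mail, and it then scores a classic lottery scam and a spear-phishing mail whose wording is copied from normal business traffic. The training corpus, the two test mails, and the function and class names are all constructed for this example; a real filter learns from thousands of messages.

```python
import math
import re
from collections import Counter

_TOKEN = re.compile(r"[a-z0-9']+")


def tokenize(text):
    return _TOKEN.findall(text.lower())


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes with Laplace smoothing over a bag of words."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        tokens = tokenize(text)
        self.word_counts[label].update(tokens)
        self.doc_counts[label] += 1
        self.vocab.update(tokens)

    def _log_score(self, tokens, label):
        # log P(label) + sum of log P(word | label); smoothing keeps unseen pairs non-zero
        total_words = sum(self.word_counts[label].values())
        denominator = total_words + self.alpha * len(self.vocab)
        score = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for token in tokens:
            score += math.log((self.word_counts[label][token] + self.alpha) / denominator)
        return score

    def spam_probability(self, text):
        # Words never seen in training carry no evidence either way, so drop them.
        tokens = [t for t in tokenize(text) if t in self.vocab]
        log_spam = self._log_score(tokens, "spam")
        log_ham = self._log_score(tokens, "ham")
        diff = log_ham - log_spam
        if diff > 700:  # avoid overflow in exp(); the mail is overwhelmingly ham
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))


# Constructed training corpus (a real filter would learn from thousands of mails).
SPAM_TRAINING = [
    "Congratulations winner! You have won the lottery, claim your free prize now",
    "Urgent: click here to claim your prize money before the offer expires",
    "Free gift card winner, click the link and claim your reward today",
    "You are selected for a cash prize, act now and claim your winnings",
]
HAM_TRAINING = [
    "Hi team, the quarterly report is attached, please review before the meeting",
    "Can you send me the invoice for the project we discussed in the meeting",
    "Reminder: project status review is scheduled for Thursday, agenda attached",
    "Thanks for the report, I will review the numbers and reply after the call",
]

# Constructed test mails: a lottery scam, and a spear-phishing mail whose wording is
# copied from ordinary business traffic even though its attachment is malicious.
LOTTERY_SCAM = "Winner! Click here to claim your free prize now"
SPEAR_PHISH = ("Hi Priya, the quarterly report we discussed in the meeting is attached, "
               "please review it before the project call")


def build_demo_filter():
    nb = NaiveBayesSpamFilter()
    for mail in SPAM_TRAINING:
        nb.train(mail, "spam")
    for mail in HAM_TRAINING:
        nb.train(mail, "ham")
    return nb


if __name__ == "__main__":
    nb = build_demo_filter()
    print("lottery scam  P(spam) = %.4f" % nb.spam_probability(LOTTERY_SCAM))
    print("spear phish   P(spam) = %.4f" % nb.spam_probability(SPEAR_PHISH))
```

The lottery scam scores close to 1 because every one of its words appears only in the spam corpus, while the spear-phishing mail scores close to 0 for the mirror-image reason: it contains nothing but words the filter has learned to associate with legitimate mail, which is exactly why word-based filtering alone does not stop targeted phishing.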

Phishing statistics

  • The year 2019 saw a sharp rise in phishing activities, with nearly 71% of phishing attacks being financially motivated, as reported by security experts. Nearly 29% of breaches involved the use of stolen credentials and nearly 33% of breaches used social engineering. Contrary to the general assumption that large organizations are the frequent targets of phishing attacks, nearly 43% of breaches involve small-scale businesses and industries.
  • Spear phishing is surging in use, with 65% of cases using spear phishing as the primary vector for malware deployment, and 0.5% of URLs used in mails identified as malicious. Smaller organizations again are found to be highly targeted: with nearly 2% of employees being the target of sophisticated phishing attacks, and 1 in every 323 mails received identified as a phishing mail, awareness among employees has become a necessity.
  • The threat of phishing in corporate sectors is intense, with 48% of identified malicious email attachments being Office files and scripts, and nearly 22% of organizations recognizing phishing as their greatest security threat. Organizations understand the losses phishing threats can cause, with nearly 34% of organizations seeing unawareness and carelessness of employees as a potential vulnerability.

COVID-19 and phishing

With the coronavirus pandemic affecting everything and everyone, from individuals to major corporate firms, its impact upon the cybersecurity landscape cannot be ignored. Many regional and global cybersecurity institutions have reported a spike in cybercrime throughout the globe. A sharp rise in phishing cases and hacker activity has been noted during the global outbreak of the novel coronavirus.

  • ‘Skynew’ reported the targeting of health care workers by cybercriminals via email scams luring them to register for a (fake) survey on coronavirus, aimed at obtaining their personal information.
  • ‘Check Point’ reported in its research that the Mongolian public sector was targeted with phishing emails trying to appear as coronavirus briefings published by the Mongolian Health Ministry.
  • An Illinois public health agency reported a ransomware attack by a relatively new ransomware called ‘NetWalker’, resulting in its main website being disabled.
  • ‘The Sydney Morning Herald’ also reported a 130% increase in smishing messages and a substantial rise in email scams targeting health care workers to obtain personal and financially damaging information.

These attacks show that threat actors tend to exploit such situations for financial gain or other malicious purposes. The current COVID-19 pandemic is being exploited by these attackers to cash in on the fear and curiosity of people and to spread false and misleading information.

Though phishing was not uncommon before the havoc of COVID-19, now that many organizations are busy combating the spread of the pandemic, threat actors are trying to exploit the constrained manpower and resources committed to combating cyberattacks. Currently, the major sector being targeted is the business sector, which is already slumping due to market conditions. In many countries, because of lockdown and self-quarantine rules, employees are working remotely and are away from the organization’s security infrastructure. These endpoints are vulnerable to phishing emails: an organization would normally incorporate many anti-phishing measures into its security infrastructure, but during this crisis many organizations and government bodies are focusing their attention mainly on fighting the spread of the disease. Hence, the manpower and resources committed to cybersecurity are stretched thin, and, like any other business process, cybersecurity depends on many other branched sources and processes to form the network of security operations; the closure of even one vertical will hit the efficiency of the entire network.

Irrespective of the security measures in place, even a well-secured network can still be hacked if the user is not aware of cybersecurity threats and their prevention. Consider, for example, phishing attacks that prompt users to log into a malicious OneDrive page, thereby siphoning their username and password to gain access to their system. Once the phishing attack is successful, the credentials for both cloud and VPN access can be obtained easily by dropping sniffers and decryption tools onto the user’s system: the sniffers search for logs or files in which the credentials might have been stored, and the decryption tools work on weak symmetric ciphers. This supports the view of security experts who believe that users are the first line of defense against phishing attacks.

Mitigations

As discussed earlier, the mitigation of phishing attacks cannot be based solely on technical solutions and needs a more flexible and robust approach. As the user can be considered the first line of defense against any cyberattack, knowledge of how to tackle phishing attacks is the most important measure. The measures that can help individuals and organizations prevent phishing can be listed as:

  1. The basic prevention for phishing attacks can be achieved through anti-phishing education, training, and awareness like:
    • Do not open suspicious emails or emails from senders you have not subscribed to
    • Training simulation with the employees to increase their security awareness surrounding the issue
    • Spreading awareness through social media and other platforms (mostly carried out by government bodies) against fraudulent messages and emails promising lucrative benefits
    • Check the domain name of sender’s email
    • Do not visit any website that is not secure with HTTPS
    • Ensure that your antivirus software is up-to-date and scan your computer regularly for threats
    • Reconfirm all money-related emails or calls with appropriate authorities such as banks or government helpdesks
  2. Corporate organizations can acquire and incorporate phishing simulations and awareness training into their security infrastructure to help employees defend against phishing attacks, such as:
    • Precautions for remote workers to follow for cloud and VPN access
    • Compilation of security policies and guidelines that help educate employees about phishing
    • Educating IT security professionals on handling and mitigating phishing attacks
    • Training for security responsibilities in the event of a phishing attack
    • Training through demo phishing simulations that mimic real-life attack scenarios by sending employees phishing emails to gauge their susceptibility to phishing. Based on the results, tailored education and mitigation knowledge is provided to users who fail the phishing test.
    • Incorporating solutions from third-party vendors with expertise in anti-phishing training, who teach users how to identify and avoid such attacks
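The "check the domain name of the sender's email" advice above, turned into a header check a mail client plug-in or gateway rule could run, as an added example that is not part of the original article: it reads the From, Reply-To and Return-Path headers, and reports a display name that borrows a trusted brand while the address sits on another domain, a trusted domain buried inside a longer unrelated one, and reply or bounce addresses that point somewhere other than the From domain. The trusted-domain set and both sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed: domains the organization treats as genuine senders (assumption).
TRUSTED_DOMAINS = {"examplebank.com"}


def domain_of(address):
    return address.rpartition("@")[2].lower()


def check_sender_headers(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of reasons the sender headers of a mail look suspicious."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        # Display name borrows a trusted brand, but the address is somewhere else.
        if brand in from_name.lower() and from_domain not in trusted_domains:
            findings.append(f"display-name-spoof: '{from_name}' sent from {from_domain}")
        # Trusted domain used as a label inside a longer, unrelated domain.
        if from_domain != trusted and trusted in from_domain:
            findings.append(f"subdomain-lookalike: {from_domain}")

    # Replies would go to a different domain than the one shown to the reader.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to-mismatch: {domain_of(reply_addr)}")

    # Envelope sender (bounce address) disagrees with the From header.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"return-path-mismatch: {domain_of(return_path)}")
    return findings


# Constructed sample messages; headers only, bodies shortened.
SUSPICIOUS_MAIL = """\
Return-Path: <bounce@mail-handler.example>
From: "ExampleBank Security" <alerts@examplebank-secure.co>
Reply-To: verify@mail-handler.example
Subject: Urgent: confirm your account details

Please confirm your account within 24 hours.
"""

GENUINE_MAIL = """\
Return-Path: <alerts@examplebank.com>
From: "ExampleBank" <alerts@examplebank.com>
Subject: Your monthly statement is ready

Log in through the app to view your statement.
"""

if __name__ == "__main__":
    print(check_sender_headers(SUSPICIOUS_MAIL))  # three findings
    print(check_sender_headers(GENUINE_MAIL))     # no findings
```

None of these checks proves a mail is malicious on its own (mailing-list software legitimately rewrites Return-Path, for instance), which is why they are best surfaced to the reader as warnings next to the message rather than used to silently discard it.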

Knowing about phishing only theoretically may not be sufficient: even if a person knows that email phishing is carried out by sending malicious or spam emails, the individual may still be unable to distinguish a benign email from a malicious one when faced with an actual phishing email. Thus, it is important to have practical experience in dealing with phishing attacks.