Phishing scams on the rise in Singapore

ST Logistics, a private vendor for the Singapore Armed Forces (SAF) that provides third-party logistics such as equipping services and e-mart retail, and the HMI Institute of Health Sciences have both reported recent cybercrime incidents. In December 2019, SAF confirmed that, as a result of phishing activity, the personal data of 2,400 SAF employees may have been compromised; this figure is a projection based on the total data held in the affected system.

In an unrelated incident, the HMI Institute of Health Sciences reported a probable compromise of 120,000 individuals' records, including 98,000 records of SAF personnel, following a ransomware attack on one of its servers. The affected SAF servicemen had attended cardiopulmonary resuscitation and automated external defibrillation courses conducted by HMI.

Both HMI and ST Logistics carried out extensive forensic investigations into these incidents with their own cybersecurity teams and with the support of external cybersecurity experts. The affected data consisted of personal information such as names, email addresses, contact numbers, NRIC numbers, birth dates and addresses. Although neither organization provided exact details of the breaches, one element common to both incidents was phishing.

Phishing

Phishing attacks are the entry point for a majority of advanced and damaging malware attacks. Although the follow-up stages form the important part of any cyberattack, their ability to damage a system depends on the success of the initial phishing scam. There are several types of phishing attack.

Phishing types

  • Spear phishing: Personalized phishing attempts crafted for a specific person or organization are called spear phishing. Unlike regular phishing, threat actors generally conduct reconnaissance to gather information about their victim in order to look less suspicious and increase their probability of success.
  • Whaling: Whaling is the next step up from spear phishing, targeting senior executives and other high-profile employees in an organization, such as managers and above.
  • Clone phishing: Clone phishing involves extensive reconnaissance into previously delivered emails or attachments, and the phishing email is built from them. Once leaked, the email or documents are used to create an identical or cloned email. The attachment or link from the original email is replaced with a malicious URL or malware, and the result is sent from an email address resembling the original domain so that it appears to be a resend of the original or a follow-up.
  • Link manipulation: Using technical deception to make a link appear to belong to a legitimate organization is known as link manipulation. Misspelled URLs and misleading subdomains are the most common ways to introduce malicious websites into the phishing process. Another common trick is to make the displayed text of a link look legitimate using HTML, so that when you hover over the link it shows the trusted website's name while the underlying address points elsewhere.
  • Filter evasion: Phishing emails must evade the mail filters that would otherwise mark them as spam. Common evasion methods include clone phishing and the use of images instead of text, which makes the messages harder for anti-phishing filters to detect, since such filters commonly rely on a repository of words classified as phishing or spam.
  • Website forgery: As the name suggests, scammers create fake websites that look exactly like the original, sometimes using JavaScript to alter the address bar of the malicious site so that it shows the original's address. Sometimes existing flaws in a trusted website's scripts are used against it by attackers to hijack the page; this technique is known as cross-site scripting. The user is prompted to sign in at what is the legitimate web page, where everything from the web address to the security certificate appears correct, but the page has been injected with malicious code, making the attack very difficult to identify without professional knowledge.
  • Covert redirect: Covert redirect is a more sophisticated phishing method that makes use of a legitimate website but eventually redirects the user to a malicious one; malicious browser extensions are sometimes used to redirect users to phishing sites covertly. Unlike normal phishing websites, which are relatively easy to spot because of anomalies in the URL or the site itself, a covert redirect involves an authentic website corrupted with nothing more than a simple popup box that prompts users to log in, stealing their credentials and simultaneously redirecting them to the malicious site. More sophisticated variants abuse flaws in, or the default behavior of, a website's handling of third-party links (which is common and looks least suspicious), such as the prompt to authorize an application or website. For example, if you click a malicious link embedded in a web page, the page asks whether you would like to authorize the app or website associated with that link. If the user does authorize it, a "token" is sent to the attacker, which may grant access to the user's personal and sensitive information: email address, birth date, contacts, search history, name, username and password could be compromised, and depending on the privileges of the token, the threat actor may also be able to control access to the user's account.
  • Social engineering: Social engineering uses social pretexts to prompt a person to click on malicious links or attachments. For example, the COVID-19 pandemic has raised many people's interest in reading news and updates related to healthcare, and in response many threat actors have produced fake news, blogs, health updates and maps to lure people into clicking those links.
  • Voice phishing: Not all phishing attacks require a fake website or email. Calls or messages that claim to be from a bank or another legitimate organization and prompt users to reveal their account numbers, PINs, passwords and so on are termed vishing, or voice phishing.
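The link manipulation and subdomain tricks described above can be checked mechanically at a mail gateway. The following is an added example, not code from the article or from any vendor it mentions: it parses an HTML message body and flags anchors whose visible text names one host while the href points to another, and hrefs whose hostname embeds a trusted brand name inside a foreign domain. The allow-listed host and the sample message are constructed.

```python
import re
from html.parser import HTMLParser

TRUSTED_HOSTS = {"examplebank.com"}  # assumed allow-list of legitimate hosts
# Bare or http(s) URL; group 1 is the hostname.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?$", re.I)

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Hostname if the string looks like a URL or bare domain, else None."""
    match = _URLISH.match(value.strip())
    return match.group(1).lower() if match else None

def analyse_links(html):
    """Return (href, reason) findings for anchors that show link manipulation."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host, text_host = _host(href), _host(text)
        if href_host is None:  # mailto:, relative links, IP literals: not checked here
            continue
        trusted = any(href_host == t or href_host.endswith("." + t) for t in TRUSTED_HOSTS)
        if text_host and text_host != href_host:  # displayed host differs from real host
            findings.append((href, f"text shows {text_host}, link goes to {href_host}"))
        elif not trusted and any(t.split(".")[0] in href_host for t in TRUSTED_HOSTS):
            findings.append((href, f"lookalike host {href_host}"))  # brand name embedded
    return findings

# Constructed sample message: one benign link, one mismatched link, one lookalike host.
SAMPLE_EMAIL = """<p>Your statement is ready.</p>
<a href="https://login.examplebank.com/statements">View statement</a>
<a href="http://evil-login.example/verify">https://examplebank.com/verify</a>
<a href="https://examplebank.com.secure-login.example/reset">Reset password</a>"""
```

Running `analyse_links(SAMPLE_EMAIL)` reports the second and third links and leaves the genuine subdomain alone; misspelled brand names and IP-literal hosts would need additional rules.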

Solution

For a non-technical person, phishing prevention is improved by the anti-phishing education and awareness programs provided by reputable organizations such as OhPhish, KnowBe4 and Infosec, which offer education and training for an organization's employees against phishing attacks. Understanding phishing only in theory is not sufficient: even if a person knows that phishing is done via malicious or spam emails, they cannot necessarily tell a benign email from a malicious one. Practical experience of phishing attacks and how to handle them is therefore very helpful. OhPhish provides simulated phishing campaigns that send employees phishing emails, monitor their responses, and tailor education and mitigation training to the results.

As the user is the first line of defense against any cyberattack, knowing how to handle phishing attacks is highly important. Anti-phishing education organizations can not only help educate an organization's employees on ways to recognize and handle phishing emails, but also offer the advice and training of security experts along the way. Training IT staff on the different modes of phishing can cover:

  • Precautions for remote workers using cloud and VPN access
  • Compilation of security policies and guidelines that help educate workers about phishing
  • Educating IT security professionals on handling and mitigating phishing attacks
  • Training on security responsibilities in the event of a phishing attack
  • Training through simulations of real-time phishing attacks
  • Education and awareness of the different types of phishing and their prevention for both technical and non-technical personnel

FAQs

Q. What is spear phishing?

A. Spear phishing is a targeted attack where the attacker researches the victims before sending a personalized message or email.

Read more at: https://blog.eccouncil.org/4-types-of-cyberattacks-that-youre-most-likely-to-face/

Q. How is spear phishing different from phishing?

A. While phishing is the broader term, spear phishing emails are a targeted approach, where the attacker targets either a single recipient or a group of recipients who share the same characteristics.

Read more at: https://blog.eccouncil.org/spear-Phishing-101-how-it-differs-from-Phishing/

Q. What are the different phishing scams?

A. There are multiple types of phishing attacks, such as email phishing, spear phishing, whaling, angler phishing, smishing and vishing.

Read more at: https://blog.eccouncil.org/5-Phishing-scams-that-keep-cybersecurity-professionals-up-at-night/

References:

https://www.straitstimes.com/Singapore/personal-data-of-2400-mindef-saf-staff-may-have-been-leaked