We define phishing as the “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information,” (Hadnagy & Fincher 2).
An estimated 98% of social attacks are phishing, or pretexting, and 96% of social attacks involve email according to the 2018 Verizon Data Breach Report. Phishing can involve an attachment within an email that loads malware onto a computer or a link to an illegitimate website that can trick an individual into handing over personal information. There are many different forms of attack commonly used via phishing. We have highlighted several, but this is by no means a complete list. Also remember that one key to phishing is for the attacker to appear to be something/someone they are not, which ties into the topic of impersonation as well.
NOTICE: This information should never be used to perform illegal acts! We discuss these details to help organizations think offensively about possible social engineering attacks and to help mitigate against these attacks.
URL and Email Manipulation
One reason why phishing schemes work so well is that people tend to trust messages that appear to come from an important entity or one that appears legitimate. The attacker can easily manipulate a URL to look very close to a name-brand, fooling the victim into clicking on it. For example, when a user scans over a URL like http://www.company.com, it looks almost identical to http://www.cornpany.com if the font is right. Another example would be a slight difference that still looks legitimate, such as support.amazon.com versus the more dangerous support-amazon.com. Chances are slim that the average user would be able to determine which is safe. By purchasing a domain that closely resembles the legitimate URL, the attacker sets up an email account and spoofs the website with very little time or effort involved.
Phish can get even more confusing when you are checking your email on the tiny screen of a smartphone or other mobile device, because you can’t hover over a link (to see where it goes) or see the whole email address of the sender. Criminals are smart and have figured out a few ways around those common safety tips, but there are still plenty who count on you not performing these simple checks, and given the number of people who check their email on their phone, they are correct.
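The lookalike domains described above (the “rn” for “m” swap in cornpany.com, and the hyphenated support-amazon.com standing in for support.amazon.com) can be caught mechanically on the defensive side. The following is an added example, not code from the original article or its authors: it folds a small, assumed table of confusable character sequences before comparing the registered domain against an assumed allowlist of trusted brand domains, and separately flags a brand name glued into a registered domain with a hyphen or underscore. The allowlist, the confusable table and the “last two labels” notion of a registered domain are all simplifying assumptions for the demonstration (a real deployment would use the public-suffix list).

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of brand domains the organisation wants to protect.
TRUSTED_DOMAINS = {"company.com", "amazon.com"}

# Assumed table of sequences that read alike in common sans-serif fonts.
# Multi-character entries come first so "rn" folds to "m" before single
# characters are considered.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]


def fold_confusables(label: str) -> str:
    """Normalise a hostname label so homoglyph variants compare equal."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (assumption: no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike-homoglyph', 'lookalike-brand-in-domain'
    or 'unknown' for the host part of a URL or bare hostname."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)

    # Exact match on the registered domain: support.amazon.com is amazon.com.
    if reg in TRUSTED_DOMAINS:
        return "trusted"

    # Homoglyph: after folding confusables the domain equals a trusted one
    # (cornpany.com -> company.com, c0mpany.com -> company.com).
    if fold_confusables(reg) in TRUSTED_DOMAINS:
        return "lookalike-homoglyph"

    # Brand name embedded in a separate registered domain with separators
    # (support-amazon.com is not amazon.com at all).
    brand_names = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    second_level = reg.split(".")[0]
    for part in re.split(r"[-_]", second_level):
        if part in brand_names or fold_confusables(part) in brand_names:
            return "lookalike-brand-in-domain"

    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, the two pairs from the article plus variants.
    for link in ("http://www.company.com", "http://www.cornpany.com",
                 "https://support.amazon.com/help", "https://support-amazon.com/help",
                 "c0mpany.com", "https://example.org"):
        print(f"{link:40} {classify_url(link)}")
```

The check is deliberately conservative: it only compares against the organisation’s own allowlist, so it produces no verdict on domains it knows nothing about, and the confusable table should be extended with the glyph pairs that matter for the fonts your mail clients render.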
Common Phishing Vectors
We’ve outlined four common phishing vectors, which we will explore in more depth. They are:
- Current Events and Charities
- Tech Support
- Financial Institutions
- Government Agencies
Current Events and Charities
Often, attackers will take advantage of natural disasters, large public events, holidays, or even massive data breaches to phish large groups of targets for information. An example of this is the 2017 Equifax data breach. Shortly after the breach, the Better Business Bureau (BBB) issued an alert that scammers had created 194 phishing websites just one day after the breach and the launch of the legitimate help websites. The BBB also warned about phishing emails requesting verification of transactions or asking recipients to check their account status.
Another example took place after the devastating Woolsey and Camp fires in California that left countless families homeless and grief-stricken. Attackers were quick to take advantage of this distressing tragedy. Agari issued an alert warning that criminals were specifically targeting workplaces. Posing as the targeted enterprise’s CEO, the attackers sent emails to employees in accounting, finance, or administration with instructions to purchase gift cards, purportedly to provide financial assistance for clients who were fire victims.
These scams are not limited to email and you might see them on Twitter or text/SMS as well. For more information on that check out: SMiShing
Tech Support
Impersonating tech support is an example of a classic attack vector that hasn’t changed much over time because it still works. The ubiquitous Microsoft tech support scam has been making the rounds in Indiana, USA. As reported by RTV6, a work-at-home senior received a pop-up message on her computer saying Microsoft had locked her computer due to malware and spyware. Her reaction? She panicked. “I was just like ‘let’s get this taken care of so I can work.’” In another report, a woman lost over $30,000 because of the Microsoft tech support scam.
Financial Institutions
Posing as a financial institution is a common tactic of malicious attackers. Criminals may not know what bank you use, but they do know that if they send out a round of emails posing as one of the well-known banks, the probability that it happens to be your bank is pretty high. In some cases, they might know that it’s your bank and have your name or even address to include in the email. All they need you to do is click that link or sometimes even open an attachment.
A phishing campaign impersonating Bank of America was recently spotted. Small- to medium-sized businesses appear to be the primary target. Some of the email subject lines are “Notice Concerning your CardMember Account”, “Reminder – We’ve issued a security concern (Action Required)”, and “REMINDER: A concern that requires your action.” The recipient is prompted to open an attached HTML phishing form requesting online account credentials, card number, security code, expiration date, mother’s maiden name, mother’s birth date, birth year, first elementary school name, and security PIN.
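An attached HTML form that collects credentials and card data, as in the Bank of America campaign above, is something a mail gateway or analyst script can inspect before a user ever opens it. The following is an added example, not code from the original article or from any vendor mentioned in it: it parses an HTML attachment with Python’s standard-library parser, counts password inputs and fields whose names hint at the data the article lists (card number, security code, expiration, maiden name, PIN), and notes whether the form posts to an external URL. The sample attachment, the hint list and the verdict thresholds are constructed for the demonstration and should be tuned against your own mail flow.

```python
import re
from html.parser import HTMLParser

# Assumed field-name hints: prefixes of the data a legitimate bank would not
# request through an emailed form (drawn from the campaign described above).
SENSITIVE_HINTS = ("pass", "card", "cvv", "secur", "expir",
                   "maiden", "birth", "school", "pin")


class CredentialFormScanner(HTMLParser):
    """Collect form actions and count credential-style inputs inside forms."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.form_actions = []
        self.password_fields = 0
        self.sensitive_fields = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.in_form = True
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and self.in_form:
            if a.get("type", "").lower() == "password":
                self.password_fields += 1
            # Look at name/id/placeholder as whole tokens so "shipping"
            # does not match the "pin" hint.
            text = " ".join((a.get("name", ""), a.get("id", ""),
                             a.get("placeholder", ""))).lower()
            tokens = [t for t in re.split(r"[^a-z0-9]+", text) if t]
            if any(t.startswith(h) for t in tokens for h in SENSITIVE_HINTS):
                self.sensitive_fields += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def scan_html_attachment(html: str) -> dict:
    """Return a summary dict with a 'suspicious' or 'clean' verdict."""
    p = CredentialFormScanner()
    p.feed(html)
    p.close()
    external_post = any(act.startswith(("http://", "https://"))
                        for act in p.form_actions)
    # Assumed thresholds: any form with a password box, or with two or more
    # sensitive-looking fields, is treated as a credential harvester.
    suspicious = bool(p.form_actions) and (
        p.password_fields > 0 or p.sensitive_fields >= 2)
    return {
        "forms": len(p.form_actions),
        "external_post": external_post,
        "password_fields": p.password_fields,
        "sensitive_fields": p.sensitive_fields,
        "verdict": "suspicious" if suspicious else "clean",
    }


# Constructed sample attachment modelled on the subject line quoted above;
# the action URL uses the reserved .invalid TLD and resolves nowhere.
SAMPLE_PHISHING_ATTACHMENT = """<html><body>
<h1>Notice Concerning your CardMember Account</h1>
<form method="post" action="https://example.invalid/collect">
  <input name="username" placeholder="Online ID">
  <input type="password" name="passcode">
  <input name="card_number" placeholder="Card number">
  <input name="security_code">
  <input name="expiration">
  <input name="mother_maiden_name">
  <input name="pin">
  <button type="submit">Verify</button>
</form>
</body></html>"""

# Constructed benign attachment: a notice with no form at all.
SAMPLE_BENIGN_ATTACHMENT = """<html><body>
<p>Your statement is ready. Sign in through your bank's own website to view it.</p>
</body></html>"""

if __name__ == "__main__":
    print(scan_html_attachment(SAMPLE_PHISHING_ATTACHMENT))
    print(scan_html_attachment(SAMPLE_BENIGN_ATTACHMENT))
```

Because the parser is fed the raw attachment, the check works regardless of how the email body is worded, which is the point: the lure text changes from campaign to campaign, but a form that asks for a PIN and a mother’s maiden name inside an email attachment is anomalous on its own.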
Government Agencies
Phishing emails and ransomware can look like they come from government agencies such as the IRS or law enforcement agencies.
Criminals have posed as the IRS frequently enough to warrant the IRS setting up its own page to report such scams, which includes some great safety tips for how to avoid being defrauded. In one tax scam currently making the rounds, attackers pretend to be from “IRS Online” and send emails with an attachment labeled “Tax Account Transcript.” When the attachment is opened, malware is unleashed. In another tax scam, attackers send phishing emails with the instruction to “update your IRS e-file immediately.” When the intended victim clicks the link, they are taken to a fake website that spoofs the official IRS website.
Criminals are also targeting municipal governments with ransomware, holding data and/or systems hostage and bringing city operations to a standstill. Such was the case in Del Rio, Texas, after a ransomware attack effectively closed down City Hall servers.
Spear Phishing
Due to the success of phishing attacks, malicious phishers have developed a refined technique known as spear phishing. A spear phishing email is far more targeted than a general phishing email. Instead of sending out thousands of emails randomly hoping a few victims will bite, spear phishers target higher-profile people who have access to something the attacker wants. Often attackers will spend some time conducting OSINT to craft an email that specifically caters to the recipient’s job, personal situation or preferences. Spear phishing emails leverage a certain level of information about an individual that makes the phish very difficult to detect or resist.
The pervasive use of social media has provided a gold mine of personal data to be used by attackers. Because of our culture of sharing, individuals are equipping attackers with all the information they need without realizing it. The tiniest bit of information, sometimes even apparent in profile pictures, can put the attacker on track to creating a solid phish.
A spear phishing campaign that is making the rounds specifically targets HR employees. In one example, as reported by VadeSecure, an HR director in the construction industry was targeted. Posing as the COO, the criminal initiated contact with the HR director. The request? The “COO” wants to make changes to his Payroll Direct Deposit Account. By posing as the COO, the attacker is hoping for two things: the HR director will feel pressure to respond quickly, and there will be a higher payout.
Whaling
Whaling is a highly targeted attack vector that is designed to strike at an organization’s “big phish.” A big phish is a high-value individual whose credentials or access to resources, if compromised, could endanger the entire business. Whaling attacks typically select targets specifically because of their position within the organization. Similar to spear phishing, these attacks can be more difficult to detect because of their stealth and because they are generally sent on a one-time basis. Because the target is so high value, it’s important for the attacker to do their research on the intended target in order to identify possible interests to craft the right phish. Prime whaling targets include senior executives, high-level officials in private businesses, or even those with privileged access to government (or top secret) information.
The City Treasurer of Ottawa, Marian Simulik, became a victim of a whaling attack. On July 6, 2018, she received the following email, purportedly from her boss, city manager Steve Kanellakos, and approved the transfer of funds.
“Okay, I want you to take care of this for me personally, I have just been informed that we have had an offer accepted by a new international vendor, to complete an acquisition that i have been negotiating privately for some time now, in line with the terms agreed, we will need to make a down payment of 30% of their total, Which will be $97,797.20. An announcement is currently being drafted and will be announced next week, once the deal has been executed, for now I don’t want to go into any more details. Until we are in a position to formally announce the acquisition I do not want you discussing it with anybody in the office, any question please email me. Can you confirm if international wire transfer can go out this morning?”
Penetration Testers and Social Engineers
Phishing is a well-used social engineering attack vector for penetration testers (or pentesters). Penetration testers employ these methods, without the malicious intent, to show a company how devastating these attacks can be. Many companies will spend thousands of dollars on IDS systems, firewalls and other protection devices to monitor the network, but one skilled phishing attack can lead to total devastation in a company without having to employ technical hacks.
Pentesters primarily use phishing for three different purposes. The first is as part of a pentest, which usually leads to a controlled compromise of the organization’s digital or human network. Any vulnerabilities are then reported in detail to allow the organization to harden its security. The second purpose is as part of a security awareness program throughout the year that is focused on educating users on the different levels of phishing. The third purpose is to set a baseline for assessing user susceptibility to phishing attacks and to justify future training on the topic.
Hadnagy, Christopher, and Michele Fincher. Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails. Indianapolis: John Wiley & Sons, 2015. Print.