We define phishing as the “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information” (Hadnagy & Fincher 2). Phishing is one of the biggest cybercrime threats facing organizations and individuals today. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), of the 3,950 confirmed data breaches, 22% included social attacks (i.e. phishing and business email compromise).
Phishing can involve an attachment within an email that loads malware onto a computer, or a link to an illegitimate website that tricks an individual into handing over personal information. There are many forms of attack commonly delivered via phishing. We highlight several of them, but this is by no means a complete list. Also remember that one key to phishing is for the attacker to appear to be something or someone they are not, which ties into the topic of impersonation as well.
NOTICE: Never use this information to perform illegal acts! We discuss these details to help organizations anticipate possible social engineering attacks and to help them mitigate against these attacks.
URL and Email Manipulation
Phishing schemes are successful because people trust messages from well-known, reputable sources. For this reason, a common tactic bad actors use is to manipulate a URL. Criminals know that if the URL looks close enough to a trusted site, the odds are they can fool you into clicking on it. For example, when a user scans over a URL like http://www.company.com, it looks almost identical to http://www.cornpany.com if the font is right (the letters “r” and “n” side by side render much like an “m”). Another example is support.amazon.com versus the more dangerous support-amazon.com: the first is a subdomain of amazon.com, while the second is an entirely separate registered domain that merely contains the word “amazon”. Surprisingly, URL manipulation requires very little time or effort. The bad actor purchases a domain that closely resembles the legitimate one, sets up an email account on it, and clones the legitimate website there.
Phishing emails get even more confusing and dangerous when you check your email on a smartphone or other mobile device. Why is this so? One reason is that you can’t hover over a link to see where it goes. Additionally, many mobile mail clients show only the sender’s display name rather than the full email address.
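To make the lookalike-domain tactic concrete, here is an added Python example (not code from the original article) that checks the sender address and every link in a suspect email against a short list of trusted domains, flagging the three patterns described above: visually confusable spellings (cornpany.com), one-character typos, and a trusted brand embedded in a hyphenated domain (support-amazon.com). The trusted-domain list, the confusable-character table and the sample message are all constructed for illustration, and the registrable-domain logic assumes a single-label public suffix such as .com rather than consulting the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this (hypothetical) organization treats as legitimate. Constructed list.
TRUSTED_DOMAINS = {"company.com", "amazon.com", "citi.com"}

# Character sequences that imitate another character in common fonts; the
# "rn" -> "m" entry is the company.com / cornpany.com trick from the text.
# Constructed table; production tooling would use Unicode confusables data.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Any URL-looking token in a plain-text body; trailing punctuation is stripped later.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. www.amazon.com -> amazon.com.
    Assumption: single-label public suffix (.com); suffixes such as .co.uk
    would need the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def skeleton(label: str) -> str:
    """Collapse confusable sequences so that cornpany and company compare equal."""
    out = label.lower()
    # Longest sequences first so "rn" is rewritten before any single character.
    for lookalike, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(lookalike, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a label one edit away from a brand (amazom) is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if skeleton(label) == skeleton(brand):            # homoglyph: cornpany.com
            return "lookalike"
        if levenshtein(label, brand) == 1:                 # typo: amazom.com
            return "lookalike"
        if brand in label.split("-") and label != brand:   # brand token: support-amazon.com
            return "lookalike"
    return "unrelated"


# Constructed sample message modelled on the tactics described in the text.
SAMPLE_EMAIL = """\
From: Amazon Support <support@support-amazon.com>
To: victim@company.com
Subject: Action required: verify your account
Content-Type: text/plain; charset=utf-8

Your account has been locked. Sign in at http://www.cornpany.com/login
or use the secure portal https://support-amazon.com/verify.
Official help is always at https://www.amazon.com/help
"""


def analyse_email(raw: str) -> dict:
    """Classify the From: domain and every link in a plain-text message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1]
    sender_verdict = classify_domain(sender_domain)
    # Display name names a trusted brand while the address domain is not trusted.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    display_spoof = sender_verdict != "trusted" and any(b in display.lower() for b in brands)
    links = []
    for url in URL_RE.findall(msg.get_payload()):
        url = url.rstrip(".,;)")
        host = urlparse(url).hostname or ""
        links.append((url, registrable_domain(host), classify_domain(host)))
    return {
        "sender": (display, sender_domain, sender_verdict),
        "display_name_spoof": display_spoof,
        "links": links,
    }


if __name__ == "__main__":
    report = analyse_email(SAMPLE_EMAIL)
    print("From:", *report["sender"], "| display-name spoof:", report["display_name_spoof"])
    for url, domain, verdict in report["links"]:
        print(f"{verdict:10} {domain:22} {url}")
```

Run against the constructed message, the sender domain and two of the three links are reported as lookalikes, and the display name “Amazon Support” on a non-Amazon address is flagged separately, which is exactly the mismatch a mobile client hides when it shows only the display name. The skeleton comparison is deliberately crude: a real deployment would normalize with the Unicode confusables table and handle internationalized (punycode) domains, which this example does not attempt.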
Common Phishing Vectors
We outline four common phishing vectors, which we explore in more depth below. They are:
- Current Events
- Tech Support
- Financial Institutions
- Government Agencies
Bad actors take advantage of current events such as disasters, large public events, holidays, or data breaches to phish large groups of targets for information. For instance, cyber criminals quickly exploited the novel coronavirus pandemic. According to the Federal Trade Commission (FTC), from January 1, 2020 to July 19, 2020 there were 71,026 COVID-19 and stimulus fraud cases reported, with $89.51M in total losses.
Another example is the 2017 Equifax data breach. Shortly after the data breach, The Better Business Bureau (BBB) issued an alert that scammers created 194 phishing websites just one day after the breach and launch of legitimate help websites. The BBB also warned about phishing emails requesting verification of transactions or to check account status.
The 2015 Anthem breach is yet another example. Just hours after Anthem announced a sophisticated attack that compromised the personal information and Social Security numbers of some 80 million Americans, attackers began phishing users with a malicious link offering free credit monitoring.
The devastating Woolsey and Camp fires in California in November 2018 left countless families homeless and grief-stricken. Attackers were quick to take advantage of this tragedy. Agari issued an alert warning that criminals were specifically targeting workplaces. Posing as the targeted enterprise’s CEO, the attackers sent emails to employees in accounting, finance, or administration with instructions to purchase gift cards, purportedly to provide financial assistance to clients who were fire victims.
Another example is the large scale earthquake that struck Nepal in April 2015. Attackers quickly took advantage of a devastating situation. The U.S. Computer Emergency Readiness team (US-CERT) issued an alert to the public about phishing emails and websites requesting donations for fraudulent charitable organizations.
You might also see these types of phishing scams on Twitter or text/SMS as well. For more information on that check out our SMiShing page.
Tech support impersonation is a classic attack vector. The ubiquitous Microsoft tech support scam has been making the rounds in Indiana, USA. As reported by RTV6, a work-at-home senior received a pop-up message on her computer saying Microsoft had locked her computer due to malware and spyware. Her reaction? She panicked. “I was just like ‘let’s get this taken care of so I can work.’” In another report, a woman lost over $30,000 to the Microsoft tech support scam.
Consider another example. In 2004, students and staff of the University of California received spoofed emails from the “technical support team”. The emails said that their computers were infected with a virus. Once opened, the attachment infected the computer with a variant of the MyDoom worm.
Compare the above example to June 2015, when University of Michigan staff warned that malicious hackers were phishing students by sending them to fake Google Forms in order to obtain the students’ credentials and personal identifying information. Over 150 students fell prey to the “tech support” phish before staff were able to send out a warning.
Posing as a financial institution is another common tactic of malicious attackers. Criminals may not know what bank you use. However, they do know that if they send out mass emails posing as a well-known bank, the probability that it happens to be your bank is pretty high. In some cases, they might know that it’s your bank. If that’s the case, they may include your name and address in the email. Their goal? To have you click a link or open an attachment.
Sometimes the banks themselves are the ones who are compromised, like the spear phishing campaign discovered in 2015 that is credited with stealing up to a billion dollars from financial institutions across 30 countries.
A phishing campaign impersonating Citibank was recently spotted. The email, claiming to be from Citibank, included a link to a legitimate-looking website with ‘update-citi .com’ as the domain. Recipients were asked to enter their online banking credentials as well as personal information.
Government agencies such as the IRS are commonly impersonated by criminals. Each year the IRS warns about phishing emails, and in 2020 phishing once again made the IRS “Dirty Dozen” list of tax scams. Notably, with the novel coronavirus pandemic, numerous phishing tax scams are circulating using keywords such as “coronavirus”, “COVID-19”, and “stimulus”.
Criminals have posed as the IRS frequently enough to warrant the IRS setting up its own page for reporting such scams, which also includes some useful tips on how to avoid being defrauded.
In 2019, the IRS reported on a scam known as the Tax Account Transcript scam. In this scam, criminals send emails pretending to be from “IRS Online.” The email carries an attachment labeled “Tax Account Transcript” as bait; when the attachment is opened, malware is unleashed. In another tax scam, attackers send phishing emails with the instruction to “update your IRS e-file immediately.” When the intended victim clicks the link, they are taken to a fake website that spoofs the official IRS website.
Cyber criminals are also attacking municipal governments with ransomware, often delivered by phishing emails carrying malicious code, holding data and/or systems hostage and bringing city operations to a standstill. Such was the case in Del Rio, Texas, where a ransomware attack effectively shut down City Hall servers.
Due to the success of phishing attacks, malicious phishers have developed a refined technique known as spear phishing. A spear phishing email is more targeted than a general phishing email. Instead of sending out thousands of emails hoping to catch a few random victims, spear phishing targets specific, higher-profile people: people who have access to something the attacker wants. Attackers conduct open source intelligence (OSINT) research to craft an email that specifically caters to the recipient’s job, personal situation or preferences.
Before sharing examples of spear phishing, it’s important to discuss one of the attacker’s main sources for this level of information: social media. The pervasive use of social media provides a gold mine of personal data that attackers can use. Because of our culture of sharing, people are equipping attackers with all the information they need without realizing it. The smallest bit of information, sometimes even a detail in a profile picture, can put the attacker on track to creating a convincing phish.
One spear phishing campaign making the rounds specifically targets HR employees. In this example reported by Vade Secure, an HR director in the construction industry was targeted. Posing as the COO, the criminal emailed the HR director. The request? The “COO” wanted to change his payroll direct deposit account. By posing as the COO the attacker is hoping for two things: 1) the HR director will feel pressure to respond quickly, and 2) an executive’s salary makes for a higher payout.
Similar to spear phishing, whaling is a highly targeted attack vector designed to strike at an organization’s “big phish”: a high-value individual such as a senior executive, a high-level official in a private business, or anyone with privileged access to government (or top secret) information. These targets hold credentials or access that, if compromised, could endanger the entire business. Like spear phishing, these attacks can be more difficult to detect because they are crafted for a single recipient and generally sent only once, so they never show up as a bulk campaign.
Because the target is so valuable, the attacker researches the intended target thoroughly to identify interests and relationships that can be worked into the right phish. An attacker will stop at nothing, even tugging on heartstrings, to get a click.
The City Treasurer of Ottawa, Marian Simulik, became the victim of a whaling attack. On July 6, 2018, she received the following email, purportedly from her boss, city manager Steve Kanellakos, and approved the transfer of $97,797.20. The email reads in part:
“Okay, I want you to take care of this for me personally, I have just been informed that we have had an offer accepted by a new international vendor, to complete an acquisition that i have been negotiating privately for some time now, in line with the terms agreed, we will need to make a down payment of 30% of their total, Which will be $97,797.20. Until we are in a position to formally announce the acquisition I do not want you discussing it with anybody in the office, any question please email me. Can you confirm if international wire transfer can go out this morning?”
Penetration Testers and Social Engineers
Phishing is a well-used social engineering attack vector for penetration testers (or pentesters), who employ the same methods, without the malicious intent, to show a company how devastating these attacks can be. Professional pentesters primarily use phishing for the following purposes:
- As part of a pentest, usually leading to a controlled compromise of the organization’s digital or human network. The exposed vulnerabilities are reported in detail to allow the organization to strengthen its security.
- As part of a year-round security awareness program, with the focus on educating users on the different levels of phishing.
- To set a baseline for assessing user susceptibility to phishing attacks and to justify future training on the topic.
Companies spend thousands of dollars on intrusion detection systems, firewalls and other protective devices to monitor the network, yet just one skilled phishing attack can lead to total devastation. Technical solutions that blunt phishing do exist (mail filtering, multi-factor authentication, sandboxing of attachments), but there is no practical way to prevent an employee from clicking links, opening attachments, or filling out forms. The best defense is to educate employees and ensure they understand the threats posed by phishing attacks. As a result they are less likely to click malicious links, and more likely to report suspicious activity. Security awareness training also gives leadership a realistic picture of how their organization will respond to a phishing attack.
Hadnagy, Christopher, and Michele Fincher. Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails. Indianapolis: John Wiley & Sons, 2015. Print.