Phishing is recognized as one of the biggest cybercrime threats facing organizations and individuals today. According to Verizon’s 2019 Data Breach Investigations Report (DBIR), of the 2,013 confirmed data breaches, 32% included phishing attacks.
We define phishing as the “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information,” (Hadnagy & Fincher 2). To that end, attackers often impersonate well known institutions, such as the IRS, banks, or businesses. In addition, attackers impersonate individuals such as your boss, a co-worker, or perhaps your real estate agent. The goal of the phishing email is to lure you into opening an attachment that contains malware, or clicking a link to a spoofed website. Of course, there are many different types of phishing attacks and we will highlight several. However, this is by no means a complete list. In this article we’ll discuss URL and email manipulation, common phishing vectors, spear phishing, whaling, and how pentesters use phishing in security audits.
NOTICE: Never use this information to perform illegal acts! We discuss these details to help organizations become offensive about possible social engineering attacks. Additionally, this information will help organizations to mitigate against these attacks.
URL and Email Manipulation
Phishing schemes are successful because people trust messages from well-known, reputable sources. For this reason, a common phishing tactic bad actors use is to manipulate a URL. Criminals know that if the URL looks close enough to a trusted site, the odds are they can fool you to click on it. For example, when a user scans over a URL like http://www.company.com, it looks almost identical to http://www.cornpany.com if the font is right. Another example is support.amazon.com versus the more dangerous support-amazon.com. Surprisingly, URL manipulation requires very little time or effort. The bad actor purchases a domain that closely resembles the legitimate URL. Then the attacker sets up an email account and spoofs the website.
Phish get even more confusing and dangerous when you are checking your email on a smartphone or other mobile device. Why is this so? One reason is because you can’t hover over a link to see where it goes. Additionally, you are unable to see the whole email address of the sender.
Common Phishing Vectors
We outline four common phishing vectors, which we will explore in more depth. They are:
- Current Events
- Tech Support
Bad actors take advantage of current events such as disasters, large public events, holidays, or data breaches to phish large groups of targets for information. For instance, the novel coronavirus pandemic is a current event that cyber criminals quickly exploited. According to The Federal Trade Commission (FTC) from January 1, 2020 to July 19, 2020 there were 71, 026 COVID19 and Stimulus fraud cases reported with a total of $89.51M in total loses.
Another example is the 2017 Equifax data breach. Shortly after the data breach, The Better Business Bureau (BBB) issued an alert that scammers created 194 phishing websites just one day after the breach and launch of legitimate help websites. The BBB also warned about phishing emails requesting verification of transactions or to check account status.
The devastating Woosley and Camp fires in California in November 2018 left countless families homeless and grief-stricken. Attackers were quick to take advantage of this distressing tragedy. Agari issued an alert warning that criminals were specifically targeting workplaces. Posing as the targeted enterprise’s CEO, the attackers sent emails to employees in accounting, finance, or administration with instructions to purchase gift cards purportedly to provide financial assistance for clients who are fire victims. You might also see these types of phishing scams on Twitter or text/SMS as well. For more information on that check out: SMiShing
For more information on charity scams, please check out our newsletter here.
Tech support impersonation is a classic attack vector. The ubiquitous Microsoft tech support scam has been making the rounds in Indiana, USA. As reported by RTV6, a work at home senior received a pop-up message on her computer saying Microsoft locked her computer due to malware and spyware. Her reaction? She panicked. “I was just like ‘let’s get this taken care of so I can work.'” In another report, a woman lost over $30,000 because of the Microsoft tech support scam.
Posing as a financial institution is another common tactic of malicious attackers. Criminals may not know what bank you use. However, they do know that if they send out mass emails posing as a well-known bank, the probability that it happens to be your bank is pretty high. In some cases, they might know that it’s your bank. If that’s the case, they may include your name and address in the email. Their goal? To have you click a link or open an attachment.
A phishing campaign impersonating Citibank was recently spotted. The email claiming to be from Citibank, included a link to what appears to be an legitimate-looking website with ‘update-citi .com’ as the domain address. Users who received the email were requested to enter their online banking credentials as well as personal information.
Government agencies such as the IRS are commonly impersonated by criminals. Each year the IRS warns about phishing emails. In 2020, phishing once again made the IRS Dirty Dozen list for tax scams. Notably, with the novel coronavirus pandemic, numerous phishing tax scams are circulating using keywords such as, “coronavirus”, “COVID19”, and “stimulus”.
Cyber criminals are also attacking municipal government through ransomware—often spread through phishing emails that contain malicious code.
Criminals have posed as the IRS frequently enough to warrant the IRS setting up their own page to report such scams which include some great safety tips for how to avoid being defrauded. Our April, 2019 blog discussed several tax scams such as the Tax Account Transcript scam. In this scam, criminals send emails pretending to be from “IRS Online” with an attachment labeled “Tax Account Transcript” as bait to entice users to open documents containing malware. When the attachment is opened, malware is unleashed. In another tax scam, attackers send phishing emails with the instruction to “update your IRS e-file immediately.” When the intended victim clicks the link, they are taken to a fake website that spoofs the official IRS website.
Criminals are targeting municipal government with ransomware, holding data and/or systems hostage, bringing city operations to a stand-still. Such was the case in Del Rio, Texas after a ransomware attack effectively closed–down City Hall servers. To learn more about ransomware and how to mitigate the risks to your org, please see this blog.
Due to the success of phishing attacks, malicious phishers have developed a refined technique known as spear phishing. A spear phishing email is more targeted than a general phishing email. Instead of sending out thousands of emails hoping to catch a few random victims, spear phishing targets specific higher profile people who have access to something the attacker wants. Attackers conduct open source intelligence (OSINT) to craft an email that specifically caters to the recipient’s job, personal situation or preferences.
The pervasive use of social media provides a gold mine of personal data that attackers can use. Because of our culture of sharing, individuals are equipping attackers with all the information they need without realizing it. The smallest bit of information, such as profile pictures, can put the attacker on track to creating a solid phish.
This spear phishing campaign found making the rounds specifically targets HR employees. In this example reported by VadeSecure, an HR director in the construction industry was targeted. Posing as the COO, the criminal emailed the HR director. The request? The “COO” wanted to make changes to his Payroll Direct Deposit Account. By posing as the COO the attacker is hoping for two things; 1.) the HR director will feel pressure to respond quickly and 2.) there will be a higher payout.
Whaling is a highly-targeted attack designed to strike at an organization’s “big phish.” A big phish is a high-value individual such as a senior executive, a high-level official in private business, or anyone with privileged access to government (or top secret) information. These high value targets have credentials or access that if compromised, could endanger the entire business. Similar to spear phishing, these attacks can be more difficult to detect because of their stealth and because they are generally sent on a one-time basis.
The City Treasurer of Ottawa, Marian Simulik became a victim of a whaling attack. On July 6, 2018, she received the following email purportedly from her boss, city manager Steve Kanellakos and approved the transfer of $97,797.20 in funds. Part of the email reads in part:
“Okay, I want you to take care of this for me personally, I have just been informed that we have had an offer accepted by a new international vendor, to complete an acquisition that i have been negotiating privately for some time now, in line with the terms agreed, we will need to make a down payment of 30% of their total, Which will be $97,797.20. Until we are in a position to formally announce the acquisition I do not want you discussing it with anybody in the office, any question please email me. Can you confirm if international wire transfer can go out this morning?”
Why Pentesters Use Phishing in Security Audits
Professional pentesters primarily use phishing for the following purposes:
- As part of a pentest. Usually leading to a controlled compromise of the organization’s digital or human network. The exposed vulnerabilities are reported in detail to allow the organization to strengthen their security.
- As part of a security awareness program throughout the year. With the focus on educating users on the different levels of phishing.
- To set a baseline for assessing user susceptibility to phishing attacks and to justify future training on the topic.
Companies spend thousands of dollars on IDS systems, firewalls and other protection devices to monitor the network. However just one skilled phishing attack can lead to total devastation in a company. While technical solutions exist to stop phishing attacks, there is no practical way to prevent an employee from clicking links, opening attachments, or filling out forms. The best defense is to educate employees and ensure they understand the threats posed by phishing attacks. As a result they are less likely to click malicious links, and more likely to report suspicious activity. To this end, security awareness training such as PHaaS equips leadership to know how their organization will respond to phishing attacks.
Hadnagy, Christopher, and Michele Fincher.
Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails. Indianapolis: John Wiley & Sons, 2015. Print.