We define phishing as the “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information,” (Hadnagy & Fincher 2).
Phishing is the most prolific form of social engineering, accounting for an estimated 77% of all social-based attacks, with over 37 million user reports in 2013. Phishing can involve an attachment within an email that loads malware onto a computer, or a link to an illegitimate website that tricks an individual into handing over personal information. There are many different forms of attack that are commonly carried out via phishing. We have highlighted several of them below, but this is by no means a complete list. Also remember that one key to phishing is for the attacker to appear to be something or someone they are not, which ties into the topic of impersonation as well.
NOTICE: This information should never be used to perform illegal acts! We discuss these details to help organizations think offensively about possible social engineering attacks and to help mitigate against these attacks.
URL and Email Manipulation
One reason why phishing schemes work so well is that people tend to trust messages that appear to come from an important entity or one that appears legitimate. The attacker can easily manipulate a URL to look very close to a name-brand, fooling the victim into clicking on it. For example, when a user scans over a URL like http://www.company.com, it looks almost identical to http://www.cornpany.com if the font is right. Another example would be a slight difference that still looks legitimate, such as support.amazon.com versus the more dangerous support-amazon.com. Chances are slim that the average user would be able to determine which is safe. By purchasing a domain that closely resembles the legitimate URL, the attacker sets up an email account and spoofs the website with very little time or effort involved.
Phish can get even more confusing when you are checking your email on the tiny screen of a smartphone or other mobile device, because you can’t hover over a link (to see where it goes) or see the whole email address of the sender. Criminals are smart and have figured out a few ways around those common safety tips, but there are still plenty who count on you not performing these simple checks, and given the number of people who check their email on their phone, they are correct.
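As an added example (not from the page or the book it cites), here is a small Python check that a mail filter or an awareness tool could run over link and sender hostnames to flag the lookalike domains described above, plus the "displayed text says one domain, link goes to another" case a phone user cannot see by hovering. The protected-domain list and the confusable table are constructed assumptions, and the registrable-domain logic ignores multi-label public suffixes such as co.uk.

```python
import re
from urllib.parse import urlparse

# Constructed list of brand domains the organisation wants to protect (assumption).
PROTECTED_DOMAINS = {"company.com", "amazon.com"}

# Character runs that look alike in many fonts: rn -> m, vv -> w, 0 -> o, 1 -> l.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable_domain(host: str) -> str:
    """'www.support.amazon.com' -> 'amazon.com' (last two labels, simplified)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Collapse confusable runs so 'cornpany' and 'company' compare equal."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for a link/sender hostname."""
    domain = registrable_domain(host)
    if domain in PROTECTED_DOMAINS:
        return "legitimate"          # the real domain or one of its subdomains
    name = domain.partition(".")[0]
    for protected in PROTECTED_DOMAINS:
        pname = protected.partition(".")[0]
        # Brand name glued on with a hyphen: support-amazon.com instead of support.amazon.com
        if name != pname and pname in name.split("-"):
            return "lookalike"
        # Confusable spelling: cornpany.com versus company.com
        if name != pname and normalize(name) == normalize(pname):
            return "lookalike"
    return "unknown"


def classify_url(url: str) -> str:
    return classify_host(urlparse(url).hostname or "")


def link_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one domain but the href goes elsewhere."""
    shown = re.search(r"[\w.-]+\.[a-z]{2,}", display_text.lower())
    if not shown:
        return False                 # text like 'Click here' names no domain
    return registrable_domain(shown.group(0)) != registrable_domain(urlparse(href).hostname or "")
```

Pairing `classify_url` with `link_mismatch` on every anchor in an inbound message gives a cheap first-pass signal before any user has to squint at a phone screen.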
Common Phishing Vectors
Current Events and Charities
Often attackers will take advantage of natural disasters, large public events, holidays, or even massive data breaches to phish large groups of targets for information. An excellent example of this is the 2015 Anthem breach. Just hours after Anthem announced a sophisticated attack which compromised the personal and social security information of some 80 million Americans, attackers began phishing users with a malicious link offering free credit monitoring.
Another example is when a large-scale earthquake struck Nepal in April 2015. Attackers quickly took advantage of a devastating situation. The U.S. Computer Emergency Readiness Team (US-CERT) issued an alert to the public about phishing emails and websites requesting donations for fraudulent charitable organizations.
These scams are not limited to email, and you might see them on Twitter or via text/SMS as well. For more information on that, check out: SMiShing
Impersonating tech support is an example of a classic attack vector that hasn’t changed much over time because it still works. For example, in 2004, students and staff of the University of California received spoof emails from the technical support team saying that their computers were infected with a virus. Once opened, the attachment would infect the computer with a variant of the MyDoom virus.
Compare the above example to June 2015, when University of Michigan staff warned that malicious hackers were phishing students by sending them to fake Google Forms in order to obtain the students’ credentials and personal identifying information. Over 150 students fell prey to the “tech support” phish before staff were able to send out a warning to the students.
Posing as a financial institution is a common tactic of malicious attackers. Criminals may not know what bank you use but they do know that if they send out a round of emails posing as one of the well-known banks, the probability that it happens to be your bank is pretty high. In some cases, they might know that it’s your bank and have your name or even address to include in the email. All they need you to do is click that link or sometimes even open an attachment. But the customer isn’t the only target. Sometimes the banks themselves are the ones who are compromised like the spear phishing campaign discovered in 2015 that is credited with stealing a billion dollars from financial institutions across 30 countries.
Phishing emails (and ransomware) can look like they come from government or law enforcement agencies. Criminals have posed as the IRS frequently enough to warrant the IRS setting up its own page for reporting such scams, which includes some great safety tips on how to avoid being defrauded. You may not even get to the point where you provide login or identifying information. One 2015 IRS scam simply got users to click the link, which sent them to a gambling site and downloaded malware before the user could stop it. But again, the “client” isn’t the only target. Criminals have also targeted police computers via phishing and then loaded ransomware to extort money.
Due to the success of phishing attacks, malicious phishers have developed a refined technique known as spear phishing. Instead of sending out thousands of emails randomly hoping a few victims will bite, spear phishers target select groups of usually higher profile people who have something in common or access to something the attacker wants. A spear phishing email is far more targeted than a general phishing email. Often attackers will spend some time conducting OSINT to craft an email that specifically caters to the recipient’s job, personal situation or preferences. Spear phishing emails leverage a certain level of information about an individual that makes the phish very difficult to detect or resist.
Before going into examples of spear phishing, it’s important to discuss one of the attacker’s sources for this level of information: social media. The pervasive use of social media has provided a gold mine of personal data to be used by attackers. Because of our culture of sharing, individuals are equipping attackers with all the information they need without realizing it. The tiniest bit of information, sometimes even apparent in profile pictures, can put the attacker on track to creating a solid phish.
Similar to spear phishing, whaling is a highly-targeted attack vector that is designed to strike at an organization’s “big phish.” A big phish is a high-value individual whose credentials or access to resources, if compromised, could endanger the entire business. Whaling attacks typically select targets specifically because of their position within the organization. Similar to spear phishing, these attacks can be more difficult to detect because of their stealth and because they are generally sent on a one-time basis. Because the target is so high value, it’s important for the attacker to do their research on the intended target in order to identify possible interests to craft the right phish. An attacker will stop at nothing, even if it means tugging on heart strings, to get a click. Prime whaling targets would be senior executives, high-level officials in private businesses, or even those with privileged access to government (or top secret) information.
Penetration Testers and Social Engineers
Phishing is a well-used social engineering attack vector for penetration testers (or pentesters). Penetration testers employ these methods without malicious intent, to show a company how devastating these attacks can be. Many companies will spend thousands of dollars on intrusion detection systems, firewalls and other protection devices to monitor the network, but one skilled phishing attack can lead to total devastation in a company without having to employ technical hacks.
Pentesters primarily use phishing for three different purposes. The first is as part of a pentest, which usually leads to a controlled compromise of the organization’s digital or human network. Any vulnerabilities are then reported in detail to allow the organization to harden its security. The second purpose is as part of a year-round security awareness program focused on educating users on the different levels of phishing. The third purpose is to set a baseline for assessing user susceptibility to phishing attacks and to justify future training on the topic.
Hadnagy, Christopher, and Michele Fincher. Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails. Indianapolis: John Wiley & Sons, 2015. Print.