“In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication” ^[1]. This is of use to a social engineer, as this is a way to utilizing a trusted pretext to obtain information or a tool that can be utilized to obtain the final target information.^[2]

Protection from Phishing Messages

Stereotypically phishing messages have been associated with poor English and frequent misspellings. This is not the case in modern phishing, as they are typically very realistic replicas. The best defense against phishing messages is to not follow links embedded in messages which are sent to you, or utilize log in fields embedded within the messages themselves. Instead, manually type in the trusted entities address into your browser from what you know the address to be (not just copying it from the message, or utilize a previously saved bookmark.^[3]

URL and Email Manipulation

One reason why phishing schemes work so well is that people tend to trust messages that appear to come from an important entity or look important. The attacker can easily manipulate a URL to look authentic fooling the victim to click on it. For example a URL like (http://www.company.com) looks almost identical to (http://www.cornpany.com) if the font is right and the reader scans over it. By purchasing a domain that closely resembles the legitimate URL, the attacker sets up an email account and spoofs the website, requiring very little time and effort. This seemingly simple process fools many people into clicking the link and then being hacked.

Phishing Attack Campaigns in 2016 Shatter All Previous Years’ Records – APWG

Spear Phishing

Due to the success of phishing attacks, malicious phishers have developed spear phishing. Instead of sending out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people who have something in common and who usually have higher profiles. The emails are usually sent from organizations or individuals the potential victims would normally get emails from, making them even more deceptive.

Cloudmark Survey 2016

Penetration Testers and Social Engineers

Phishing is a well used attack vector for penetration testers. Using all of the methods mentioned above, but without malicious intent, penetration testers will employ these methods to show a company how devastating these attacks can be. Many companies will spend thousands of dollars on IDS systems, firewalls and other protection devices to monitor the network, but one skilled phishing attack can lead to total devastation in a company without having to hack one thing.

Examples

Banking

• People’s United Bank
• TD Bank
• Citibank
• Wells Fargo

 

Education

• University of Virginia
• University of Chicago
• University of Arizona
• University of Michigan
• UCLA
• University of Pittsburgh

 

Misc

• Social Media Phishing Scam Steals Credentials And Credit Cards
• Facebook ‘Fake Friend’ Phishing Attack

 

Real World Phishing Attacks

• Massive Phishing Attack Targets Millions of Gmail Users 
• Facebook and Google Were Victims of $100M Payment Scam
• The Homograph Attack
• SS&C Technology Loses $6 Million in BEC Scam
• Highly Effective Phishing Attack Targets Corporate Travelers
• Experts Warn of Novel PDF-Based Phishing Scam
• El Paso Loses 3.2 Million Dollars via Spear Phish
• Seagate Phish Exposes All Employee W-2’s
• Spear Phishing Attacks Breach Podesta, Powell, and the DNC