Phishing Attacks & Mitigation – part 1
As more and more of our professional (and personal) lives take place online, the activity of those who want to abuse this fact grows with it: actors who profit by extracting privileged information, or by influencing us into taking an action that is not in our best interest.
Organisations that deal with cybersecurity in a professional capacity and compile annual reports on the subject agree that phishing and related activities have been steadily increasing in volume and sophistication in recent years, and that this trend will continue.
What are the most common types of ‘phishing family’ attacks?
What is phishing, smishing, vishing?
Phishing is a social engineering technique in which malicious actors (aka hackers) ‘fish’ for ‘prey’. The prey can be anything from specific information, such as login credentials to be used in later stages of an attack, through tricking the user into following a malicious link that installs ransomware on their computer, to a call to action to transfer money into a fraudulent account. The ‘bait’ comes in the form of an email designed to look credible and to deceive you into acting on it (usually by clicking a link, though the requested action can take other forms). The same technique carried out over text messages is called ‘smishing’, and the fraudulent practice of making phone calls for the same purpose is called ‘vishing’.
All three of the above, plus impersonation (somebody physically pretending to be somebody else), are known as social engineering vectors. In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information, as opposed to breaking in by technical means.
According to various studies, the human factor is cited as the main cause of cybersecurity breaches. This confirms a statement made by one of the most (in)famous hackers, Kevin Mitnick: in his 2002 book ‘The Art of Deception’, Mitnick shared that he compromised computers merely by using passwords and codes obtained through social engineering.
And no doubt, as time passes, new social engineering techniques will emerge as the online environment evolves alongside human ingenuity in devising new means of deception.
Phishing, spear-phishing, whaling
Phishing – sometimes referred to as bulk phishing – is the most common attack in this family. Here, the attacker creates an email message that appears to come from a well-known legitimate business or organisation and sends it indiscriminately to a large number of recipients.
Spear phishing – in this variation, emails target specific individuals, usually people with privileged access to sensitive data or resources, or holding an authority within the organisation that is valuable to the attacker. To do this, the hacker studies the victim, collecting useful information from the company website and social media platforms; this form of data collection is also known as Open-Source Intelligence (OSINT). Having profiled the target, the attacker sends a personalised email that appears to come from a colleague, a boss or direct superior, or a trusted vendor. The language can be fairly informal, to create a sense of familiarity with the sender, and the call to action may be presented in a semi-casual way, such as a request to pay an attached invoice by the end of the working day (with the account number on the invoice being the fraudster’s account).
Whaling – as the name suggests – aims to catch the biggest ‘fish’ in the pond: specific users high in the organisation’s hierarchy, often the CEO or CFO. Typical requests here are for access to sensitive information or for a funds transfer.
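The spear-phishing and whaling patterns described above (an executive’s name on an outside mailbox, a lookalike domain, a Reply-To that diverts the conversation, and urgency paired with a payment request) can be checked mechanically before a message reaches a finance inbox. The script below is an added example written for this article, not code from the original page; it assumes a fictional organisation ‘example.com’, a made-up executive list, and a constructed sample message, all of which are placeholders.

```python
"""Heuristic triage of a suspected spear-phishing / whaling email.

Added example, not code from the original article. The organisation
domain, executive names, keyword lists and the sample message are all
constructed placeholders for illustration.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: a 'CEO' asking finance to pay an attached invoice today.
# The display name matches an executive, but the mailbox sits on a lookalike
# domain and replies are routed to a third domain.
SAMPLE_EMAIL = b"""\
From: "Alice Smith" <alice.smith@examp1e.com>
Reply-To: a.smith.ceo@mail-relay.example.net
To: finance@example.com
Subject: Urgent: invoice payment needed today
Date: Mon, 01 Jan 2024 09:00:00 +0000

Hi,
Can you get the attached invoice paid by end of day? The vendor changed
their bank account details, the new account number is on the invoice.
Thanks, Alice
"""

ORG_DOMAIN = "example.com"                      # assumed organisation domain
EXECUTIVES = {"alice smith", "bob jones"}       # names most likely to be impersonated
URGENCY_TERMS = ("urgent", "today", "end of day", "immediately")
PAYMENT_TERMS = ("invoice", "bank account", "wire", "transfer", "payment")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    subject = (msg.get("Subject") or "").lower()
    text = subject + " " + body

    # 1. An executive's display name on a mailbox outside the organisation.
    if display.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append(f"display name '{display}' is an executive but sender domain is {from_domain}")

    # 2. Sender domain within two edits of ours: a registered lookalike.
    if from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} is a lookalike of {ORG_DOMAIN}")

    # 3. Reply-To diverting the conversation to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    # 4. Urgency combined with payment language: the classic invoice-fraud pattern.
    urgent = [t for t in URGENCY_TERMS if t in text]
    payment = [t for t in PAYMENT_TERMS if t in text]
    if urgent and payment:
        findings.append(f"urgency ({', '.join(urgent)}) combined with payment request ({', '.join(payment)})")

    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, all four heuristics fire; a plain internal message with no Reply-To and no payment language produces no findings. None of these checks is proof of fraud on its own (a genuine vendor may well write ‘urgent invoice’), which is why they are reported as findings for a human or a mail gateway to weigh rather than as a block/allow verdict.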
Next week we will concentrate on some of the most common features of phishing messages and ways of defending against these types of attacks.