Phishing is more than a cybercriminal blasting out a bunch of emails designed to steal sensitive data to random people, hoping someone clicks on the link. The new face of phishing is a LOT more devious and sneaky than that.
Nowadays, a phishing attack can be coordinated and be wholly successful even WITHOUT a single email being sent! Now that I have your attention, let’s dive in.
What is Phishing?
Phishing is a fraudulent attempt to obtain private and sensitive information such as credit card details, account usernames & passwords, and all forms of personally identifiable information (PII), using deceptive social engineering techniques such as spoofed emails, forged web login pages, and impersonation.
The term “phishing”, coined from the word “fish”, is cybersecurity lingo first used in 1996 to describe malicious hackers who were “fishing” for online account passwords and financial information in the sea of Internet users.
Ever since then, any activity that involves sending emails which appear to come from reputable sources, with the aim of influencing the recipient so as to gain unlawful access to their private information, has been tagged phishing.
Nowadays phishing seems to be the go-to technique of most cybercriminals. We see this in Verizon’s DBIR analysis of 16000 cybersecurity incidents and 800 breaches, which revealed that phishing was involved in 90+% of successful cyber attacks.
Modern phishing attacks include but are not limited to:
- Sending of email attachments packaged with malware to victims.
- Social engineering unsuspecting individuals to visit fake websites that will trick them into handing over login credentials and personal information.
- Placing spoofed phone calls or sending spoofed text messages to people, manipulating them into hurriedly taking actions that are detrimental to them.
We will go into a bit more detail on each of these, but the key takeaway is to always remember that in phishing the attacker will always appear to be someone or something they are not.
But, if you have been educated on how to detect this epic cyber deception, you will probably be able to gallantly spot the ‘phish hook’ and avoid a whole LOT of headache.
Categories of Phishing Attacks
Before we go on to see the types of phishing attacks I’d like to first show you the categories of phishing to help you understand this better.
There are many forms & scenarios phishing attacks can take because cybercriminals are constantly looking for new ways to keep old phishing techniques fresh.
All phishing attacks share similar characteristics geared towards a common end goal, and because of that we can correctly classify almost all of them into three (3) categories, which are:
1. Action Based Phishing
Action-based phishing includes all phishing attacks whose end goal is to get the victim to take an action of compromise that brings immediate profit or payback to the attacker. The “action” taken by the victim is in itself the value (or profit) of the attack.
For example, an adversary could pretend to be the CEO of a company, spoof an email to the head of that company’s finance team, and convince him to wire several million dollars to an offshore account. That money is all the adversary needs, so his mission is accomplished if the transfer goes through.
In fact, the above example is a popular phishing attack tactic amongst cybercriminals, dubbed the “CEO Fraud Scam”. And here is one of many reported cases of this kind of phish caught in the wild.
Note that action-based phishing scams are not limited to email. Attackers could reach their victims through instant messaging services like Facebook Messenger and WhatsApp, or through SMS/text messages, also known as SMiShing (more on this later).
2. Exploit Based Phishing
In this category of phishing attacks, malicious hackers deliver malware onto a victim’s computer in order to get their malicious code to execute on those computers and then use that to pivot to yet more access.
For example, cybercriminals targeting a large corporation may send malware as an email attachment to the organization’s sales department and gain code execution on their computers. They then use the access gained from the compromised sales computers to pivot to the finance department, compromise the payment system, and access customers’ credit card details (which may be the ultimate goal).
The reason adversaries love to go through the sales people is that sales is a public-facing department in any organization, whereas the finance team is not. The sales department carries out marketing functions which include customer service, sales, and communication, so it’s natural to send the sales people office documents, which the attackers can lace with malware to begin the attack sequence.
Note that exploit-based phishing attacks can also target individuals. After the attacker has gained control over the victim’s computer through the initial malware drop, he may pivot to extracting the saved browser passwords, and then decide to install a keylogger to collect future passwords the victim types ANYWHERE on that computer.
With malware on a victim’s computer the attacker has a vast range of evil things he could do with that access. Talk about locking the victim or organisation down with the dreaded ransomware, adding their computers and mobile devices to a botnet, etc.
3. Credential Based Phishing
This is probably the most common phishing attack vector: malicious hackers phishing for usernames and passwords to gain access to online accounts. In 2019, ProofPoint reported that 65% of surveyed infosec professionals identified credential compromise as the most common impact of phishing attacks.
For example, a malicious hacker can clone a website or forge a login page for a service, to steal login credentials and personally identifiable information of unsuspecting users, and the rate of success of these attacks is alarming.
A contributing factor to the success is the fact that website URLs can be easily manipulated to fool victims into thinking they are engaging with the genuine website or service they use.
Take a look at these crafted web URLs below…
I can guarantee that A LOT of users (including you, probably) wouldn’t see anything wrong with them. But in reality, these are the types of credential phishing URLs we see on a daily basis which malicious hackers use to rake in a bountiful harvest of stolen usernames & passwords, credit card numbers, PII, etc.
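To make the URL trick concrete, here is an added example (not from the original post) in Python that pulls out the host a browser would actually connect to and flags the common ways a credential phishing URL is dressed up to look genuine. The brand domain examplebank.com, the other domains and the IP address are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample data (placeholders, not taken from the post).
BRAND_DOMAIN = "examplebank.com"
# A lookalike domain: the first 'a' is a Cyrillic 'а', which the IDNA codec turns into an xn-- label.
LOOKALIKE = "ex\u0430mplebank.com".encode("idna").decode("ascii")

SAMPLE_URLS = [
    "https://login.examplebank.com/account",             # genuine subdomain of the brand
    "https://examplebank.com.verify-account.net/login",  # brand name buried in a subdomain
    "https://examplebank.com@198.51.100.7/login",        # text before '@' is userinfo, not the host
    f"https://{LOOKALIKE}/login",                        # homoglyph domain, punycode-encoded
    "http://examplebank.com/login",                      # right domain, but no TLS
]

def registrable_domain(host):
    """Last two labels of the host (IP addresses returned as-is).
    Production code should consult the Public Suffix List instead."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def inspect_url(url, brand_domain=BRAND_DOMAIN):
    """Return the real host/domain of a URL and a list of deceptive patterns found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    findings = []
    if parts.username is not None:
        findings.append(f"text before '@' is ignored; real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        decoded = host.encode("ascii").decode("idna")
        findings.append(f"punycode host, displays as {decoded!r}")
    if parts.scheme != "https":
        findings.append("not served over HTTPS")
    brand = brand_domain.split(".")[0]
    if domain != brand_domain and brand in host:
        findings.append(f"'{brand}' appears in the host but the real domain is {domain}")
    return {"host": host, "domain": domain, "trusted": domain == brand_domain, "findings": findings}

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = inspect_url(u)
        print(u, "->", "OK" if r["trusted"] and not r["findings"] else r["findings"])
```

The same check is what a mail gateway or browser extension does before deciding whether a link is safe to show as the brand it claims to be.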
Types of Phishing Attacks (with real-life examples)
Based on the target audience and the delivery channel malicious phishers use, we have the following types of phishing:
1. Spear Phishing
Spear phishing attacks are attacks targeted at specific individuals instead of a large group of random people. It’s unlike the traditional or general phish where attackers just ‘cast a wide net’ with the hopes that at least a few persons would fall prey.
In a spear phish, the attacker needs to know some key details about the victim if the attack is to succeed.
Attackers will often spend some time conducting Open Source Intelligence (OSINT) research on their targeted victims in order to know them better, so that they can make the phish appear more authentic.
Thanks to social media, such information is no longer very difficult to find. The average person has most of their life spread across different social media accounts.
Depending on how important you are and the value of what the attacker wants from you, he may go further than learning just your full name and email address during his research.
If you are really important, he will find out all about where you live, where you work and your position there, your hobbies & interests, spending habits, properties you own, closest and most trusted friends, spouse, family relationships, and so forth. Just about any information the attacker can gather on you counts; the more he finds, the better for him.
With such depth of research on you, the attacker can now craft a very compelling phish customized for you with personalized communications. And based upon the number and success rate of breaches caused by spear phishing, we know that the phish would be difficult to resist.
2. Whaling
Whale phishing or whaling describes phishing attacks targeted specifically at high-value, powerful and prominent individuals such as C-level executives in big corporations, high-profile government officials, and top celebrities.
Therefore, prime whaling targets include CEOs, CFOs, COOs & other C-suite positions in private businesses. Other targets are those in government such as Senators, Ministers, and Secretaries to State Governors, or anyone with privileged access to government or top-secret information.
A phishing attack on a whaling target can be considered a ‘big phish’ or ‘whale’ because if they are successfully compromised, the credentials that would be stolen, or access to resources obtained could endanger the entire business or country.
For that reason, the phishers usually conduct a very high-level research on the intended ‘whale’ to know what interests them so as to make the right phish.
A classic real-life example is the 50 million euro whale phishing attack that occurred in 2016, which to date holds the record for the most money lost by an individual in a single scam.
The successful whale phishing attack targeted the CEO of FACC, an Austrian aeroplane parts manufacturer, Mr Walter Stephan.
FACC’s systems were not hacked; the cyber criminals seem to have managed to get into Stephan’s company email account and sent a wire transfer instruction via email to an entry-level accountant in the finance department.
Unfortunately, a whopping sum of 41.9 million euros was sent offshore to the attackers. But later on, the company was able to block 10.9 million euros from being transferred and recover it.
Following this attack, FACC fired its CEO Walter Stephan with immediate effect. A while later, the Chief Financial Officer (CFO) was fired as well.
3. Vishing
Vishing is the practice of eliciting information or attempting to influence action via the telephone. It is called vishing because it is done by voice over the phone, i.e. voice + phishing = vishing.
Phishers take advantage of the cloak of anonymity and willingness of people to help to impersonate others. An attacker can confidently communicate in the name of their victim to elicit information about the victim from a brand or service the victim uses.
On the flip side, the attacker could “spoof” (or falsify) his outgoing number to be coming from within an organization and pose as an authority figure to elicit sensitive information from a customer of the business. Or worse, pose as a fellow employee or technician to obtain sensitive information that could lead to the compromise of the organization.
In the video, Dave spoofs his phone number and calls the IT guy of a company, impersonating the company’s tech support. He then directs the IT guy to visit a malicious website that he has set up, in order to download custom malware he, Dave, wrote himself. Watch the video below…
4. SMiShing
SMS phishing or SMiShing is a phishing scam that uses Short Message Service (SMS) text messages to lure victims into taking an immediate action such as visiting a malicious website, texting back sensitive information, or installing mobile malware.
Most people are very trusting when it comes to SMS text messages. There is this weird way in which people just relax their guard and believe anything they read in an SMS without verifying it, probably because they are oblivious to the fact that SMS text messages are a medium through which cyber crooks can reach them.
This trust especially stems from the fact that branded text messages usually come from numbers that aren’t actually real phone numbers, such as “3800”, or from brand names, such as “WhatsApp”, “First Bank”, etc. We immediately attach trust and credibility to such SMS text messages.
There is absolutely nothing special about SMS coming from shortcodes or brand names. It only means that an email was delivered to your mobile phone number as a text message, or that the message came from a bulk SMS service.
Now a real problem here is, if legitimate businesses are using it to promote brand awareness, you can bet the bad guys are using it too to make their phishing campaigns appear legitimate. So keep that at the front of your mind.
Smishers (as with phishers in general) use elements of social engineering such as fear, anxiety, or greed to get their victims to share their personal information, or they may simply exploit the willingness of people to help others.
The screenshot below is a perfect example of such a case where an attacker is exploiting a victim’s willingness to help over text messages.
The attacker is nicely asking the victim to send them the 2FA code that is normally sent to your mobile number on file before you can complete a bank transaction.
One thing I can say from experience is that malicious attackers rely almost all the time on their victims being cybersecurity illiterate in order to perpetrate their hacking activities and win.
Meaning that with proper user awareness and education, more than 98% of the battle against a superb hacking technique like phishing could be won. So if we all join hands to spread and promote articles like this, together we will sooner or later force “phishers” out of business.
I believe you’ve learned something new from this post. If so, would you kindly share it with others? It would help them too, and you would feel good knowing you have done something right.