Phishing scams have been rife for almost as long as there have been email addresses. In many ways, it’s a rather ‘old-school’ technique that cybercriminals use to hack into computers and online accounts that don’t belong to them.
These days, there are many more sophisticated techniques that such maliciously-minded groups and individuals can use to much the same effect: fake WAPs (wireless access points), cookie theft and mass malware campaigns, to name but a few. But sometimes the old, tried-and-trusted methods are still the best, and so good old phishing is still very much alive and kicking today.
Put very simply, phishing is a form of cyber fraud, where an attacker poses as a reputable entity – such as a bank, for instance – and attempts to glean vital information about the victim’s account and login details. Usually, a phishing scam arrives via email, instant message (IM), or other communication channel such as a social network.
As I say, it’s a rather old-hat technique by today’s standards, but it works. Indeed, you could say that phishing is the digital equivalent of criminals in the real world who masquerade as tradesmen and knock on people’s doors looking for things to steal – it’s one of the oldest tricks in the book, but the success rate is still high.
Typically, a victim will receive a message in their inbox or IM feed that appears to have been sent by a known or otherwise reputable contact. Within the message there will be one or more links, or possibly an attachment, which, if clicked or opened, will install malware on the user's device or direct them to a malicious website where they are tricked into divulging sensitive information such as passwords, login credentials or banking details.
Why do cybercriminals still bother with phishing? Because it's easy. Most home computers are now equipped with anti-malware, anti-spyware and antivirus defences, which make it difficult and time-consuming for a cybercriminal to break into a computer or online account remotely.
To try your hand at a bit of phishing, on the other hand, all you really need is someone's email address and, possibly, some easily acquired malware that can do some pretty serious damage.
The word itself, 'phishing', is simply a homophone of 'fishing', as the technique involves laying bait as a lure to catch a fish (the victim, or 'phish'). As any angler will tell you, the best bait catches the most fish, and so, while some phishing emails are very poorly written and obvious fakes, some cybercriminals go to great lengths to make their messages and malicious websites look as genuine as possible. They include logos and other identifying information lifted directly from the real company's website, creating the perfect lure and the perfect bait. Some sophisticated operators even borrow the techniques of professional marketers, testing which type of message hooks the most phish.
Phishing actually comes in many forms. The basic premise is always to attempt to acquire sensitive information by masquerading as a trustworthy entity in some form of digital communication. However, there are some variations on the methods that are used, and they are worth dealing with individually so we can be clear on each.
Spear-phishing differs from traditional phishing attacks in that spear-phishing is highly targeted and requires research before being executed. Whilst regular phishing emails are simply duplicated and sent out to thousands of potential victims – casting the net wide, if you like – spear-phishing takes a considerable amount of investigation into a specific victim.
The attacker will first research the victim online and build up a real understanding of their habits and behaviours. A lot of such information can be gleaned from social media. For example, you might have gone out for a meal and left a glowing review on the restaurant's Facebook page. An attacker might see this and send you a message saying something like this:
“Hey Jo! Glad you enjoyed your meal with us at Weatherforks. We thought you might like to take advantage of our special offer [link to a fake page to gather your information]. Have a FREE meal on us!! Thanks, the Weatherforks Team.”
As well as attacks on individuals, spear-phishing is also used to target businesses and corporations, not by opportunistic hackers but by serious criminals out for trade secrets, government or military information and, of course, large financial gain.
Clone phishing gets its name from the type of bait it uses to hook a phish. An email that the victim has previously received, containing a link or attachment, is copied ('cloned') and re-sent to the recipient with only the link or attachment changed, so that it now points to, or carries, a malicious payload. This second email will often claim to be a re-send or an updated version of the original, and will come from a spoofed email address that looks almost identical to the original sender's.
Whaling is really a type of spear-phishing, but one that is very specifically designed to target high-worth and high-profile victims (i.e. the ‘big fish’), such as politicians, corporate executives and celebrities.
The method, however, remains the same. The victim is sent an email (usually) that appears to be from a trusted source, and is lured to a website that has been set up especially for the attack. Whaling emails are highly personalised and will usually include the target's name, job title and other information that is readily gleaned from the internet.
Phishing scams are rife and as popular as ever, according to the Infoblox DNS Threat Index. Although the third quarter of 2015 saw a slight dip in the number of cases, the figures still indicate an overall increase in attacks. From the 2015 Q3 report:
“Phishing continues as a significant component of the Index for the second quarter in a row, with more than double the average phishing activity over the previous nine quarters. Although Phishing has been around for a long time, criminals still use the technique because it works, and because it’s often easier to trick humans into giving up sensitive information than to overcome increasingly sophisticated cybersecurity systems.”
The dip in the figures, it should be noted, does not necessarily signify a dip in phishing activity. Indeed, phishing is a cyclical process. One half of the cycle is known as "planting", whereby attackers are busy creating the new infrastructure and domain names from which they will launch their attacks. The second half, "harvesting", occurs when everything is in place and attacks are launched from the previously acquired and prepared domains.
“The Infoblox DNS Threat Index shows this endless cycle of planting and harvesting, when looking across the twelve quarters to date,” the report explains. “If the index is lower in a given quarter, this may correspond with a period in which the malicious agents are harvesting the infrastructure they have already created and are not setting up new bad domains at the same pace. If the index is higher in a quarter, this could indicate that the attackers are in a planting phase, establishing domains and other infrastructure to execute their plans.”
Proofpoint have also done extensive research into phishing trends and figures. Their report, The Human Factor, gives an overview of the findings:
“The report offered a unique, data-driven look at who was clicking on malicious links in emails, what email templates were most effective, when they were most likely to click, where they were clicking, and why they clicked on malicious URLs at such a high rate. In short: company staff were clicking on social media invitation phishing messages delivered in a wave before the start of business, and 20% of these clicks were happening off the corporate network.”
2014 was the year that attackers "went corporate", according to the report. The main shift in approach came in the form of targeted attacks (spear-phishing) on middle-management figures in order to steal cash. Other, subtler techniques are also being refined, such as timing distribution so that malicious emails blend in with periods of high business mail flow, and an increased use of attachments rather than links.
The report indicates some of the top phishing lures being used in 2015, mainly delivered as email attachments, and we highlight five of them here for you to be aware of.
The first lure is the voicemail notification. VoIP and other hosted PBX solutions are on the rise, which means employees receive more and more voicemail in their inboxes. Because voicemail is historically associated with telephones rather than computers, it is not mentally linked with malware, and proper caution is not always exercised when opening a 'voicemail' attachment.
The second is the fax notification. Faxes, too, are associated with telephone lines, so the usual caution is easily overridden. This is coupled with the fact that faxes carry a natural urgency, and so employees click.
The third is the corporate financial communication: a message requesting a wire transfer or reporting a failed transaction. Urgency yet again plays the vital role. Needless to say, such scams can be catastrophic if the bait is taken.
The fourth is the personal fraud alert. Warnings of suspicious activity on a bank account or credit card are still used frequently to lure people into clicking malicious links. Put simply, you should NEVER act on such an email: go directly to the financial institution's website by typing the address yourself or, better still, phone the number on the back of the card to find out whether the fraud is real.
The fifth is the 'account disabled' notice, an email that says something along the lines of: “Your account has been disabled after it was the victim of unauthorized access. Click the link below to reactivate your account.”
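The tells described above are mechanical enough to check before anyone clicks: the look-alike sender address and "re-send" subject of a clone-phishing email, the link in a fraud alert or account-disabled notice whose visible text shows the bank's address while the real destination is somewhere else, and the urgency wording the lures rely on. The following Python script is an added example for this post; it is not CronLab's code and nothing in it comes from the Infoblox or Proofpoint reports. The two messages it triages are constructed, the domains and the IP address are placeholders, and the list of trusted sender domains is an assumption standing in for whatever a real mail gateway would be configured with.

```python
# Added example for this post, not CronLab's code: triage checks for a
# suspected phishing email. The sample messages are constructed, the domains
# are placeholders and TRUSTED_DOMAINS is an assumption.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}  # assumed: senders this user deals with
URGENCY_TERMS = ("disabled", "unauthorized", "reactivate", "within 24 hours",
                 "wire transfer", "failed transaction", "new voicemail", "new fax")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample: a cloned "account disabled" notice from a look-alike
# sender, whose link text shows the bank's address but points elsewhere.
PHISH = b"""From: Example Bank Security <alerts@examp1e-bank.com>
Subject: Re-send: Your account has been disabled
Content-Type: text/html; charset=utf-8

<p>Unauthorized access was detected. Click below within 24 hours to reactivate.</p>
<a href="http://198.51.100.23/login">https://www.example-bank.com/secure</a>
"""

# Constructed sample of an ordinary notice from the real sender, for contrast.
BENIGN = b"""From: Example Bank <alerts@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement is available in online banking.</p>
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>
"""


def edit_distance(a, b):
    """Levenshtein distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.
    A threshold of two edits catches the usual 1->l, 0->o and rn->m swaps."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain.lower(), t) <= 2:
            return t
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return (code, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("lookalike-sender", f"{sender_domain} imitates {imitated}"))
    subject = str(msg["Subject"] or "")
    if re.search(r"\b(re-?sen[dt]|updated version)\b", subject, re.I):
        findings.append(("resend-subject", subject))  # the clone-phishing tell
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, text in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        if IPV4.match(host):
            findings.append(("ip-literal-link", href))
        shown = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if shown and shown != host:  # visible URL differs from real destination
            findings.append(("link-text-mismatch", f"shows {shown}, goes to {host}"))
    haystack = (subject + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [term for term in URGENCY_TERMS if term in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings
```

Running `triage(PHISH)` produces five findings (look-alike sender, re-send subject, IP-literal link, link-text mismatch and urgency wording), while `triage(BENIGN)` produces none. None of these checks proves a message is malicious on its own; a genuine bank does occasionally write "unauthorized", and a typo-squatted domain two edits away from a trusted one may be a legitimate unrelated business. Their value is in stacking: a message that trips several at once is exactly the kind the lures above rely on people opening without a second look.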
If you’re worried that your organisation may not be fully equipped to deal with phishing hacks and scams, then please get in touch to find out how CronLab can help you. We have a range of solutions that have all been designed to keep your business safe. They are tried and trusted by a wide range of clients. Please use our Contact Page and drop us a line today.