Introduction to Phishing
The word ‘Phish’ is an analogy for an angler thrown to fish as bait to catch them. Phishing is an example of a social engineering technique that is used to deceive the users. It is a cyber-crime in which the targets can be contacted through emails, texts, calls to make the target trust that it is from a legitimate source and that sensitive information and data can be collected from the target. The data thus collected can include bank details, account information, etc…
Phishing is one of the oldest cyber-attacks that started way back in the 1990s. This was started on AOL users in the 1990s to trick them into providing the login credentials. Still, this is one of the major attacks in recent times and is become very sophisticated. There are several ways to deal with phishing, like user awareness, legislation, user training, technical measures in proper cybersecurity.
Types of Phishing
The types of phishing attacks can be classified into the following categories:
1. Spear Phishing
This is phishing, where either an individual or a company is targeted. Unlike bulk phishing, phishing attackers often attack either individuals or companies and use their personal information to increase the rate of success. In this attack, attackers send specified messages to an individual instead of a generic one. The attackers add in as many personal details as possible to trick the targets that it is coming from a highly legitimate source.
How Do They Work?
Spear phishing happens by scanning the individual profilers through social networking sites. From a profile, they will be able to get their email id, gender, friends list, locations, etc. With this info, the attacker will be able to act with the target as a friend or some familiar entity and send them convincing yet fraudulent posts or messages. Often, the individual sent a link to some spoofed websites where it appears to be a real website but is used to take up usernames, passwords, etc.. kind of sensitive information. Once attackers have gathered all necessary info, they could access bank information, trick attackers to download some malware, etc.
To Be Cautious:
- One needs to be aware of what sensitive data is being visible on social sites and online.
- Passwords can be smartly created so that it is very difficult to make a guess.
- The software has to be frequently updated.
- I need to be careful while clicking on links in e-mails. Even with a bit of suspicion, try to avoid clicking links.
2. Clone Phishing
Clone Phishing is one type of phishing where an email from a legitimate source is completely cloned for the content, and malicious content is added to it. The attacker may trick the user that it is an updated email or so and does the job of phishing. Win the email, malicious links could be sent, and the target user could be blackmailed or extorted or exposed.
3. Whale Phishing
Whale phishing can be considered as one type of spear-phishing as the targets are individuals but not in bulk. Whale phishing is a type of phishing where high-profile employees are only targeted. This is to target a company’s highly sensitive information. The targets in this attack are generally CFO/CEO level people who hold essential and sensitive info about the company. The term whaling has come depending upon the attack size (whale size/big size). Due to its very high targeted nature, it is very difficult to stop these kinds of attacks as the attackers are very cautious about being caught, and hence there is a high chance that the attack is successful. Whaling attacks are highly customized, and they have incorporated the attacker’s mail, names, and other various information which they can get through various sources.
The attackers are ready to spend a high amount of time as the information gives them very high returns than the normal ones. Whaling attacks happened recently in 2016, where CEOs were tricked into giving income tax-related data to some unauthorized third parties.
Ways to Perform Phishing
Here are different methods and ways to perform phishing which are given below:
1. Deceptive Phishing
This is the most common technique in which attackers impersonate a trusted company and attempt to steal some sensitive data like usernames etc. They can also send some links in Email, which redirects them to false websites to collect data like login credentials.
2. Website Forgery
3. Filter Evasion
Phishers have started using images instead of text so that it is difficult for anti-phishing filters to detect them. However, some anti-phishing filters have the ability to detect hidden texts/scripts embedded in the images with OCRs.
4. Voice Phishing
Sometimes, phishing need not happen online. They can happen by making calls to users as if they are from banks and convincing them to provide pin, usernames, other sensitive data through which financial security attacks can be done like stealing money, making purchases, etc.
5. SMS Phishing
A fraudulent link of phishing can be sent via SMS instead of emails. This link acts exactly the same way as spam links over e-mails. Since people are using mobile phones for almost everything, this has become quite popular now. The messages could deceive users with attractive or catchy messages like “You Have won 50 lakh in a draw. To claim, click on …”
6. In Session Phishing
This is where the phishing relies upon the browser session, being able to detect the presence of another session. Phishing can happen here by opening a pop-up that deceives the user as if the targeted session is opening it.
How to Identify it?
- The display name cannot be trusted.
- Check properly for the sender’s email address. Sometimes, the website address given in the email or email address of the sender could be suspicious, which could be detected by examining keenly.
- Sometimes, the e-mail body text could be poorly written, showing that the email is not from a legitimate source.
- The e-mail could have contained suspicious attachments within it, which could contain malware or has some virus that gets installed when opened.
- Should refrain from trusting if the Email asks you about any kind of personal information that sounds suspicious.
- ‘Urgent’ e-mails could be a threat. Beware when an email comes with a sense of urgency. Usually, this is a trick to make the users not think of any further and immediately take action like providing personal info and making them download malware.
- Check the signature. Legitimate sources would be very transparent and provide complete contact information, support telephone number, etc. So check if the signature is valid and has some trustable information, which helps understand if the e-mail is a genuine one.
- Use proper browsers which have some anti-phishing enabled within the browsers. Chrome, Firefox, IE, Safari, etc.. have anti-phishing enabled within them.
- There are a few websites over the internet, which help people show the exact message circulated over the internet for phishing. These kinds of websites help in spreading awareness.
- Many organizations started implementing methods where the employees are trained to implement proper techniques legally within the organization to be safe from phishing attacks. Organizations also run phishing campaigns to spread the word and make employees understand the importance of safety against phishing. Also, organizations try to adopt a pattern/signature in official e-mails so that the employee will know if the e-mail is actually official or not. However, it also really depends on the individual paying attention to such kind of minute details on e-mails.
- Users can be trained to recognize phishing attempts and counter them with some proper techniques.
- Browsers like IE, Chrome, Firefox maintain a list of fraudulent websites that are popular in making phishing attacks. These make the user aware before even opening the website so that the user would be safe. However, this can only prevent 50% of the problem as attackers, after knowing that their website is blocked, would obviously prefer another way by probably changing the domain, etc…
- Some banking websites have adopted some intelligent ways to detect phishing, like by asking users to enter the password only when a certain action is reliable. For e.g., the website shows a set of images of which the user would select one, and that gets displayed. Only then, a user is requested to enter a password, and this suggests that the webpage they are viewing is a reliable one.
- Spam filters are available on almost all mailboxes that filter the inbox emails.
- Currently, there are more ways of authorizing a user, like providing a two-step verification method like an OTP to a mobile number.
- With OAuth, where you can utilize google/ Facebook/ Twitter authentication, fraudulent login has become less possible as these big companies completely take over the complete login security and safety.
- Penetration testing is a technique that is authorized a simulated attack on the computer system to check the system’s security level. This is basically used for risk assessment, where the assessment evaluates how good the system can be away from security attacks and how vulnerable the system is to any such attacks. In this, the target system is completely reviewed and get the data. The testing is then performed by having a goal of an attack to particular data and then testing how good the system is to encounter it. Pen testing is one component of a full security audit.
Phases of Pen-Testing
Given below are the phases of Pen-Testing:
1. Reconnaissance: This is the phase where the required information is gathered.
2. Scanning: Use tools to further the attacker’s knowledge of the system.
3. Gaining Access: Here, the attacker can use the payload to attack the system by using data from the 1 and 2 stages.
4. Maintaining Access: To be persistent in attacking the system and check for any vulnerabilities.
5. Covering Tracks: Be Anonymous of whatever is performed.
These are the stages of penetration testing, and this one is standardly recommended for cyber attacks.
Pen testing can be of two types:
- External Testing: Where testing is performed on digital data that is external, like company website, mail servers, domain servers, etc.
- Internal Testing: It is where testing is performed on every system on the data behind the company firewalls.
Reported Phishing Attacks
Even when computers are becoming smart and new techniques come to counter phishing, phishing attackers are becoming smarter and coming up with the latest attacks.
- People are often scared when they receive a mail saying that their account is getting deactivated. Attackers utilize this psychology of the human mind and attack through e-mails asking them to click on a link immediately. As the e-mail comes with an emergency note, people could easily get trapped without even checking the reality.
- Some e-mails like from Nigerians come with very bad grammar and with context having something like requesting for some amount as a donation, paying heavy hospital fee, etc. These e-mails are just another way to gain sympathy from users and lure their money. These e-mails, to the maximum extent, were reported that they have from out of the country and mostly from Nigerian fraudsters.
- Attackers know another trick that humans have guilt conscience and use this to frighten them. The e-mails would come with context saying that you are subject to a violation. You need to take immediate action like paying some amount within 3 days otherwise, which you could be subjected to jail or liable to pay a lot of money.
- E-mails also do come with context like “Attention… Take action immediately. Call us on 1800… numbers to receive the support immediately etc… As soon as you call the number (The fraudsters can easily buy the number), A technician would come into the assistance and ask you to provide remote access for your system. As soon as you provide, they would access the system and install some malicious software or access their data, etc.
It is highly recommended that people know all these kinds of phishing attacks and make best practices to be safe in this digital world.
This has been a guide to What is Phishing? Here we discussed the phase, types, and ways to perform phishing respectively. You can also go through our other suggested articles to learn more –