Technical Details & Reasons for Attack Archives • InfoSec Resources

Overview

Phishing involves attempts by Internet fraudsters to access and obtain personal and sensitive information, such as usernames, passwords, and financial information, by utilizing social engineering techniques. To accomplish this, hackers impersonate legitimate businesses in order to trick users into divulging personal and often highly sensitive information. Phishing attacks were first discussed as a theoretical possibility at the 1987 Interex conference. The earliest reported instance of such an attack occurred in 1996 when hackers—attempting to generate fake AOL accounts—began contacting users of AOL Instant Messengers posing as AOL staff and requesting password confirmation. Since then, phishing and data-mining attacks have increased in frequency, intensity, and scope, and phishers have been increasingly targeting large companies, government entities, and individuals with high net worth because of the greater potential for economic or information windfall.

Armed with fraudulently obtained personal information, the phisher is then able to gain access to virtually all of a target’s online accounts and records, including bank, mortgage, credit, medical, personnel, and insurance, among others. The primary method for most phishing scams is to create a phony, but credible-looking, web presence for a trusted brand, which fools the user into providing confidential information that can be accessed by the hacker.

Phishing threats are ubiquitous; however, the most concerning are called Advanced Persistent Threats (APTs) and involve an individual or group that utilizes ongoing and surreptitious computer hacking practices, including phishing, to target a specific entity for financial gain, to conduct surveillance or espionage, to facilitate theft of intellectual or other property, and various other malevolent behaviors. To qualify as an APT, the threat must be continual, long-term, covert, sophisticated, and focused upon a specific target. One example of an APT that specifically focused on phishing tactics was 2006’s Sykipot Trojan attack, which leveraged a common security loophole in Adobe products (especially Adobe Reader and Acrobat) and used spear-phishing to steal intellectual property from US and UK defense contractors.

Common Phishing Techniques

Phishing

The most common type of phishing occurs through email, when a scammer poses as a legitimate and trusted business using a similar look and feel to regular email notifications to trick users into clicking on a link that takes them to a phony website or access portal designed to look like the legitimate company website. Here, victims are then prompted to enter personal information ranging from login names and passwords to social security numbers, birthdates, account numbers, and other highly sensitive data. Email phishing is prevalent because of the abundant access to databases containing millions of active email addresses, thus providing thousands of potential victims with relatively little risk and almost no cost.

Spear-Phishing

Spear-phishing involves creating email messages that appear to be from a friend or other trusted sender, such as an employer, physician, or a local company. Spear-phishers take advantage of the degree of familiarity between the target and the supposed sender. Because of the volume of personal information shared on social networking sites, spear-phishing is easier than ever—all but the most secure Facebook pages will provide first and last name, names of family members, and employers to anyone looking for them. The salutation of a spear-phishing email may use the individual’s name instead of the more impersonal “Dear Sir” used in basic phishing campaigns and may contain keywords such as “mutual friend” or “urgent,” or include a situation that is either dangerous (“I was traveling overseas and was robbed; please send financial information so I can get home”) or lucrative (“I just discovered a fantastic opportunity, and I’d like to get you on board too”); both of which require quick, instinctive action before logic can intervene. The seeming familiarity and urgency can make a potential target less vigilant and more apt to providing personal information.

Whaling

Whaling is a type of phishing that travels one step up the ladder of risk and reward. It refers to phishing campaigns waged against senior executives such as CEOs or CFOs. The victim is researched more thoroughly and lured with a very professional, corporate-flavored document such as a fake FBI legal subpoena, an IRS audit announcement, or public relations emergency bulletin. Documents often appear authentic and claim to require the installation of proprietary software (malware) in order to view the document.


How does Phishing Work?

Malicious Software

Viruses, worms, and Trojan horses are all examples of malicious software—or “malware”—that can wreak havoc on an unsuspecting target. Viruses are pieces of code that a scammer introduces into a computer or network that can alter and/or sabotage files. Viruses can only function with unsafe user activity such as allowing an infected program to run. Worms’ sole purpose is to reproduce and then seek out vulnerabilities in operating systems where they continue to replicate. Trojans—named after the Greek army’s subterfuge, the Trojan horse—are destructive programs that masquerade as legitimate applications. In addition to destroying data, Trojans often provide a “backdoor” entry to a computer, allowing the sender to access information on the computer from offsite locations.

Phishers often utilize social engineering tactics to insert malware into a person’s computer or network. Unsafe (and unrequested) Microsoft Word documents attached to phishing emails will ask the user to enable macros before running—sometimes using reverse psychology by suggesting that macros need to be enabled as a safety measure—thus bypassing a computer’s content scanners and allowing the document to download malware from an offsite location. Unsafe browser extensions or plug-ins (like Video DownloadHelper or Greasemonkey) can introduce malware into web browsers, while ZIP archive files can hide ransomware threats that lock one’s computer until a “fine” is paid. Most insidiously, however, a router that is malware-infected can be reconfigured from the outside, resulting in silent redirection to unsafe websites. In such cases, a user might type in google.com, but the infected router will instead send the request to a malicious DNS server, which resolves the name to a counterfeit site that looks just like Google but harvests the user’s username and password.

Pharming

Pharming is a more complicated phishing tool that involves redirecting network traffic or altering the domain name system (DNS) for the target website. The DNS is responsible for converting user-friendly domain names (such as yahoo.com or irs.gov) to numerical internet protocol (IP) addresses that computers use to communicate with each other. Potential targets receiving a fraudulent email urging them to “click here to be redirected” to the presumed legitimate site can be deceived if the hyperlink contains a numerical IP address—rather than a domain name—as the target is unlikely to investigate whether that particular IP address matches the organization’s real address. A related pharming tactic involves registering DNS domains for fraudulent websites that closely resemble the name of the legitimate domain. For example, if HugeRetailer.com is a legitimate site, scammers will register HugeRetailr.com or Huge-Retailer.com in an attempt to trick users into believing that the fake domain is, in fact, authentic. The fraudulent domain is usually designed to look like the real thing but redirects users immediately to a page that asks for a username and password to proceed.
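As an added illustration (not from the article or any product it mentions), a defender-side link check for the two pharming lures just described: it flags links whose host is a bare IP address rather than a domain name, and domains that differ from a protected brand only by a hyphen or a single character. HugeRetailer.com is the article’s hypothetical brand; the trusted list, the edit-distance threshold and the two-label domain approximation are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed list of brands this organisation protects (assumption, not from the article).
TRUSTED_DOMAINS = {"hugeretailer.com", "yahoo.com", "irs.gov"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; distance 1 catches HugeRetailr-style typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (crude approximation: no public-suffix list,
    so co.uk-style domains are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Classify a link target as 'raw-ip', 'trusted', 'lookalike' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "raw-ip"                  # numeric address instead of a domain name
    except ValueError:
        pass
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name = domain.rpartition(".")[0]     # label left of the TLD
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.rpartition(".")[0]
        if name.replace("-", "") == tname:      # Huge-Retailer.com
            return "lookalike"
        if levenshtein(name, tname) <= 1:       # HugeRetailr.com, hugeretailer.net
            return "lookalike"
    return "unknown"
```

A mail gateway or browser extension would run classify_link over every href in an inbound message and hold anything classified as raw-ip or lookalike for review.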

Phishing Injection

Phishing injection occurs when malicious content (such as a website not connected to the main page) is inserted into an otherwise legitimate website through a security vulnerability in the website. Fraudulent pages can be created by copying and uploading a simple HTML page to a compromised website server while installing specific back-end capacities to process user-entered data, thus making the data available to the hacker. Phishers send an email requesting that users click through to the website, which looks legitimate due to its trusted URL. From this unauthorized page, phishers can remotely install malware onto users’ computers or redirect users to another site. In 2014, a recruitment service website called Jobvite was found to have dangerous SQL injection vulnerabilities, leaving their CMS database (and their hundreds of thousands of users) susceptible to phishing attacks.

Domain Hijacking

Domain hijacking involves gaining access to a legitimate domain’s control panel and then redirecting it from the domain owner’s web server to another one by reconfiguring the domain name to redirect users to the fraudulent site. Domain hijacking does not require the phisher to obtain access to the target web server itself. Instead, hackers can obtain domain user information through the WHOIS site (whois.domaintools.com) by entering the target domain name and accessing the “lookup” feature to see to whom the domain is registered and the administrative email address for said domain. The scammer can then utilize the administrative email address as a backdoor to hack into the domain control panel.

As recently as 2015, web hosting brand leader GoDaddy discovered a cross-site request forgery (CSRF or XSRF) vulnerability that was accessible through old domains still registered on GoDaddy. Although GoDaddy’s security department was able to patch the hole within 24 hours of its discovery, vulnerabilities like this are regularly discovered too late, after much financial and security damage has been done.

Phishing & Social Engineering

First examined within the social sciences as a type of psychological manipulation designed to influence social behaviors and beliefs, the concept of social engineering has been expanded into the information technology and security sphere. Fundamentally, social engineering tactics manipulate users into giving money or confidential information before reason can take hold. In its most basic sense, social engineering uses bait to lure a user into a trap. Determining the appropriate bait lies at the very heart of social engineering.

Social engineering tactics prey upon human nature and emotion. Phishers can lure potential victims by playing to their greed with emails regarding awards or contests (“Click here to claim your $20 Starbucks gift card!”); their anxieties about non-existent emergencies (“Microsoft has discovered a virus on your computer—click here to fix.”); and their trust (“Your Amazon package cannot be delivered—click here to confirm your shipping address”). It is critical to realize that, for example, one cannot win a contest without entering, nor can Microsoft remotely detect a virus on one’s own computer.

Within their online social networks, individuals tend to be more communal and less vigilant about potential interlopers. In order to expand their brands, many companies now offer their own social networking groups or pages that provide coupons and exclusive promotions, thus attracting scammers en masse. Phishing tactics on social networking sites include rogue apps, messages from friends’ hacked accounts (“I got a great deal on home refinance, go check it out!”), fraudulent user groups that look like legitimate ones, and utilizing social programs such as games or other applications with in-app purchase options. Conducting financial transactions through social networking platforms has significant potential to compromise sensitive data and financial information.

Other common social engineering schemes include enticing users to click on legitimate-looking links that redirect them to fraudulent sites. One oft-utilized tactic involves creating fake advertisements or offers for cheaper versions of services like Netflix or DirecTV, which can install malware on users’ computers, opening a backdoor for information theft. This tactic is popular because it preys upon human nature: a user’s innate curiosity and excitement.

Cyber-criminals are always expanding their repertoire to devise innovative methods to obtain another’s personal and sensitive information. With rapidly evolving and increasingly sophisticated computer technology that improves scammers’ speed, mobility, and geographical reach—coupled with the relatively slow evolution of learned behaviors—the capacity of social engineers to bring about large-scale outcomes is heightened dramatically.

Combating Phishing

Technological Fallbacks and Avoiding Poor Practices

Knowledge and vigilance are the two most important counter-phishing strategies. Though spam filters are commonplace with most email services, phishing emails that make it through their defenses may appear more trustworthy. This gives users the impression, “This has to be a real message from Netflix, otherwise it wouldn’t have made it through my spam filter!” Technological defense tactics can work only when aided by scam-savvy individuals. Any email that prompts users to click on a link to a business’s website or to reply to the message itself with personal information should always raise a red flag. If a person is concerned about a particular account and wishes to check the legitimacy of a received message, it is much safer to call the company’s trusted telephone number or to access the company’s website directly. When in doubt, simply delete the email. In addition, many businesses have email addresses where consumers can report potential phishing scams or check on the legitimacy of an email they received. PayPal’s dedicated scam email address (spoof@paypal.com) will alert the reporting party as to the potential fraudulence of a received message purporting to be from the company.

Avoiding poor practices with respect to Internet technology can also be effective in preventing and combating potential phishing attacks. Using one’s work email for personal business or “surfing the web” while “on the clock” has the potential to jeopardize the company’s network and facilitate a damaging phishing attack. A greeting that uses one’s name (rather than “Dear User”) and “official” company messages that contain no misspellings are signs worth checking, but neither is a guarantee that a communication is safe. In an age where friends and colleagues have multiple email addresses through free services as well as their work-related addresses, caution should be taken when receiving a request from a colleague at work who has sent it from a Gmail or other outside address. Employees should also take care not to use the same password for multiple accounts. While it is undoubtedly easier to remember one or two passwords, should a hacker gain access to one’s information on one site, it is much easier to breach many other sites if the usernames and passwords are all the same.
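The red flags listed in the two paragraphs above, turned into a small triage check as an added example (not from the article): a Reply-To that points somewhere other than the sender, a sender writing from a free webmail domain, a generic “Dear User” greeting, link text that names one site while the href goes to another, and a request to confirm account details. The webmail list, the phrase patterns and the sample message are constructed assumptions, and the parser handles single-part messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lists and sample message (assumptions, not from the article).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
GENERIC_GREETINGS = ("dear user", "dear customer", "dear sir", "dear valued")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
ASK_RE = re.compile(r"(confirm|verify|update)\s+your\s+(password|account|shipping address)")
SAMPLE = '''From: "Netflix Billing" <netflix-billing@gmail.com>
Reply-To: collect@example.net
Subject: Action required
Content-Type: text/html

<p>Dear User,</p><p>Please <a href="http://192.0.2.10/nf">confirm your
account at netflix.com</a> to avoid suspension.</p>
'''


def shown_host(label: str) -> str:
    """Domain name the visible link text appears to point at, if any."""
    m = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", TAG_RE.sub("", label), re.I)
    return m.group(0).lower() if m else ""


def phishing_flags(raw: str) -> list:
    """Return the red flags found in one single-part raw message."""
    msg = message_from_string(raw)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    from_dom = sender.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        flags.append("reply-to-differs")        # replies are routed elsewhere
    if from_dom in FREE_WEBMAIL:
        flags.append("free-webmail-sender")     # brand or colleague mailing from Gmail
    html = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = TAG_RE.sub(" ", html).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic-greeting")        # "Dear User" rather than a name
    for href, label in ANCHOR_RE.findall(html):
        link_host = (urlparse(href).hostname or "").lower()
        if shown_host(label) and shown_host(label) != link_host:
            flags.append("link-text-mismatch")  # text names one site, href another
    if ASK_RE.search(text):
        flags.append("credential-request")
    return flags
```

Running phishing_flags(SAMPLE) raises all five flags; a message that trips several of them is a good candidate for the “call the company directly” advice above rather than for a click.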

Utilizing Security Awareness Training

Although the Internet is rife with examples of how to conduct phishing scams, such as a step-by-step guide on creating a phishing page for Gmail, these same techniques can be used to promote security awareness. One example of this would be SecurityIQ’s PhishSim program. This program allows security departments and individuals to create realistic phishing campaigns to disseminate to their friends, family, or employees. These fake campaigns do not compromise information but are meant as education. A user who falls for the phishing campaign is sent a notification that they have been phished, but that their information is safe, followed by a short video describing increased security awareness. Security teams can use ongoing campaign trackers to determine which employees of the company are most susceptible to phishing schemes.

Section Guide: Ryan Fahey