Hidden Phishing Threats
By now, the risks associated with phishing are well-known and well-documented. What is often misunderstood or overlooked is a hidden threat related to phishing.
Brief Background
There are various forms of phishing, but each form has a similar objective: to elicit information from an unsuspecting victim (refer to this article for more details).
Phishing simulations & training
Phishing
Phishing is an attack wherein an attacker attempts to acquire sensitive information from a target, including usernames and passwords, personal identification information, or payment card information. This is typically done via email, but it can also be broadened to include watering hole attacks, wherein an attacker plants innocuous-looking links in places like discussion forums to entice victims to click.
Phishing tends to be blind, in that there is no specific target.
Spear Phishing
Spear phishing is similar to phishing, but it has a much better defined target. An attacker will typically perform some kind of reconnaissance on his intended victim, collecting information that will help personalize the phishing content so it looks more legitimate.
Spear phishing content will typically look as if it's intended specifically for the target, using the target's name, geographic cues, or other points of interest. For example, using social media profiles, an attacker could learn that a target is an active photographer. The attacker could send a spear phishing message to the target, apparently from a popular online photography retailer, saying that a bill for a recent camera lens purchase is past due. (A "double barrel" approach will add more legitimacy to this, which we'll look at later.)
Whale Phishing (Whaling)
Like spear phishing, whale phishing is a targeted attack, but it specifically aimed at corporate officers or high-level executives. The content of these attacks is designed to arouse the interest or alarm of senior management, providing motivation for them to click the link.
Smishing (SMS phishing or SMiShing)
Smishing is a phishing attack that uses SMS (Short Message Service) to send text messages containing phishing content. A common technique is to use URL-shortening mechanisms (like bitly or tinyurl) to hide malicious URLs.
Credibility
Some phishing attempts are obviously more effective than others. Effectiveness to a large degree depends on how believable the content is. It's easy to dismiss the Nigerian 419 class of scams, for example. It also might be easy to dismiss fake notifications from a bank that you don't do business with. But what about the email about the past due notice from the online photography retailer? Even if you know you didn't order that camera lens, it's easy to second-guess yourself into believing that maybe you did or that maybe--ironically--you suspect that someone accessed your credit card or personal information and you want to follow up with the retailer by clicking on the link.
This is why shipping-related notifications are so effective, especially around holidays; victims can easily convince themselves that maybe they did ship something via UPS instead of FedEx, or that perhaps they didn't order something for themselves but that they could be expecting something to be shipped to them instead.
The Double Barrel Approach
PhishMe uses a "Double Barrel" approach to increase the believability of phishing attacks. Let's use the example of the camera lens bill from above. Instead of sending a past due notice, a double barrel approach would first send an innocuous email with the order confirmation. No malicious links or alarming content would be included; this email is intended to be the seed of credibility. An attacker later sends a follow-up email (a week, two weeks, whatever is appropriate) with a past-due notice; this email includes the malicious content. The seed had already been planted, so the follow-up email looks more credible. In PhishMe's parlance, this gives the attack a "conversation" effect, and the target is more likely to fall prey to the attack if he is feels more engaged.
The Threats (Two Common and One Hidden)
The objectives associated with phishing attacks are varied, but they fall into three general categories.
Malware
One of the most popular threats is the downloading of malware onto the computer. Malware is a catch-all classification that can include:
Keyloggers
Used for tracking keystrokes of the victim
Ransomware
Used to "lock" the victim's data in exchange for payment
Viruses or worms
Used to further infect a victim's computer or network
Bots
Used to perform specific tasks like collecting or transmitting data; controlled by a botnet controller
Information-nabbing
The Washington Post attack in August of 2013 was successful because the link associated with the phishing email directed the Washington Post employee to what looked like the Post's Outlook Web Access site:
Image credit KrebsOnSecurity.com
This attack sought email credentials, but the attack could have been for any site on which the target has an account or other sensitive information. This type of attack is commonly used with spear phishing; the attacker knows something about the target (think about the online photo retailer example) and uses that to build credibility with the target.
The Hidden Threat
For all of the threats that phishing is known for, one that hasn't received much acknowledgment is geo-locating. A nefarious characteristic of this threat is that the target doesn't even need to click a link to fall victim to the attack. This type of attack takes a cue taken from marketing emails: using a tracking image, usually a 1x1 pixel transparent image hidden somewhere in the body of an HTML email. In marketing terms, this lets the sender know that the message was viewed by the recipient. In phishing terms, it gets much more interesting than that.
Consider the fact that viewing an HTML resource (web page, image, JavaScript, stylesheet, etc.) leaves a digital fingerprint on the attacker's web server. The log file below, for example, is from an Apache access log. The last two entries represent HTTP requests for "1x1.gif," which is the embedded transparent image in a phishing email that the target unwittingly viewed:
71.6.167.142 - - [13/Jan/2014:19:51:41 -0500] "GET / HTTP/1.1" 404 16
183.60.244.46 - - [14/Jan/2014:05:17:33 -0500] "GET /tmui/login.jsp HTTP/1.1" 404 212
183.60.244.29 - - [14/Jan/2014:05:17:36 -0500] "GET /tmui/login.jsp HTTP/1.1" 404 212
183.60.244.30 - - [14/Jan/2014:05:17:41 -0500] "GET /tmui/login.jsp HTTP/1.1" 404 212
183.60.244.37 - - [14/Jan/2014:05:17:51 -0500] "GET /tmui/login.jsp HTTP/1.1" 404 212
183.60.243.187 - - [14/Jan/2014:05:18:11 -0500] "GET /tmui/login.jsp HTTP/1.1" 404 212
119.9.74.172 - - [14/Jan/2014:05:49:26 -0500] "GET / HTTP/1.0" 404 16
162.243.119.47 - - [14/Jan/2014:09:19:35 -0500] "GET / HTTP/1.1" 404 16
58.64.155.116 - - [14/Jan/2014:11:14:42 -0500] "GET /manager/html HTTP/1.1" 404 210
163.247.46.15 - - [14/Jan/2014:13:37:24 -0500] "HEAD / HTTP/1.0" 404 -
173.244.215.194 - - [14/Jan/2014:15:45:59 -0500] "GET / HTTP/1.0" 404 16
111.74.122.19 - - [14/Jan/2014:18:20:18 -0500] "GET /manager/html HTTP/1.1" 404 210
198.20.69.74 - - [14/Jan/2014:22:52:20 -0500] "GET / HTTP/1.1" 404 16
198.20.69.74 - - [14/Jan/2014:22:52:20 -0500] "GET /robots.txt HTTP/1.1" 404 208
58.64.155.116 - - [15/Jan/2014:06:39:55 -0500] "GET /manager/html HTTP/1.1" 404 210
209.126.230.76 - - [15/Jan/2014:08:18:02 -0500] "GET / HTTP/1.0" 404 16
173.73.85.84 - - [17/Jan/2014:14:11:59 -0500] "GET /img/1x1.gif?userid=566235 HTTP/1.1" 200 4121
174.236.199.25 - - [17/Jan/2014:17:52:21 -0500] "GET /img/1x1.gif?userid=566235 HTTP/1.1" 200 4121
In this case, an attacker appended a userid parameter to uniquely identify the victim. The true worth of this request, however, is the IP address.
What an attacker now knows:
- Using a web site like http://geomaplookup.net/?ip=173.73.85.84, an attacker can see that the first of the last two IP addresses resolves to the Washington, D.C., area. An attacker now knows generally where the victim was at the time the email was viewed.
- The IP address resolves to pool-173-73-85-84.washdc.fios.verizon.net, so the victim was accessing the internet using Verizon FiOS, most likely from home.
- The last IP address resolves to 25.sub-174-236-199.myvzw.com, which is a Verizon Wireless mobile host. The victim left home and then hopped in the car.
With this information, the attacker can follow the victim's progress, assuming that the victim views his email along the way and leaves digital breadcrumbs.
This geo-location information is useful for information gathering, among other purposes. Given the information above, an attacker could craft spear phishing emails claiming to be from Verizon or from a local retailer. The purpose of using this information is to establish credibility with the target and entice him or her to click a link or visit a malicious website.
Keep in mind that this information was gathered from the victim's simply viewing the HTML email; no links were clicked. From a web server's perspective, viewing an HTML resource is indistinguishable from clicking a link.
Information Gathering
When a victim clicks a link in a phishing link, in addition to the IP address information discussed above, the attacker can gather other characteristics about the client that the victim used to click the link.
For example, consider the following table based on a victim's interaction with a phishing link:
Clicked
IP
Browser
Flash
Java
12/02/13 7:08 AM
173.73.85.84
Internet Explorer 8.0
11.9.900.117
1.7.0_45
What an attacker now knows:
- The victim is using Windows, possibly an unpatched version.
- The victim is using an outdated version of Internet Explorer.
- The victim is using an unpatched version of Flash.
- The victim is using an unpatched version of Java.
From this information, the attacker can use a more directed attack against the target using a product-specific exploit against the target's operating system, browser, Flash, or Java.
Putting It All Together
In the illustration below, an attacker sends a simple lure that doesn't include any nefarious content other than a tracking image. By viewing the email, the target divulges the name of his home internet service provider. Fresh with this knowledge, the attacker crafts a credible-looking spear phishing email that solicits payment information from the internet service provider. Pressed by fear, the victim obliges by providing payment information to a credible-looking payment web page crafted by the attacker.
Icons courtesy http://www.designcontest.com,
Used by permission using http://creativecommons.org/licenses/by/3.0.
In this scenario, the attacker solicited payment information, but the attacker could instead have requested any other type of information or could have planted malware onto the victim's machine. The point is that the attacker was able to persuade the victim to view the lure and use that information to create a believable spear phishing attack.
Protecting Yourself
Organizations typically lean on education and awareness to teach employees how to identify potential phishing attacks. The refrain is heard often enough: don't click suspicious links (knowing what to look for can be the hard part!). To avoid the hidden threat of geo-location tracking, however, HTML images should not be viewed. Most email clients enable this feature by default, putting users at risk. The following are examples of how to disable this setting in popular email clients.
iOS
To turn off this feature in iOS, turn off the "Load Remote Images" option in the "Mail, Contacts, Calendars" setting:
Image loading setting in iOS
Android
In Android, this is managed through a mail client, like the Gmail app:
Image loading setting in Gmail for Android
Outlook
The setting for Outlook 2013 is buried under "Options" | "Trust Center" | "Trust Center Settings" | "Automatic Download":
Image loading setting in Outlook
Whatever mail client is used, look for a setting similar to the above examples.
Conclusion
What can start as a basic phishing attack can turn into something much more specific and personal. An important risk to know about is that employees might think of a phishing attack as something that threatens the company's computer or network. When an employee checks company email from home or from mobile phones, the threat becomes much different; even if the employee is viewing a company email, the attacker can gain access to the employee's home computer and network.
Successful attacks rely on the psychology of phishing. Relevant content is more credible than generic content, and personal content is even more convincing. Attackers are continually tuning their craft and can produce some impressive spear phishing attacks given the appropriate research on their target.
Further, psychologists have demonstrated that the fear of loss is greater than the potential for gain (Kahneman, 2011). This explains why content based on past due notices can be more successful than content based on a winning sweepstakes entries.
Simple defenses like not viewing HTML images in email messages can go a long way in protecting your privacy and securing your computing devices.
Resources
"CryptoLocker Ransomware"
http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/
Kahneman, D. (2011). Thinking, Fast and Slow. New York City: Farrar, Straus and Giroux.
"Spear phishing led to DNS attack against the New York Times, others"
"The Double Barrel: PhishMe trains users to avoid conversational phishing"
http://phishme.com/the-double-barrel-phishme-trains-users-to-avoid-conversational-phishing
"Washington Post Site Hacked After Successful Phishing Campaign"
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
http://krebsonsecurity.com/2013/08/washington-post-site-hacked-after-successful-phishing-campaign/
In this Series
- Hidden Phishing Threats
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
