Let’s Learn about Phishing
We are all working from home during this global pandemic, and I wish everyone a safe time while they do. Covid-19 has kept us all out of our corporate offices, and most of us are using our own devices at home. That makes it essential that we understand phishing attacks.
Phishing is a kind of social engineering attack used to steal user data, including login credentials and credit card numbers. The attacker pretends to be a trusted person; once that trust is gained, the attacker dupes the victim into opening an email, instant message, or text message and tricks them into clicking a malicious link, which can lead to the installation of malware or ransomware. The attacker may also trick the user into handing over sensitive information such as usernames and passwords, credit card information, and bank details.
The attack is carried out by email, instant messaging apps, text messages, or phone calls. The attacker masquerades as someone the user trusts, which leads the user to click on the malicious link. Once the user lands on the URL, the page looks familiar, so the user is willing to share confidential information.
Phishing is not aimed only at corporate or government users. The attacker also targets individuals to gain unauthorized access to their bank accounts, credit cards, and other financial details. The attacker may also take over the user's identity, which is known as IDENTITY THEFT.
Against the corporate and government sector, the goal of a phishing attack is access to critical information: the attacker extracts not only personal information but corporate data as well. Phishing is also the entry point for ransomware attacks on organizations. A compromised user in an organization can be used to bypass security perimeters and to distribute malware inside the corporate environment. Once a user is compromised, the attacker tries to escalate that user's permissions to reach secure and confidential data.
The after-effects of a phishing attack can be severe enough to ruin an organization's market share, along with its reputation and the trust of its customers and peers. A large enough phishing attack could bring the organization down entirely.
As per APWG's Q4 2019 report, there was a decline in phishing attacks compared to Q3 2019. A phishing attack can lead to payment diversion: the customer receives an email asking them to wire an amount to a different bank account. This type made up almost 22% of the total attacks, and it also has a higher value than gift card based attacks. Vendor payment diversion attacks also rank higher than payroll diversion attacks.
There has been an increase in HTTPS based phishing attacks: a 77% rise, which is indeed shocking. Many people think that HTTPS means not only security but also trust. Recent changes in browsers have contributed to the rise in HTTPS-based attacks. Previously, the padlock served as the security and trust indicator, and an EV SSL certificate turned the address bar into a green bar, another kind of trust indicator. Now users are more confused than before, and with no clear trust indicator left, HTTPS phishing attacks are likely to keep rising.
Following are a couple of phishing attack types, as per my knowledge:
1) Search Engine Based Phishing Attack
An attacker uses paid advertisements on different search websites to promote their fake website. They also use SEO to make sure that their phony website ranks first in the search engine. These fake websites not only provide false information but also mislead the user into handing over their access details. You can see that there are several links that provide false information or do not sound legitimate. Please check the following screenshots:
2) Email Phishing
There are several email-based phishing attacks as well. The following are a couple of examples of email-based phishing attacks:
- Whaling Attack
- Malware/Ransomware Attack
- Spear Phishing Attack
I will describe each of the above one by one, with an example that should help you understand. Attackers/hackers use these methods to gain access to your organization, and they also try to get access to your personal information in order to attack you.
A whaling attack targets the upper management of the organization. Attackers target C-level executives or directors to get confidential information about the organization. The attacker presents themselves as an employee of the company, or sometimes as a vendor, and then requests that the senior executive click on a link or open an attachment. That gives the attacker access, and the attacker ends up with not only personal but professional information as well.
Two-thirds of the world's malware and ransomware attacks use phishing email. The attacker sends an email to the user, posing as one of the contacts the user is familiar with. That email carries a fake attachment that contains malware or ransomware. Because the email appears to come from a known contact, the person downloads and opens the attachment file, which lets the malware/ransomware install itself and infect the system. The email typically looks as if it contains some critical data that you have to download; once you download and open the file, the attacker's software installs malware on your system. Sometimes even opening the attachment directly in your mail client, such as Outlook, executes the malware. Your organization is then compromised to the attacker. Once the malware is on your system, it spreads to other computers; it works like COVID-19 in that it infects each computer that connects to the infected PC. To keep your organization safe, you need to make sure the infected computer is taken off the network. Modern-day malware protection solutions are good, but sometimes they still miss this kind of attack, which then affects not only your PC but the entire network.
Spear Phishing Attack
Spear phishing is an attack that targets a particular person in order to get access to sensitive information: email and social media accounts, credit card or bank details. Spear phishing attacks have become more and more sophisticated in recent years, to the point that they can be hard to spot. The attacker gathers your personal information, such as your date of birth, anniversary, your friends, and your employer; sometimes the attacker also collects information about the places you visit. Once the attacker has this information, they use it against you, trying to lure you into providing further information such as your bank account details.
3) Clone Phishing
In clone phishing attacks, attackers take an original email and make changes to its content, so the email looks the same as a legitimate email you received before. It carries an attachment or link that looks identical to the one in the previous email. If you download that attachment and open it, it infects your computer and network, and the attacker can gather your personal information or spread malware/ransomware in your system. Some emails carry a link to a clone of your corporate email login or corporate portal login, which allows the attacker to capture your username and password.
4) Link/Website Spoofing:
An attacker creates a link that looks like a legitimate website and uses that fake link to get hold of your financial or other critical data. Most link spoofing attacks target financial institutions, and sometimes spoofed sites of major social media and email providers are created as well. The following is an example of the kind of fake website that is constructed:
Legitimate – https://www.paypal.com/
Phishing – https://pa-yp-al.phishingwebsite.com
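The pair of URLs above is the whole test a user is expected to perform by eye. As an added example (not from the original post), here is a small Python checker that automates the same judgement: it takes the registrable domain of a link and flags a brand name that appears in the host but not in the registrable domain (as in the pa-yp-al example), plus the "user@host" and punycode tricks. The KNOWN_BRANDS allowlist is constructed for this example and the registrable-domain split is deliberately naive.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: brand keyword -> registrable domains
# the brand really uses. Hypothetical data, not an official list.
KNOWN_BRANDS = {"paypal": {"paypal.com"}}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('pa-yp-al.phishingwebsite.com' ->
    'phishingwebsite.com'). Naive on purpose: production code should use the
    Public Suffix List so that names such as example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url: str, brands=KNOWN_BRANDS) -> dict:
    """Classify a link as 'ok', 'suspicious' or 'unknown' and list the reasons."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    # Drop hyphens and map digit look-alikes so 'pa-yp-al' and 'paypa1' both
    # collapse to 'paypal' before the brand keyword is searched for.
    squashed = host.replace("-", "").translate(str.maketrans("01", "ol"))
    reasons = []
    for brand, legit in brands.items():
        if reg in legit:
            # The registrable domain really belongs to the brand; only the scheme is left to check.
            if parts.scheme != "https":
                reasons.append("brand domain but not served over HTTPS")
            verdict = "ok" if not reasons else "suspicious"
            return {"verdict": verdict, "host": host, "registrable": reg, "reasons": reasons}
        if brand in squashed:
            reasons.append(f"'{brand}' appears in the host but the registrable domain is {reg}")
    if parts.username is not None:
        # 'https://www.paypal.com@evil.example/' connects to evil.example; the
        # brand name before '@' is user info that the browser ignores.
        reasons.append("user info before '@' disguises the real host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label, possible homograph of a brand name")
    if parts.scheme != "https":
        reasons.append("not served over HTTPS")
    verdict = "suspicious" if reasons else "unknown"
    return {"verdict": verdict, "host": host, "registrable": reg, "reasons": reasons}


if __name__ == "__main__":
    for link in ("https://www.paypal.com/", "https://pa-yp-al.phishingwebsite.com",
                 "http://www.paypal.com@evil.example/login"):
        print(link, "->", check_url(link))
```

A verdict of "unknown" only means no lookalike pattern was found; it is not proof that the site is legitimate.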
Some tips that will help you stay secure against phishing attacks in this Work From Home era:
1) Always use 2 Factor Authentication for your corporate email as well as any internal application.
2) Make sure that you change your password every three months, and check whether your password has been exposed using the Password checker by haveibeenpwned.
3) Make sure you check the URL before you enter your critical information. Only enter your username and password, credit card, or banking information if you feel safe about the website.
4) Make sure that your security software is up to date and that it has the option to scan your email software.
5) Don't open any email that you think is not legitimate, and inform your IT professional about it.
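Tip 2 points at the haveibeenpwned Password checker. As an added example (not from the original post or from haveibeenpwned), this Python block shows the k-anonymity mechanism that checker relies on: only the first five hex characters of the password's SHA-1 are sent, and the rest of the hash is matched locally against the returned list. The range response here is constructed inline so the block runs offline; the counts in it are made up.

```python
import hashlib


def hibp_prefix_and_suffix(password: str) -> tuple:
    """Upper-case SHA-1 of the password, split into the 5-character prefix that
    is sent to the Pwned Passwords range endpoint and the 35-character suffix
    that never leaves your machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix locally.
    Returns the count, or 0 if the suffix is absent (no known breach)."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def constructed_range_response() -> str:
    """Constructed stand-in for the body that GET
    https://api.pwnedpasswords.com/range/<prefix> would return for the prefix of
    "password" (SHA-1 5BAA61E4...). The neighbouring suffixes and all counts are made up."""
    _, suffix = hibp_prefix_and_suffix("password")
    return "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{suffix}:3861493",
        "1F2B3C4D5E6F708192A3B4C5D6E7F8091A2:12",
    ])


def check_password(password: str, range_response: str) -> int:
    """Full offline flow: hash, split, then look the suffix up in the response."""
    _, suffix = hibp_prefix_and_suffix(password)
    return breach_count(suffix, range_response)


if __name__ == "__main__":
    body = constructed_range_response()
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = hibp_prefix_and_suffix(pw)
        print(f"prefix sent: {prefix}  breach count: {check_password(pw, body)}")
```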
Professional with 18 years of experience in Cryptography, PKI, Information Security, Data Security, SSL Certificates, TLS Certificates, Cloud Security, Website Security, Email Security, Cloud HSM, IT Infrastructure Management, Cloud Management and Customer Support. Certified in CompTIA Security+, EC-Council CEHv10, MCSE, ITILv3. Domain investor by hobby, owning 150+ domains.