Phishing attacks are no longer the too-good-to-be-true, "you have won a million-dollar jackpot" kind of emails from strangers that easily stand out from your otherwise mundane life.
Today's phishing emails have become sophisticated. In spear phishing, the attacker tries to "custom-write" the email so that it is believable to you. They copy our normal life, and that is where it gets interesting and scary at the same time.
23% of recipients now open phishing emails and 11% click on attachments, and nearly 50% of this happens within 60 minutes of the attack!
- 2015 Data Breach Investigations Report (DBIR)
Let me share a personal experience.
We got selected as one of the Top 50 Product Companies as part of #Intech50 2016, and I was on the road, on my way to the event, when I got an email on my phone saying "a gift from Intech50 is waiting for me".
I was surprised and opened the email, and this is how it looked...
Being in the security space, it would not be an overstatement to say I have become "hardened" to suspicious emails. But for any other normal person, this email would be too tempting not to fall for.
Right Person. Right timing. Right content. Wrong Intent !!
In this article I will cover the various tactics that the bad guys use to succeed in a phishing attack, and at the end I will also cover one of the most effective tactics to prevent it.
Sit tight and enjoy the ride ...
Tactics Used for Phishing (Many Old. Some New.)
1. Deception Phishing
One of the most traditional approaches to phishing is to send out a mass email and try to convince users to click the link in the message, such as the one shown below.
2. Tab-nabbing
Tab-nabbing techniques impersonate popular websites in browser tabs that have been left unattended for some time, and convince users to re-enter their credentials.
3. Malware Based Phishing
Malware-based phishing, a strategy typically aimed at small and medium-sized businesses (SMBs), inserts malware onto a user's computer (by email attachment, download, etc.) in order to gain information and exploit vulnerabilities. SMBs frequently have weak patch management policies and so miss application and operating system updates, which frequently carry the patches that harden the system against these types of attacks.
Ransomware is a special type of malware that is becoming increasingly popular. It encrypts the victim's data and demands a ransom to decrypt it. It is very effective because of the poor data backup routines most of us follow.
68% of 200 security professionals surveyed by TripWire during the 2016 RSA conference expressed concern that their company would not be able to fully recover from a Ransomware attack.
(Source: The Hacker News)
4. Key Loggers and Screen Loggers
Key loggers and screen loggers are a type of malware that records a user's keystrokes and activities, sometimes even the entire display. Computers become infected with key loggers and screen loggers when users visit certain web pages or download files such as applications and device drivers. Using this method, phishers intercept whatever is typed into the system once it is sent to their collection server.
SpyEye, one of the more popular keyloggers, plagued the financial services industry for years by quietly stealing customer account information through recorded keystrokes.
5. Web Trojans
One of the most devious and deceitful methods of phishing involves web Trojans: malicious programs that collect a user's login credentials while disguising themselves as a specific website, e.g. a company login portal, a social media platform, or an email account. The user believes they are entering their ID and password into that website, when in reality they have just submitted their credentials to a phisher.
The Dyre banking Trojan was delivered by emails disguised as JPMorgan Chase advertisements. These Trojans were able to pass through anti-virus software, allowing them to remain undetected for long periods of time.
6. Data Theft
Once malicious code has been successfully implanted on a user's computer, phishers can steal confidential information. This tactic is widely used to collect social security and bank account numbers, and in many cases it has been aimed at corporate espionage.
7. Content Injection
When hackers gain access to the back end of a website, they can often tweak its content to be misleading, resulting in users submitting sensitive information.
8. System Reconfiguration Attacks
Hackers can modify system settings on user desktops to create holes in endpoint security that can be exploited further, such as changing URL favorites to redirect to malicious websites, or even disabling endpoint anti-malware when they hold administrative privileges.
9. Search Engine Phishing
Search engine phishing occurs when phishers create websites with "offers" that are often too good to be true, and have them indexed systematically by popular search engines.
Users stumble upon these sites in their usual searches and are often fooled into providing information to receive the offer (which can be a fake bank offering low interest rates, insurance solutions, etc.).
The search companies eventually take them down if there are complaints, but that may come too late.
10. Man in the Middle (MitM)
Quite possibly the hardest type of attack to detect, MitM phishing attacks occur when hackers position themselves between users and legitimate websites, intercepting and recording any data sent to the website.
11. Session Hijacking
Session hijacking occurs when malicious software "hijacks" a user-initiated session once the user has entered their credentials. This type of attack can simply be used to monitor activity; it is usually carried out by local malware on the user's endpoint or as part of a man-in-the-middle attack.
(Source: PC & Tech Authority)
12. DNS Based Phishing (Pharming)
DNS-based phishing includes any technique that interferes with the integrity of a domain name lookup.
According to Infoblox and DarkReading.com, the DNS threat index jumped almost 60% in 2015 as attackers became far more sophisticated in their campaigns. A new generation of inexpensive, quickly registered domain names has also made it easier for the bad guys to set up shop in the DNS infrastructure.
One example is a phisher polluting the user's DNS cache with entries that redirect the user to a false, corrupted location.
13. Host File Poisoning
Hackers use this form of local pharming, or DNS poisoning, to corrupt the user's hosts file. When a user enters a web address, it must first be converted to an IP address, and the local hosts file is consulted before the DNS lookup is made. By "poisoning" the user's hosts file, users are sent to websites impersonating others in order to steal information.
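Because the hosts file is consulted before DNS, a poisoned entry silently wins over every resolver answer. The following audit script is an added example, not code from the original post or from Aujas: it parses hosts-file content and flags two patterns a defender would look for, namely a watched high-value domain pinned to anything other than loopback, and one non-loopback address serving several unrelated registrable domains. The sample hosts content, the IP addresses and the `WATCHED_DOMAINS` list are all constructed for the demo.

```python
import ipaddress

# Constructed sample hosts-file content for this demo; every entry, address and
# domain is invented. A real audit would read /etc/hosts on Unix or
# %SystemRoot%\System32\drivers\etc\hosts on Windows.
SAMPLE_HOSTS = """\
# hosts file (constructed example)
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    intranet.example.internal
203.0.113.45    www.examplebank.com examplebank.com   # added by malware?
203.0.113.45    login.example-mail.com
"""

# Hypothetical watch list of high-value domains. These names should always be
# resolved through DNS; any local pin for them is suspicious.
WATCHED_DOMAINS = {"www.examplebank.com", "examplebank.com", "login.example-mail.com"}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not an address
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def registrable_domain(name):
    """Crude 'second-level domain' (last two labels); enough for this heuristic."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def find_suspicious(text, watched=WATCHED_DOMAINS):
    """Return a list of findings; an empty list means nothing looked poisoned."""
    findings = []
    names_by_ip = {}
    for lineno, ip, name in parse_hosts(text):
        names_by_ip.setdefault(ip, set()).add(name)
        # Check 1: a watched domain pinned to anything other than loopback.
        if name in watched and not ip.is_loopback:
            findings.append({"line": lineno, "reason": "watched domain overridden",
                             "name": name, "ip": str(ip)})
    # Check 2: one non-loopback address serving several unrelated domains, a
    # common sign that a pharming kit pinned many brands to a single server.
    # (In production you would also exclude your own internal address ranges.)
    for ip, names in names_by_ip.items():
        if ip.is_loopback:
            continue
        if len({registrable_domain(n) for n in names}) > 1:
            findings.append({"line": None, "reason": "multiple domains on one address",
                             "name": ",".join(sorted(names)), "ip": str(ip)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['reason']} -> {f['name']} = {f['ip']}")
```

Running it against the constructed content reports the three bank and mail names as overridden and the shared address 203.0.113.45 as serving two unrelated domains; a clean file containing only loopback entries produces no findings.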
So these were some of the tactics used in phishing.
Having said that, this list is by no means complete. The bad guys are devising new ways to attack as we read this!
So How to Prevent?
There is a whole lot you can do as a countermeasure to harden your organization against falling prey to phishing. Some of these measures are:
- Anti-malware: popular anti-virus/anti-malware solutions
- Web filters: determining which websites users can access using a risk-based approach
- Data Loss Prevention (DLP): protecting data in transit, at rest, and in use
- Anti-phishing software: containerization solutions for downloads from malicious emails and websites
- Using HTTPS for transactions: checking the padlock icon to ensure secure transactions
- Spam filters: many email clients can detect potential spam (much of it phishing) and separate out those emails
- Patch management: ensuring systems are patched and up to date can mitigate many vulnerabilities targeted by phishing campaigns
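The spam-filter bullet above is where most of the earlier tactics (deception emails, the "gift is waiting" lure, web Trojan links) are first visible to a defender. The scorer below is an added example and not code from the original post or from Aujas; it applies a few of the checks such filters use to two constructed messages: a Reply-To domain that differs from the From domain, anchor text that shows one host while the link goes to another, a link to a raw IP address, and urgency phrases in the subject or body. Both sample messages, their domains, the IP address and the `URGENCY_TERMS` list are invented for the demo.

```python
import email
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages, modelled on the "a gift is waiting for you" lure
# described in the post. Every sender, domain, address and link is invented.
SAMPLE_PHISH = """\
From: "Intech50 Awards" <noreply@intech50-rewards.example>
Reply-To: claims@mail-collector.example
To: ceo@company.example
Subject: Your Intech50 gift is waiting - action required within 24 hours
Content-Type: text/html

<html><body>
<p>Congratulations! Claim now before the offer expires.</p>
<p><a href="http://203.0.113.77/claim">https://www.intech50.example/gift</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@company.example>
To: ceo@company.example
Subject: Monthly patch window this Saturday
Content-Type: text/html

<html><body><p>Systems will be patched Saturday 02:00-04:00. Details:
<a href="https://intranet.company.example/patching">intranet.company.example/patching</a></p></body></html>
"""

# Hypothetical list of pressure phrases; a real filter would use a larger,
# tuned lexicon.
URGENCY_TERMS = ("action required", "within 24 hours", "verify your account",
                 "account suspended", "claim now")

# Anchor text that looks like a URL or a bare hostname with a path.
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    if "://" not in url:
        url = "http://" + url  # let urlparse handle bare "host/path" text
    return (urlparse(url).hostname or "").lower()


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return (score, reasons); reasons is a list of (code, detail) tuples."""
    msg = email.message_from_string(raw)
    reasons = []

    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        reasons.append(("reply-to-mismatch", f"{reply_dom} != {from_dom}"))

    html_body = ""
    for part in msg.walk():  # handles single-part and multipart messages
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            html_body += payload.decode(part.get_content_charset() or "utf-8", "replace")

    collector = _LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        href_host = _host(href)
        if _LOOKS_LIKE_URL.match(text) and _host(text) != href_host:
            reasons.append(("link-host-mismatch", f"text {_host(text)} vs href {href_host}"))
        try:
            ipaddress.ip_address(href_host)
            reasons.append(("raw-ip-link", href_host))
        except ValueError:
            pass  # a hostname, not an address literal

    haystack = (msg.get("Subject", "") + " " + html_body).lower()
    hits = [t for t in URGENCY_TERMS if t in haystack]
    if hits:
        reasons.append(("urgency", ", ".join(hits)))

    return len(reasons), reasons


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        score, reasons = score_message(raw)
        print(label, score, reasons)
```

The constructed lure trips all four checks while the helpdesk notice trips none. Each check is cheap and explainable, which matters in practice: a user who is told "the link text says intech50 but it points at a bare IP address" learns something, whereas a bare spam score does not teach anything.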
But the most important defense mechanism is still the people.
Companies without security training and awareness programs spent an average of $683,000 due to new-hire security incidents, while those that did have security training and awareness spent only $162,000, i.e. less than a quarter of the cost!
- PwC's US State of Cybercrime Report
Phishing is called social engineering for a reason: it is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Therefore one of the most effective prevention tactics is training people.
"One of the most effective ways you can minimize the phishing threat is through awareness and training."
—Lance Spitzner, Training Director, SANS Securing The Human
Phishing Fall and Fail Rates: Why They Matter
In a typical phishing attack, the target is enticed to read an email, visit a website and reveal information. A common misconception is that the attack is successful only if the target reveals information. This is not true. An attacker is essentially looking for information to plan the next move, and that can be gathered from user actions even when no private data is revealed. For instance, simply by visiting the malicious website, the target reveals information that can be used for fingerprinting and for understanding what kind of lure attracts targets.
The Fall Rate is the percentage of users (targets) who "fall" for the attack and visit the fake website.
The Fail Rate is the percentage of users (targets) who "fail" the test: they visit the fake website and then reveal sensitive information.
Obviously, not everyone who "falls" necessarily "fails": either they realized it was an attack (most likely) or they simply did not proceed further because of other priorities. This means there is a good opportunity to train people using these "teaching moments".
If people are educated with examples of good and bad behavior based on their own actions, they retain that knowledge far better than knowledge gathered from generic training.
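To make the fall and fail definitions concrete, here is an added example (not code from the original post or from Aujas) that computes both rates from a simulation campaign's event log and lists the users who fell but did not fail, the "teaching moments" the text refers to. The page does not describe any log format, so the `(user, event)` tuple shape, the event names and the sample users are all assumed; a submission is counted as a fall even if the click event was lost, since you cannot submit credentials without reaching the page.

```python
from collections import defaultdict

# Constructed event log from a hypothetical phishing-simulation campaign.
#   "sent"      -> lure delivered to the user
#   "clicked"   -> user visited the fake landing page (a "fall")
#   "submitted" -> user entered data on the fake page (a "fail")
#   "reported"  -> user reported the email to security
SAMPLE_EVENTS = [
    ("alice", "sent"), ("bob", "sent"), ("carol", "sent"), ("dave", "sent"), ("eve", "sent"),
    ("alice", "clicked"), ("bob", "clicked"), ("carol", "clicked"),
    ("alice", "submitted"),
    ("bob", "reported"), ("eve", "reported"),
]


def campaign_stats(events):
    """Compute fall, fail and report rates plus the teaching-moment candidates."""
    per_user = defaultdict(set)
    for user, event in events:
        per_user[user].add(event)

    # Only users who actually received the lure count as targets.
    targets = sorted(u for u, evs in per_user.items() if "sent" in evs)
    # A submission implies a visit, so it counts as a fall even if "clicked" is missing.
    fell = [u for u in targets if per_user[u] & {"clicked", "submitted"}]
    failed = [u for u in targets if "submitted" in per_user[u]]
    reported = [u for u in targets if "reported" in per_user[u]]

    def pct(part):
        return round(100.0 * len(part) / len(targets), 1) if targets else 0.0

    return {
        "targets": len(targets),
        "fall_rate": pct(fell),
        "fail_rate": pct(failed),
        "report_rate": pct(reported),
        # Fell but did not fail: they reached the page and then stopped. These
        # are the best candidates for on-the-spot training.
        "teaching_moments": sorted(set(fell) - set(failed)),
        "failed": failed,
    }


if __name__ == "__main__":
    stats = campaign_stats(SAMPLE_EVENTS)
    print(f"{stats['targets']} targets: fall {stats['fall_rate']}%, "
          f"fail {stats['fail_rate']}%, reported {stats['report_rate']}%")
    print("teaching moments:", ", ".join(stats["teaching_moments"]))
```

On the constructed log the fall rate is 60% and the fail rate 20%, with bob and carol as the teaching moments; tracking the report rate alongside them shows whether training is actually shifting behaviour rather than just lowering clicks.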
You can learn more about Aujas phishing services here.