PHISHING – LEARN ABOUT ATTACK METHODS AND DEFENSE TECHNIQUES – PART II

Phishing is a type of hacker attack based on a combination of social engineering and, often, malicious code. In this fraud method, the attacker impersonates another person or institution in order to extort confidential information (e.g. login details or credit card numbers), infect the victim's computer with malware, or persuade the victim to perform specific actions.

In the first article, I described phishing carried out over electronic means of communication, including email and WhatsApp. Below I present and describe what vishing, smishing, spear phishing, clone phishing and whaling are, and I present techniques for defending against phishing.

What is vishing?

Vishing is phishing carried out over the telephone; the name of this type of attack combines the English words "voice" and "phishing". For fraudsters, vishing is very easy to carry out because it does not require advanced IT knowledge. The fraudster calls the victim and persuades them to perform specific actions, e.g. transfer a specific amount of money or disclose confidential data. Because there is a live person on the other end of the line who sounds very credible, the effectiveness of this attack is very high. It is further enhanced by caller ID spoofing software that can make any telephone number appear on the victim's phone, e.g. that of a bank hotline, the police, a public office, a public trust institution, a family member or a friend.

Many people find it difficult to defend themselves against vishing because they are regularly contacted by phone by representatives of various institutions. Therefore, the best defense against vishing is not to provide detailed information about yourself over the phone, in particular logins, passwords, PIN codes and any other information that may allow access to bank accounts and digital services such as social media, web applications, etc. Fraudsters often try to put pressure on us or gain our trust with phrases such as: "this is the last chance", "we really have little time", "we have to act quickly", "it's absolutely safe, please don't be afraid". It is also suspicious if the caller asks whether we are at the computer and suggests installing some software, e.g. one that shares our screen.

Moreover, if anything the caller says arouses suspicion, it is better to hang up. You can always confirm later whether the call you received really came from the institution the caller referred to.

Unfortunately, because fraudsters specializing in vishing are good social engineers, many people fall for it and often lose their life savings. Good examples are the famous scams involving a policeman or a grandson.

An appropriate summary of vishing and the vigilance of a potential victim is an old joke:

The phone rings and an elderly woman answers it. She hears the nervous voice of a young man who claims to be her grandson's friend. The voice on the phone urges her to transfer a significant amount of money to the indicated account. She is told that there is no time, because her grandson has had an accident and urgently needs the money for treatment, which is why his best friend is calling. The old lady replies in a firm voice: "Get away from me, you cheat! I'm calling the police right now." The young caller, still pretending to be her grandson's friend, assures her that he is not a fraudster and that her grandson really needs help, speaking in an increasingly nervous and desperate voice: "Madam, I really am your grandson's friend. He really needs help and this money. He had a terrible accident, I can't talk about it on the phone. This money will save the life of your grandson, and my best friend. Please don't call the police, I really want to help your grandson!" The old lady replies: "I have your phone number, you fraudster, and I'm going to the police right now! My grandson is a loner and has no friends!"

Smishing – what is it?

Smishing is a type of phishing that targets mobile phones via text messages (SMS), hence the name "SMiShing". Its purpose is to collect the victim's personal data, e.g. ID number, credit card number and other data identifying the attacked person.

This attack has gained popularity because people trust text messages more than emails. Additionally, many people are unaware that phishing attacks can arrive by text message (SMS), even though it is easier for fraudsters to generate valid mobile phone numbers than valid email addresses, because phone numbers follow fixed numbering patterns.

To illustrate the attractiveness of this attack for fraudsters, it is worth pointing to research conducted by Gartner, which shows that 98% of SMS messages are read, and 45% of them are answered.

Examples of such attacks are messages purporting to come from a bank, which report the detection of a suspicious transaction and ask the recipient to verify it by clicking a link that leads to a site impersonating the bank's website. Alternatively, the message may include a phone number to call for more information about the supposed suspicious transaction or account breach.

Another example of this attack, often used by hackers, is to evoke sympathy and a willingness to provide financial help, e.g. to victims of a natural disaster or war. Such a message contains a plausibly argued request for a charitable donation, which can be made by clicking on the link contained in the SMS and providing your credit card or bank login details.

Another example of smishing is impersonating a mobile operator who offers a discount on telecommunications services or a new phone. The condition for taking advantage of such an "offer" is to click on a link that will display on the victim's phone a page prepared by the hacker, often resembling the operator's website, where the victim is asked to provide his/her data, e.g. from a credit card.

What is spear phishing?

Spear phishing, i.e. profiled or targeted phishing, involves cybercriminals conducting reconnaissance on a specific company, institution or group of people. Unlike ordinary phishing, messages are not sent en masse; victims are profiled using previously obtained information, so the effectiveness of this type of attack is much higher and the content of the messages is more credible and therefore more dangerous. A well-crafted spear phishing message may be indistinguishable from a real one. Moreover, in order to increase credibility, hackers impersonate a person the victim trusts, so that the message appears to come from a known source; for this purpose, data about the victim's co-workers that leaked in previous attacks and breaches may be used.

The purpose of spear phishing attacks is to steal money, access to confidential documents, steal identity or intellectual property and other sensitive data.

Due to increasingly common remote work and the resulting reduced familiarity between employees of the same company, this type of hacker attack is becoming more frequent and widespread. According to a study conducted by Statista Inc. between August and October 2020, as many as 87% of all spear phishing attacks worldwide were carried out on working days, and only 13% on non-working days.

Based on spear phishing attacks carried out so far, we can distinguish three basic techniques:

  • the attacker sending an email with a link to an infected website or an attachment with malicious code that will infect the device with malware or encrypt data and demand a ransom for decrypting it,
  • by impersonating a friend, co-worker, supervisor or other reliable person, the attacker asks for access to social media accounts or to provide usernames and passwords in order to collect information important to the hacker and transfer it to another place,
  • the attacker sending an email containing a link to a fake website where the victim is to provide his or her personal or sensitive data, such as PINs, login details or access codes.

Because carrying out a spear phishing attack is much more time-consuming and expensive than a regular phishing attack, cybercriminals devote a lot of time and work to preparing it and obtaining detailed information about potential victims. Therefore, detecting such an attack may prove extremely difficult, especially for people not professionally involved in cybersecurity. Cybercriminals look for information about their victims on social media, employer websites, forums and other sources available on the Internet. Careful development of profiles of potential victims makes spear phishing extremely effective. Employers can defend themselves against this type of attack by having appropriate data protection systems and procedures and by conducting regular employee training.

An example of a famous spear phishing attack was the attack in March 2021, when the president of the Radom municipal company "Rewitalizacja" (Poland) informed at a session of the City Council that the accountant had made unauthorized transfers in the amount of over 1.5 million PLN (about 325 380 Euro). A total of 25 transfers were made within four hours, of which only 5 were blocked. As it turned out, the cybercriminal persuaded the company's accountant to make transfers by informing that the funds accumulated on the company's bank accounts were at risk of a hacker attack and should be protected as soon as possible.

What is whaling?

Whaling, also known as a whale attack, is a type of phishing attack whose targets are the senior management of a given company or institution, the so-called "big fish", because these people have greater access to confidential information than ordinary employees. In general it resembles a spear phishing attack: here too, the hackers must conduct detailed reconnaissance on their target. Unfortunately, social media, including business networking platforms, are very helpful in conducting such reconnaissance.

Due to the fact that whaling is highly targeted and often preceded by long-term and precise environmental intelligence, it is twice as effective as regular phishing.

When carrying out this attack, the hacker sends an email to a senior executive of a given company, pretending to be its manager, CEO or CFO. The message is intended to initiate a transfer of corporate funds, or asks for credentials that will give the attacker access to the organization's systems. The message used in a whaling attack may also contain a link that, when opened, leads to an infected website. This was the case in one of the most famous hacker attacks, against a director of Coca-Cola, which I described in detail in the article about the 10 biggest hacker attacks. The email allegedly came from a high-ranking person in the company's legal department and concerned energy saving; at that time, Coca-Cola was running a campaign promoting electricity saving. After clicking on a link that was supposed to lead to additional information about the campaign, the director downloaded various types of malware onto his computer, including a keylogger that for weeks recorded everything he typed. It is likely that this attack, attributed to Chinese hackers, prevented Coca-Cola from taking over a Chinese beverage manufacturer.

Another example of whaling may be the attack carried out in 2015 on an American publishing company, whose accounting employee received two emails purporting to be from its president. The messages contained instructions to make transfers to contractors to accounts maintained by Chinese banks. The content of the email indicated that this was a priority and confidential matter, so the employee immediately transferred the first tranche of funds. However, before ordering another transaction, he contacted his superior (CEO) by phone, who knew nothing about the transfers or the whole matter. It turned out that the message was sent by a cybercriminal who gained access to the president's mailbox. The company lost a total of $1.5 million, which went to Chinese institutions. The Chinese bank did not want to cooperate in resolving the matter, and the transferred money was never recovered. It is worth adding that in 2015, Ubiquiti Networks, an American manufacturer of network equipment, lost over $46 million in the same way.

What is clone phishing?

Clone phishing is a hacker attack that involves copying the content of a legitimate, genuine message, often including original elements such as logos, contact details and people's signatures, and replacing a link in it with one that leads to an infected, malicious website, or an attachment with one containing malicious code, and then sending the prepared message to users. The attack is intended to deceive a victim who will not check the sender and the link in a real-looking message and will therefore download the infected content or provide his or her data.

It is worth adding that clone phishing attacks are popular on social networking sites, because all that is needed to carry one out is a developer's text editor, a browser, a script-testing application, an FTP client and external hosting. The attack scenario itself is very simple: a crafted message containing a script that captures login data is sent to a large group of people under various titles. Here the hacker's imagination is unlimited, but the titles usually concern a supposed failure of the login system or a prize. A person who follows such a link hands their login details to the hacker, but is then redirected to the real website, so that the subsequent genuine login does not arouse suspicion. In this way, hackers hijack the accounts of deceived people and often use them for criminal purposes.

Other types of phishing

At the end of the discussion of the types of phishing attacks, it is worth briefly mentioning pharming and Nigerian frauds.

Pharming is based on a completely different mechanism than a typical phishing attack. Here the victim tries to reach a genuine website whose DNS record has been taken over and redirected by the attacker: cybercriminals create a fake website impersonating a trusted one, which steals personal data, logins, passwords and bank account details or installs various types of malware. Most often, pharming attacks target online banking login pages.

The Nigerian fraud (419), in turn, takes its name from Nigeria, where this criminal practice began, and from the number of the relevant offence in the Nigerian Penal Code. This attack involves sending the victim a message informing them that a former or distant relative has died in Nigeria (or any other country), leaving no other heirs and a large estate as an inheritance. The condition for taking over the inheritance is to provide full personal data (supposedly to confirm identity, in reality to defraud the victim) and the bank account number to which the money is to be transferred, or to travel in person to the given country.

I was also the subject of a Nigerian attack. While working for one of my previous employers, I received an email from an American bank in my work mailbox. Its content indicated that I was being contacted by the representative of this bank, who was handling the inheritance case of people with my surname who died in a car accident and who had no other heirs and left 10 million US dollars on an account in this bank. The content of the email sounded credible, but I immediately reported the address to be blocked and deleted the message itself.

How to recognize phishing?

The information provided below concerns features common to most attacks; however, it should not be treated as a definitive test for whether a message is phishing. You should always use common sense and logical thinking, not give in to pressure (e.g. time pressure), and carefully verify the message received. With that slightly lengthy introduction out of the way, here are the most important features of phishing emails:

  • they contain linguistic and grammatical errors and are not written in the native language of the person to whom the email is addressed,
  • they usually force you to act quickly and urgently, and failure to do so may result in unpleasant consequences, e.g. blocking your account, turning off the electricity, detailed verification of the reasons for not taking action, deleting your profile, loss of funds, etc.,
  • they usually contain strange names and addresses, e.g. the email sender's address, the name of the SMS sender, the name of an account on a social networking site or messenger,
  • contain a link that does not belong to the domain of a given company or institution, e.g. olx-payment[.]pl instead of olx[.]pl (OLX is a Polish auction portal),
  • they contain attachments in a format that does not match what the attachment is claimed to be, e.g. an invoice that should be attached as a .pdf arrives as .zip, .rar, .xls, .xlsx, .iso, .doc or .docx.

How to defend yourself against phishing?

Generally, there is no single effective solution for defending against phishing. Hackers' creativity is limitless, and depending on the type of phishing, different defenses will be effective. However, it is always invaluable to keep a cool head, think logically and not give in to attempts to put pressure on us. We should always consider whether, for example, the email we received really comes from the president, whether a nice message with a link on the messenger was really sent by our friend, and whether the voice on the phone really belongs to a bank employee.

Moreover, when receiving a message and suspecting that it is phishing, we should always verify the sender. In particular, we should check whether the sender's email domain looks different than usual (e.g. we always receive messages from a superior from service@xyz[.]pl, but the received email comes from me_boss@fakemail[.]com). If so, we should never open attachments or click on the links provided; the same applies to the sender of an SMS or of a message received on a messenger or social media. Remember: never reply to such messages. If for some reason it is nevertheless necessary to click on a link, first verify that the website address provided is correct. Pay particular attention to the domain name (e.g. it should be olx[.]pl but is happy-hacker[.]com), to whether the name contains any typos (e.g. "rn" instead of "m" or "I" instead of "l"), and to whether it contains letters that are unusual for our language, e.g. "ñ" instead of "n".
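As an added example (not code from the original article), the following Python checker applies the recognition rules from this and the previous section to a message: sender domain against a list of domains we really deal with, look-alike link domains (extra labels such as olx.pl.evil.example, hyphenated brand names such as olx-payment.pl, and the "rn"/"m", "I"/"l" and accented-letter substitutions), mismatched attachment extensions and pressure language. The trusted domains, phrase list and sample messages are constructed assumptions, not data from the article.

```python
"""Added example, not from the original article: applies the recognition rules
above to a message. The trusted domains, risky extensions, urgency phrases and
sample messages are constructed assumptions."""
import unicodedata
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"olx.pl", "xyz.pl"}      # assumed: domains we legitimately deal with
RISKY_EXTENSIONS = {".zip", ".rar", ".xls", ".xlsx", ".iso", ".doc", ".docx"}
URGENCY_PHRASES = ("last chance", "act quickly", "immediately", "account will be blocked")


def fold_lookalikes(host: str) -> str:
    """Fold visual substitutions so a look-alike compares equal to the real name:
    accents stripped (o-acute -> o), 'I' -> 'l', 'rn' -> 'm', '1' -> 'l', '0' -> 'o'."""
    plain = "".join(ch for ch in unicodedata.normalize("NFKD", host)
                    if not unicodedata.combining(ch))
    return plain.replace("I", "l").lower().replace("rn", "m").replace("1", "l").replace("0", "o")


def registrable_domain(host: str) -> str:
    """Last two labels; fine for .pl/.com, a real deployment would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a host given in Unicode (not punycode) form."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    lowered, first = host.lower(), reg.split(".")[0]
    folded_reg = registrable_domain(fold_lookalikes(host))
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if folded_reg == trusted:                                      # oIx.pl, 0lx.pl, ólx.pl
            return "lookalike"
        if lowered.startswith(trusted + ".") or "." + trusted + "." in lowered:  # olx.pl.evil.example
            return "lookalike"
        if first.startswith(brand + "-") or first.endswith("-" + brand):        # olx-payment.pl
            return "lookalike"
    return "unknown"


def phishing_indicators(msg: dict) -> list:
    """Apply the article's rules to one message; an empty list means none of them fired."""
    found = []
    sender_domain = msg["sender"].rsplit("@", 1)[-1]
    verdict = classify_domain(sender_domain)
    if verdict != "trusted":
        found.append(f"sender domain {sender_domain} is {verdict}")
    for link in msg.get("links", []):
        # netloc keeps the original case (needed for the I/l fold); strip userinfo and port
        host = urlparse(link).netloc.rsplit("@", 1)[-1].split(":", 1)[0]
        verdict = classify_domain(host)
        if verdict != "trusted":
            found.append(f"link host {host} is {verdict}")
    for name in msg.get("attachments", []):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            found.append(f"attachment {name} has risky extension {ext}")
    if any(phrase in msg.get("body", "").lower() for phrase in URGENCY_PHRASES):
        found.append("urgency / pressure language in body")
    return found


# Constructed sample messages modelled on the article's own examples.
SAMPLE_MESSAGES = {
    "legit": {"sender": "service@xyz.pl", "links": ["https://xyz.pl/account"],
              "attachments": ["invoice-2021-03.pdf"], "body": "Your monthly invoice is attached."},
    "phish": {"sender": "me_boss@fakemail.com",
              "links": ["https://olx-payment.pl/verify", "https://oIx.pl/login"],
              "attachments": ["invoice.zip"],
              "body": "Act quickly: your account will be blocked within 24 hours."},
}
```

Calling phishing_indicators on the "phish" sample returns five indicators (unknown sender domain, two look-alike link hosts, a .zip "invoice" and pressure language), while the "legit" sample returns none.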

In addition, you should always confirm the information received through another contact channel, e.g. if you have received an e-mail that your bank account has been blocked, you should contact the bank's hotline by phone to confirm whether your account has indeed been blocked. Did we receive an e-mail informing us that we won? Let's verify whether such a company actually organizes a given competition.

Of course, you should never open email attachments from unknown senders that you did not expect to receive, regardless of whether it is a request for payment, an unexpected invoice or an important letter. All of this can be clarified without opening the unexpected attachment, and as I mentioned in this and the previous article, opening such an attachment can load various types of malware onto our device: software that displays advertisements, directs us to infected websites, adds our device to a botnet, installs a keylogger or viruses that scan our computer's files and send important information to the hacker, encrypts our files (decrypting them after the ransom is paid, if the hacker is still at large at that point) and finally deletes all data and permanently damages the device.

The question is whether the time saved by not verifying the message, links, recipient or attachment is worth it? Each of you, dear readers, must answer this for yourself.

Phishing – interesting facts

The term "phishing" is sometimes translated as "password harvesting fishing". However, the origin of the name of this type of hacker attack comes from the English word fishing, because just as an angler does not know whether he will catch a fish, the hacker does not know whether he will be able to persuade victims to provide their data ("catch them"). Moreover, the hacker has no information whether potential victims actually use the services the hacker refers to (e.g. electronic banking of a specific bank), but he hopes to find such people and gain their trust through sent spam.

There is also a theory that the term phishing comes from the name of Brian Phish, who was said to be the first person to use psychological techniques to steal credit card numbers in the 1980s. However, there is a known counter theory that Brian Phish was just a fictional character used by spammers to recognize each other.

Summary

Hacker attacks are becoming more and more frequent and the ingenuity of cybercriminals seems limitless. This is particularly clear in the case of phishing attacks and their various types, which record even triple-digit year-on-year increases. In this two-part article, the description of the different types of phishing attacks, the discussion of examples of real attacks, and the methods of detection and defense are intended to raise awareness and knowledge in this field. I believe that we cannot remain indifferent to the problem of phishing attacks, because they affect ever wider social groups, from ordinary people to enterprises. As I wrote above, I have been the target of phishing attacks, both privately and professionally. Fortunately, I always managed to detect the fraud attempt. However, with hackers becoming more and more inventive and our lives moving into cyberspace, for example to social media, we are all exposed to at least a spear phishing attack, and if we hold a high professional position, even to whaling.

Nevertheless, you should always be careful and follow the tips contained in both articles, and in order to make sure that you are really vigilant and can detect phishing, I invite you to test yourself in the quiz prepared by Google: https://phishingquiz.withgoogle.com/?hl=en.

I wonder how many Readers will get the maximum number of points (8/8), which I sincerely wish for everyone!

Finally, I would like to add that any attempted fraud (phishing attack) can be reported on the website run by your country's CERT (Computer Emergency Response Team).

Thank you for your interest in the articles and for reading them to the end. In the following articles, I will reveal and present further types of hacker attacks.

More articles by Michał Mamica