Definition of Phishing
Phishing is a type of cyberattack that uses disguised emails as a weapon. These attacks use social engineering techniques to trick the recipient into believing that the message is something they want or need (a request from their bank, for example, or a note from someone in their company) and into clicking a link or downloading an attachment.
“Phish” is pronounced just as it is spelled, that is, like the word “fish”; the analogy is of an angler throwing out a baited hook (the phishing email) and hoping you bite.
Phishing emails can be targeted in different ways: some are not targeted at all, some are aimed at whoever holds a particular role in an organization, and some at specific high-value individuals.
Phishing is one of the oldest types of cyberattack, dating back to the 1990s, and it is still one of the most widespread and pernicious, with phishing messages and techniques becoming increasingly sophisticated.
The term originated among hackers who aimed to trick AOL users into giving up their login credentials. The “ph” is part of a tradition of whimsical hacker spelling and was probably influenced by the term “phreaking”, short for “phone phreaking”, an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.
Some phishing scams have been successful enough to make waves:
What a phishing email can do
There are several ways to divide attacks into categories. One is by the goal of the phishing attempt: what it is supposed to achieve. Typically, a phishing campaign tries to trick the victim into doing one of two things:
Hand over sensitive information. These messages aim to trick the user into revealing important data, often a username and password that the attacker can use to break into a system or account. The classic version of this scam is an email designed to look like a message from a major bank; by sending it to millions of people, the attackers ensure that at least some recipients will be customers of that bank. The victim clicks a link in the message and is taken to a malicious site designed to look like the bank’s web page, where they, the attacker hopes, enter their username and password. The attacker can now access the victim’s account.
Download malware. Like a lot of spam, these phishing emails aim to get the victim to infect their own computer with malware. The messages are often “soft-targeted”: they might be sent to an HR staffer with an attachment that purports to be a job seeker’s CV, for example. These attachments are often .zip files or Microsoft Office documents with embedded malicious code. One of the most common forms of malicious code is ransomware; in 2017 it was estimated that 93% of phishing emails contained ransomware attachments.
Types of phishing
Another way to classify these attacks is by whom they target and how the messages are sent. If there is one common denominator among phishing attacks, it is disguise: attackers spoof their email address so it looks like it comes from someone else, set up fake websites that look like ones the victim trusts, and use foreign character sets to disguise URLs.
That said, a variety of techniques fall under phishing. Each is a variation on a theme: the attacker impersonates a trusted entity, often a real or plausibly real person, or a business the victim might deal with.
Email phishing: In widespread mass-market phishing attacks, emails are sent to millions of potential victims in an attempt to trick them into logging in to fake versions of popular websites.
Ironscales has listed the brands most often impersonated by attackers in their phishing attempts. Among the more than 50,000 fake login pages the company monitored, these were the top brands used by attackers:
- PayPal: 22%
- Microsoft: 19%
- Facebook: 15%
- eBay: 6%
- Amazon: 3%
Spear phishing: When attackers craft a message to target a specific individual. For example, a spear phisher may target someone in the finance department and impersonate the victim’s manager, requesting a large wire transfer at short notice.
Whaling: Whale phishing, or whaling, is a form of spear phishing aimed at the really big fish: CEOs or other high-value targets such as company board members.
Gathering enough information to fool a very high-value target can take time, but it can have a surprisingly high payoff. In 2008, cybercriminals targeted corporate CEOs with emails that claimed to have FBI subpoenas attached. In fact, the attachments downloaded keyloggers onto the executives’ computers; the scammers’ success rate was 10%, snaring almost 2,000 victims.
Business Email Compromise (BEC): A type of targeted phishing attack in which attackers pretend to be a company’s CEO or other senior executive, usually to trick other people in that organization into transferring money.
Vishing and smishing: Phishing via phone call and text message respectively.
Other types of phishing include clone phishing, social media phishing and more, and the list grows as attackers constantly evolve their tactics and techniques.
How Phishing Works
All the tools needed to run phishing campaigns (known as phishing kits), as well as mailing lists, are readily available on the dark web, making it easy for cybercriminals, even those with minimal technical skills, to carry out phishing attacks.
A phishing kit bundles the resources and tools of a phishing website and need only be installed on a server. Once it is installed, all the attacker has to do is send emails to potential victims.
Some phishing kits let attackers spoof trusted brands, increasing the chances that someone will click a fraudulent link. Akamai’s research, presented in its Phishing–Baiting the Hook report, found 62 kit variants for Microsoft, 14 for PayPal, seven for DHL and 11 for Dropbox.
Duo Labs’ Phish in a Barrel report includes an analysis of phishing kit reuse. Of the 3,200 phishing kits Duo discovered, 900 (27%) were found on multiple hosts. The real figure could be higher, however. “Why aren’t we seeing a higher percentage of kit reuse? Maybe because we were measuring based on the SHA1 hash of the kit contents. A single change to a single file in the kit would appear as two separate kits, even if they are otherwise identical,” said Jordan Wright, senior R&D engineer at Duo and author of the report.
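To see why that caveat matters, here is a small added example (it is not Duo's method or tooling, and the two kit manifests are constructed placeholders, not working phishing pages). It hashes the kits two ways: once over the whole kit, which changes as soon as one file changes, and once per file, so that kits can be compared by how many files they share.

```python
"""Why an archive-level hash undercounts phishing-kit reuse, and one way around it.
Two constructed kit manifests (path -> file bytes) differ in a single file: their
whole-kit SHA-1s differ, but comparing the sets of per-file SHA-1s shows they are
the same kit. Example code added to this page; it is not Duo Labs' method or
tooling, and the kit contents are non-functional placeholders."""
import hashlib

# Constructed kit contents: placeholders, not a working phishing page.
KIT_A = {
    "index.php": b"<?php /* fake login page */ ?>",
    "post.php": b"<?php /* collects the submitted form */ ?>",
    "config.php": b"<?php /* where captured logins are sent: drop-one */ ?>",
    "css/style.css": b"body { font-family: sans-serif; }",
    "img/logo.png": b"\x89PNG\r\n\x1a\n",
}
# The same kit, re-sold with one line changed in config.php.
KIT_B = dict(KIT_A, **{"config.php": b"<?php /* where captured logins are sent: drop-two */ ?>"})
# An unrelated kit that happens to reuse the stylesheet.
KIT_C = {"index.html": b"<html><!-- different brand --></html>",
         "css/style.css": KIT_A["css/style.css"]}


def kit_hash(kit):
    """One SHA-1 over every file in a canonical order: what hashing the archive amounts to."""
    h = hashlib.sha1()
    for path in sorted(kit):
        h.update(path.encode())
        h.update(b"\0")
        h.update(kit[path])
        h.update(b"\0")
    return h.hexdigest()


def file_fingerprints(kit):
    """Set of (path, SHA-1) pairs: the unit of comparison that survives a one-file edit."""
    return {(path, hashlib.sha1(data).hexdigest()) for path, data in kit.items()}


def similarity(kit_a, kit_b):
    """Jaccard similarity of the two kits' per-file fingerprint sets, from 0.0 to 1.0."""
    a, b = file_fingerprints(kit_a), file_fingerprints(kit_b)
    return len(a & b) / len(a | b)


def same_kit(kit_a, kit_b, threshold=0.5):
    """Treat kits that share at least `threshold` of their files as one kit (threshold is a guess)."""
    return similarity(kit_a, kit_b) >= threshold


if __name__ == "__main__":
    print("whole-kit hashes equal:", kit_hash(KIT_A) == kit_hash(KIT_B))
    print("A vs B similarity:", similarity(KIT_A, KIT_B), same_kit(KIT_A, KIT_B))
    print("A vs C similarity:", similarity(KIT_A, KIT_C), same_kit(KIT_A, KIT_C))
```

A and B share four of their six distinct files, so they cluster together even though their whole-kit hashes differ; C shares only the stylesheet and stays separate. The 0.5 threshold is a placeholder; in practice it would be tuned on a labelled corpus.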
Examples of Phishing
Criminals rely on deception and create a sense of urgency to succeed with their phishing campaigns. As the following examples show, these social engineers know how to capitalize on a crisis.
Example of Phishing: Corona Update
This phishing campaign, discovered by Mimecast, attempts to steal the victim’s Microsoft OneDrive login credentials. The attacker knew that, with more people working from home, sharing documents via OneDrive would be common.
Phishing example: cure for Covid
This phishing campaign, identified by Proofpoint, asks victims to load an app onto their device to “run simulations of the cure” for COVID-19. The app, of course, is malware.
Phishing Example: A Public Health Matter
This email appears to be from the Public Health Agency of Canada and asks recipients to click on a link to read an important letter. The link points to a malicious document.
How to prevent phishing
The best way to learn how to spot phishing emails is to study wild-caught examples! Lehigh University’s Department of Technology Services maintains a gallery of recent phishing emails received by students and staff.
There are also a number of steps you can take and mindsets you should adopt to prevent yourself from becoming a phishing statistic, including:
- Always check the spelling of URLs in email links before clicking or entering sensitive information
- Beware of URL redirects, where you are subtly sent to a different website with an identical design
- If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just replying
- Do not post personal data, such as your date of birth, vacation plans, address or phone number, publicly on social media
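The first two checks in the list above, together with the disguises described earlier (foreign character sets in URLs, lookalike domains, redirects), in code. This is an example added here, not code from the article or from any product: it decodes a punycode host back to what the user would see, flags a host that mixes scripts or that matches a trusted brand once lookalike letters are folded or one character is changed, spots a redirect parameter that carries a second URL, and compares the link text with the real destination. The trusted-domain list, the confusable table and the sample links are all constructed for the demo; a real checker would use the full Unicode confusables data and a public-suffix list.

```python
"""Look at an email link the way the article tells a reader to: spell out the
host, look for foreign characters disguising it, and look for a redirect to a
different site. Example code added to this page; it is not taken from the
article or from any vendor product. The trusted-domain list, the confusable
table and the sample links are constructed for illustration."""
import re
import unicodedata
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: a small hand-picked table of Cyrillic/Greek letters that render like
# Latin ones. A production checker would use the full Unicode confusables data.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u03bf": "o"}
TRUSTED = {"paypal.com", "microsoft.com"}  # constructed allow-list for the demo
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")


def decode_host(host):
    """Turn a punycode host ('xn--...') into the Unicode string the user would see."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or not valid IDNA: show it as-is
        return host


def scripts_in(host):
    """Unicode scripts used by the letters of a host, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def skeleton(host):
    """Fold confusable letters to Latin so a lookalike compares equal to its target."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", host))


def registrable(host):
    """Last two labels. Assumption: no public-suffix list, so 'co.uk'-style TLDs are not handled."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_in_text(text):
    """First domain name mentioned in link text (bare or inside a URL), '' if none."""
    m = HOST_RE.search(text.lower())
    return m.group(1) if m else ""


def embedded_redirect(url):
    """First query parameter whose value is itself an absolute http(s) URL, else None."""
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            if unquote(v).lower().startswith(("http://", "https://")):
                return unquote(v)
    return None


def check_link(href, display_text, trusted=TRUSTED):
    """Return human-readable findings for one link; an empty list means no red flag."""
    findings = []
    host = (urlsplit(href.strip()).hostname or "").lower()
    shown = decode_host(host)
    if shown != host:
        findings.append(f"punycode host {host} displays as {shown}")
    scripts = scripts_in(shown)
    if len(scripts) > 1:
        findings.append(f"mixed scripts in host {shown}: {sorted(scripts)}")
    reg = registrable(shown)
    if reg not in trusted:
        folded = skeleton(reg)
        look = [t for t in sorted(trusted) if skeleton(t) == folded or levenshtein(t, folded) == 1]
        if look:
            findings.append(f"{reg} is not trusted but looks like {look[0]}")
    target = embedded_redirect(href)
    if target:
        target_host = (urlsplit(target).hostname or "").lower()
        if registrable(target_host) not in trusted:
            findings.append(f"link redirects on to {target_host}, which is not trusted")
    text_host = host_in_text(display_text)
    if text_host and registrable(text_host) != reg:
        findings.append(f"link text says {text_host} but the link goes to {shown}")
    return findings


if __name__ == "__main__":
    lookalike = "p\u0430ypal.com"  # Cyrillic 'а' (U+0430) in place of Latin 'a'
    samples = [  # constructed links: (href, text the reader sees)
        ("https://www.paypal.com/signin", "paypal.com"),
        (f"https://{lookalike}/login", "paypal.com"),
        ("https://" + lookalike.encode("idna").decode("ascii") + "/login", "Sign in"),
        ("https://www.microsoft.com/redirect?url=https%3A%2F%2Fevil.example%2Fsignin", "Sign in"),
        ("https://paypa1.com/", "https://www.paypal.com/"),
    ]
    for href, text in samples:
        print(href, "->", check_link(href, text) or ["no red flags"])
```

Only the first sample comes back clean. The Cyrillic host trips the mixed-script and lookalike checks whether it arrives as raw Unicode or as the `xn--` form a mail client may show, the Microsoft link is flagged because its `url=` parameter carries the real destination, and `paypa1.com` is caught by edit distance rather than by the confusable table.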
If you work in your company’s IT security department, you can implement proactive measures to protect the organization, including:
- Sandboxing inbound email, checking the safety of every link a user clicks
- Inspecting and analyzing web traffic
- Conducting phishing tests to find weak spots and using the results to educate employees
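On the receiving side, the spoofed sender address mentioned earlier leaves traces in the headers that an inbound-mail check can read. The following is an added example, not code from the article or from any gateway product: it triages a reported message by comparing the From: domain with the envelope sender (Return-Path) and with Reply-To:, checks whether the display name hides a different address, and reads the SPF/DKIM/DMARC verdicts the gateway recorded in Authentication-Results. Both sample messages are constructed.

```python
"""Triage the headers of an email a user has reported, looking for the address
spoofing the article describes: a From: that the sending infrastructure and the
gateway's authentication results do not back up, a Reply-To: that quietly diverts
replies elsewhere, and a display name that carries a different address than the
real one. Example code added to this page, not part of the article or of any
product; both sample messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the From: claims paypal.com, but the envelope sender and the
# gateway's DMARC result say otherwise, and replies are steered to a free mailbox.
SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail (p=reject) header.from=paypal.com
From: "PayPal" <service@paypal.com>
Reply-To: paypal-verification@outlook.example
To: jane.doe@corp.example
Subject: Action required: your account has been limited
Content-Type: text/plain

Please confirm your identity at http://paypal.com.verify-account.example/login
"""

# Constructed: the same sender, this time with aligned envelope and passing checks.
LEGIT = """\
Return-Path: <bounce@paypal.com>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: jane.doe@corp.example
Subject: Your receipt
Content-Type: text/plain

Thanks for your payment.
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def domain(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def parse_auth_results(values):
    """Collapse Authentication-Results headers (RFC 8601) to {'spf': 'pass', 'dkim': 'none', ...}."""
    results = {}
    for value in values:
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value):
            results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message; [] means the headers line up."""
    msg = message_from_string(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain(from_addr)

    # Return-Path is where bounces go; a phisher rarely controls the From: domain's mail.
    ret_dom = domain(parseaddr(msg.get("Return-Path", ""))[1])
    if ret_dom and ret_dom != from_dom:
        findings.append(f"From: domain {from_dom} differs from Return-Path domain {ret_dom}")

    # A Reply-To pointing elsewhere is how replies to a spoofed sender reach the attacker.
    reply_dom = domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"replies go to {reply_dom}, not to {from_dom}")

    # "ceo@corp.example" <x@freemail.example>: many clients show only the name.
    for hidden in ADDR_RE.findall(display_name):
        if domain(hidden) != from_dom:
            findings.append(f"display name shows {hidden} but the sender is {from_addr}")

    # What the gateway concluded; anything but pass on SPF/DKIM/DMARC deserves a second look.
    auth_headers = msg.get_all("Authentication-Results", [])
    if not auth_headers:
        findings.append("no Authentication-Results header: the gateway did not check this mail")
    for mech, result in sorted(parse_auth_results(auth_headers).items()):
        if result != "pass":
            findings.append(f"{mech}={result}")
    return findings


def verdict(findings):
    """'block' on a DMARC failure, 'review' on any other finding, 'ok' when there are none."""
    if any(f.startswith("dmarc=") for f in findings):
        return "block"
    return "review" if findings else "ok"


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        found = triage(raw)
        print(f"{label}: {verdict(found)} {found}")
```

Authentication-Results is only trustworthy when it was written by your own gateway, so a real deployment would also check the authserv-id (`mx.corp.example` here) and strip any copy of the header that arrived from outside; the example takes that as given.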
Encourage employees to send you suspected phishing emails, then follow up with a thank you note.
Copyright © 2022 IDG Communications, Inc.