Phishing Attacks

Introduction:

Before the internet, mailing letters to share information or deliver important messages took a very long time. The internet made it possible to send electronic mail, or e-mail, which quickly became an essential tool for people around the globe: it let them share information in a matter of seconds! Along with the benefits came dangers, and one of them is email phishing. Not the kind of fishing you do out on a lake: email phishing is a form of social engineering attack against a victim’s system, carried out through email messages. Attackers craft fake emails that look identical to messages from your bank or your friends, asking you to do something such as send a wire transfer or download a file. The victim may be redirected to a fake website that asks for credentials, or be asked to send money; either way the attacker captures what is submitted and gains full access to the victim’s accounts. Below I describe the different types of phishing and how to avoid them.

Phishing Attack Types:

In general, there are three different types of phishing attacks used by hackers. They are:

  1. Spear Phishing
  2. Clone Phishing
  3. Whaling
  • Spear Phishing: attacks “directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is by far the most successful on the Internet today, accounting for 91% of attacks.”
  • Clone Phishing: “is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.”
  • Whaling: “Several phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks. In the case of whaling, the masquerading web page/email will take a more serious executive-level form. The content will be crafted to target an upper manager and the person’s role in the company. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern.”

Example: a phishing email sent to a potential victim from a fake bank, asking the recipient to deposit money using the link in the email.

Other Attacks:

Phishing isn’t restricted to email. Attackers use phishing techniques in other channels as well, such as SMS phishing, link manipulation, website cloning and voice phishing. A rule of thumb for staying safe from these attacks is to ask yourself whether you requested any information from the sender, or whether the message is in any way relevant to your activity over the past days.

Counter-measures:

Now, this all might sound scary, and it definitely is, but there are simple ways to avoid falling victim to these attacks. I list some of them below and discuss each in detail.

  • Proofread the email for basic grammar errors and wrong personal details, and sanity-check whether the message actually has anything to do with you.
    • If you receive an email like the one above and have never done any business with “TrustedBank”, it should be instantly clear to you that it is a scam. Other attacks may appear to come from websites or companies you do use; double-check your recent activity with them before opening or downloading anything from the email.
  • If the email asks you to send personal information, repay tax funds, etc.:
    • Stop! Look up the institution’s correct phone number yourself and call them. Ask them about the email and verify whether it really came from them. Thousands of people fall victim to fake IRS scammers each year.
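Part of this manual checking can be automated. The script below is an added example (not part of the original post) that flags two of the red flags discussed here in a raw email: a Reply-To domain that differs from the From domain, and a link whose visible text shows one host while its href points to another (the link manipulation mentioned above). The sample message and its .example hosts are constructed for the demo, modelled on the fake “TrustedBank” email.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Simple anchor pattern: good enough for triage, not a full HTML parser.
_ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def _host(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return human-readable red flags found in the message (empty list = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_domain = msg["from"].addresses[0].domain.lower() if msg["from"] else ""
    # Indicator 1: Reply-To routes answers to a domain other than the sender's.
    if msg["reply-to"] and msg["reply-to"].addresses:
        reply_domain = msg["reply-to"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Indicator 2 (link manipulation): anchor text shows one host, href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in _ANCHOR.findall(body.get_content()):
            text = re.sub(r"<[^>]+>", "", text).strip()  # drop nested tags
            shown = _host(text) if "." in text and " " not in text else ""
            if shown and shown != _host(href):
                flags.append(f"Link text shows {shown} but points to {_host(href)}")
    return flags


# Constructed sample (fake hosts under the reserved .example TLD), modelled on the
# "TrustedBank" email the post describes.
SAMPLE = (
    "From: TrustedBank Alerts <alerts@trustedbank.example>\n"
    "Reply-To: support@tb-verify.example\n"
    "Subject: Action required\n"
    "Content-Type: text/html\n\n"
    '<p>Log in at <a href="http://tb-verify.example/login">www.trustedbank.example</a></p>\n'
)

if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE):
        print("RED FLAG:", flag)
```

Both checks are heuristics: a legitimate newsletter may use a different Reply-To, so treat a hit as a reason to verify out of band, not as proof of fraud.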

A descriptive diagram to help you identify a fake email.

There is much more to say about phishing, but rather than go into further detail I will point to some proper resources you can consult for more information and procedures on how to avoid such attacks and stay safe.

  • http://www.phishing.org/what-is-phishing
  • http://www.phishing.org/phishing-examples
  • http://www.phishing.org/10-ways-to-avoid-phishing-scams
2018-08-17T13:16:50+00:00