Most of us will not click on the email claiming we are lottery winners nowadays. However, phishing attacks have evolved and remained the most dangerous cyberattack for individuals or enterprises since the first phishing attack in 1995.
According to a report by email security company Valimail, over three billion spoofing messages are sent each day, nearly 1% of all email traffic. And this is costing quite costly damage to our society. By 2021, global cybercrime damages will rise from $3 trillion in 2015 to $6 trillion yearly, according to the estimation from the 2020 Official Annual Cybercrime Report by Cybersecurity Ventures.
The term “phishing” is a play on the word “fishing.” According to IETF RFC 4949 Ver 2, phishing is defined as:
A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.
For example, the message may have a “New iPhone giveaway,” “Malware Alert,” or another type of attractive subject line. The phishing email may contain the company’s logo, address, and phone number, to any other information that can make it looks legitimate.
Another common tactic is to get it to look like a personal email from someone you know or a friend who wants to share something with you. A phishing technique often waits for someone to “get hooked.” As in conventional fishing, these scammers send out “hooks” and only require a relative few to take the “bait” (i.e., click the link).
Nowadays, most of us would be able to spot a phishing email, most of us. And scammers also know that. They enhance the phishing techniques (more about that later). But before we recognize an email as phishing, it’s too late. Someone may have already clicked on the link.
Social engineering is leveraging our psychological elements to establish access to information or financial gain from us. A phishing email is one type of the most common way hackers try to gain information or financial gain from individuals. In cybersecurity, we categorize this kind of technique as “Social Engineering.”
According to NIST SP800–63–3 — Digital Identity Guidelines, Social Engineering is:
The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.
There is no signature to update in our mind or firewall to be installed. Thus, hackers exploit unpatched psychological vulnerabilities, and the easiest way to do that is by phishing.
The COVID-19 situation is not getting better soon, as many companies are striving for business survival. Contingency plans like the remote workforce and work from home are becoming the new normal for many employees (me included).
Working from home means that employees are more relaxed and may often use their own devices for work (i.e., BYOD), meaning that, if a cybercriminal compromises an employee’s device, they could gain access to not only the data sitting inside the device but also access to the corporate network.
Employees are more remote from the IT and cybersecurity team, implying that they are less monitored and supported when needed (especially when BYOD is in place), like seeing a suspicious but urgent email; normally, they may report it to their internal team. Still, while they are at home, they may be treated differently.
If you want to be a cybercriminal, you can. A growing number of tools are intended to help amateurs with little computer knowledge get into the cybercrime industry. Phishing tools are low-cost and widespread.
The availability of phishing kits online and the rise of ransomware-as-a-service (RaaS) lower the required skills to begin. This has resulted in an outburstRansomwareware and other exploits coming from an ever-growing swamp of amateur cyber criminals.
In the following, I will introduce several new types of phishing to give you more awareness the next time you may encounter one of these attacks.
Proofpoint researchers identified a new variant of the Buer malware loader circulated via emails masquerading as DHL shipping notices in early April. The emails impacted over 200 organizations across more than 50 verticals. (Buer is a downloader sold on underground marketplaces used as a “base ” in compromised networks to distribute other malware, includRansomwareware.)
The phishing email contained a link to a malicious Microsoft Word or Excel document that used macros to drop the new malware. The new strain is completely rewritten in a coding language called Rust — a malware written in a completely different way. This makes phishing more difficult to detect and more harmful.
While conventional phishing campaigns go after large numbers of comparatively low-yield targets, spear-phishing aims at particular targets, especially emails crafted to their designated victims. It is a different kind of phishing that was purposefully created to penetrate a target (usually an organization).
While mass phishing primarily involves using automated off-the-shelf kits to collect credentials at a massive scale, targeted campaigns normally involve documents containing malware or links to credential-stealing sites to steal sensitive information or intellectual property or to compromise payment systems solely.
QRishing is the combination of the words: “QR Codes” + “Phishing.” This indicates the attack is in the form of a QR code.
QR codes are a popular tool for threat actors, significantly since the Pandemic has limited physical contact. We use it to access menus, check-in for vaccines, and get public information. Social distancing guidelines and trends like “contactless for everything” have popularised the use of QR codes.
Kaspersky reported in one example from Q1 2020 that clients of several Dutch banks received a fake email that asked them to“unlock” mobile banking by scanning a QR code. Rather, the QR code directed them to a malware-embedded web link.
Another tactic is by inserting fake QR codes into a phishing email, text, or social media platform. Upon scanning the false code, users are redirected to fabricated websites, where the victim may be prompted to log in to steal their credentials.
A scam QR code has the potential to connect to an unsecured WiFi network while someone can easily capture what you are typing. Phony codes may also take you to websites where malware can be automatically downloaded and used to gain access to your device, steal data, or make further attacks such as Ransomware.
A smishing message possibly related to the Facebook leaks | Copyright by the author
Meanwhile Smishinghing is a combination of the words “phishing” and “SMS.” That means it is one kind of phishing sent across your mobile network in the form of text messages. Although the name uses SMS, this kind of attack can also happen on other messenger platforms, such as Facebook Messenger or WhatsApp.
Common Smishing attempts focus on everyday necessities. Missed deliveries, late payments, bank notifications, fines, and urgent notices are excellent examples of a smishing attack.
With so many people staying at home and so many daily online purchases, we’re awash in cardboard. It’s very challenging to keep track of everything coming into the house. Combining well-known delivery services with fake “delivery fee” notifications is the best recipe for successful Smishing.
Previously I wrote about my recent encounter with a scammer during a phone call 📱. This is also one type of phishing known as “vishing.” It is often referred to as “voice phishing,” indicating cybercriminals use social engineering tactics to lure victims into acting and giving up personal information.
Like Phishing or Smishing, vishing relies on convincing targets that they are doing the right thing by responding to the caller. Often the caller will pretend to be people from the government, tax department, police, or the bank (Like Mr. Li in my case).
Using threats and convincing language, cybercriminals make victims feel as though they have no other choice than to give up the information being asked for. Some cybercriminals use strong and forceful language, and others suggest helping the victim avoid criminal charges.
Another common tactic is to leave threatening voicemails that tell the recipient to call back immediately or risk being arrested, having bank accounts shut down, or worse.
Recently, in Hong Kong, a woman has contracted out HK$20 million (around 2.58 million USD) via a vishing attack. This is particularly effective in Hong Kong. This is the case since scammers can now disguise themselves as the ultimate power special police force for national security.
The reality of this situation is, no one can stop phishing completely. For sure, there are multiple steps a company can use that include anti-phishing protection. You must also keep up-to-date on the contemporary phishing strategies and ensure your security policies and solutions can eliminate threats as they evolve.
Remember, a phishing attack is a key to social engineering. Therefore, you need to make sure that employees understand the risks when opening email attachments or clicking links from unfamiliar sources. And for these, that can lead to malware infection. The best way to cover this is a training program that actually works.
You should include a session showing them what good and bad emails tend to look like. By that, users can have an idea of how to check the validity of an email. Verify the effectiveness of training through testing.
Performing phishing trials against your own organization will help you know if your staff is ready to manage a real phishing attack. Also, it can help to assess their level of sophistication in handling phishing attempts.
If you, unfortunately, fall for a phishing attack, please do the following:
Finally, the NIST developed a method to help security teams see why users clicked on the phishing email:
Thank you for reading. May InfoSec be with you🖖.