What Is Phishing?
Phishing is an attempt to steal sensitive information by impersonation. It is a method of deception that aims to cause the user to act, usually clicking an attached link, that will endanger their computer.
Let’s see an example in the attached photo below, taken directly from our email inbox:
Let’s start by stating the obvious- We have no deceased beneficiary who has left us 10 million dollars. The improper grammar and nonexistence of punctuation marks clarify to us that we have not struck gold. These phishing messages may provide us with comic relief at times, but they can cause extreme harm when done right.
Phishing attacks show our most basic weaknesses. The most sophisticated cyber defense systems can’t prevent human error. Therefore, it’s important to identify the signs of a phishing message and to implement proper behavioral procedures that include employee tutorials and phishing tests. Here are the most common types of phishing attacks and ways to ensure you don’t become a victim as well.
Emails that seem to have come from a reliable source (generally Facebook, eBay, etc.) like professional organizations, institutions and service providers, but were sent from a malicious hacker. These emails use corporate language, company logo and even the original typography – methods that raise the credibility and persuade us to believe in the legitimacy of these emails.
These emails create a sense of urgency and usually include a call to action – passwords that are about to expire and must be changed, a security breach that occurred and requires all users to change their login details.
The links attached to the emails are very similar to the authentic ones, however they usually have a small spelling error or additional domain, leading to an address reminiscent of the original site. But don’t be fooled, these sites are a gateway for malicious software installation or data theft.
Pay attention to warning signs:
- Lack of personal details
- Typos such as gooogle instead of google,
- Address without SSL [usually a symbol of a lock in the link bar]
- You can scan the address on this site
Taken from Conversation
Phishing vs Spear Phishing
A fishing metaphor is necessary when discussing phishing attacks, and we have no intention of disappointing you.
While email phishing might be a net thrown in hopes of snatching as many fish as possible, Spear Phishing is the plane survivor inside the water trying to catch dinner with a makeshift spear.
Take an organizational environment as an example- in the case of Spear Phishing, the attacker collects information about the names of employees in a particular department and impersonates a known entity – for example a service provider working with them or an IT team. In this case, the email is for a small number of users and therefore “tailor-made”.
A hacker impersonating an employee in the human resources department sends an email updating work procedures to an employee of the company
Because of the potentially catastrophic damage, when it comes to spear-phishing it is essential that S&M businesses consult with cyber security firms that will implement holistic cyber solutions.
Verify via email or personal call to the email sender
Man in the Middle
The Man in the middle is perhaps the most difficult method to identify by a non-expert. MITM occurs when a hacker inserts himself between the user and the service provider, whether as a bystander listening or as an imposter of one party. The purpose of the attack is to steal personal information – credit card details, passwords and account information – most often occurs in communications between users and financial companies, SaaS, online stores and sites that require login to an account.
This type of attack has two stages – interception and decryption:
The hacker tries to intercept the connection between the user and the service provider, usually by creating a free and public hotspot. Once the victim connects to the hotspot without the need for a password, the attacker has full access to the internet communication.
Do not login to sensitive accounts when connected to unsecured wi-fi (airports, cafes, etc.)
After intercepting the user’s Internet communication, the information received must be decrypted without alerting the user – SSL abstraction or hijacking can be used, and HTTPS Spoofing.
Pay attention to the browser messages that report suspicious activity
Phishing tests- Defend your company
The phishing method has become a hacker favorite, with attacks occurring daily that can lead to losses of millions and irreversible damage. The phishing tests train employees to take precautions and be on alert for any sign of foul play. Management benefits from these tests as well, by receiving a deeper understanding of the company’s security defenses and vulnerabilities.
The phishing test is performed by a professional team that specializes in identifying these attacks.
The goal is to create a simulation of a real phishing attack, so the employees are subjected to a phishing test – will they provide data or not.
The team will usually purchase a domain and SSL certificate which will increase the credibility and lower suspicion. A message will then be sent to the company’s employees (using one of the phishing methods listed), from an address that is supposedly known. The message is usually accompanied by a link with a request to enter personal information (password, username, account information, etc.)
Once employees’ awareness of this issue increases through phishing tests, caution will increase and thus prevent the next attack.
Organizational Phishing Test Methodology
The first step in the phishing testing process is to gather information about the organization. The testers begin with basic details- the product or service they provide, the location of the organization, and the website. This is done to receive a basic understanding of the target in question.
However, the primary goal of gathering information is to discover employees ’email addresses, usually through Chrome extensions like hunter.io, which collects information about the company’s employees’ web addresses. Sometimes these are general addresses for human resources or sales departments’, yet many employees’ personal addresses can be discovered in such ways.
Additionally, the testers can use the organizational email template, usually some variation of the employee name and the company name as the domain. When searching for company employees on social networks like LinkedIn the connection can be made and the validity of the emails can be checked using email checker sites.
This process continues until the tester has gathered a sufficient amount of email addresses, determined by the original goal of the test. Are we interested in wide distribution to examine the company’s overall awareness? Or perhaps upper management wishes to test executives in a process resembling whaling?
Following this, the testers map the organization’s defense systems, with an emphasis on Mail Relay protocols performed by EDR systems. These systems intercept emails sent to the organization’s domain and scan the messages to detect suspicious activity.
Unfortunately, there are still organizations and businesses that do not use email protection protocols, mainly small businesses, and are therefore more vulnerable to exploitation.
A study published in AdvisorSmith showed that 42% of all small businesses experienced a cyber attack in 2021 with the majority being phishing attacks.
After a deeper understanding of the obstacles, the testers formulate and adjust the email sent according to the findings and purpose.
For example, Office365 is known to use a Sandbox environment to run files attached to emails, allowing potential malware to run without affecting the organization’s systems. Therefore the testers will attach a link to an external site, eluding the sandbox defense protocol.
Most testers impersonate the organization’s IT, locating email addresses and copying their signatures. The testers create an e-mail box with a similar name and use this to send messages disguised as a security update with operating instructions and a file/link.
The attached file is usually of an EXE type, which creates a session for remote takeover by the testers. Due to a lack of technical awareness, many do not doubt the emails of IT teams, nor operations that might look suspicious.
However, even if the employee does suspect and quickly closes the EXE file, testers can connect in those few seconds to another component in the corporate network or device, if they are fast enough.
Once access to the organization’s systems has been gained, the phishing test is completed. The cyber security companies that perform these tests submit a final report with proof of capability, as well as recommendations for improving awareness and defense systems.