By: David Bisson Source: Tripwire.com
Phishing attacks continue to play a dominant role in the digital threat landscape. In its 2020 Data Breach Investigations Report (DBIR), for instance, Verizon Enterprise found that phishing was the second topmost threat action variety in security incidents and the topmost threat action variety in data breaches. It therefore comes as no surprise that more than a fifth (22%) of data breaches analyzed by Verizon Enterprise’s researchers involved phishing in some way.
Digital fraudsters show no signs of slowing down their phishing activity in 2020, either. On the contrary, a report from Google found that phishing websites increased by 350% from 149,195 in January 2020 to 522,495 just two months later. Many of these websites likely used coronavirus 2019 (COVID-19) as a lure. Indeed, Barracuda Networks observed that phishing emails using the pandemic as a theme increased from 137 in January 2020 to 9,116 by the end of March—a growth rate of over 600%.
The rise of phishing attacks poses a significant threat to all organizations. It’s important that all companies know how to spot some of the most common phishing scams if they are to protect their corporate information. It’s also crucial that they are familiar with some of the most common types of techniques that malicious actors use to pull off these scams.
Towards that end, we at The State of Security will discuss six of the most common types of phishing attacks as well as provide useful tips on how organizations can defend themselves.
Deceptive phishing is by far the most common type of phishing scam. In this ploy, fraudsters impersonate a legitimate company in an attempt to steal people’s personal data or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing what the attackers want.
Vade Secure highlighted some of most common techniques used in deceptive phishing attacks:
As an example, PayPal scammers could send out an attack email that instructs recipients to click on a link in order to rectify a discrepancy with their account. In actuality, the link redirects to a website designed to impersonate PayPal’s login page. That website collects login credentials from the victim when they try to authenticate themselves and sends that data to the attackers.
We’ve seen these types of campaigns make headlines in recent years, as well. In the beginning of September 2020, for instance, PR Newswire shared research from the CERT at Retarus warning organizations to be on the lookout for attackers impersonating contract partners. Those malicious actors sent out phishing emails urging organizations to update their business partner contracts by downloading an attachment. To add legitimacy to their attack, the malicious actors made the documents look like they were hosted on the industry-leading transaction system Dotloop. But clicking on the document simply redirected the victim to a fake Microsoft login page.
Less than a month after that, researchers at Cofense spotted an email campaign that pretended to originate from a security awareness training provider. The operation’s attack emails warned the recipient that they only had a day left to complete a required training by clicking on a URL. In the event that the victim complied, the campaign sent them to a phishing kit that used a fake OWA login page hosted on a Russian domain to steal victims’ Microsoft credentials.
The success of a deceptive phish hinges on how closely the attack email resembles a piece of official correspondence from the abused company. As a result, users should inspect all URLs carefully to see if they redirect to an unknown and/or suspicious website. They should also look out for generic salutations, grammar mistakes and spelling errors scattered throughout the email.
Not all phishing scams embrace “spray and pray” techniques. Some ruses rely more on a personal touch. They do so because they wouldn’t be successful otherwise.
Enter spear phishing schemes.
In this type of ploy, fraudsters customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender. Yet the goal is the same as deceptive phishing: trick the victim into clicking on a malicious URL or email attachment so that they’ll hand over their personal data. Given the amount of information needed to craft a convincing attack attempt, it’s no surprise that spear-phishing is commonplace on social media sites like LinkedIn where attackers can use multiple data sources to craft a targeted attack email.
Provided below are some of the most common techniques used in spear phishing attacks:
In the beginning of September 2020, Proofpoint revealed that it had detected two spear-phishing attack campaigns involving China-based APT group TA413. The first took place in March and targeted European government entities, non-profit research organizations and global companies associated with economic affairs by tempting recipients to open the WHO’s “Critical preparedness, readiness and response actions for COVID-19, Interim guidance” document. The second targeted Tibetan dissidents with a PowerPoint presentation entitled “TIBETANS BEING HIT BY DEADLY VIRUS THAT CARRIES A GUN AND SPEAKS CHINESE.ppsx.” Both delivered payloads of a new infostealer family called Sepulcher.
Less than a week later, Armorblox explained that it had come across a phishing attack attempt against one of the top 50 innovative companies in the world in 2019. The attack email used spoofing techniques to trick the recipient that it contained an internal financial report. The campaign’s attachment subsequently redirected recipients to a fake Office 365 login page that showed their username pre-entered on the page, thereby further creating the disguise that the portal was an internal company resource.
To protect against this type of scam, organizations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in solutions that analyze inbound emails for known malicious links/email attachments. This solution should be capable of picking up on indicators for both known malware and zero-day threats.
Spear phishers can target anyone in an organization, even executives. That’s the logic behind a “whaling” attack. In these scams, fraudsters try to harpoon an exec and steal their login details.
In the event their attack proves successful, fraudsters can choose to conduct CEO fraud. As the second phase of a business email compromise (BEC) scam, CEO fraud is when attackers abuse the compromised email account of a CEO or other high-ranking executive to authorize fraudulent wire transfers to a financial institution of their choice. Alternatively, they can leverage that same email account to conduct W-2 phishing in which they request W-2 information for all employees so that they can file fake tax returns on their behalf or post that data on the dark web.
Whaling attacks commonly make use of the same techniques as spear phishing campaigns. Here are a few additional tactics that malicious actors could use:
Back in May 2016, Infosecurity Magazine covered Austrian aerospace manufacturer FACC’s decision to fire its CEO. The supervisory board of the organization said that its decision was founded on the notion that the former CEO had “severely violated his duties, in particular in relation to the ‘Fake President Incident.’” That incident appeared to have been a whaling attack in which malicious actors stole €50 million from the firm.
It was more than three years later when Lithuanian Evaldas Rimasauskas received a prison sentence of five years for stealing $122 million from two large U.S. companies. As reported by Naked Security in December 2019, Rimasauskas staged whaling attacks in 2013 and 2015 against two companies by sending out fake invoices while impersonating a legitimate Taiwanese company. The Manhattan court that handed down the sentence also ordered Rimasauskas to serve two years of supervised release, forfeit $49.7 million and pay $26.5 million in restitution.
Whaling attacks work because executives often don’t participate in security awareness training with their employees. To counter the threats of CEO fraud and W-2 phishing, organizations should mandate that all company personnel—including executives—participate in security awareness training on an ongoing basis.
Organizations should also consider injecting multi-factor authentication (MFA) channels into their financial authorization processes so that no one can authorize payments via email alone.
Until now, we’ve discussed phishing attacks that for the most part rely solely on email as a means of communication. Email is undoubtedly a popular tool among phishers. Even so, fraudsters do sometimes turn to other media to perpetrate their attacks.
Take vishing, for example. This type of phishing attack dispenses with sending out an email and instead goes for placing a phone call. As noted by Comparitech, an attacker can perpetrate a vishing campaign by setting up a Voice over Internet Protocol (VoIP) server to mimic various entities in order to steal sensitive data and/or funds.
Here are some common techniques used in vishing attacks:
In mid-September 2020, managed care health organization Spectrum Health System published a statement warning patients and Priority Health members to be on the lookout for vishing attacks. This warning indicated that those individuals responsible for the attack had masqueraded as employees of Spectrum Health or Priority Health. They used this disguise to try to pressure individuals into handing over their information, money or account access.
It was less than two weeks later when a report emerged on WFXRtv.com in which Montgomery County officials warned residents of the Virginia community to beware of scams involving Social Security Numbers. The report specifically highlighted a surge of fraudsters conducting vishing attacks in which they informed residents that their Social Security Numbers were suspended and that access to their bank accounts would be seized unless they verified their data.
To protect against vishing attacks, users should avoid answering calls from unknown phone numbers, never give out personal information over the phone and use a caller ID app.
Vishing isn’t the only type of phishing that digital fraudsters can perpetrate using a phone. They can also conduct what’s known as smishing. This method leverages malicious text messages to trick users into clicking on a malicious link or handing over personal information.
Webroot identified some techniques commonly used by smishers:
News emerged in the middle of September of a smishing campaign that used the United States Post Office (USPS) as a lure. The operation’s attack SMS messages informed recipients that they needed to view some important information about an upcoming USPS delivery. Clicking on the link led them to various locations including a fake casino game as well as a website designed to steal visitors’ Google account credentials.
It was a short time later when Naked Security released a report of a smishing campaign targeting Apple fans. The SMS messages appeared as though they had arrived at the wrong number, and they used a fake Apple chatbot to inform the recipient that they had won the chance to be part of Apple’s 2020 Testing Program and test the new iPhone 12. This campaign ultimately instructed victims to pay a delivery charge. In actuality, the operation simply used a fake web portal to steal its victims’ payment card credentials.
Users can help defend against smishing attacks by researching unknown phone numbers thoroughly and by calling the company named in the messages if they have any doubts.
As users become wiser to traditional phishing scams, some fraudsters are abandoning the idea of “baiting” their victims entirely. Instead, they are resorting to pharming. This method of phishing leverages cache poisoning against the domain name system (DNS), a naming system which the Internet uses to convert alphabetical website names, such as “www.microsoft.com,” to numerical IP addresses so that it can locate and thereby direct visitors to computer services and devices.
In a DNS cache poisoning attack, a pharmer targets a DNS server and changes the IP address associated with an alphabetical website name. That means an attacker can redirect users to a malicious website of their choice. That’s the case even if the victim enters the correct site name.
Included below are some pharming tactics identified by Panda Security:
All the way back in 2014, Team Cymru revealed that it had uncovered a pharming attack in December 2013. That operation affected over 300,000 small business and home office routers based in Europe and Asia. Ultimately, the campaign used man-in-the-middle (MitM) attacks to overwrite victims’ DNS settings and redirect URL requests to sites under the attackers’ control.
A year later, Proofpoint revealed that it had detected a pharming campaign targeting primarily Brazilian users. The operation had used four distinct URLs embedded in phishing emails to prey upon owners of UTStarcom and TP-Link routers. Whenever a recipient clicked one of the URLs, the campaign sent them to a website designed to execute cross-site request forgery (CSRF) attacks on vulnerabilities in the targeted routers. Successful exploitation enabled the malicious actors to perform MitM attacks.
To protect against pharming attacks, organizations should encourage employees to enter in login credentials only on HTTPS-protected sites. Companies should also deploy anti-virus software on all corporate devices and implement virus database updates on a regular basis. Finally, they should stay on top of security upgrades issued by a trusted Internet Service Provider (ISP).
Using the guide above, organizations will be able to more quickly spot some of the most common types of phishing attacks. Even so, that doesn’t mean they will be able to spot each and every phish. Phishing is constantly evolving to adopt new forms and techniques.
With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives can stay on top of phishing’s evolution.