The “phishing” industry is a booming goldmine for hackers. Every hour, more unsuspecting victims fall prey to phishing campaigns than to any other type of cyber-attack. It is an epidemic of sorts, plaguing the digital world.
(Image from GCN.com)
First, let’s discuss what phishing is. Phishing is a method of social engineering used to extract information from a victim using email or malicious websites, while posing as a legitimate organization or individual the victim deals with (e.g. a bank, a utility company, or the victim’s boss). The objective of phishing is to manipulate the victim into divulging personal information and to harvest credentials for sensitive accounts. Social media has become one of the most attractive “lures” hackers use to ensnare their victims.
So, how does phishing work? A hacker might send an email that mimics the victim’s financial institution, requesting the victim click on a “link” to verify the account is still active. Once the victim clicks on the “link” provided in the phishing email, they will be redirected to a fake (cloned) banking website asking for sign-in credentials. This is a common method of credential harvesting used in many phishing campaigns and is especially effective on mobile email users.
(image from: dexerto.com)
Next, let’s discuss how social media is used in phishing attacks. One favorite target for hackers is Facebook. Facebook has been in the headlines recently for storing hundreds of millions of user passwords in plain text. This has been a monumental security failure and a display of complete incompetence by Facebook. Many hackers have capitalized on the confusion of this debacle and have used Facebook-linked accounts to access other personal information about victims. Hackers have often posed as Facebook technical support staff, requesting that the user change the password for their Facebook account. They will offer a “link” to reset the password. The link will be malicious and redirect the user to what looks like the real Facebook site, but it will be a “cloned” version. The fake site will prompt the user to log in with the old password. Once the password is entered, the page will redirect again, but this time to the real site. This is an attempt at misdirection, giving the victim the impression of a “harmless” technical glitch. At this point the hacker has the login credentials and can monitor the victim at will.
There are several effective social-engineering toolkits available to construct cloned versions of any website, even TLS/SSL-protected (https) ones. These types of phishing attacks occur at the reconnaissance phase of most organized attacks. Most organized, state-sponsored hackers use the following structure of attack: Phase 1 is reconnaissance, Phase 2 is scanning, Phase 3 is infiltration, Phase 4 is establishing persistence, and Phase 5 is covering traces of the attack.
(Image from: staysafeonline.org)
Now, let’s discuss the types of phishing emails. The first is clone phishing. Clone phishing is making a near-identical replica of a legitimate source of online correspondence that the victim has previously trusted (a banking or Facebook login page, for example). The second type is called spear phishing. This type of phishing is designed for a more specific target, such as an individual within a company, often an accounting or front-desk employee. Hackers will often pose as a customer of the victim and attempt to send malicious attachments disguised as business documents. The third type of phishing is called whaling or whale phishing. This type of phishing is directed at high-profile individuals within an organization, such as the Chief Executive Officer or the head of Human Resources. This happened to Snapchat in 2014. A hacker impersonated Snapchat’s CEO Evan Spiegel and asked for employee payroll information. The result was the leak of many Snapchat employees’ personal and financial data. Hackers then sold the information on “dark marketplaces” to the highest bidder. Snapchat has a long history of unprecedented data breaches. The attacks on Snapchat in 2014 became known as “The Snappening”. The repercussions of those attacks are still being answered for and sparked many legal battles.
(Image from: Network Coverage)
How can you protect yourself against phishing attacks? Awareness is critical for safeguarding against phishing attacks. Knowing the signs of a phishing attempt can shut them down instantly. First, never click on a link or attachment before verifying the validity of the source. There are many scanning tools available to check emails for viruses, but some malicious emails will still go undetected by providers. Always take the extra time to verify that the spelling of the sender’s name is correct and that it comes from the right domain. If you notice strange emails with different variations of a legitimate name, contact the IT department and make them aware ASAP. Second, it is a good idea to send employees a monthly reminder of the steps being taken to stop phishing attacks, to keep awareness high. This would include letting employees know that no emails will be sent with embedded hyperlinks to websites and that the company will never ask for personal information via email. Third, it is advised to keep all website certificates up to date, to ensure the legitimacy of the websites employees are directed to use. This helps immensely when being redirected to a “cloned” website. Remember, always verify the URL and certificate of the site you are being redirected to. Other tips include using spam filters, correctly configuring the email client, monitoring phishing sites, correctly configuring the web browser, and using https. In the end, you must also trust your own instincts and become a “Human Firewall”. If something seems suspicious, it most likely is. Take the proper precautions and always stay vigilant.
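The checks above (is the sender’s domain really the right one, and does a link go where its text claims?) can be automated as a first-pass triage before a human looks at the message. The following is an added example, not code from the original post or from any product it mentions: it folds common look-alike characters (0 for o, rn for m), measures edit distance against a constructed allow-list of trusted domains, and compares each link’s visible text with the host in its href. The trusted-domain list, the sample email, and the function names are all assumptions made for this illustration.

```python
"""Triage an inbound email for look-alike sender domains and mismatched links.

Added example; the allow-list, sample message and helper names are constructed."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed allow-list: domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"facebook.com", "examplebank.com"}

# Character substitutions commonly used to imitate a trusted name.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: sender and first link imitate Facebook, second link is genuine.
SAMPLE_EMAIL = """\
From: Facebook Support <security@faceb00k-support.com>
To: employee@example.org
Subject: Your password must be reset
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed unusual activity. Please reset your password now.</p>
<p><a href="http://login.faceb00k-support.com/reset">https://www.facebook.com/settings</a></p>
<p><a href="https://www.facebook.com/help">Help Center</a></p>
</body></html>
"""


def normalize(label: str) -> str:
    """Fold look-alike characters so 'faceb00k' compares equal to 'facebook'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Keep the last two labels ('login.facebook.com' -> 'facebook.com').
    Simplification for the example: production code should consult the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' = exact allow-list match, 'lookalike' = near miss of one, else 'unknown'."""
    dom = registrable(domain)
    if dom in trusted:
        return "trusted"
    name = normalize(dom.split(".")[0])
    for t in trusted:
        brand = t.split(".")[0]
        # Same brand with another TLD, brand embedded in a longer name, or a near-typo.
        if name == brand or brand in name or levenshtein(name, brand) <= 2:
            return "lookalike"
    return "unknown"


def check_links(html: str) -> list:
    """Flag links whose host is a look-alike, or whose text names a trusted brand
    while the href points somewhere that is not on the allow-list."""
    findings = []
    for href, text in LINK_RE.findall(html):
        host = urlparse(href).hostname or ""
        verdict = classify_domain(host)
        shown = re.sub(r"<[^>]+>", "", text).strip().lower()
        mentions_trusted = any(t.split(".")[0] in shown for t in TRUSTED_DOMAINS)
        if verdict == "lookalike" or (verdict != "trusted" and mentions_trusted):
            findings.append({"text": shown, "href": href, "host": host, "verdict": verdict})
    return findings


def analyze_message(raw: str) -> dict:
    """Parse an RFC 5322 message and report on its sender domain and links."""
    msg = message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0].domain if from_hdr and from_hdr.addresses else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    return {
        "sender_domain": sender,
        "sender_verdict": classify_domain(sender),
        "suspicious_links": check_links(html),
    }


if __name__ == "__main__":
    report = analyze_message(SAMPLE_EMAIL)
    print("sender:", report["sender_domain"], "->", report["sender_verdict"])
    for f in report["suspicious_links"]:
        print("suspicious link:", f["text"], "->", f["host"], f"({f['verdict']})")
```

Run against the constructed sample, the sender domain and the first link are both reported as look-alikes, while the genuine facebook.com link passes. The edit-distance threshold is deliberately loose; a flagged message should go to a human for the verification steps described above rather than be treated as proof of phishing.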