Phishing Attacks

What is phishing and how to combat phishing attacks

At a Glance:

Phishing is a type of security attack that attempts to trick or coerce targets into divulging sensitive/valuable information. Sometimes referred to as a “phishing scam,” attackers target users’ login credentials, financial information (such as credit cards or bank accounts), company data, and anything that could potentially be of value. And while some phishing attacks are fairly easy to spot, others can be more difficult to identify.

Types of Phishing Attacks

At its most basic definition, the term phishing attack often refers to a broad attack aimed at a large number of users (or “targets”). This can be thought of as a “quantity over quality” approach, requiring minimal preparation by the attacker, with the expectation that at least a few of the targets will fall victim to it (making the minimal up-front effort attractive even though the expected gain for the attacker isn’t usually all that big).

Phishing attacks typically engage the user with a message intended to solicit a specific response (usually a mouse click) via an emotion or desire, such as:

  • “You could win a $50 gift card to Restaurant X” (greed)
  • “Your Purchase Order has been approved” (confusion)
  • “Your account will be cancelled if you do not log in immediately” (concern, sense of urgency)

Attackers have innovated on phishing attacks over the years, coming up with variations that require more up-front effort by the attacker but result in either a higher rate of victims or a higher value “payout” per victim (or both!).

Spear Phishing

When a phishing attack is customized to target an organization or specific individual(s), it’s referred to as spear phishing. These attacks involve additional information gathered ahead of time and incorporate other elements—such as company logos, email and website addresses of the company or other businesses the company works with, and sometimes professional or personal details of a target—in order to appear as authentic as possible. This additional effort by the attacker tends to pay off with a larger number of targets being duped.

Whaling

As a variation of the spear phishing attack, whaling targets an organization’s senior or C-level executives. Whaling attacks typically take specific responsibilities of these executive roles into consideration, using focused messaging to trick the victim. When a whaling attack successfully dupes a target, the attacker’s windfall can be substantial (e.g. high-level credentials to company accounts, company secrets, etc.).

Clone Phishing

Another variation on spear phishing attacks is clone phishing. In this attack, targets are presented with a copy (or “clone”) of a legitimate message they had received earlier, but with specific changes the attacker has made in an attempt to ensnare the target (e.g. malicious attachments, invalid URL links, etc.). Because this attack is based on a previously seen, legitimate message, it can be effective in duping a target.

And More

Attackers continue to seek out new and creative ways to target unsuspecting computer users. A recent phishing attack involved a Google Doc received via email from a user known to the target; opening it would then try to obtain the target’s Google login credentials (and also send itself to every address in the target’s address book). More passive attack types, like pharming, can result in the same losses as other phishing attacks.

Phishing Techniques

Attackers use a number of mechanisms to phish their targets, including email, social media, instant messaging, texting, and infected websites—some attacks are even carried out using old-school phone calls. Regardless of the delivery mechanism, phishing attacks rely on a handful of common techniques.

Link Spoofing

One common deception attackers use is making a malicious URL appear similar to an authentic URL, increasing the likelihood that a user will not notice the slight difference(s) and click the malicious URL. While some of these manipulated links can be easily identified by targeted users who know to “check before they click” (e.g. authentic URL thelegitbank.com vs. shady URL theleg1tbank.com), things like homograph attacks, which take advantage of characters that look alike, can reduce the efficacy of visual detection.
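As an added example (not code from the original article), the following Python check flags the kinds of lookalike URLs described above: the digit-for-letter swap in theleg1tbank.com, hostnames that mix Unicode scripts (the homograph case), punycode hostnames, and a protected name buried inside a different domain. The PROTECTED_DOMAINS set and the confusable-character map are constructed assumptions for this example.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed list of domains this check protects (assumption for the example).
PROTECTED_DOMAINS = {"thelegitbank.com"}
# Digits and symbols commonly swapped for the letters they resemble.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_in(host: str) -> set:
    """Unicode scripts of the letters in host, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}


def check_link(href: str) -> list:
    """Return the reasons a URL's hostname looks like a lookalike (empty = clean)."""
    parsed = urlparse(href if "//" in href else "//" + href)
    host = (parsed.hostname or "").lower()
    if host in PROTECTED_DOMAINS:
        return []  # exact match with a protected domain: nothing to flag
    findings = []
    if "xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("non-ASCII or punycode hostname")
    if len(scripts_in(host)) > 1:
        findings.append("mixed-script hostname (possible homograph)")
    normalized = host.translate(CONFUSABLES)
    for good in PROTECTED_DOMAINS:
        if normalized == good or edit_distance(host, good) <= 2:
            findings.append(f"lookalike of {good}")
        elif good in host:
            findings.append(f"{good} embedded in a different domain")
    return findings
```

A mail filter or link-rewriting proxy would run check_link over every href in a message and quarantine or annotate the message when the list comes back non-empty.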

Website Spoofing

Links aren’t the only thing attackers can spoof. A website can be forged to appear as the authentic, legitimate site, using techniques such as Flash or JavaScript that let the attacker control how the URL is displayed to the targeted user, so the page shows the legitimate URL even though the user is actually on the malicious website. Cross-Site Scripting (XSS) takes this one step further: an XSS attack exploits a vulnerability in the legitimate website itself, so the attacker can present the real site (legitimate URL, legitimate security certificate, and so on) and quietly steal the credentials the user provides.

Malicious and Covert Redirects

Redirects are a way for attackers to force a user’s browser to interact with an unexpected website. A malicious redirect typically involves a website the targeted user visits routinely and on purpose, which then forcibly redirects all visitors to the undesired, attacker-controlled website. An attacker can accomplish this, for example, by compromising the website and planting their own redirection code, or by discovering an existing bug on the site that allows a forced redirect through specially crafted URLs.

As the name implies, covert redirects make it less obvious to the target user that they are interacting with an attacker’s site. A common scenario of a covert redirect would be where an attacker compromises an existing website by giving a new action to an existing “Log in with your Social Media account” button that a user might click in order to leave a comment. This new action collects the social media login credentials the user provided and sends them to the attacker’s website before proceeding to the actual social media website, leaving the targeted user none the wiser.

How to Prevent Phishing Attacks

The following suggestions are designed to keep phishing attacks from succeeding and to blunt the ones that get through:

Continuous User Education and Exercise

  • Transform all users (from the CEO on down) into one of your best assets in the fight against phishing attacks. Involve users in periodic security awareness training and education (as well as re-education) on how to identify and avoid phishing scams, complemented with regular, unannounced phishing “exercises” to reinforce and apply what they’ve learned. This will ensure users have up-to-date awareness on the latest phishing attacks and actually do what they should when they come across one.

Filter Suspicious Attachments

  • Remove and quarantine incoming attachments known to be utilized in malicious ways before they reach your users.

Filter on Malicious URLs

  • Quarantine messages that contain malicious URLs. Similarly, make sure to safely resolve URLs from link shorteners (e.g. bit.ly or goo.gl) to confirm they don’t lead to malicious destinations.
  • In an attempt to bypass filters, some attackers will send a phishing message that contains no text in the body and one large picture (in which the picture itself contains text, which some filter technology ignores). Newer filter technology based on character recognition can detect these messages and filter them.
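As an added example (not code from the original article), this Python code resolves a shortened link the safe way the first bullet calls for: one HEAD request per hop so no page body is downloaded, no automatic redirect following, a hop limit, and a check of every hop against a destination blocklist. MALICIOUS_HOSTS, the bit.ly/goo.gl redirect table and demo_head are constructed so the walk runs offline; http_head is the real request function a filter would pass in.

```python
import urllib.error, urllib.request
from urllib.parse import urljoin, urlparse

# Constructed blocklist of destinations (assumption for the example).
MALICIOUS_HOSTS = {"theleg1tbank.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # a longer chain is treated as suspicious rather than followed further

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib surface the 3xx instead of silently following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_head(url: str):
    """Send one HEAD request (no body, no auto-follow); return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx arrives here
        return err.code, err.headers.get("Location")

def resolve_chain(url: str, head=http_head):
    """Walk redirects one hop at a time; stop on a blocked host or too many hops."""
    chain = [url]
    for _ in range(MAX_HOPS):
        host = (urlparse(chain[-1]).hostname or "").lower()
        if host in MALICIOUS_HOSTS:
            return chain, "block"
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, "allow"  # final destination reached and not on the blocklist
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain, "block"

# Constructed redirect table so the walk can be demonstrated offline.
DEMO_REDIRECTS = {
    "https://bit.ly/3xample": (301, "https://goo.gl/h0p2"),
    "https://goo.gl/h0p2": (302, "/login"),
    "https://goo.gl/login": (302, "https://theleg1tbank.com/login"),
    "https://goo.gl/loop": (302, "https://goo.gl/loop"),
}

def demo_head(url: str):
    """Offline stand-in for http_head that answers from DEMO_REDIRECTS."""
    return DEMO_REDIRECTS.get(url, (200, None))
```

Calling resolve_chain("https://bit.ly/3xample", head=demo_head) walks three hops and returns the verdict "block" because the final host is on the blocklist; the self-referencing goo.gl/loop entry shows the hop limit ending an endless chain with the same verdict.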

Promote Good Credential Behavior

  • Disallow weak passwords.
  • Enforce recurring password changes for users.
  • If your users are currently only using a single level of authentication, consider moving them to a two-step verification (2SV) or two-factor authentication (2FA; even better than 2SV) solution.

It is also good practice to regularly scan user and infrastructure systems for malware and to keep them current on software updates and patches.

The breadth of phishing attacks and attack methods out there may sound scary, but with proper training around what a phishing attack is, how it works, and how it can harm users and their organizations, you can help ensure you’re as prepared as possible to recognize the threat and mitigate it accordingly.