What is Phishing.
Phishing is an attempt to obtain sensitive information such as usernames, passwords, etc. by disguising as a trustworthy entity in email communication or instant messaging. It often directs users to enter personal information at a fake website whose look and feel are identical to the legitimate site.
Phishing is an example of social engineering techniques being used to deceive users. Popular phishing websites fake corporate email login websites, banks, online payment processors or IT administrators.
Attempts to deal with phishing incidents include legislation, user training, public awareness, and technical security measures – because phishing attacks also often exploit weaknesses in current web security.
Real phishing examples.
Some of the best-known breaches in history started with a simple phishing email:
- Target breach that affected over 110 Million customers https://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
- Wannacry ransomware attack https://www.nytimes.com/2017/10/27/world/europe/uk-ransomware-hack-north-korea.html
- Hillary Clinton email scandal https://www.businessinsider.com/hillary-clinton-campaign-john-podesta-got-hacked-by-phishing-2016-10
Phishing is one of the oldest and simplest social engineering tricks. Phishing emails target their victims by masking malicious links and attachments as routine tasks or urgent requests, and count on the fact that some people will not pay attention and will click on an attachment or enter credentials to get in.
Below are some of the phishing emails that Perception Point catches every day, mimicking the Microsoft Office 365 login, PayPal, large US banks, DocuSign, DHL and Dropbox, to name a few.
Docusign Phishing Campaign 2018
Microsoft Office365 Phishing Campaign 2018
DHL Phishing Campaign 2019
How it works.
There are a number of techniques that fall under the umbrella of phishing emails, but they all start with a disguise. The two main categories of a phishing email campaign are:
- User credential harvesting – the email is designed to trick the user into clicking a link that leads to a fake site, like the Office 365 login or DocuSign examples above. Once the user enters his credentials, the attacker can use them to breach a system or account. The attacker can stay silent in the network for a long period of time before starting to do damage.
- Download payload – the email is designed to trick the user into clicking a link that initiates a download of malware to his machine. Like the fake DHL example above, the user is tricked into clicking a tracking link for a package and downloads malware that can attack in various ways.
Creating a phishing site is extremely easy and available to any criminal, even without being a cybersecurity expert. A simple Google search for “how to create phishing website” leads to hundreds of results with step-by-step guides, GitHub projects for phishing frameworks that can support 2FA https://github.com/ustayready/CredSniper and so on. Each guide or framework will help the attacker to:
- Clone a legitimate site
- Set the login fields in the web page to point to a credential-stealing script
- Upload the phishing HTML to a domain (hacked/real/free host domain)
- Send emails with the phishing URL
- Collect credentials and use them to send more emails and collect more credentials from other users
- Sell the credentials on the Darknet
How to prevent.
Many organizations invest less in phishing as part of their email security strategy because, in their view, it is less damaging. Downplaying the importance of phishing prevention is clearly wrong and exposes the organization to breaches.
Phishing prevention requires a layered approach that includes:
- Email phishing prevention – Scan all URLs in an email or in an attachment. Check URL reputation and dynamically scan the linked websites to uncover phishing sites that have not yet been reported
- Anti-malware protection – Block malware that is delivered or downloaded through a phishing URL. Dynamically scan the website for a background download of a malicious payload
- Email authentication – Prevent impersonation attacks such as spoofing and BEC
- Security awareness training – Arm your users with the knowledge and techniques to deflect phishing attempts. Several companies offer phishing training solutions and can guide your users on how to identify a phishing site. Google recently launched a phishing quiz https://phishingquiz.withgoogle.com/ that can be a good start for this initiative
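To make the first three layers concrete, here is an added example (not Perception Point's code or product) that triages a single email the way a simple mail gateway check would: it pulls the URLs out of the body, flags hosts that borrow a brand name such as DHL or Office 365 without being under the brand's real domain, flags links to executable downloads, and reads the spf/dkim/dmarc verdicts from the Authentication-Results header. The sample message, the `.example` hosts and the brand lists are constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a DHL-style tracking lure with a fake Office 365 sign-in link.
RAW_EMAIL = b"""From: DHL Express <notify@dhl-parcel-tracking.example>
To: user@example.com
Subject: Your parcel is waiting - action required
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=dhl-parcel-tracking.example; dkim=none; dmarc=fail header.from=dhl-parcel-tracking.example
Content-Type: text/html; charset=utf-8

<html><body>Track your package: <a href="http://dhl-parcel-tracking.example/track/update.exe">Track now</a>
or sign in at <a href="https://login.microsoftonline.com.office365-verify.example/">Office 365</a></body></html>
"""

# Brand keywords commonly abused in lures, and the domains those brands really use (assumed lists).
BRANDS = ("dhl", "docusign", "paypal", "office365", "microsoftonline", "dropbox")
LEGIT_SUFFIXES = ("dhl.com", "docusign.com", "paypal.com", "microsoftonline.com", "office.com", "dropbox.com")
URL_RE = re.compile(r'href=["\']?(https?://[^"\'\s>]+)', re.I)
EXEC_EXT = (".exe", ".scr", ".js", ".zip")

def auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} parsed from Authentication-Results."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r'\b(spf|dkim|dmarc)=(\w+)', hdr)}

def lookalike_host(host):
    """True when the host carries a brand keyword but is not under that brand's real domain."""
    host = host.lower()
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return False
    return any(b in host for b in BRANDS)

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message; empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    findings = []
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        if lookalike_host(parts.hostname or ""):
            findings.append(f"lookalike host: {parts.hostname}")
        if parts.path.lower().endswith(EXEC_EXT):
            findings.append(f"executable download: {url}")
    auth = auth_results(msg)
    if auth.get("spf") == "fail" or auth.get("dmarc") == "fail":
        findings.append(f"sender authentication failed: {auth}")
    return findings
```

In a real gateway the lookalike check would be fed by a maintained brand list and the URL would also be sent for reputation lookup and dynamic scanning, which this example does not do.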