Phishing Attacks: Identification and Prevention
Before we begin to identify phishing attacks and how to prevent them, we have to identify what exactly phishing is.
Phishing is a way to obtain sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy brand or person, via social media or some kind of electronic communication such as email. The most common examples of phishing scams/attacks are those that target online banking customers, where users receive emails that appear to be from their bank asking them to click on a link to review recent transactions. The link takes users to a site that looks like their legitimate bank but is actually controlled by the attacker. The user then enters their username and password into the phishing website, which collects the user’s login credentials and gives the malicious creator of the site access to the user’s account. What commonly happens afterward is the draining of balances.
Now that we have some background let's begin:
Also called “deception phishing,” email phishing is one of the most well-known and common attack types. Malicious actors send emails to users impersonating a known brand and leveraging social engineering tactics to create a heightened sense of immediacy, and then lead people to click on a link or download an attachment.
The links traditionally go to malicious websites that either steal credentials or install malware on a user’s device. The downloads, usually PDFs, have Trojans stored in them that reveal themselves after the user opens the document.
How to identify/prevent email phishing:
Most people recognize some of the primary indicators of a phishing email. However, for a quick refresher, some traditional things to look for when trying to mitigate risk include:
- Too Good To Be True: Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many scams claim that you have won a new iPhone, the lottery, or some other lavish prize/opportunity. If you see an email like that, don’t click on it. Remember that if it seems too good to be true, it most likely is!
- Sense of Urgency: A common tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes or hours to respond. When you come across these kinds of emails, it’s best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most credible organizations give ample time before an account is terminated, and they never ask patrons to update personal details over the Internet via a third party. When in doubt, visit the source directly rather than clicking a link in an email.
- Hyperlinks: A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different, or it could be a frequently visited website with a misspelling, for instance, www.pncbankk.com. See, there is an extra “k”; it’s easy to miss at a quick glance.
- Attachments: If you see an attachment in an email that you weren’t expecting or that is contradictory, don’t open it! Attachments often contain payloads like ransomware or other viruses. The only file type that is usually safe to click on is a .txt file, but even those are, at times, not safe.
- Unusual Sender: If you come across an unusual sender, especially one you are not expecting or who is not known to you, proceed with great caution and use all of the other tips above.
A link that uses Hypertext Transfer Protocol Secure (HTTPS) is often considered “safe” to click because it uses encryption to increase security. Most legitimate organizations now use HTTPS instead of HTTP because it establishes trustworthiness. However, cybercriminals commonly leverage HTTPS and the trust it carries too, including it in the links that they put into phishing emails.
How to Identify/prevent HTTPS Phishing:
While this is often part of an email phishing attack, there is a subtle distinction in how to approach it. So when trying to decide if a link is legitimate or not, consider the following:
- Shortened links: Make sure that the link is in its original, long-tail format, shows all parts of the URL, and is not a tinyurl or bitly link.
- Hypertext links: These are “clickable” links embedded into the text to hide the real URL. Hover over them to see the real link.
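The link checks described above (the misspelled www.pncbankk.com domain, shortened links, and link text that hides the real URL) can be automated over an email's HTML body. This is an added example, not part of the original article; the trusted-domain list, the shortener list, the 0.85 similarity cutoff and the sample email are assumptions constructed for illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed for this example: the trusted-domain list, shortener list and 0.85 cutoff.
TRUSTED = ["pncbank.com", "google.com"]
SHORTENERS = {"tinyurl.com", "bit.ly"}

def host_of(text):
    """Lowercase hostname of a URL-like string, without a leading 'www.'."""
    text = text.strip()
    host = (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return [(href, [reasons])] for links that deserve a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, reasons = host_of(href), []
        if host in SHORTENERS:
            reasons.append("shortened link hides the destination")
        if host not in TRUSTED and difflib.get_close_matches(host, TRUSTED, 1, 0.85):
            reasons.append("lookalike of a trusted domain")
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != host:
            reasons.append("visible text names a different site than the link")
        if reasons:
            findings.append((href, reasons))
    return findings

SAMPLE = ('<a href="https://www.pncbankk.com/login">www.pncbank.com</a> '  # constructed
          '<a href="https://bit.ly/EXAMPLE">click here</a> '
          '<a href="https://www.pncbank.com/">our site</a>')
```

Calling `check_links(SAMPLE)` flags the first two links and leaves the genuine one alone. A similarity cutoff only catches near misses, so it complements hovering over the link rather than replacing it.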
Spear phishing often uses email as a vector of attack, but it takes a more targeted approach. Cybercriminals start by using open source intelligence (OSINT) to gather information from published or publicly available sources like social media or a company’s website. Then, they target specific individuals using real names, job functions, work telephone numbers, familiar names, recent events, etc., to make the recipient think the email is from someone or an organization they deal with frequently.
How to Identify/prevent spear-phishing:
- Abnormal requests: Look out for requests that come from people or organizations that seem out of the ordinary considering normal behavior and actions.
- Shared drive links: Be wary of links to documents stored on shared drives like Google Suite, O365, and Dropbox because these can redirect to a fake/malicious website that can infect you with various types of malware.
- Password-protected documents: Any documents that require a user login ID and password may be an attempt to steal credentials.
- Make a Phone Call: A spear phishing attack can be so well masked that, at times, it does not give the recipient any hint that it is malicious. An attacker can spoof the name, email address, and even the format of the email that you usually receive. So don’t hesitate to make a phone call to the alleged sender to confirm the legitimacy of the email.
A whaling attack is a type of phishing attack where upper management within an organization, like the CEO or the CFO, is targeted. This attack hinges on the cybercriminal masquerading as another senior member of the organization or as a trusted, known source to gain the trust of the target. Once trust is gained, the attacker can probe the target for information that helps them gain access to sensitive areas of the network, passwords, or sensitive user account details.
How to Identify/prevent Whaling:
- Abnormal request: If a senior leadership member has never made contact before, be wary of taking the requested action.
- Recipient email: Since many people use email applications that connect all their email addresses, make sure that any request that appears normal is sent to a work email, not a personal one.
- Education: Executives are often more focused on keeping the business alive and well than on having a security mindset. So educating them on the dangers of whaling is important.
- Invest in DLP Software: Data Loss Prevention (DLP) software can block violations of the protocols put in place. It can also flag emails based on the name and age of the domain, the similarity of the display name to known contacts, and suspicious keywords such as “wire transfer” or “invoice”.
- Anti-virus/malware software: Having this installed will help prevent malware from infecting any senior members of an organization.
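Two of the flags the DLP bullet describes, display-name similarity to known contacts and suspicious keywords, look like this when applied to a raw message. This is an added example, not code from any DLP product; the executive directory, the 0.8 similarity threshold and the sample message are assumptions constructed for illustration, and the domain-age check is left out because it needs an external lookup.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the executive directory, keyword list and 0.8 threshold.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real address
KEYWORDS = ("wire transfer", "invoice")

def flag_message(raw):
    """Return the reasons a raw RFC 5322 message should be held for review."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []
    # A display name close to an executive's, sent from an address that is not theirs.
    close = difflib.get_close_matches(name.lower(), list(EXECUTIVES), 1, 0.8)
    if close and addr.lower() != EXECUTIVES[close[0]]:
        flags.append("display name resembles a known contact, address does not match")
    # Keyword scan over the subject and a single-part text body.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}".lower()
    flags += [f"keyword: {k}" for k in KEYWORDS if k in text]
    return flags

# Constructed sample: the display name swaps the letter "o" for a zero.
SAMPLE = """\
From: "Jane D0e" <ceo.office@mail.example.net>
To: cfo@example.com
Subject: Urgent invoice

Please process the wire transfer today.
"""
```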
Voice phishing or “vishing” happens when a cybercriminal calls and creates a heightened sense of urgency that makes a person take an action against their best interests. These calls normally occur around stressful times. For example, many people receive fake phone calls from people posing as the Internal Revenue Service (IRS) during tax season, indicating that they want to do an audit and need a social security number. Because the call creates a sense of panic and urgency, the recipient can be tricked into giving away their Social Security Number (SSN).
But vishing doesn't always come with a sense of urgency. Cybercriminals may mislead with familiarity and liking to slip under the radar.
How to Identify/prevent vishing:
- Caller Number: The number might be from an unusual location, blocked, and/or unrecognized.
- Timing: The call’s timing coincides with a season, incident, or event that causes stress.
- Requested Action: The call requests personal information that seems unusual for the type of caller.
- Threats: No valid and credible organization or person will resort to threats. If somebody is threatening you for sensitive information, hang up and make a police report.
- Call from a Government agency: Unless you’ve requested contact or are expecting a phone call from a government agency, federal agencies will never initiate contact with you by email, text messages, or social media channels to request personal or financial information. In fact, be skeptical of anyone who calls you with an offer.
- Verifying Identity: Any legitimate caller would not have a problem providing the information necessary to verify their identity. If they can’t or won’t, they can’t be trusted. Even if they do provide contact info, it’s still important to independently verify the legitimacy by using an official public phone number to call the organization in question.
Smishing is a kind of phishing attack that involves a text message (SMS). Smishing is particularly scary because people sometimes tend to be more inclined to trust a text message than an email. Most people are aware of the security risks involved with clicking on random links within emails. This is less true when it comes to text messages.
That also includes links that, when clicked, install malware on the user’s device.
How to Identify/prevent smishing:
- Delivery status change: A text requesting that the recipient take action to change a delivery will include a link, so always look for emails or go directly to the delivery service website to check the status.
- Abnormal area code: Review the area code and compare it to the codes you usually see.
- Unknown Number: If you get a message from a number you don’t recognize, don’t click on any links contained inside. It is most likely smishing.
- Shortened links: Make sure that the link is in its original, long-tail format, shows all parts of a legitimate URL, and is not a tinyurl or bitly link.
- Ignore, block, and report: If you encounter smishing, I suggest you ignore and block it, or report it at https://reportfraud.ftc.gov/
There are two types of pharming: pharming malware and DNS poisoning.
DNS poisoning: This type of pharming is a cyberattack involving the redirection of web traffic from a legitimate site to a fake site for the purpose of stealing usernames, passwords, financial data, and other personal information.
When you type a URL into your browser’s address bar, like www.google.com for example, several background processes have to happen before you see that familiar Google logo and search box on your computer screen. During a pharming attack, cybercriminals discreetly manipulate those processes, sending your web traffic to a malicious website instead of the one you intended to visit.
Pharming malware: Also known as DNS changers/hijackers, this malware infects a victim’s computer and stealthily makes changes to the victim’s hosts file. It helps to think of your computer’s hosts file as a catalog of websites that acts, in a way, like an in-house DNS server, which cuts down the time it takes to load each website you visit. With a malware-based pharming attack, the malware sneaks its way onto your computer, commonly with a Trojan, then starts modifying your hosts file so that the domain name of a given website points to a malicious site instead of the legitimate site.
How to identify pharming:
- Insecure website: Look for a website that is HTTP, not HTTPS.
- Website inconsistencies: Be aware of any inconsistencies that indicate a fake website, including mismatched colors, misspellings, strange fonts, or URL typos.
- Use a password manager: Many password managers offer an auto-fill username and password feature, which detects a login page you’ve visited before and for which you saved a password. If the auto-fill does not trigger on a page that looks like your usual login page, treat that as a sign the site is not the one you saved.
- Anti-malware: This type of phishing involves malware, so good anti-malware software is a vital part of protecting against pharming, as it actively blocks malware attempting to hack your computer’s hosts file.
- Use a reliable DNS server. For most of us, our DNS server will be our ISP’s. However, it is possible to switch to a specialized DNS service, which could offer more security against DNS poisoning.
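Because malware-based pharming works by editing the hosts file, auditing that file for entries that override well-known domains is a direct check. This is an added example, not part of the original article; the watch list and the sample hosts content are assumptions constructed for illustration, using documentation-range IP addresses.

```python
import ipaddress

# Assumed watch list for this example: domains worth protecting from redirection.
WATCHED = {"google.com", "pncbank.com"}

def is_watched(name, watched=WATCHED):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, name, ip) for entries that point a watched name at a
    real (non-loopback, non-null) address, which is what a hosts-file hijack does."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comment, split on whitespace
        if len(fields) < 2:
            continue                            # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, not a mapping
        if ip.is_loopback or ip.is_unspecified:
            continue                            # localhost / ad-block style null route
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if is_watched(name, watched):
                findings.append((line_no, name, str(ip)))
    return findings

# Constructed sample hosts file; line 4 is the kind of entry pharming malware adds.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
::1            localhost
# 203.0.113.10 www.google.com
203.0.113.10   www.pncbank.com pncbank.com
0.0.0.0        ads.example.net
198.51.100.7   intranet.example.org
"""
```

To audit a real machine, pass in the contents of `/etc/hosts` on Linux and macOS or `C:\Windows\System32\drivers\etc\hosts` on Windows.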
Although most people use pop-up blockers, pop-up phishing is still a risk. Malicious actors can place malicious code in the small notification boxes, called pop-ups, that show up when people go to websites. The newer version of pop-up phishing uses the web browser’s “notifications” feature. For example, when a person visits a website, the browser prompts the person with “www.evilsite.com wants to show notifications.” When the user clicks “Allow,” the pop-up installs malicious code.
How to identify pop-up phishing:
- Irregularities: Review for spelling errors or abnormal color schemes.
- Shift to full-screen mode: Malicious pop-ups can turn a browser to full-screen mode so any automatic change in screen size might be an indicator.
- Loud Repeating Sounds: A loud repeating sound can create a sense of urgency to act now. A real alert will not blast your eardrums or even have loud repeating sounds at all.
- Use ad-block: A good way to stop these pop-ups is to install an ad-blocking extension on your web browser, such as uBlock Origin.
An evil twin phishing attack uses a fake WiFi hotspot, often making it look legitimate, that might intercept data during transfer. If someone uses the fake hotspot, the malicious actors can engage in man-in-the-middle or eavesdropping attacks. This allows them to collect data like login credentials or sensitive information transferred across the connection.
How to identify an evil twin phishing attack:
- “Unsecure”: Be wary of any hotspot that triggers an “unsecure” warning on a device even if it looks familiar.
- Requires login: Any hotspot that normally does not require a login credential but suddenly prompts for one is suspicious.
- Insecure website: When browsing, look out for websites that are normally HTTPS but have changed to HTTP.
- Use a VPN: Use a VPN to encapsulate your Wi-Fi session in another layer of security, so if you are subject to an evil twin attack, any hijacked data the attackers do get will be encrypted.
- Website inconsistencies: Be aware of any inconsistencies that indicate a fake website, including mismatched colors, misspellings, or strange fonts.
Watering hole Attack:
A watering hole attack is a form of cyberattack that targets users by infecting websites that they commonly visit. The watering hole attack takes its name from animal predators, like a crocodile, that lurk by watering holes waiting for an opportunity to attack prey when their guard is down. Likewise, watering hole attackers lurk on niche websites waiting for a chance to infect websites, and in turn, infect their victims with malware.
How to identify watering hole phishing:
- Pay attention to browser alerts: If a browser indicates that a site might have malicious code, do not continue through to the website, even if it’s one normally used.
- Monitor firewall rules: Ensure that firewall rules are continuously updated and monitored to prevent inbound traffic from a compromised website.
- Update your software: Watering hole attacks often exploit holes and vulnerabilities to infect your computer, so updating your software and browsers regularly reduces risk.
- Mask your online activities: Cybercriminals can create more effective watering hole attacks if they know more about the user or users they are targeting. So watching what you put out on the internet, especially on social media, is vital for lowering risk.