Phishing is the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity, using bulk email crafted to evade spam filters.
Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering.
Short History of Phishing
Here is a brief history of how the practice of phishing has evolved from the 1980s until now:
In March 2011, internal RSA staff were successfully phished, leading to the theft of the master keys for all RSA security tokens, which were then used to break into US defense suppliers.
A Chinese phishing campaign targeted the Gmail accounts of senior officials of the United States and South Korean governments and militaries, as well as Chinese political activists. The Chinese government denied accusations that they were involved in the cyber-attacks, but there is evidence that the People’s Liberation Army has assisted in the coding of cyber-attack software.
In August 2013, advertising platform Outbrain became a victim of spear phishing when the Syrian Electronic Army placed redirects into the websites of The Washington Post, Time, and CNN.
In November 2013, Target suffered a data breach in which 110 million credit card records were stolen from customers, via a phished subcontractor account. Target’s CEO and IT security staff members were subsequently fired.
Between September and December of 2013, Cryptolocker ransomware infected 250,000 personal computers via two different phishing emails. The first had a Zip archive attachment that claimed to be a customer complaint and targeted businesses; the second contained a malicious link with a message regarding a problem clearing a check and targeted the general public. Cryptolocker scrambles and locks files on the computer and demands that the owner make a payment in exchange for the key to unlock and decrypt the files. According to Dell SecureWorks, 0.4% or more of those infected paid criminals the ransom.
In January 2014, the Seculert Research Lab identified a new targeted attack that used Xtreme RAT (Remote Access Toolkit). Spear phishing emails targeted Israeli organizations to deploy the advanced malware. 15 machines were compromised – including those belonging to the Civil Administration of Judea and Samaria.
In August 2014, iCloud leaked almost 500 private celebrity photos, many containing nudity. It was discovered during the investigation that Ryan Collins accomplished this phishing attack by sending emails to the victims that looked like legitimate Apple and Google warnings, alerting the victims that their accounts may have been compromised and asking for their account details. The victims would enter their password, and Collins gained access to their accounts, downloading emails and iCloud backups.
In September 2014, Home Depot suffered a massive breach, with the personal and credit card data of 100+ million shoppers posted for sale on hacking websites.
In November 2014, ICANN employees became victims of spear phishing attacks, and its DNS zone administration system was compromised, allowing the attackers to get zone files and personal data about users in the system, such as their real names, contact information, and salted hashes of their passwords. Using these stolen credentials, the hackers tunneled into ICANN’s network and compromised the Centralized Zone Data System (CZDS), their Whois portal and more.
Former U.S. Nuclear Regulatory Commission employee Charles H. Eccleston pleaded guilty to one count of attempted unauthorized access and intentional damage to a protected computer. His failed spear phishing cyber attack on January 15, 2015 was an attempt to infect the computers of 80 Department of Energy employees in hopes of obtaining information he could then sell.
Members of Bellingcat, a group of journalists researching the shoot down of Malaysia Airlines Flight 17 over Ukraine, were targeted by several spear phishing emails. The messages were phony Gmail security notices containing Bit.ly and TinyCC shortened URLs. According to ThreatConnect, some of the phishing emails had originated from servers that Fancy Bear had used in other attacks previously. Bellingcat is best known for accusing Russia of being culpable for the shoot down of MH17, and is frequently ridiculed in the Russian media.
In August 2015, another sophisticated hacking group attributed to the Russian Federation, nicknamed Cozy Bear, was linked to a spear phishing attack against the Pentagon email system, shutting down the unclassified email system used by the Joint Chiefs of Staff office.
In August 2015, Fancy Bear used a zero-day exploit of Java, spoofed the Electronic Frontier Foundation, and launched attacks against the White House and NATO. The hackers used a spear phishing attack, directing emails to the fraudulent URL electronicfrontierfoundation.org.
Fancy Bear launched a spear phishing campaign against email addresses associated with the Democratic National Committee in the first quarter of 2016. The hackers were quiet on April 15, which in Russia happens to be a holiday honoring their military’s electronic warfare services. Cozy Bear also had activity in the DNC’s servers around the same time. The two groups seemed to be unaware of each other, as each separately stole the same passwords, essentially duplicating their efforts. Cozy Bear appears to be a separate agency more interested in traditional long-term espionage.
Fancy Bear is suspected to be behind a spear phishing attack on members of the Bundestag and other German political entities in August 2016. Authorities worried that sensitive information could be used by hackers to influence the public ahead of elections.
In August 2016, the World Anti-Doping Agency reported a phishing attack against their users, claiming to be official WADA communications requesting their login details. The registration and hosting information for the two domains provided by WADA pointed to Fancy Bear.
Within hours of the 2016 U.S. election results, Russian hackers sent emails containing corrupt zip files from spoofed Harvard University email addresses. Russians used phishing techniques to publish fake news stories targeted at American voters.
In 2017, 76% of organizations experienced phishing attacks. Nearly half of information security professionals surveyed said that the rate of attacks had increased since 2016.
A massive phishing scam tricked Google and Facebook accounting departments into wiring money – a total of over $100 million – to overseas bank accounts under the control of a hacker. He has since been arrested by the US Department of Justice.
In August 2017, Amazon customers experienced the Amazon Prime Day phishing attack, in which hackers sent out seemingly legitimate deals. When Amazon’s customers tried to purchase the ‘deals’, the transaction would not be completed, prompting the retailer’s customers to input data that could be compromised and stolen.
Phishing Techniques
There are a number of different techniques used to obtain personal information from users. As technology becomes more advanced, so do the techniques cybercriminals use.
To prevent Internet phishing, users should know how the bad guys do this, and they should also be aware of anti-phishing techniques so they can protect themselves from becoming victims.
Spear Phishing
Think of spear phishing as professional phishing. Classic phishing campaigns send mass emails to as many people as possible, but spear phishing is much more targeted. The hacker has a specific individual, group of individuals, or organization they want to compromise, and is after more valuable information than credit card data. They research the target in order to make the attack more personalized and increase their chances of success.
Session Hijacking
In session hijacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hijacking procedure known as session sniffing, the phisher uses a sniffer to intercept relevant information (such as a session token) so that he or she can access the web server illegally.
Using the most common phishing technique, the same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, or verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email.
Content Injection
Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. This is done to mislead the user into going to a page outside the legitimate website, where the user is then asked to enter personal information.
Web Based Delivery
Web based delivery is one of the most sophisticated phishing techniques. Also known as “man-in-the-middle,” the hacker is located in between the original website and the phishing system. The phisher traces details during a transaction between the legitimate website and the user. As the user continues to pass information, it is gathered by the phishers, without the user knowing about it.
Phishing through Search Engines
Some phishing scams involve search engines where the user is directed to product sites which may offer low cost products or services. When the user tries to buy the product by entering the credit card details, it’s collected by the phishing site. There are many fake bank websites offering credit cards or loans to users at a low rate but they are actually phishing sites.
Link Manipulation
Link manipulation is the technique in which the phisher sends a link to a fake website. When the user clicks on the deceptive link, it opens the phisher’s website instead of the website named in the link. Hovering the mouse over the link to view the actual address before clicking helps users avoid falling for link manipulation.
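The hover check described above can be automated for a mail gateway or a security-awareness tool. The following Python script is an added example written for this page, not code from the original article or from any vendor: it parses the anchors in an HTML email body and flags a link when the visible text looks like a web address whose domain differs from the real href, when the href hides the real host behind a user-info `@`, when it uses an IP literal, or when it uses a punycode (`xn--`) host. All domains in the sample body are constructed placeholders, and the "last two labels" domain comparison is a simplification (a real deployment would consult a public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that a reader would take for a web address (bare host or full URL).
URL_LIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(url):
    """Return the lower-cased host of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    """Naive 'last two labels' registrable domain (assumption: no public-suffix list here)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_link(href, text):
    """Return the list of reasons a link looks deceptive (empty list = nothing suspicious)."""
    reasons = []
    target = host_of(href)
    if not target:
        return reasons
    netloc = urlsplit(href if "://" in href else "http://" + href).netloc
    if "@" in netloc:
        reasons.append("userinfo-before-host")   # http://trusted.example@attacker.test/
    if target.startswith("xn--") or ".xn--" in target:
        reasons.append("punycode-host")          # IDN homograph candidate
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
        reasons.append("ip-literal-host")
    if URL_LIKE.match(text):
        shown = host_of(text)
        if registrable_domain(shown) != registrable_domain(target):
            reasons.append(f"text-host {shown} != href-host {target}")
    return reasons


def scan_email_html(html):
    """Return [(href, text, reasons)] for every anchor that triggers at least one reason."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        reasons = analyze_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message body; every domain is a placeholder, not a real site.
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Please verify at
<a href="http://login.examplebank.com.evil.test/verify">https://www.examplebank.com/login</a></p>
<p>Or <a href="https://www.examplebank.com/help">contact support</a>.</p>
<p>Update details: <a href="http://xn--examplebank-placeholder.test/update">www.examplebank.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

Running the script on the constructed body flags the first and third anchors (visible text claims examplebank.com, the href points elsewhere) and leaves the "contact support" link alone, because plain-language anchor text makes no claim about the destination.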
Vishing (Voice Phishing)
In phone phishing, the phisher calls the user and asks the user to dial a number. The purpose is to obtain the user’s bank account details over the phone. Phone phishing is mostly done with a fake caller ID.
Keyloggers
Keyloggers are malware that record keyboard input. The captured information is sent to the hackers, who extract passwords and other types of information from it. To prevent keyloggers from capturing personal information, secure websites provide the option to make entries with mouse clicks on a virtual keyboard.
Smishing (SMS Phishing)
Smishing is phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website.
Trojan
A Trojan horse is a type of malware designed to mislead the user with an action that looks legitimate, but actually allows unauthorized access to the user account to collect credentials through the local machine. The acquired information is then transmitted to cybercriminals.
Malware
Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once the user clicks on the link or attachment, the malware starts running. Sometimes, the malware may also be attached to downloadable files.
Malvertising
Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in malvertisements.
Ransomware
Ransomware denies access to a device or files until a ransom has been paid. Ransomware for PCs is malware that gets installed on a user’s workstation through a social engineering attack in which the user is tricked into clicking on a link, opening an attachment, or clicking on malvertising.
Website Forgery
Forged websites are built by hackers to look exactly like legitimate websites. The goal of website forgery is to get users to enter information that can be used to defraud the victim or launch further attacks against them.
Domain Spoofing
One example is CEO fraud and similar attacks. The victim gets an email that looks like it’s coming from the boss or a colleague, with the attacker asking for things like W-2 information or funds transfers. We have a free domain spoof test to see if your organization is vulnerable to this technique.
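A mail filter can catch many CEO-fraud messages from the headers alone. The Python script below is an added example for this page (not the article’s own code or its vendor’s domain spoof test); it uses the standard library `email` module to read the From and Reply-To headers and raises three indicators: a sender domain that is a look-alike of the organization’s own domain (confusable characters such as `rn` for `m`, a one-character edit, or the organization’s name embedded in an unrelated domain), a display name that matches a known staff member but an address that is not theirs, and a Reply-To domain that differs from the From domain. `ORG_DOMAIN`, `KNOWN_STAFF`, and both sample messages are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Assumptions for this example: the organization's own domain and a roster of people
# likely to be impersonated (constructed values, not real ones).
ORG_DOMAIN = "examplecorp.com"
KNOWN_STAFF = {"jane doe": "jane.doe@examplecorp.com"}

# Character pairs that look alike in common fonts; used to normalize look-alike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    d = domain.lower()
    for look, real in CONFUSABLES:
        d = d.replace(look, real)
    return d


def levenshtein(a, b):
    """Plain edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain, org=ORG_DOMAIN):
    """Our own domain or one of its subdomains."""
    return domain == org or domain.endswith("." + org)


def is_lookalike(domain, org=ORG_DOMAIN):
    """True if `domain` is not ours but is built to be mistaken for ours."""
    domain = domain.lower()
    if is_internal(domain, org):
        return False
    if normalize(domain) == normalize(org):
        return True                      # exarnplecorp.com, examp1ecorp.com
    if levenshtein(domain, org) <= 1:
        return True                      # examplecorp.co, examplecorp.cm
    org_label = org.split(".")[0]
    return org_label in domain           # examplecorp-hr.com, examplecorp.com.evil.test


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw):
    """Return the list of spoofing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    flags = []
    if is_lookalike(from_domain):
        flags.append("lookalike-domain")
    expected = KNOWN_STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("display-name-impersonation")
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != from_domain:
            flags.append("reply-to-mismatch")
    return flags


# Constructed sample messages (placeholder domains).
SPOOFED = """From: Jane Doe <jane.doe@examplecorp-hr.com>
Reply-To: Jane Doe <jd.exec@freemail.test>
To: accounts@examplecorp.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

LEGIT = """From: Jane Doe <jane.doe@examplecorp.com>
To: accounts@examplecorp.com
Subject: Q3 figures

Attached as discussed.
"""

if __name__ == "__main__":
    print("spoofed:", assess_message(SPOOFED))   # three indicators
    print("legit:  ", assess_message(LEGIT))     # []
```

These header checks complement, rather than replace, SPF, DKIM and DMARC: authentication results tell you whether the From domain really sent the message, while the look-alike and display-name checks catch the attacker who registers a domain of their own and authenticates perfectly.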
Evil Twin Wi-Fi
Hackers use devices like a pineapple, a tool containing two radios, to set up their own Wi-Fi network. They give it a popular name like AT&T Wi-Fi, which is common in a lot of public places. If you’re not paying attention and connect to the network controlled by the hackers, they can intercept any information you enter during your session, such as banking data.
Users can be manipulated into clicking questionable content for many different technical and social reasons. For example, a malicious attachment might at first glance look like an invoice related to your job. Hackers count on victims not thinking twice before infecting the network.
Top-Clicked Phishing Emails
Curious about what users are actually clicking on? Every quarter we release which subjects users click on the most!
Our customers run millions of phishing tests per year, and we get numbers on which templates are clicked most. The infographic below shows the latest data, broken down into 3 categories. The first two sections rank email subjects related to social media and general emails. ‘In The Wild’ attacks are the most common email subjects we receive from our customers when employees click the Phish Alert Button on real phishing emails and send the email to us for analysis.