
Phishing

Part 1 – 1: Terms and Definitions for Phishing

Term            Definition
Phishing        Social engineering that uses spoofed messages to obtain credentials or other sensitive information
Typosquatting   Registering a URL that differs from a legitimate one by an added, removed, or changed character
Prepending      Adding an extra character to the beginning of a legitimate domain name
Pretexting      Posing as a legitimate person and telling a story designed to get information from the victim
Pharming        Redirecting a large group of users to a fake website at once, typically by poisoning DNS
Vishing         Voice phishing, usually with a spoofed caller ID
Smishing        Phishing over SMS text messages
Reconnaissance  Gathering information about a target before an attack
Spear phishing  Phishing targeted at a specific person or group
Whaling         Spear phishing aimed at CEOs or other executives of a company

Phishing is the umbrella term for attacks in which an attacker sends messages to victims in order to obtain their credentials for sensitive accounts. With those credentials the attacker can easily log in to the victim's bank accounts, social media profiles, brokerage accounts, and so on.

Phishing is usually conducted over a messaging channel such as email, text messaging, or Facebook chat. Most commonly a URL is embedded in the message, and that URL does most of the work for the attacker. The message lures the victim by showing friendly link text while hiding the real address behind it. The visible text reads something like "Click here to update your account information" or "Sign in here to prevent your account from closing". The text tells the victim what they think they are clicking on, but what actually opens is the malicious address hidden behind it.

In the email example, a victim receives an email purporting to be from Wells Fargo saying their bank account profile needs updating. The logo looks like the bank's real logo, and the wording and layout match the emails Wells Fargo sends its customers. The phishing element is the link the victim is invited to click, "Proceed To Update Here". We would expect the link to lead to https://www.wellsfargo.com, but the attacker has set the address to route the victim to a fake website that asks them to log in.

With this simple trick the victim enters their credentials into the fake website, which hands them to the attacker in plain text. The attacker then uses that login to take whatever information they are after.

Three major ways attackers trick victims into clicking links or handing over sensitive information are modifying the URL (typosquatting or prepending) and pretending to be someone else (pretexting).

Typosquatting adds, removes, or changes a character in a URL so that it resembles the legitimate URL of a major website while in fact pointing to a fake one. For example, www.welsfargo.com is missing one "L" in "wells", which is easy to overlook when skimming a phishing email.

Another way to trick a victim is by prepending an extra character to the domain name. For example, adding a second "W" to the beginning of "wells" produces www.wwellsfargo.com.
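To make the link tricks above concrete, here is an added Python example (not code from the Cybertek Defense page) that pulls every link out of a constructed sample message and flags typosquatting, prepending, and link text that names a different site than the href it hides. The KNOWN_DOMAINS allow-list, the SAMPLE_EMAIL body, and the two-label domain helper are assumptions made for this example; a production check would use the Public Suffix List and a real brand list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands we expect to see linked. Constructed allow-list for this example only.
KNOWN_DOMAINS = {"wellsfargo.com", "chase.com", "paypal.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels: 'login.wellsfargo.com' -> 'wellsfargo.com'.
    Good enough for the .com examples here; real code uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """Label a host as 'known', 'prepended', 'typosquat' or 'unknown'."""
    dom = registrable_domain(host)
    if dom in KNOWN_DOMAINS:
        return "known"
    name, _, tld = dom.rpartition(".")
    for known in KNOWN_DOMAINS:
        kname, _, ktld = known.rpartition(".")
        if tld != ktld:
            continue
        # Prepending: the legitimate name is intact after extra leading characters.
        if name.endswith(kname):
            return "prepended"
        # Typosquatting: one or two characters added, removed or changed.
        if edit_distance(name, kname) <= 2:
            return "typosquat"
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze_links(html: str) -> list:
    """Return one (text, host, flags) triple per link found in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        flags = [classify_domain(host)]
        # If the visible text itself looks like a URL, its site must match the href.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            flags.append("text/href mismatch")
        findings.append((text, host, flags))
    return findings


# Constructed sample of a phishing email body; not a real message.
SAMPLE_EMAIL = """
<p>Your Wells Fargo profile needs updating.</p>
<a href="http://secure-login.welsfargo.com/update">Proceed To Update Here</a>
<a href="https://www.wwellsfargo.com/login">www.wellsfargo.com</a>
<a href="https://www.wellsfargo.com/help">Help center</a>
"""

if __name__ == "__main__":
    for text, host, flags in analyze_links(SAMPLE_EMAIL):
        print(f"{', '.join(flags):32} {host:30} {text!r}")
```

The prepending check runs before the edit-distance check because a prepended name such as wwellsfargo is also within edit distance one of the real name, and the more specific label is the more useful one for an analyst.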

Last, the attacker may use pretexting: pretending to be someone else, such as a banker, an FBI agent, the IRS, or a support representative. The attacker presents the victim with a lie such as, "I am from Wells Fargo and I see your account was recently used by someone else; can you provide your social security number to confirm your identity?"

Pharming is when an attacker phishes groups of users rather than individuals, which saves the attacker time and effort and yields a larger payoff. A popular way to pharm many users at once is to poison the DNS records that the website's users rely on, so that victims are redirected to the attacker's fake website. The graph below shows how DNS poisoning works.

With this type of attack, many users may log in with their credentials on the fake website believing it is the legitimate one. It looks legitimate because the victim typed the correct URL into the browser and still ended up on the attacker's site. That is why DNS poisoning is hard to notice, even for basic security controls: the browser relies on DNS to translate the name into an address, and the end user cannot easily see which DNS servers answered or whether the answer was genuine.

When cell phones became available to the general public, communication changed: users could call, leave voicemails, and text others wirelessly on the go. While this sounded amazing at the time, it also opened the door to a flood of phishing attacks.

Vishing (voice phishing) uses fake phone numbers or caller ID spoofing to make the victim believe a legitimate company is calling. As with pretexting, the attacker pretends to be someone else and lies about who they are and why they are calling, usually to extract sensitive information from the victim.

Smishing (SMS phishing) is a text message that asks the victim to click a link. It typically combines sender ID spoofing with typosquatting, so the victim expects to land on a legitimate website but actually opens a fake one.

Attackers rely on gathering information about their targets before any attack; this is called reconnaissance. Sophisticated attacks are best prepared by observing the environment in which the attack will take place: what technology is in use, which users interact with the systems, and what security controls could stop the attacker from gaining access.

Social media is a proven source of information about victims and the systems they use. People post millions of comments, names, videos, and other personal details that anyone can read by creating a free account on Facebook, LinkedIn, Pinterest, and similar sites. Company website links, home addresses, personal phone numbers, gender, age, and similar details are commonly found there as well.

This leads to spear phishing, an attack in which the attacker already has information about the victim and can therefore craft a far more convincing lure than a generic phishing message. When spear phishing is aimed at CEOs, CFOs, and other executives, it is called whaling. These attacks have a higher potential payout: a department head may control millions of dollars or hold confidential information of great value to the attacker, whereas with a random individual the attacker generally does not know what the attack will yield.
