Cyber Security Part 2: Phishing Attacks

By: Hart Johnson, MSCSIA, CEH, CHFI; Cyber Security Officer

What is Phishing?

Well, the phishing being referred to in this article isn’t going out to your favorite lake, casting a line out, and hoping to land a big ol’ bass, but it definitely shares some similarities.  Phishing is a type of Social Engineering¹ attack, used to steal data, credentials, credit card details, and insert malware into a system.  These attackers use the trust we humans have with each other, to trick the victim into giving them what they want with little effort on the attackers part.  Phishing is incredibly successful and VERY easy to pull off, it is one of the preferred choices for attackers to gain access to a system in the world we live in.  With many working from home, this gets compounded by the lack of security on home networks/devices that could make this attack even worse for organizations.  There are a variety of different phishing attacks, and not all are created equal.  Let’s learn about some of the more common types of phishing attacks you need to watch out for.

Types of Phishing Attacks

Malware Implant

Gaining a foothold into a corporate network or other system is a dream come true for most attackers. There are several different ways to do this, but phishing attacks can help make this easier on the attacker to pull off.  They simply go on the Dark Web, buy a pre-built piece of malware, attach it to an email, and send it to their victim.  Now you might think “I’ll never fall for it”, but you would be surprised.  According to PhishingBox, 64% of organizations have fallen victim to a phishing attack in the past year and over 70% of all cyber attacks employ a phishing component. (PhishingBox, 2020)  So let’s walk through how this works:Attacker acquires malware (this could be ransomware, a virus, or some other kind of nefarious exploit to gain access to the network/system)

1.Attacker acquires malware (this could be ransomware, a virus, or some other kind of nefarious exploit to gain access to the network/system)

2. Attacker gathers a list of email addresses

3. Attacker crafts an email message that looks something like this:

4. The attack sends the message out to the massive list of emails and waits until someone opens the attachment.

5. Once a victim opens the attachment, the Locky Ransomware takes hold, encrypts their files, and then the attacker demands a ransom be paid (usually in cryptocurrency) in order to unlock your files.

In this example, the attacker crafts an email from what looks to be a trusted source, asking to review a financial statement.  They attach a zip file into the email, that is embedded with the Locky Ransomware malware.  Downloading this file, would cause all files on your machine to be encrypted with a key that only the attacker knows, thus rendering your files useless (we will talk specifically about ransomware in later posts). 

A few things to note about this.  There is no guarantee that the attacker will actually give you the decryption key for your files after you pay.  There is no guarantee that the malware won’t come back with a vengeance.  The malware can even crawl through network attached storage devices, meaning it can bring down your whole organization if safeguards aren’t in place. Protecting yourself from Ransomware and what to do after you are infected is out of the scope of this post (we will touch on it in a later blog post), however, a few tips can help you:

  • Backup your systems regularly, keep them encrypted, and separate from your normal system
  • Don’t open unsolicited attachments
  • Patch your system on a REGULAR basis
  • Learn how to spot phishing emails

As you can see, embedding malware into your system through a phishing attack is rather easy for the attacker and requires virtually no skill to do so.

Credential Stealing

This one is simple, effective, and fairly easy to pull off, but incredibly damaging.  It can even be compounded by lack of password hygiene (using the same password for multiple services. Side note, don’t do that!).  In this attack, the goal of the attacker is to trick the user into handing over their password to one or multiple services.  There are a few variations of this, one might look like it is coming from a trusted contact, asking for the password, and hoping that you will just give it to them.  Another variation, pretends to be the service itself, wanting you to reset your password, or “your account needs action”.  You click on the link, it looks like a real login page, but it is really set up by the attacker to grab your username and password.  Now the attacker can simply login as you and gain access to whatever service those credentials are for (and if you use the same password elsewhere, you bet they will start trying other services as well).  So here is the basic flow of this type of phishing attack:

  1. Attacker acquires a list of users for a certain service.
  2. Attacker sets up a fake login site for the service
  3. Attacker sends an email to list of users with a link asking them to take some action
  4. User clicks on link, enters username and password in fake site
  5. Attacker redirects the user to the real site (user is now unaware anything is wrong)
  6. Attacker then has user’s credentials to login to service at any time

Spear Phishing/Whaling

Spear phishing is a phishing attack, but one that is targeted at a specific individual or department within an organization. Whaling is when this type of attack involves a high level executive. Payroll departments get hit with this type of scam all the time.  One common attack, will be an email claiming to be from a high level executive (the attacker spoofs² the email address) to the payroll department, claiming the need to switch their direct deposit to another bank account, usually because of an access issue or other problem with their existing bank account.  Since the email looks legitimate, there are instances where the payroll employee will make the change immediately (since it looks like it is coming from an authority who can do that), and then the next paycheck, will go out to the attacker, rather than the executive. This could be huge sums of money, and it will be gone for good.  Here is a real world example of this type of attack.

As you may have noticed, there are some grammatical errors and the email address is a bit generic, so this one was spotted fairly easily (keep reading for more info on how to spot a phishing attack).  But, on a hectic day, it could easily be missed and processed. 

What to do about Phishing?

There is a key element to almost every phishing attempt, it requires interaction on the victim side.  Basically, in order for phishing to be successful, the victim has to take some action, like replying to an email, downloading an attachment, clicking on a link, etc.  So, the best way to manage phishing is with education (the entire purpose of this article).  Here are a few tips you can use and share with others to help stop phishing attacks:

  1. Be vigilant
    1. This means that you need to keep an eye on things and be aware that these attacks are out there.  If something sounds fishy (see what I did there), it probably is. 
  2. Double check the email address (both the from and the reply-to)
    1. Check both of these pieces, to see if there is a discrepancy from what you normally see.
    2. If the request doesn’t seem normal to you, reach out to the one requesting the information through another channel.
  3. Double check any links
    1. Are the links going to the real URL?  Do they look odd?  Are they sending you to a completely different domain?  These are sure signs of a phishing attack.
  4. Don’t open unsolicited links/attachments
    1. Did you request the attachment that was sent?  What about that password reset link that was sent to you, did you initiate that?  If the answer is no, you might be part of a phishing attack.
    2. One way to handle this, is if you aren’t sure if it is legitimate or not, visit the actual website that you got the password reset from and request a new one.  That way, you know it is coming from the source.  Same thing with an email address/phone number, you can always verify it.
  5. Read over the correspondence for grammar, spelling, and changes in tone/vocabulary. 
    1. If the CEO of your organization always has impeccable grammar and uses certain phrases, but you suddenly get an email riddled with spelling errors, it is probably a phishing attack.

The gist of this is, if something seems off, then you should investigate further.

Software

There are tools, software, and browser extensions that can help mitigate phishing attacks.  Do your due diligence, but even some antivirus/antimalware software offer browser extensions and tools to help mitigate the risk of phishing attacks.  However, the human element can still be susceptible to phishing attacks that don’t implant malware or try to steal credentials through a malicious link.  A phishing attack that asks an employee to buy gift cards for an emergency that comes “from” the CEO will likely not be able to be stopped by software alone.

Training

There are many organizations out there that offer training for employees on how to spot phishing.  My recommendation would be to provide as much information and resources to your team as possible. 

Google has created a great phishing quiz that can give your team some insights into what to watch out for in common phishing attacks.  You can access this through: https://phishingquiz.withgoogle.com/

I sincerely hope that you enjoyed this article and that it provided you with some new knowledge on phishing attacks. These attacks are not going away anytime soon so I would implore you to be vigilant and keep your organization safe!

______________________________________________________________________________

 ¹ Social engineering is a form of techniques employed by cybercriminals designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware or opening links to infected sites. (Kaspersky, 2020)

² Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. https://www.forcepoint.com/cyber-edu/spoofing