The most dangerous attack vector in modern days

By Pedro Tavares, CSIRT.UBI Co-Founder

Cybercriminals continue to use phishing as an effective “cyber weapon”. Of all attack vectors, it remains the most exploited, with a high success rate in malicious campaigns. Phishing campaigns are becoming more sophisticated, and people need to be aware of the danger of falling into crooks’ tentacles. Within a company, for instance, employees should be educated and kept informed about prevalent phishing techniques so that they can proactively protect themselves against the attacks circulating in the wild.

In general, companies are not prepared to fight this old problem, and thus the number of attacks has increased in recent years. For example, after a data breach has been published on the Internet, cybercriminals can run several spear phishing campaigns that reuse the leaked data. Notice that, on average, at least one person in every 14 clicks on a link or opens an attachment delivered in a phishing message.

The most common phishing campaigns

There are various types of phishing campaigns “cooked” and spread by crooks. Some examples are presented below.

Deceptive Phishing

This is the most common type of phishing attack. Here, an attacker impersonates a legitimate company in order to steal personal information or credentials from victims and use them to gain unauthorized access to systems. The fraudulent link usually points to a malicious website whose URL is nearly identical to the company’s official domain (generally only one letter is misplaced).
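The “one misplaced letter” trick described above can be caught mechanically at the mail gateway or in a SIEM rule. The following Python script is an added example, not code from the article or from CSIRT.UBI: it compares the domain of each sender address against a constructed allow-list of legitimate company domains, flags domains within a small edit distance, and goes slightly beyond the single-letter case by also collapsing confusable character pairs (`0`/`o`, `1`/`l`, `rn`/`m`, `vv`/`w`) and catching the legitimate domain embedded as a prefix of an attacker-controlled one. All domains, addresses and the confusable table are assumptions made for the demonstration.

```python
# Added example (not from the article): flag sender domains that are
# near-identical to a company's legitimate domains, the pattern deceptive
# phishing relies on. All domains and addresses below are constructed.

# Constructed allow-list; a real deployment would load the company's own domains.
LEGIT_DOMAINS = ["example.com", "example-bank.com"]

# Character sequences commonly swapped to build look-alike domains (assumed table).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple.c0m' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def classify_domain(domain: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a sender domain.

    max_distance=2 covers one misplaced letter and one transposition
    (a transposition costs two edits); tighten it for very short domains.
    """
    domain = domain.lower()
    if domain in legit:
        return "legit"
    for good in legit:
        if domain.startswith(good + "."):          # e.g. example.com.evil.net
            return "lookalike"
        if normalize(domain) == good:              # confusable substitution
            return "lookalike"
        if levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "unrelated"


def scan_messages(senders):
    """Classify the domain of each From: address; returns [(address, verdict), ...]."""
    results = []
    for addr in senders:
        domain = addr.rsplit("@", 1)[-1]
        results.append((addr, classify_domain(domain)))
    return results


if __name__ == "__main__":
    # Constructed sample of sender addresses as they might appear in mail logs.
    sample = ["alice@example.com", "ceo@examp1e.com",
              "it-support@exarnple.c0m", "news@google.com",
              "billing@example.com.evil.net"]
    for addr, verdict in scan_messages(sample):
        print(f"{verdict:10s} {addr}")
```

Only `legit` and `unrelated` verdicts should pass silently; a `lookalike` verdict is the case to quarantine or to surface to the user with a warning banner, since these messages are exactly the ones that look right at a glance.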

Spear Phishing

Spear phishing is considered a sophisticated way for cybercriminals to obtain information about their victim. These attacks usually occur after a data breach, and the criminals customize malicious emails with data related to the victim, e.g., their name, position, company, work phone number, or information that has been published online or obtained via a social media platform such as LinkedIn.

The main goal is to lure the victim into clicking on a malicious URL or email attachment, which in turn gives the attackers access to the victim’s personal data. The most effective spear phishing attacks are often the simplest and blend into a normal working day at a company. For instance, an email apparently from the company regarding its privacy policy is sent to the victim. When the victim opens the link in the email body, a pre-filled form is presented on the screen. Here, the criminals request additional information from the victim, and as everything looks like a normal procedure, the victim eventually falls into the trap of handing valuable information to the criminals.

Business Email Compromise (BEC) Attacks – CEO Fraud

CEO fraud is often the second part of a BEC attack, where attackers impersonate an executive and use that individual’s email to authorize fraudulent wire transfers to a financial institution of their choice. Such a scenario is possible because companies do not provide adequate training for their employees. To fight that threat, as well as the risk of CEO fraud, all company personnel, including C-level executives, should undergo security awareness training. For example, employees should be aware that it will never be possible to conduct an asset transfer via email without additional validation.

This type of attack rarely sets off typical spam traps because the messages are not mass emailed: the victims are carefully targeted by the criminal.

Malware-Based Phishing Campaigns

This type of malicious activity happens when the attacker sends an email attachment or downloadable file to a victim with the intent of exploiting some vulnerability or stealing sensitive information from their device. Once the file or link is opened, the malicious content embedded in the attachment is triggered. At this point, the attacker can spread various types of malware, including computer viruses, keyloggers, worms, trojan horses, etc. In some cases, the malware propagates to other machines and infects them, as happened last year with the WannaCry ransomware attack.

Keeping people and companies away from phishing

Preventive Measures

  • Promote training for all employees
  • Many security problems and cyber attacks are performed via phishing, and that is the result of a bad cybersecurity
  • Training employees should be seen as a prevention measure and an effective way to stop low-level

Maintain software up-to-date

Keeping web browsers and operating systems fully up to date is a mandatory measure; it represents the first line of defense against viruses and malware spread by criminals.

Encryption and backups

Cryptography is always required as a supplementary protection step. One of the most important IT procedures in a company is backups. A golden rule for companies should be to prevent and minimize the risk of data loss after a successful cybercrime scheme.

Final thoughts

Phishing continues to be the main attack vector used by cybercriminals, and it is becoming increasingly sophisticated. Working against the criminals is crucial; this means promoting a cybersecurity culture within the company by providing training sessions in which employees are exposed to realistic cases of fraud.

Don’t forget, humans are still the weakest target.

About the Author

Pedro Tavares is a cybersecurity professional, a founding member and pentester of CSIRT.UBI, and the founder of seguranca-informatica.pt. In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and security in computer networks.