Written by Adrien Souyris
We’ve all experienced phishing - those
annoying, sometimes dangerous emails attempting to trick us into giving away
money or sensitive information. Most of them are clearly scams, but some are
smarter and more difficult to spot.
Symantec identified in 2018 that 54%
of all emails were malicious (spam or phishing). As well as this, an average
user receives 16 suspicious emails per month. More astoundingly, Verizon
reports that 90% of breaches involve phishing.
So, who's behind these phishy emails? In short, anyone from amateur scammers to Russian GRU operatives and skilled cybercrime groups. Phishing is a cybercriminal's favourite tool, but why? Well, IT departments understand how important it is to build a cyber castle around the company's network; firewalls are everywhere, which makes it harder to attack company networks directly. And because we built castles, attackers invented a Trojan horse: phishing emails.
It is nearly impossible for machines
to automatically distinguish between a legitimate and a well-crafted malicious
email. IT and security departments can’t guarantee a phish-free inbox, and with
each malicious email displayed to users comes the risk of someone inadvertently
giving away the castle's keys.
What are the remaining options, then? If
they are informed and trained, staff make up a company's immune system by
reporting phishing and helping the company fight back.
Phishes of all sorts and colours
There are several types of phishing - angling,
spear phishing, vishing, to name a few. The most common one is mass, automated
phishing, which consists of creating generic phishing emails aimed at the
largest possible number of recipients (usually millions). Even if only 1% of
the recipients fall for it, that’s still 10,000 victims.
More targeted attacks are called spear
phishing. These consist of selecting high-value, well-researched targets, finding
out information such as their online habits, relations and hobbies, and then
carefully crafting a high-quality phishing email to be sent to this recipient
only. These methods are usually employed by skilled cybercriminals or
state-sponsored hackers. Intermediate steps exist between these two, for
instance by targeting a specific company, department, or group of people.
And what is the intention behind phishing
emails? Usually one of two things: assets (information or money) going out or
malicious content going in.
In preparation for the former, a
cybercriminal will attempt to lure the recipient into giving away the asset. The
most basic method is the scam; for instance, the criminal masquerades as a
legitimate service - PayPal, Gmail, OneDrive, SharePoint, etc. By disguising
the email as a notification or security notice, the sender lures the recipient
into clicking on a link.
Behind this link hides a fake login
page where the victim then gives away their credentials. To avoid raising
suspicion, the fake login page mimics the legitimate service's page almost exactly.
To perform the latter, phishers may
attach a malicious file to the email, such as a Word or Excel file with
macros or a script file. Both macros and script files are a form of code
which can be abused to download malware onto a computer. Alternatively, the
cybercriminal may use a malicious hyperlink; behind it hides a web page which
will attempt to install malware on the device. From there, the cybercriminal
can gain access to the user's files and emails, or use that foothold in the
network to compromise other company assets.
Avoid taking the bait: stay aware
Phishers use social engineering, the
art of hacking people using predictable human behaviour, to trick email
recipients into performing an action in their favour. Social engineering in
phishing emails can take many forms, but the following techniques are usually
employed in phishing:
- Masquerading: most of the time, phishing emails will be crafted to be misleading and impersonate something or someone else. For this purpose, the email will make use of attributes which are usual for the stolen identity, including writing style and font appearance, colour schemes, and URLs.
- A believable scenario: building on the stolen identity, phishing emails create a story. For example, HM Revenue & Customs sending an email about your latest tax return or a colleague reaching out about a project.
- Sense of authority: by masquerading as an authority figure, such as a professional body or manager, cybercriminals attempt to pressure the recipient without causing suspicion.
- Sense of urgency: cybercriminals will usually build on this false authority with pressure and urgency to achieve the result before the recipient becomes suspicious. Using terms like ‘the request is urgent’, ‘a lack of action will result in <insert threat here>’, etc. encourages the recipient to act fast.
- Sense of trust: some phishing emails may attempt to look like they originate from someone/something you trust like a friend or colleague.
Spotting phishing URLs
One of the easiest ways of spotting
phishing emails is to check the structure of the URL to which the email is
trying to redirect you. Let's take our previous fake URL and introduce how
domain names work. We'll read the URL from right to left.
A domain name is just like a Russian
doll, each ‘.’ represents a layer of doll. Here, the ‘.org’ is the largest
doll, and ‘myaccount.’ is the smallest one.
The best way to read a domain name is
to spot the rightmost ‘.’ (before the first ‘/’, if there is one). This
is usually a ‘.com’, ‘.org’ or ‘.co.uk’. The domain name is the label immediately
to the left of this. Here, our domain is ‘ml-security’; everything further left
is a subdomain the owner of ‘ml-security’ can name however they like. The URL
confuses users by introducing a misleading ‘myaccount.google.com’ there.
Another deception to keep in mind is
best illustrated through another example:
In the URL above, suspiciouslink.com
is disguised as accounts.google.com. Whenever you click on a link, always
check that it actually took you to a legitimate place.
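The right-to-left reading above can be turned into a small check. The Python below is an added example, not code from the original post or from its author. It assumes a tiny hand-picked subset of public suffixes (real tooling would use the full Public Suffix List), a constructed list of trusted hosts, and constructed sample URLs; the first sample is reconstructed from the fragments the text quotes (‘myaccount.’, ‘google.com’, ‘ml-security’, ‘.org’) and is an assumption about the original screenshot. It also covers the second deception, a link whose displayed address differs from where it really goes, and the ‘user@host’ form of a URL, where the real destination is whatever follows the ‘@’.

```python
"""Check where a link really points by reading its host name right to left.

Added example for this post's 'Spotting phishing URLs' section; not the
article's own code. PUBLIC_SUFFIXES is a constructed subset of the Public
Suffix List and TRUSTED_HOSTS is a constructed list, both placeholders.
"""
from typing import Optional
from urllib.parse import SplitResult, urlsplit

# Constructed subset: endings that are never themselves a registrable domain.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "org.uk", "gov.uk"}

# Constructed list of hosts the reader trusts (tuple keeps a fixed order).
TRUSTED_HOSTS = ("google.com", "paypal.com", "microsoft.com", "hmrc.gov.uk")


def _split(url: str) -> SplitResult:
    """urlsplit() needs a scheme to find the host; add one if it is missing."""
    return urlsplit(url if "://" in url else "http://" + url)


def hostname(url: str) -> str:
    """Return the host the browser would actually connect to.

    urlsplit() already handles the 'user@host' trick: everything before '@'
    is user-info, not the destination, so .hostname is the real target.
    """
    return (_split(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Reading from the right, skip the public suffix ('.org', '.co.uk', ...)
    and return it together with the single label to its left: the only part
    of the name the sender had to register, e.g. 'ml-security.org'."""
    labels = host.split(".")
    # Try the two-label suffix first so 'co.uk' wins over plain 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host  # no known suffix: treat the whole host as the domain


def lookalike_warning(url: str) -> Optional[str]:
    """Flag a URL whose registrable domain is not trusted but which drops a
    trusted brand name into its subdomains, user-info or path."""
    parts = _split(url)
    host = (parts.hostname or "").rstrip(".").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_HOSTS:
        return None
    haystack = (parts.netloc + parts.path).lower()  # includes any 'user@'
    for trusted in TRUSTED_HOSTS:
        brand = trusted.split(".")[0]  # 'google', 'paypal', ...
        if brand in haystack:
            return f"'{brand}' appears in the link, but it really goes to {domain}"
    return None


def link_mismatch(display_text: str, href: str) -> Optional[str]:
    """Compare the address a link *shows* with the one it *goes to*.
    Returns a warning when the two registrable domains differ."""
    text = display_text.strip()
    if " " in text or "." not in text:
        return None  # plain words like 'Click here' claim no destination
    shown = registrable_domain(hostname(text))
    actual = registrable_domain(hostname(href))
    if shown != actual:
        return f"link shows {shown} but goes to {actual}"
    return None


if __name__ == "__main__":
    # Constructed samples; the first reconstructs the post's own example.
    for sample in (
        "https://myaccount.google.com.ml-security.org/login",
        "https://accounts.google.com/signin",
        "http://accounts.google.com@suspiciouslink.com/verify",
        "https://hmrc.gov.uk.refund-portal.co.uk/claim",
    ):
        print(sample, "->", lookalike_warning(sample) or "domain looks legitimate")
    print(link_mismatch("accounts.google.com", "https://suspiciouslink.com/x"))
```

The check only catches names that contain a trusted brand verbatim; misspelt lookalikes (a swapped letter, a digit for a letter) need a separate comparison, and a short suffix table like this one will misjudge hosts under suffixes it does not know, which is why production tools load the full Public Suffix List.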
Taken the bait by mistake?
All human beings are vulnerable to
social engineering. By hitting the right spot, a skilled cybercriminal can hack
anyone. If you suspect you’re a victim of phishing, here are the steps you
should follow:
- Don't panic, this can happen to anyone.
- Send an email without delay to your IT helpdesk or to your security team. A point of contact should always be available in your organisation for these incidents.
- Do not delete anything, unplug anything or turn your computer off, unless instructed by security or IT personnel, as the evidence may be needed. You can flag the suspicious email as spam or phishing.
- Pay attention to and report any further suspicious behaviour on your laptop and applications, such as freezes, slower performance, emails or files disappearing, mouse stutters, etc.
Take the test
Google created a tutorial test that
shows the typical techniques used in phishing. Don't worry, it isn’t a phishing
link.
You can find it here.