Identify and Prevent Phishing
Phishing is the attempt to exploit weaknesses in current web security and obtain sensitive information such as usernames, passwords, and credit card details. This can be accomplished by email spoofing or instant messaging. The messages often direct users to enter personal information at a fake website that appears to be legitimate. Alternatively, the messages may contain links to websites that are infected with malware. According to the 2013 Microsoft Computing Safety Index, the annual worldwide impact of phishing was approximately 5 Billion USD. The paragraphs below identify 12 different types of phishing attacks followed by how users can prevent phishing attacks.
The 1st and most successful type of phishing is called “Spear Phishing”. Spear Phishing is a focused approach of targeting specific companies or individuals. Prior to the attack, attackers typically gather personal information about their target. After gathering information, a hand-crafted message is emailed to the user. This message is an attempt to trick the victim into divulging personal or confidential data for unauthorized use. If the user falls for the trap, then their computer is typically compromised with malicious software.
The 2nd type of phishing is called “Clone Phishing”. Clone Phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced by a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original. This technique could be used to pivot from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.
The 3rd type of phishing is called “Whaling”. Whaling is a phishing attack directed specifically at senior executives and other high-profile targets within businesses. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern. Whaling phishers have also forged official-looking FBI subpoena emails, and claimed that the manager needs to click a link and install special software to view the subpoena.
The 4th type of phishing is called “Link Manipulation”. Most methods of phishing use some form of technical deception designed to make a link in an email appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually, this URL points to the “yourbank” (i.e. phishing) section of the example website. Another common trick is to make the displayed text for a link (the text between the <A> tags) suggest a reliable destination, when the link actually goes to the phishers’ site. Many desktop email clients and web browsers will show a link’s target URL in the status bar while hovering the mouse over it. This behavior, however, may in some circumstances be overridden by the phisher. Equivalent mobile apps generally do not have this preview feature. A further problem with URLs has been found in the handling of internationalized domain names (IDN) in web browsers, that might allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing or homograph attack, phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain. Even digital certificates do not solve this problem because it is quite possible for a phisher to purchase a valid certificate and subsequently change content to spoof a genuine website, or, to host the phish site without SSL at all.
The 5th type of phishing is called “Filter Evasion”. Phishers have even started using images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing emails. However, this has led to the evolution of more sophisticated anti-phishing filters that are able to recover hidden text in images. These filters use Optimal Character Recognition to optically scan the image and filter it. Some anti-phishing filters have even used Intelligent Word Recognition, which is not meant to completely replace OCR, but these filters can even detect cursive, hand-written, rotated (including upside-down text), or distorted (such as made wavy, stretched vertically or laterally, or in different directions) text, as well as text on colored backgrounds.
The 6th type of phishing is called “Website Forgery”. Some phishing scams use JavaScript commands in order to alter the address bar. This is done by placing a picture of a legitimate URL over the address bar, or by closing the original bar and opening up a new one with the legitimate URL. An attacker can even use flaws in a trusted website’s own scrips against the victim. These types of cross-site scripting attacks are problematic because they direct the user to sign in at their bank of service’s own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot.
The 7th type of phishing is called “Covert Redirect”. Covert redirect is a subtle method to perform phishing attacks that makes links appear legitimate, but actually redirect a victim to an attacker’s website. The flaw is usually masqueraded under a log-in popup based on an affected site’s domain. It can affect OAuth 2.0 and OpenID based on well-known exploit parameters as well. This often makes use of open redirect and XSS vulnerabilities in the third-party application websites. Normal phishing attempts can be easy to spot because the malicious page’s URL will usually be different from the real site link. For covert redirect, an attacker could use a real website instead by corrupting the site with a malicious login popup dialogue box. This makes covert redirect different from others. For example, suppose a victim clicks a malicious phishing link beginning with Facebook. A popup window from Facebook will ask whether the victim would like to authorize the app. If the victim chooses to authorize the app, a “token” will be sent to the attacker and the victim’s personal sensitive information could be exposed. This information may include the email address, birth date, contacts, and work history. In case the “token” has greater privilege, the attacker could obtain more sensitive information including the mailbox, online presence, and friends list. Worse still, the attacker may possibly control and operate the user’s account. Even if the victim does not choose to authorize the app, he or she will still get redirected to a website controlled by the attacker. This could potentially further compromise the victim.
The 8th type of phishing is called “Social Engineering”. Users can be incentivized to click on various kinds of unexpected content for a variety of technical and social reasons. For example, a malicious attachment might masquerade as a benign linked Google doc. Alternatively, users might be outraged by a fake news story, click a link and become infected.
The 9th type of phishing is called “Phone Phishing”. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization. SMS phishing uses cell phone text messages to induce people to divulge their personal information.
The 10th type of phishing is called “Tabnabbing” Tabnabbing takes advantage of tabbed browsing, with multiple open tabs. This method silently redirects the user to the affected site. This technique operates in reverse to most phishing techniques in that it doesn’t directly take the user to the fraudulent site, but instead loads the fake page in one of the browser’s open tabs.
The 11th type of phishing is called “Evil Twin”. Evil twin is a phishing technique that is hard to detect. A phisher creates a fake wireless network that looks similar to a legitimate public network that may be found in public places such as airports, hotels or coffee shops. Whenever someone logs on to the bogus network, fraudsters try to capture their passwords and/or credit card information.
The 12th type of phishing forwards the client to a bank’s legitimate website, and then places a popup window requesting credentials on top of the page in a way that makes many users think the bank is requesting this sensitive information.
To prevent phishing attacks, users should constantly be educated via training, company newsletters, and face-to-face so as attacks change, training and avoidance tactics evolve as well. To train, companies typically enlist their employees into a security awareness program. A security awareness program teaches users to use their company email for corporate use only. Users are also taught not to open attachments from sources they are not familiar with, and not to enter information into websites that seems strange. Additionally, your company should consider a social networking policy to hide or limit the information that employees can show on their social media page (i.e. LinkedIn). Finally, your IT specialist should configure your spam gateways to block any executable programs from coming into network via mail.
