Evolution Of Phishing Attacks
What is a phishing attack?
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an evil-minded attacker/hacker masquerading as the trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information to the attacker.
An attack can have devastating results. for individuals, this includes unauthorized purchase, stealing of money or identity theft.
How a phishing attack is carried out?
The below-given diagram explains the working if a phishing attack.
The first Phishing Attack.
Back in the early-mid 1990s, the only Internet option was ‘dial-up’ access for a fee. Those who were reluctant to pay for the internet access was a thirty days free trial to access the internet via AOL floppy disk. Rather than face life without the internet after the trial period expired, some found a way to change their screen names to make it appear as if they were AOL administrators. Using these phone screen names, they would “phish” for log-in Credential to continue accessing the Internet for free.
As the Internet use increased in popularity, scammers adapted these tactics to disguise themselves as administrators from an ISP, emailing the accounts of the ISP’s customers to elicit user login credentials. Having spoofed someone, the hacker could access the Internet from that user’s account with the bonus of span from the user’s email address.
The Love Bug of 2000
A change in tactics saw the world fall victim to the Love Bug on May 4, 2000. starting in the Phillippines, mailboxes around the globe were filled with a message titled “I LOVE YOU”. The message body simply said, “kindly check the attached LOVELETTER coming from me”.
Those who could not resist unearthing their secret crush opened what they thought was a harmless ‘.txt’ file, only to unleash a worm that did damage to the local machine. The worm overwrote image files sent a copy of itself to all the user’s contacts in their Outlook address book.
‘LoveBug’ showed how to get spam to send itself and that, with a cleverly designed virus that preyed on human psychology and technical failings, malware could rack up enormous numbers of victims. In all, about 45 million Windows PCs were thought to have been hit.
Most of the phishing attacks are sent by email. the crook will register a fake domain that mimics a genuine organization and sends thousands of generic requests.
The fake domain often involves character substitution, like using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’.
Alternatively, they might use the organization’s name in the local part of the email address (such as email@example.com in the hopes that the sender’s name will simply appear as ‘PayPal’ in the recipient's inbox.
There are many ways to spot a phishing email, but as a general rule, you should always check the email address of a message that asks you to click a link or download an attachment.
There are two other more sophisticated types of phishing, which have evolved since phishing has started. The first spear-phishing describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the following information about the victim:
- Their name;
- Place of employment;
- Job title;
- Email address;
- Specific information about their job role.
One of the most famous data breaches in recent history, the hacking of the Democratic National Committee, was done with the help of spear phishing.
The first attack sent emails containing malicious attachments to more than 1000 email addresses. Its success led to another campaign that tricked members of the committee into sharing their passwords.
Till now phishing attacks were in the incubation period, after this the attacks started to show their severity and the real impact of the attacks.
Whaling attacks are even more targeted, taking aim at senior executives. Although the end goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler
tricks such as fake links and malicious URLs aren’t useful in this instance, criminals are attempting to imitate senior staff.
Scams involving bogus tax returns are an increasingly common variety of whaling. Tax forms are highly valued by criminals as they contain a host of useful information: name, addresses, social security numbers, and bank account information.
Smishing and Vishing
With both smishing and vishing, telephones replace emails as the method of communication. Smishing involves criminals sending a text message(the content of which is much the same as with email phishing), and vishing involves a telephone conversation.
A common vishing scam involves a criminal posing as a fraud investigator(either from the card company or the bank) telling the victim that their account has been breached.
The criminal will then as the victim to provide debit/credit card details to verify their identity or to transfer money into a so-called “secure account” — by which they mean the criminal’s account.
A relatively new attack vector, social media offers a number of ways for criminals to trick people. Fake URLs, cloned websites, posts, tweets & instant messaging(which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware.
Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks.
I would mention an incident. In 2016, Thousands of Facebook users received messages telling them they’d been mentioned in the post. The message has been initiated by criminals and unleashed a two-stage attack. The first stage downloaded a Trojan containing a malicious Chrome browser extension on the user’s computer.
When the user next logged into Facebook using the compromised browser, the criminal was able to hijack the user’s account. They were able to change privacy settings, steal data & spread infection through the victim’s Facebook friends.
Although on face value, it looks like phishing attacks are decreasing, it’s important to look beyond the surface of these phishing statistics. While the number of attacks is on the decline, cybercriminals aren’t giving up — they’re simply trying new tactics. Phishers & other threat actors are focusing more on the quality & effectiveness of their attacks than simply blasting out numerous phishing messages with the hope that one will stick. It's the difference between targeting victims with a metaphoric rifle instead of a shotgun.
This is why it’s just as important for your organization to strengthen your cybersecurity defenses and harden your “human firewall” through cyber awareness training. If you want to keep your business safe, it’s going to require more than just your basic email spam filters and self-awareness.