Phishing
Phishing emails go to a wide group of people without targeting anyone. It’s like a fisherman casting a wide net to see what he can catch. The attackers know that not everyone will respond, but if they send out enough emails, some recipients will.
As one example, attackers often load malicious software onto websites. The malicious code is downloaded as soon as a user visits (called a drive-by download). Attackers can either attack a legitimate site and add their drive-by download, or create their own. They then send a phishing email out hoping a user clicks. Once the user clicks, the drive-by download infects their system.
In other cases, a phishing attack sends the user to a malicious website that looks like a legitimate site and tries to entice them to enter their username and password. In a common example, the attackers send an email indicating that the user’s PayPal account needs to be validated; if the user clicks the link, they are taken to a site that looks very similar to the actual PayPal site but has a different URL. If the user enters credentials, the attacker quickly harvests them and puts them to use.
In other cases, they simply try to get the user to respond with sensitive information. As one example, I frequently receive an email similar to this:
========
THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM
This message is sent automatically by the computer. If you are receiving this message it means that your email address has been queued for deactivation; this was as a result of a continuous error script (code:505) received from this email address. To resolve this problem you must reset your email address.
In order to reset this email address, you must reply to this e-mail by providing us the following Information for confirmation.
Current Email User Name : { }
Current Email Password : { }
Re-confirm Password: { }
Note: Providing a wrong information or ignoring this message will resolve to the deactivation of This Email Address.
Technical Support Team.
========
This example shows the basic components of a phishing email. It indicates a problem that the user needs to address and includes a sense of urgency. In this case, if the user fails to respond, their email will be deactivated. Other times, the email threatens to deactivate a banking account, freeze funds, or take a similar action. The From field of this email indicated it came from “HELPDESK Cox Customer Safety”, though the actual email was not from Cox Communications.
When attackers get a response, they can log on as the user and hijack the account. If it’s a financial account, they’ll empty the account in short order. Even if it’s only an email account, many people use the same email address and password to log onto other accounts. The attacker simply tries to log onto banking and financial sites with this information.
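The three tells described above (a brand name in the From display name that does not match the sender's domain, lines asking the reader to send back a username and password, and an urgency or threat cue) can be checked mechanically. The following is an added example, not code from the original article; the sample messages are constructed to mirror the one quoted above, and the BRAND_DOMAINS allow-list is a hypothetical stand-in for whatever a mail gateway would actually maintain.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample modelled on the message quoted above (not a real email).
SAMPLE_PHISH = """\
From: "HELPDESK Cox Customer Safety" <reset@mailbox-support.example>
Subject: Your email address has been queued for deactivation

THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM
To resolve this problem you must reset your email address.
Current Email User Name : { }
Current Email Password : { }
Re-confirm Password: { }
Note: ignoring this message will resolve to the deactivation of This Email Address.
"""
# Constructed benign control: brand in the display name, but the sender domain
# matches and nothing asks for a password.
SAMPLE_BENIGN = """\
From: "Cox Customer Safety" <noreply@cox.com>
Subject: Your monthly statement is available

Your statement is ready. Log in at the address printed on your bill.
"""
# Hypothetical allow-list: a brand named in the display name should only arrive
# from one of these domains (or a subdomain of them).
BRAND_DOMAINS = {"cox": {"cox.com", "cox.net"}, "paypal": {"paypal.com"}}
# Lines asking the reader to write a username or password back.
CREDENTIAL_FIELD = re.compile(r"(?im)^.*\b(user\s*name|password)\s*:")
# Urgency / threat cues of the kind used in the example above.
URGENCY = re.compile(r"(?i)\b(deactivat\w*|suspend\w*|freeze|immediately|urgent\w*)")

def analyse(raw: str) -> dict:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # Brand claimed in the display name but not backed by the sender domain.
    mismatch = [b for b, ok in BRAND_DOMAINS.items()
                if re.search(rf"\b{re.escape(b)}\b", name, re.I)
                and not any(domain == d or domain.endswith("." + d) for d in ok)]
    fields = len(CREDENTIAL_FIELD.findall(body))
    cues = sorted({m.lower() for m in URGENCY.findall((msg["Subject"] or "") + "\n" + body)})
    return {"brand_mismatch": mismatch, "credential_fields": fields, "urgency_cues": cues,
            # Flag only when credentials are requested AND pressure or spoofing is present.
            "suspicious": fields > 0 and bool(mismatch or cues)}
```

Run against the quoted-style sample it reports a brand mismatch, three credential fields and the "deactivation" cue; the benign control produces no findings.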
Spear Phishing
Spear phishing targets a group of people. For example, a spear phishing email can target employees of a specific company, customers of a specific company, or even a specific person.
Whaling
Whaling targets high-level executives. As an example, a whaling attack targeted senior corporate executives using their actual name, company name, and phone number. The attackers drafted an email that looked like an official subpoena requiring the executive to appear before a federal grand jury and included a link for more details about the subpoena. If the whale clicked the link, it took them to a website that indicated they needed to install a browser add-on to read it. If they OK’d the install, it actually installed a keylogger and a back door. From here on, the executive’s keystrokes were logged and attackers were able to periodically access their system to retrieve the keylogger file.
Vishing
Vishing is a form of phishing that uses the phone system or voice over IP (VoIP) technologies. The user may receive an email, a phone message, or even a text encouraging them to call a phone number due to some discrepancy. If they call, an automated recording prompts them to provide detailed information to verify their account such as credit card number, expiration date, birthdate, and so on.
Protection Against Phishing, Spear Phishing, and Whaling
The best protection against phishing, spear phishing, and whaling is education and up-to-date antivirus software. If users understand the tactics and the risks, they are less likely to respond to the phishing emails or click the links. And even if they do click a link, up-to-date antivirus software will often prevent an infection.