Despite the many tools in place to prevent them, phishing attacks continue to be a menace to employees and businesses. In Q3 of 2016, the Anti-Phishing Working Group detected at least 340 hijacked brands per month. In the last month of that same period, they also found 104,973 unique phishing sites. In order to understand the implications of these statistics, one needs to gain a better understanding of phishing attacks, the motivations behind them, why they succeed, and their impact to business.
In a nutshell, a phishing attack is a fraudulent message, usually in the form of an email, which lures users into clicking a link. That link in turn either leads the victim to a malicious website or initiates a malicious download.
Anatomy of a Phishing Attack
Phishing email is a form of spam email; it’s an undesirable message sent in bulk to a large number of recipients. While traditional spam emails are mostly part of advertising campaigns, phishing emails are more sinister. The main goal of a phishing email is usually to obtain confidential information from the email’s recipient.
In essence, the following is what takes place during a phishing attack:
- First, the phishing email is sent to a large collection of email addresses. These days, the mass mailings are launched from zombie computers or devices that belong to botnets.
- If the phishing email is well crafted, the victim is compelled either to click a link in the email body or to download an attachment.
- If the victim clicks on the link, he or she will likely be redirected to a landing page closely resembling a legitimate webpage of a popular and trusted company. Most of the organizations impersonated are banks, credit card companies, online payment service providers (e.g. PayPal), and even social networking sites. The use of a reputable brand name increases the probability of the victim performing the desired action (e.g. fill out a form or download a file).
- If the victim downloads an email attachment, he or she will likely end up installing a trojan that might contain a key logger, botnet client, ransomware, or just about any other type of malware.
Why Cyber Criminals Phish
The goal of most phishing attacks is to acquire what is known as personally identifiable information, or PII. This information includes data that, either individually or combined with other relevant data, can be used to identify an individual. Examples of this kind of data would include social security numbers, bank account numbers, credit card numbers, medical records, educational records, mailing addresses, biometric records, and so on.
Stolen PII is often sold in shady online marketplaces, where it is then purchased by identity thieves. These cybercriminals then use the information to carry out credit card or banking fraud and other fraudulent transactions. The cost of a single piece of stolen personal information can range from a few dollars to thousands of dollars, depending on the specific information that has been obtained. For example, a random credit card number can cost $5; a medical record, $50; and a bank account credential, $1,000.
Looking at the total value of PII belonging to thousands of individuals makes it easy to understand why phishing can be so lucrative.
How Phishing Attacks Succeed
Phishing relies on the time-tested art of deception. These days, cyber security experts and cyber criminals have dubbed these deceptive acts “social engineering.” Social engineering plays on people’s emotions, curiosity, fear, or plain gullibility.
A simplified example of what one might read in a phishing email would be as follows:
“Congratulations! You just won in the 2017 Online Lottery. Please claim your prize by clicking the link below.”
Most people get excited when they are told they won something – even if they never bought a ticket for any “2017 Online Lottery” in the first place.
Some phishing emails play on fear and take advantage of recent events, for example, a massive data breach. The following is what one might receive in the wake of a PayPal data breach:
“Dear [insert your name here]
Earlier today, PayPal’s databases were hacked and several user accounts were compromised. We regret to inform you that your account was one of them. While no funds have been stolen yet, we can confirm that the hackers were able to acquire your login credentials. To prevent any financial loss, you need to reset your password immediately. Click the link below and follow the instructions to carry out the reset.”
The message above can be quite alarming and can spur a sense of urgency. For this reason, some recipients of this email would no longer stop to think and just do as instructed.
These deceptive messages are made more believable with the advent of HTML-based emails. Unlike plain text emails, HTML-based emails can be spruced up with graphics and formatted text. Hence, it’s easier to make them resemble official communications from a trusted or reputable source – like a bank or, in the example above, PayPal.
When people are faced with a well-written and professionally formatted email bearing a trusted logo, most of them won’t bother to verify its authenticity.
Increasing Email Open Rates and Clicks Through Spear Phishing
Traditionally, phishing emails followed a spray and pray tactic. Attackers typically sent out large volumes of emails without any regard as to who would end up receiving them. For example, of the thousands who would receive the “Paypal” email, only a few may actually own a PayPal account. As a result, the majority of those who would receive the email would mark it as spam.
To increase the efficiency of their attacks, phishers started resorting to more sophisticated techniques. One of these techniques is known as spear phishing. This is a more targeted phishing attack aimed at a specific individual or group of people.
Spear phishing emails contain elements closely associated with the target. For example, a spear phishing email may mention and may appear to originate from the target’s boss, their organization’s network administrator, or HR manager. In addition, it may follow the company’s standard email format and include the corporate letterhead.
Because spear phishing emails are so customized, their open rates and click-through rates are quite high. The people who conduct spear phishing attacks usually have even more sinister intentions in mind than just stealing PII.
Many of these attackers are often after high value targets buried deep inside the organization. Hence, the main purpose of the phishing attack might be to acquire administrative credentials for privilege escalation or to infiltrate the network in preparation for an APT (advanced persistent threat) campaign.
Spear phishing emails are typically laced with malicious attachments that take the form of corporate files like PowerPoint presentations, reports, spreadsheets, resumes, and business documents. While these files appear to be common document formats such as .pdf, .ppt, .docx, and .xls, they are actually executable (.exe) files containing trojans that may even connect to remote command-and-control (C&C) servers.
Although phishing attacks are primarily aimed at individuals (more specifically, their PII), they can have other unintended, but nevertheless unavoidable casualties as well.
When phishers launch an attack, they usually need to hijack a legitimate brand. As discussed earlier, attackers typically set up a malicious landing page that closely resembles the web page of a trusted brand. This makes it easier to convince victims to respond to a call-to-action, such as filling out a form or downloading something.
These brands become casualties once the phishing campaign is discovered and later disclosed in news outlets or social media. This type of publicity can hurt the brand’s image, leaving the impression that its web pages are unsafe. Some customers might end up avoiding the brand’s legitimate websites for fear of accidentally landing on a fake web page.
In most cases, the people who do land on a hijacked brand’s website are likely customers of that organization. These people can lose confidence in the brand and may ultimately drop it for a competitor. Worse, if they actually become victims (i.e. their personal data gets stolen), they might even file a lawsuit, or, if the data is covered by data protection regulations, the company can be levied fines for noncompliance.
How to Defend a Business against Phishing Attacks
There are a couple of ways to thwart phishing attacks, the first of which is user education. This method of avoidance is primarily designed to counter the social engineering aspect of the attack. Because users are the recipients of phishing emails, your employees must be trained to determine when an email can be considered suspicious.
Some indicators include:
- Requests for personal information
- Deceptive domain names (e.g. paypal.somebank.com is certainly not a legitimate PayPal domain)
- Generic salutations (e.g. Dear Sir instead of Dear [your name])
- URLs that don’t match the text displayed on the link (you can verify this by hovering over the link and inspecting the actual destination shown in your mail client’s or browser’s status bar)
- Emails with executable file attachments (the common file types include exe, com, jar, msi, bat, and scr, but there are many others)
- Any email attachment that wasn’t expected (you can always verify with the sender)
- Messages that elicit heightened emotions, whether of happiness, fear, pity, etc.
- A sender who’s not familiar to you
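Several of the indicators above can be checked mechanically before a message ever reaches an inbox. The following Python script is an added example, not a tool from the original article or its vendor: it parses a raw message and flags links whose visible text names a different host than their href, links that use a trusted brand as a subdomain of an unrelated domain (the paypal.somebank.com pattern), and attachments that are executable either by extension or by file signature, which also covers the earlier point about documents that are really .exe files. The TRUSTED_BRANDS list, the sample message, and the two-label registered_domain() shortcut are assumptions made for the demo; a production filter would use the public suffix list and a real brand inventory.

```python
"""Heuristic phishing-indicator scanner (added example, not the article's own tool).

Checks a raw RFC 822 message for three of the indicators listed above:
  * link text that displays one host while the href points at another,
  * a trusted brand name used as a subdomain of an unrelated domain,
  * attachments that are executable by extension or by file signature
    (an "MZ" PE header behind a document-looking filename).
TRUSTED_BRANDS and the sample message are constructed for this demo.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_BRANDS = {"paypal.com", "example-bank.com"}  # assumed brand inventory
EXECUTABLE_EXTENSIONS = {"exe", "com", "jar", "msi", "bat", "scr"}
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def registered_domain(host: str) -> str:
    """Last two labels of a host (simplification; real tools use the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_indicators(html_body: str) -> list:
    """Return findings for mismatched and brand-impersonating links."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        shown = HOST_RE.search(text)  # does the visible text itself look like a URL/host?
        if shown and registered_domain(shown.group(0)) != registered_domain(target):
            findings.append(f"link text shows {shown.group(0)} but points to {target}")
        for brand in TRUSTED_BRANDS:
            # Brand label present in the host, but the registrable domain is not the brand's.
            if brand.split(".")[0] in target.lower() and registered_domain(target) != brand:
                findings.append(f"deceptive domain {target} impersonates {brand}")
    return findings


def attachment_indicators(msg: EmailMessage) -> list:
    """Flag attachments that are executable by extension or by PE signature."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment {name}")
        elif payload.startswith(b"MZ"):  # Windows PE header behind a harmless-looking extension
            findings.append(f"attachment {name} carries an EXE signature despite its .{ext} extension")
    return findings


def scan(raw_message: str) -> list:
    """Parse a raw message and return every indicator found (empty list = nothing flagged)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    findings = link_indicators(body.get_content()) if body is not None else []
    return findings + attachment_indicators(msg)


def build_sample_message() -> str:
    """Constructed lure: mismatched link, brand-as-subdomain link, fake .pdf that is really a PE file."""
    msg = EmailMessage()
    msg["From"] = "Prize Desk <desk@lottery.example>"
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Congratulations! You just won"
    msg.set_content("Please view this mail in an HTML-capable client.")
    msg.add_alternative(
        '<p>Dear Sir,</p>'
        '<p>Claim here: <a href="http://claim.lottery.example/p">https://www.paypal.com/claim</a></p>'
        '<p>Or log in at <a href="https://paypal.somebank.example/login">our secure portal</a></p>',
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00", maintype="application",
                       subtype="pdf", filename="Q3_Report.pdf")  # PE bytes, constructed
    return msg.as_string()


if __name__ == "__main__":
    for finding in scan(build_sample_message()):
        print("FLAG:", finding)
```

Running the script on the constructed message yields three findings: the lottery link whose text claims to be www.paypal.com, the paypal.somebank.example host, and the "report" whose first bytes are a PE header. The signature check matters more than the extension check for spear phishing, since the attachments described above are deliberately named to look like ordinary documents.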
Although user education is an important component in countering phishing attacks, it is by no means ironclad. Employees can forget or even disregard warning signs; hence, one will need to augment user education with something immune to human shortcomings.
Learn how our DNS Security Solutions can help detect and block fraudulent links, phishing campaigns, rogue antivirus downloads, and forced redirection to malicious domains.
*APWG Phishing Activity Trends Report – 3rd Quarter 2016