Hook, line and sinker
A fisherman baits a hook and casts it onto the surface of a lake, waiting for something to bite. Phishing attempts work in a similar way, only instead of sitting by the shore and casting baited hooks, attackers sit behind their computer screens and send out attention-grabbing messages. The technique is now decades old, having started sometime around 1995, and it was first mentioned on January 2nd, 1996 in a Usenet newsgroup aptly named AOHell. As the years have come and gone, phishers have diversified and perfected their trade, but the same concept lies behind both modern and ancient phishing techniques.
Fishermen use baits and lures to attract the attention of fish and make them grab the hook. Phishing e-mails, on the other hand, make use of social engineering techniques to get their hands on login credentials, credit card information and other types of data. Attackers attempt to replicate the messages sent out by trusted entities, such as friends, government or healthcare institutions, in order to gain the trust of their victims, much like lures are designed to imitate the prey fish would normally go after.
This can be achieved by spoofing e-mail addresses, websites or usernames, among others. Consider bankofamerica.com vs. bankofarnerica.com, where a slight difference in the spelling may trick users into believing they are on the right website. Everyone is familiar with the hack carried out on the Clinton campaign by now. However, not as many know that the attackers gained their initial foothold by using a phishing e-mail sent out from the address ‘firstname.lastname@example.org’. This tricked the campaign’s help desk into clicking on a link contained within the message, in spite of the suspicious ‘googlemail.com’ domain.
Once they have replicated the look and feel of a genuine message, those launching phishing attempts will try to convey a sense of urgency by claiming their message is a limited-time offer or that something bad will happen unless the victim replies quickly enough. One of the most common spam messages circulating around the Internet is ‘Go Directly to Jail’, which preys on the guilty conscience of victims. Other examples offer things which are too good to be true, such as suggestive content from would-be singles in search of a partner, generous discounts on popular products or even huge inheritances left by princes with no heirs.
Phishing has traditionally been carried out by e-mail or instant messaging, but the past decade has seen attackers diversify their portfolio, which can now include every imaginable channel of communication, including SMS (smishing) or telephone (vishing). The way phishing attempts are initiated is not the only thing that has changed, as hackers now use a wider range of attack vectors than ever before.
What has not changed are the two main goals of attackers:
- to trick the victim into revealing personal information
- to convince the victim to install malware or spyware
Scams such as the Nigerian prince or help a friend have already become part of Internet popular culture, due both to their success and their flimsy nature. This has created the false impression that only fools fall for these tricks, both downplaying the impact such attempts can have and generating a false sense of security for other possible victims. The truth is phishing is one of the most used tools in the hacker’s arsenal – one that has proved effective against victims in all walks of life, ranging from the average Joe to high-ranking politicians.
Large companies are not immune, either. Following its disastrous data breach in 2017, Equifax registered the domain equifaxsecurity2017.com. Soon after, a software engineer copied the website to another address, securityequifax2017.com, in an attempt to show that the company had set up a domain which was easy to impersonate. This attempt was so successful that the Twitter account of Equifax linked to the spoofed page, redirecting its users to it. While this could have turned into another disaster for the credit score giant, the fake website made no false claims about its purpose and did not collect customer information.
Phishers understand that behind all monitors there are people – and people can be fooled by attacks which are sufficiently complex. Considering that the sophistication of an attack depends only on the person carrying it out, we can infer that any person can be tricked by an attacker who is clever enough. Those working in the military or cybersecurity are no exception: in October 2017, Cisco Talos uncovered a phishing campaign spearheaded by the Russian intelligence group Fancy Bear. The effort targeted cybersecurity professionals that had an interest in the Cyber Conflict U.S. conference and was carried out by way of a digital flyer sent via e-mail. Ironically, the attackers were successful in disseminating the script.
This is a great example of phishing becoming weaponized. The success of this weapon depends on the amount of information the attackers have on their victim. If hackers can replicate the style of writing of someone close to the victim, the latter is less likely to check for spoofed addresses and other tell-tale signs of phishing. The example above is an illustration of copy-phishing, where attackers copy content the mark would expect to find in a genuine message and subtly modify it by adding malicious scripting. As phishing becomes increasingly sophisticated, attackers learn to address their target audience in a way that better captures their interest.
This move from general and undefined audiences to smaller groups culminates in spear phishing, where hackers customize their attacks for a single individual; the image is that of a fisherman aiming for a specific fish instead of just casting the hook and waiting for a bite. Spear phishing attacks are extremely successful because attackers spend a lot of time crafting their message, making it appear as if it originates from someone the mark knows, from a company he works with or from the organizers of an event he is interested in. A nation-state employed hacker may target an employee working for another government agency, or a government official, to steal state records or military technology. Such is the case of the U.S. military drone, the MQ-9 Reaper. The blueprints for the unmanned aerial vehicle were stolen by Chinese attackers and used to develop the Caihong-4, China’s own version of the drone.
All this being said, there are a number of ways you can defend yourself against phishing attacks:
- Keep yourself informed about the latest phishing techniques – the biggest advantage of hackers is that of information. If you already know their tricks it is much less likely you will fall prey to them.
- Always double-check the addresses and domains from which you receive e-mails before giving out any information. If the content of the e-mail encourages you to go to a certain website, check the spelling of the URL before clicking on it.
- Watch out for URL redirects, where you are subtly sent to a different website with the same design. Also, hover the cursor over a link before clicking on it to make sure that you are being directed to the correct web resource.
- Do not post personal information, such as your birthday, address, phone number or plans on social media or any other public resource, since that information can be used to craft highly customized attack messages.
- Verify a site’s security. Before submitting any information, make sure the site’s URL begins with ‘https’ and that there is a closed lock icon to the left of the address bar. Keep in mind that search engines may direct users to phishing webpages which bait victims with low-cost offers on popular products. If it’s too good to be true, it probably is.
- Never trust a pop-up. Pop-up windows are a favorite of hackers, who often disguise them as legitimate components of websites. However, most of them serve to redirect victims to phishing sites. Since pop-ups can be coded to redirect or download files onto the victim’s computer even if the ‘Cancel’ button is clicked, the only way to safely close a pop-up is by clicking the ‘x’ button.
- Think before you click! Phishing works because people are naturally inclined to be trusting, curious and helpful. Our openness towards the world and the others is both our greatest strength and weakness.
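The look-alike domains described earlier (bankofamerica.com vs. bankofarnerica.com, the unexpected googlemail.com sender) and the advice above to double-check sender domains and to compare where a link says it goes with where it actually points can both be turned into a simple automated check. The following is an added example written for this article, not code from the original page or from any product it mentions. It assumes a hypothetical list of trusted domains, a small hand-made table of confusable character sequences, and a constructed sample e-mail; a real mail filter would use the public suffix list and a far larger confusables table.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains we expect mail and links to come from (constructed sample list).
TRUSTED_DOMAINS = {"bankofamerica.com", "google.com", "example.org"}

# Character sequences that look alike in common fonts; each is folded to a
# canonical form before comparison (hypothetical, deliberately small table).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


def fold_confusables(label: str) -> str:
    """Collapse look-alike sequences so 'bankofarnerica' folds to 'bankofamerica'."""
    out = label.lower()
    for seq, canon in CONFUSABLES:
        out = out.replace(seq, canon)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Keep the last two labels ('mail.bankofamerica.com' -> 'bankofamerica.com').
    Adequate for this demo; real code should consult the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' (resembles a trusted domain) or 'unknown'."""
    d = registrable_domain(domain)
    if d in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if fold_confusables(d) == fold_confusables(trusted) or edit_distance(d, trusted) <= 1:
            return "lookalike"
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_message(sender: str, html_body: str) -> list:
    """Flag untrusted sender domains, untrusted link targets and links whose
    visible text shows one host while the href points at another."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1]
    verdict = classify_domain(sender_domain)
    if verdict != "trusted":
        findings.append(f"sender domain {sender_domain} is {verdict}")
    parser = LinkExtractor()
    parser.feed(html_body)
    for text, href in parser.links:
        href_host = urlparse(href).hostname or ""
        verdict = classify_domain(href_host)
        if verdict != "trusted":
            findings.append(f"link to {href_host} is {verdict}")
        shown = URL_IN_TEXT.search(text)  # link text that itself looks like a URL
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(f"link text shows {shown_host} but points to {href_host}")
    return findings


# Constructed sample message: 'rn' stands in for 'm' in the sender and link host.
SAMPLE_SENDER = "alerts@bankofarnerica.com"
SAMPLE_BODY = """<p>Your account will be locked in 24 hours.</p>
<a href="http://login.bankofarnerica.com/verify">https://www.bankofamerica.com/verify</a>"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_SENDER, SAMPLE_BODY):
        print(finding)
```

Run against the constructed sample, the checker reports the look-alike sender domain, the look-alike link target, and the mismatch between the bankofamerica.com shown in the link text and the bankofarnerica.com host the href actually leads to. Note that the confusables fold is intentionally aggressive: a domain that happens to contain "rn" will be compared as if it contained "m", so a deployment would tune the table against its own trusted list to keep false positives manageable.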