Most of us will not click on an email claiming we have won the lottery nowadays. However, phishing attacks have evolved and have remained the most dangerous cyberattack for individuals and enterprises since the first phishing attack in 1995.
According to a report by the email security company Valimail, over three billion spoofed messages are sent each day, nearly 1% of all email traffic. And this is inflicting costly damage on our society. By 2021, global cybercrime damages will rise from $3 trillion in 2015 to $6 trillion yearly, according to the estimate in the 2020 Official Annual Cybercrime Report by Cybersecurity Ventures.
What is Phishing?
The term "phishing" is a play on the word "fishing." According to IETF RFC 4949 Ver 2, phishing is defined as:
A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.
For example, the message may have a "New iPhone giveaway," "Malware Alert," or another type of attractive subject line. In addition, the phishing email may contain the company's logo, address, phone number, or any other information that can make it look legitimate.
Another common tactic is to make it look like a personal email from someone you know or a friend who wants to share something with you. Finally, the phishing technique often simply waits for someone to "get hooked." As in conventional fishing, these scammers send out "hooks" and only need a relative few to take the "bait" (i.e., click the link).
What makes this attack so successful?
Nowadays, most of us would be able to spot a phishing email. Scammers know that too, so they enhance their phishing techniques (more about that later). But by the time we recognize a message as phishing, it may already be too late: someone may have clicked on the link.
One # Human is the Weakest Link in Cybersecurity
Social engineering leverages our psychology to gain access to information or for financial gain. For example, a phishing email is one of the most common ways hackers try to extract information or money from individuals. In cybersecurity, we categorize this kind of technique as "Social Engineering."
According to NIST SP800–63–3 - Digital Identity Guidelines, Social Engineering is:
The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.
There is no signature we can update in our minds, and no firewall we can install there. Thus, hackers exploit unpatched psychological vulnerabilities, and the easiest way to do that is by phishing.
Two # Work From Home + BYOD
The COVID-19 situation is not getting better soon, and many companies are striving for business survival. As a result, contingency plans like a remote workforce and work from home are becoming the new normal for many employees (me included).
Working from home means that employees are more relaxed and may often use their own devices for work (i.e., BYOD). If a cybercriminal compromises an employee's device, they could gain access not only to the data sitting on the device but also to an entry point into the corporate network.
Employees are also more remote from the IT and cybersecurity teams, which means they are less monitored and less supported when they need help (especially when BYOD is in place). In the office, an employee who sees a suspicious but urgent email would usually report it to the internal team; at home, they may treat it differently.
Three # Easy to Begin
If you want to be a cybercriminal, the hurdle is now much lower. A growing number of hacking tools are intended to help amateurs with little computer knowledge get into the cybercrime industry. Among all these tools, phishing toolkits are low-cost and widespread.
The availability of phishing kits online and the rise of ransomware-as-a-service (RaaS) lower the bar to entry. This has resulted in an outburst of ransomware and other exploits coming from an ever-growing swamp of amateur cybercriminals.
Special Types of Phishing
In the following, I will introduce several new types of phishing to provide awareness.
Advanced Malware Phishing
Proofpoint researchers identified a new variant of the Buer malware loader circulated via emails masquerading as DHL shipping notices in early April. The emails impacted over 200 organizations across more than 50 verticals. (Buer is a downloader sold on underground marketplaces and used as a "base" in compromised networks to distribute other malware, including ransomware.)
The phishing email contained a link to a malicious Microsoft Word or Excel document that used macros to drop the new malware. In addition, the new strain was rewritten in the programming language Rust, so the malware is built entirely differently from the original. As a result, the campaign is more challenging to detect and more harmful.
While conventional phishing campaigns go after large numbers of comparatively low-yield targets, spear-phishing aims at particular targets, with emails crafted for their designated victims. It is a different kind of phishing, purposefully created to penetrate a specific target (usually an organization).
Mass phishing primarily involves using automated off-the-shelf toolkits to gather credentials at a massive scale. Targeted campaigns, on the other hand, commonly involve documents containing malware or links to credential-stealing sites, solely to steal sensitive information or intellectual property or to compromise payment systems.
QRishing combines the words "QR code" and "phishing," indicating that the attack takes the form of a QR code.
QR codes are a popular tool for threat actors, especially since the pandemic has limited physical contact. We use them to access menus, check vaccine information, and get public information. In addition, social distancing guidelines and trends like "contactless for everything" have popularised the use of QR codes.
Kaspersky reported one example from Q1 2020 in which clients of several Dutch banks received a fake email that asked them to "unlock" mobile banking by scanning a QR code. Instead, the QR code directed them to a malware-embedded web link.
Another tactic is to insert fake QR codes into a phishing email, text, or social media post. Upon scanning the false code, users are redirected to fabricated websites, where the victim is prompted to log in so that their credentials can be stolen.
A scam QR code can also connect you to an unsecured WiFi network, where someone can effortlessly capture what you are typing. Phony codes may also take you to websites where malware can be automatically downloaded and used to gain access to your device, steal data, or launch further attacks such as ransomware.
Meanwhile, smishing is a combination of the words "phishing" and "SMS." That means it is a kind of phishing sent across your mobile network in the form of text messages. Although the name uses SMS, this kind of attack can also happen on other messenger platforms, such as Facebook Messenger or WhatsApp.
You may think of it as the latest scam on the block. If, like me, you receive an SMS saying your MetaMask wallet is being suspended, you may feel the urgency to click on the link. However, smishing has been around for a few years now. The pandemic, combined with a rise in home deliveries, has boosted its popularity.
Common smishing attempts focus on everyday necessities. Missed deliveries, late payments, bank notifications, fines, and urgent notices are typical lures in a smishing attack.
We're awash in cardboard with so many people staying at home and so many daily online purchases. It's very challenging to keep track of everything coming into the house. Combining well-known delivery services with fake "delivery fee" notifications is the best recipe for successful smishing. Next time you see something like this, make sure you check the URL carefully and try accessing your account by other means first.
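The "check the URL carefully" advice above (and it applies equally to a link decoded from a QR code) can be partly automated. The following is an added example, not code from the original post: a small triage function that extracts the links from a text message and flags the tell-tale signs of a delivery-fee lure. The brand allowlist and the sample messages are constructed assumptions for illustration, and the registrable-domain logic is a deliberately naive eTLD+1 approximation rather than a full public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption, not authoritative): brands commonly impersonated
# in delivery-fee smishing, mapped to the registrable domains they really use.
KNOWN_BRANDS = {"dhl": {"dhl.com", "dhl.de"}, "fedex": {"fedex.com"}, "ups": {"ups.com"}}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TWO_PART_SUFFIXES = {"co.uk", "com.au", "com.hk", "co.jp"}  # tiny stand-in for the PSL


def registrable_domain(host):
    """Naive eTLD+1: last two labels, or three when the suffix is a known two-part one."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_url(url):
    """Return the reasons a URL looks like a smishing lure (empty list = nothing found)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("not https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("IP-literal host")  # no brand check makes sense for a bare IP
        return reasons
    if "xn--" in host:
        reasons.append("punycode label (possible homoglyph domain)")
    apex = registrable_domain(host)
    # Brand name used as a whole label or hyphen-part, e.g. dhl-parcel-fee.com or dhl.com.evil.net,
    # while the registrable domain is not one the brand actually owns.
    tokens = re.split(r"[.-]", host)
    for brand, real_domains in KNOWN_BRANDS.items():
        if brand in tokens and apex not in real_domains:
            reasons.append(f"mentions {brand} but registrable domain is {apex}")
    if host.count("-") >= 2:
        reasons.append("many hyphens in host")
    return reasons


def triage_sms(text):
    """Map every URL found in a message to its list of warning reasons."""
    return {url: triage_url(url) for url in URL_RE.findall(text)}


# Constructed sample messages (not real campaigns)
LURE = "DHL: parcel on hold, pay the 2.99 delivery fee at https://dhl-parcel-fee.com/pay"
LEGIT = "Your DHL shipment is out for delivery. Track it: https://www.dhl.com/track"
```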
Previously I wrote about my encounter with a phone scammer📱. This is also one type of phishing, known as "vishing." It is often referred to as "voice phishing," meaning that cybercriminals use social engineering tactics over the phone to lure victims into acting and giving up personal information.
Like phishing or smishing, vishing relies on convincing targets that they are doing the right thing by responding to the caller. Often the caller will pretend to be someone from the government, tax department, police, or the bank (like Mr. Li in my case).
Cybercriminals use threats and persuasive language to make victims feel they have no choice but to give up the information being asked for. Some cybercriminals use strong and forceful language, while others offer to help the victim avoid criminal charges.
Another common tactic is to leave threatening voicemails that tell the recipient to call back immediately or risk being arrested, having bank accounts shut down, or worse.
Recently, in Hong Kong, a woman lost HK$20 million (around 2.58 million USD) to a vishing attack. Vishing is particularly effective in Hong Kong, since scammers can now pose as the all-powerful special police force set up under the national security law.
Final Words: What Should We Do to Avoid Phishing
The reality of this situation is that no one can stop phishing completely. Certainly, there are multiple steps a company can take to deploy anti-phishing protection. You must also keep up to date on contemporary phishing strategies and ensure your security policies and solutions can eliminate threats as they evolve.
Remember, phishing is a key form of social engineering. Therefore, you need to make sure that employees understand the risks of opening email attachments or clicking links from unfamiliar sources, since either can lead to a malware infection. The best way to cover this is a training program that actually works.
You should include a session showing them what good and bad emails tend to look like. That way, users get an idea of how to check the validity of an email. The way to verify the effectiveness of training is with testing.
Performing phishing trials against your own organization will help you know whether your staff is ready to handle a real phishing attack. It can also help you assess their level of sophistication in handling phishing attempts.
If you, unfortunately, fall for a phishing attack, please do the following:
- Contact the IT department and let them know the situation
- Reset the password for the related applications
- Do not reuse passwords: also reset any other account that shares the same password as the applications above
- Monitor the account with care for 30 days
Finally, NIST has developed a method to help security teams see why users click on phishing emails:
Thank you for reading. May InfoSec be with you🖖.