What is Phishing Attack? How this cyber attack works, its types and how to prevent it

Aditi Hemane
6 min read · Nov 6, 2020

In this blog, I would like to introduce one of the core concepts of cyber security: the phishing attack.

Image Source: Kratikal.com

What is a phishing attack?

Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.

How does this cyber attack work?

The following illustrates a common phishing scam attempt:

· A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible.

· The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.

Image Source: imperva.com

Several things can occur by clicking the link. For example:

· The user is redirected to myuniversity.edurenewal.com, a bogus page appearing exactly like the real renewal page, where both new and existing passwords are requested. The attacker, monitoring the page, hijacks the original password to gain access to secured areas on the university network.

· The user is sent to the actual password renewal page. However, while being redirected, a malicious script activates in the background to hijack the user’s session cookie. This results in a reflected XSS attack, giving the perpetrator privileged access to the university network.

6 Common Phishing Attacks

Image Source: tripwire.com

1. Deceptive Phishing

Deceptive phishing is by far the most common type of phishing scam. In this ploy, fraudsters impersonate a legitimate company in an attempt to steal people’s personal data or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing what the attackers want.

2. Spear Phishing

In this type of ploy, fraudsters customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender. Yet the goal is the same as deceptive phishing: trick the victim into clicking on a malicious URL or email attachment so that they’ll hand over their personal data. Given the amount of information needed to craft a convincing attack attempt, it’s no surprise that spear-phishing is commonplace on social media sites like LinkedIn where attackers can use multiple data sources to craft a targeted attack email.

3. CEO Fraud

Spear phishers can target anyone in an organization, even executives. That’s the logic behind a “whaling” attack. In these scams, fraudsters try to harpoon an exec and steal their login details.

In the event their attack proves successful, fraudsters can choose to conduct CEO fraud. As the second phase of a business email compromise (BEC) scam, CEO fraud is when attackers abuse the compromised email account of a CEO or other high-ranking executive to authorize fraudulent wire transfers to a financial institution of their choice. Alternatively, they can leverage that same email account to conduct W-2 phishing in which they request W-2 information for all employees so that they can file fake tax returns on their behalf or post that data on the dark web.

4. Vishing

This type of phishing attack dispenses with sending out an email and instead goes for placing a phone call. As noted by Comparitech, an attacker can perpetrate a vishing campaign by setting up a Voice over Internet Protocol (VoIP) server to mimic various entities in order to steal sensitive data and/or funds.

5. Smishing

Vishing isn’t the only type of phishing that digital fraudsters can perpetrate using a phone. They can also conduct what’s known as smishing. This method leverages malicious text messages to trick users into clicking on a malicious link or handing over personal information.

6. Pharming

As users become wiser to traditional phishing scams, some fraudsters are abandoning the idea of “baiting” their victims entirely. Instead, they are resorting to pharming. This method of phishing leverages cache poisoning against the domain name system (DNS), a naming system which the Internet uses to convert alphabetical website names, such as “www.microsoft.com,” to numerical IP addresses so that it can locate and thereby direct visitors to computer services and devices.

In a DNS cache poisoning attack, a pharmer targets a DNS server and changes the IP address associated with an alphabetical website name. That means an attacker can redirect users to a malicious website of their choice. That’s the case even if the victim enters the correct site name.
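As an added illustration (not part of the original post), the Python sketch below shows the check a caching resolver performs before it believes a reply: the response is accepted only if its transaction ID, question section and answer name all match the query that is still outstanding, so a forged packet that guesses the ID wrongly or answers for a different name is dropped instead of poisoning the cache. The names, IP addresses and helper functions are constructed for this example.

```python
import struct
import secrets
from typing import Optional, Tuple

# Constructed scenario (not from the original post): a stub resolver asks for
# www.microsoft.com and must decide which of several UDP replies to trust.
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split("."))
    return out + b"\x00"


def parse_name(data: bytes, off: int) -> Tuple[str, int]:
    """Read a name at `off`, following one compression pointer if present. Returns (name, next offset)."""
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:                     # pointer to a name that appeared earlier
            ptr = ((length & 0x3F) << 8) | data[off]
            tail, _ = parse_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), off + 1
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def build_query(name: str, txid: int) -> bytes:
    """A standard recursive A query for `name` carrying transaction ID `txid`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)


def build_response(name: str, txid: int, ip: str, answer_name: Optional[str] = None) -> bytes:
    """A single-answer A reply. `answer_name` lets the caller show an answer for the wrong name."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, one question, one answer
    question = encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(answer_name or name) + struct.pack(">HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


def validate_response(query: bytes, response: bytes) -> Tuple[Optional[str], str]:
    """Accept a reply only if its ID, question and answer all match the outstanding query."""
    q_txid = struct.unpack(">H", query[:2])[0]
    r_txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    if r_txid != q_txid:
        return None, "transaction ID does not match the query"
    if not flags & 0x8000 or qdcount != 1 or ancount < 1:
        return None, "malformed or non-answer reply"
    q_name, q_off = parse_name(query, 12)
    q_type, q_class = struct.unpack(">HH", query[q_off:q_off + 4])
    r_name, off = parse_name(response, 12)
    r_type, r_class = struct.unpack(">HH", response[off:off + 4])
    off += 4
    if (r_name.lower(), r_type, r_class) != (q_name.lower(), q_type, q_class):
        return None, "question section differs from what was asked"
    a_name, off = parse_name(response, off)
    a_type, _a_class, _ttl, rdlen = struct.unpack(">HHIH", response[off:off + 10])
    off += 10
    if a_name.lower() != q_name.lower() or a_type != TYPE_A or rdlen != 4:
        return None, "answer is for a different name or type (ignored)"
    return ".".join(str(b) for b in response[off:off + 4]), "accepted"


if __name__ == "__main__":
    txid = secrets.randbelow(1 << 16)            # unpredictable ID: the first line of defence
    query = build_query("www.microsoft.com", txid)
    genuine = build_response("www.microsoft.com", txid, "203.0.113.10")
    wrong_id = build_response("www.microsoft.com", (txid + 1) & 0xFFFF, "198.51.100.9")
    print(validate_response(query, genuine))     # ('203.0.113.10', 'accepted')
    print(validate_response(query, wrong_id))    # (None, 'transaction ID does not match the query')
```

Production resolvers layer source-port randomization and DNSSEC validation on top of these checks. None of that helps when the DNS server itself has been altered, as the paragraph above describes, so the endpoint's own HTTPS certificate check remains the last line of defence against being steered to the wrong host.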

How to prevent phishing

Phishing attack protection requires steps to be taken by both users and enterprises.

For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they’re even receiving such an email.

There are a number of steps you can take and mindsets you should get into that will keep you from becoming a phishing statistic, including:

· Always check the spelling of the URLs in email links before you click or enter sensitive information

· Watch out for URL redirects, where you’re subtly sent to a different website with identical design

· If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply

· Don’t post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media
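The URL checks in the list above can be mechanised. The following Python example is added here and is not code from the original post: it classifies links the way a careful reader would, flagging the page's own myuniversity.edurenewal.com look-alike, a genuine domain hidden as a subdomain of another site, userinfo before an '@', one-character typo-squats and redirect wrappers. The sample links, the expected domain and the helper names are constructed for the example, and the registrable-domain logic is deliberately simplified (a real implementation consults the public suffix list).

```python
from typing import Dict, Tuple
from urllib.parse import urlparse

# Constructed sample (not from the original post): the domain the email claims
# to come from, and links in the style of the password-renewal lure above.
EXPECTED_DOMAIN = "myuniversity.edu"

SAMPLE_LINKS = [
    "https://myuniversity.edu/renewal",                   # the genuine renewal page
    "https://myuniversity.edurenewal.com/login",          # the look-alike host from the example above
    "https://myuniversity.edu.renewal-portal.com/",       # real name used as a subdomain of another site
    "http://myuniversity.edu@198.51.100.7/renewal",       # text before '@' is userinfo; the real host is the IP
    "https://myunlversity.edu/renewal",                   # typo-squat: 'l' in place of 'i'
    "https://tracker.example.net/r?u=https://myuniversity.edu/renewal",  # redirect wrapper
]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplified: a real check consults the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, expected: str = EXPECTED_DOMAIN) -> Tuple[bool, str]:
    """Return (is_safe, reason). Safe only when the registrable domain is exactly `expected`."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()  # .hostname strips userinfo and port
    if parsed.username is not None:
        return False, f"credentials before '@' disguise the real host ({host})"
    if parsed.scheme != "https":
        return False, "not HTTPS"
    if "://" in parsed.query:
        return False, "query string carries another URL (likely a redirect)"
    if registrable_domain(host) == expected:
        return True, "domain matches"
    if expected in host:
        return False, f"look-alike: '{expected}' is embedded in '{host}'"
    if edit_distance(registrable_domain(host), expected) <= 2:
        return False, f"typo-squat: '{host}' is within two edits of '{expected}'"
    return False, f"'{host}' is not {expected}"


def triage(urls) -> Dict[str, Tuple[bool, str]]:
    """Classify every URL; anything not marked safe should not be clicked."""
    return {u: check_link(u) for u in urls}


if __name__ == "__main__":
    for url, (safe, why) in triage(SAMPLE_LINKS).items():
        print("SAFE   " if safe else "SUSPECT", url, "->", why)
```

Only the first link survives; every other one is rejected with a reason that names the trick, which is the kind of explanation worth showing to users when a mail gateway quarantines a message.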

Image Source: csoonline.com

For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

· Two-factor authentication (2FA) is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a password and user name, and something they have, such as their smartphones. Even when employees are compromised, 2FA prevents the use of their compromised credentials, since these alone are insufficient to gain entry.

· In addition to using 2FA, organizations should enforce strict password management policies. For example, employees should be required to change their passwords frequently and should not be allowed to reuse a password across multiple applications.

· Educational campaigns can also help diminish the threat of phishing attacks by enforcing secure practices, such as not clicking on external email links.
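To make the "something you know plus something you have" point concrete, here is an added Python example (not from the original post) of a login that requires both a salted password hash and a time-based one-time code, implemented from RFC 4226 (HOTP) and RFC 6238 (TOTP) with the standard library only. The in-memory user store, the user name and the scenario are constructed; the secret used in the demonstration is the published RFC test secret so that the codes are reproducible.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory user store (not from the original post): username -> (salt, pw_hash, totp_secret)
USERS: Dict[str, Tuple[bytes, bytes, bytes]] = {}


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    now = int(time.time()) if at is None else at
    return hotp(key, now // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[int] = None, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift), in constant time."""
    now = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(key, now + k * step, step), code) for k in range(-window, window + 1))


def enroll(username: str, password: str, totp_secret: Optional[bytes] = None) -> bytes:
    """Store a salted PBKDF2 password hash and a per-user TOTP secret; return the secret for the authenticator app."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    secret = totp_secret or secrets.token_bytes(20)
    USERS[username] = (salt, pw_hash, secret)
    return secret


def login(username: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors must pass: the password (something you know) and a fresh TOTP code (something you have)."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, pw_hash, secret = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, pw_hash):
        return False
    return verify_totp(secret, code, at=at)


if __name__ == "__main__":
    # RFC 6238 test secret, so the codes are reproducible: at t=59 the 6-digit code is 287082.
    secret = enroll("alice", "correct horse battery staple", totp_secret=b"12345678901234567890")
    phished_password = "correct horse battery staple"      # what a fake renewal page would have captured
    print(login("alice", phished_password, "000000", at=59))              # False: no valid second factor
    print(login("alice", phished_password, totp(secret, at=59), at=59))   # True: password and current code
    print(login("alice", phished_password, "338314", at=59))              # False: code from an older step (t=120)
```

A captured password on its own fails, and a code captured earlier fails once its time step has passed. One caveat for the claim above: a code relayed within its 30-second window by a real-time phishing proxy is still accepted, so for the highest-value accounts origin-bound factors such as FIDO2 security keys are stronger than one-time codes.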

Image Source: csoonline.com

If you work in your company’s IT security department, you can implement proactive measures to protect the organization, including:

· “Sandboxing” inbound email, checking the safety of each link a user clicks

· Inspecting and analyzing web traffic

· Pen-testing your organization to find weak spots and use the results to educate employees

· Rewarding good behavior, perhaps by showcasing a “catch of the day” if someone spots a phishing email
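The first two items above, sandboxing inbound email and inspecting each link, start with parsing the message. The following Python example is added here and is not code from the original post: it reads a constructed message in the style of the renewal lure, compares the sender's domain with the organisation's, looks for urgency cues in the subject, and walks every HTML anchor to catch link text that shows one host while the href points at another. The message, the organisation domain, the cue list and all function names are constructed for the example.

```python
import email
import email.policy
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

ORG_DOMAIN = "myuniversity.edu"
URGENCY_CUES = ("expire", "24 hours", "immediately", "suspended", "verify your account")

# Constructed message (not from the original post) in the style of the renewal lure above.
RAW_EMAIL = """\
From: IT Helpdesk <helpdesk@myuniversity-support.com>
To: staff@myuniversity.edu
Subject: Your password expires in 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Renew now: <a href="https://myuniversity.edurenewal.com/login">https://myuniversity.edu/renewal</a></p>
<p>Questions? See the <a href="https://myuniversity.edu/help">help page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL or bare domain; '' when the text is not URL-like."""
    candidate = text if "://" in text else "https://" + text
    return (urlparse(candidate).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Visible anchor text that a reader would take for an address."""
    return "." in text and " " not in text


def scan_email(raw: str, org_domain: str = ORG_DOMAIN) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was detected."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    sender_domain = msg["From"].addresses[0].domain.lower()
    if sender_domain != org_domain:
        findings.append(f"sender domain '{sender_domain}' is not {org_domain}")
    subject = str(msg["Subject"] or "").lower()
    cue = next((c for c in URGENCY_CUES if c in subject), None)
    if cue:
        findings.append(f"urgency cue in subject: '{cue}'")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            if looks_like_url(text) and host_of(text) != target:
                findings.append(f"link text shows '{host_of(text)}' but points to '{target}'")
            if target and not (target == org_domain or target.endswith("." + org_domain)):
                findings.append(f"link to external host '{target}'")
    return findings


if __name__ == "__main__":
    for finding in scan_email(RAW_EMAIL):
        print("-", finding)
```

Run on the constructed message it reports four findings: the foreign sender domain, the "expire" cue, the mismatch between the displayed myuniversity.edu address and the myuniversity.edurenewal.com target, and that external host itself. The genuine help-page link produces nothing, which is the behaviour you want from a gateway rule that feeds a quarantine or the "catch of the day" board.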

Using the above guide, I hope organizations will be able to more quickly spot some of the most common types of phishing attacks. Even so, that doesn’t mean they will be able to spot each and every phish. Phishing is constantly evolving to adopt new forms and techniques.

With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives can stay on top of phishing’s evolution.
