CyberLabs #1 – Phishing being one of the most popular cyber threats

What is Phishing?

Phishing is a form of fraud that involves impersonating a trusted institution or person (e.g., a bank, courier company or public figure) to persuade a victim to take action in order to benefit the attacker, such as providing login credentials. According to the 2021 annual report, CERT Poland handled as many as 22,575 phishing-related incidents, classifying this cyber threat as one of the most popular in 2021.

When talking about phishing, we often deal with mass mailing. However, there are several types of popular phishing out there, which are worth distinguishing:

• • Spear phishing – spear phishing attacks target a single user. The cyber-offender puts a lot more effort into getting to know his victim, including details of his work, people he regularly contacts or leisure activities. In this way, he can send a highly personalized email message making it much harder to detect.

• • Whaling –is a phishing on high-profile employees. In whaling attempts, cybercriminals use spear phishing tactics aimed at senior executives and encourage them to send highly sensitive information, for example, large money transfers

• • Pharming –is a type of phishing in which people who want to visit a real website are redirected to a fake one. This attack occurs when DNS server security is compromised or DNS addresses are spoofed.

Evolution of phishing attacks

Phishing attacks have evolved significantly over the past few years. They are no longer inane messages which are very different from genuine emails, while fraudulent website looks similar to the original one. What’s more, phishing messages are more and more often being used to send malware that can lead to ransomware attacks.

Currently, attackers use various techniques to hide their true intentions while creating phishing campaigns. These include browser-in-the-browser, homography attack or using trusted web pages to embed malware. Phishing also owes its popularity mainly to a large number of automated tools which can set up entire phishing campaigns – so you don’t need to be a developer or technology expert to create such a campaign. At the same time, in the so-called darknet, it is more and more common to find “Phishing as a Service”, that is websites where, for a subscription fee, we have access to many templates of popular sites or fake payment gateways, allowing us to phish for e.g., BLIK codes. With a subscription, we also get domains on which the entire infrastructure required is automatically set up.

‘I believe in the next few years the popularity of phishing will increase even more. Looking at today’s techniques, I can say that unless we regularly educate our employees and keep our systems secure, we may reach a situation which makes us very vulnerable to all sorts of attacks.’

Michał Błaszczak,  Pentester EmailLabs

What needs to be remembered, however, is that phishing is not limited to email messages only. There is also Vishing or Voice Phishing, in which scammer call us (often impersonating bank operators) to trick us into revealing personal information, and Smishing or phishing via text message.

Smishing is phishing via SMS

Apart from traditional phishing, criminals are often using smishing, the above-mentioned phishing via SMS. Since it’s not a problem to impersonate a particular service provider, cyber attackers are using it as another way to spread fake websites or malware. The rules behind this attack are the same as for classic phishing. The offender tries to influence us with certain emotions and thus force us to enter a given website address. There are cases in which this cybercriminals are so confident they don’t even impersonate specific service providers and send messages from ‘normal’ phone numbers. One would think that nobody would read such a message, however, the reality is far from that.

Which tricks do cybercriminals use?

As I mentioned earlier, phishing has evolved strongly in recent years and attackers no longer limit themselves to creating a similar email address. So in this part of the article, we’ll have a closer look at some of the tactics used in ‘today’s’ phishing:

Browser in the Browser

This technique displays an allegedly new window within a visited browser website, which simulates a fake login panel. In fact, that window is actually a page element, so the visible address of the new window is a plain text controlled 100% by the attacker. As a result, users may believe they are logging from a real website, especially since nowadays signing-in via third party services, e.g. Facebook, Twitter, Github, is nothing new (for such logins, we may see a ‘pop-up’ window asking to sign-in). The easiest way to recognize such attacks is to try to ‘pull’ the new window out of the web page we are on. If we fail to do so, we can be sure a Browser in the Browser technique has been used to attack us.

Homograph attack

It’ an attack which takes advantage to create and display URLs that include characters from non-Latin alphabet. Since different alphabets can have very similar characters, it can be used to build a nearly identical URL for a phishing attack.

Smart link shorteners

Well-known link shorteners work in a rather simple and familiar way, however, it’s worth noting that there are shorteners much more sophisticated than the ones we know. That’s because some of them are able to trick websites which ‘expand’ links, letting us know if a particular shortened URL really leads to, e.g. a bank web page. Besides, such shorteners are able to redirect users to different pages based on a device which the link is opened on, so the attack can be more targeted and harder to detect.

Trusted websites used for phishing

Cybercriminals are increasingly using popular and thus, trusted websites for conducting i.a., phishing attacks. By taking advantage of such pages, attackers effectively lull victims into a false sense of security. As part of this technique, they embed malicious files in familiar sites or create fake login pages. A full list of such websites can be found at Lots Project.

Cyber-security: cybersecurity tips and best practices

• • Raising awareness of employees/individuals 
    One of the key defensive elements (it applies not only to this attack) is employee education. That’s why it’s worth to deliver awareness training sessions on a regular basis throughout the year, in which new threat techniques (after all, it’ s one of those attacks that are constantly evolving) and methods of detecting them will be demonstrated. Within users’ education, we may also perform a controlled phishing attack in order to present the actual level of employee awareness.

• • Detailed verification of sender’s address
     Verify whether the address is correct and there are no typos. Often, cybercriminals create very similar email addresses that resemble the real ones.

• • Verification if the link in the email is the real address of our service provider
    Remember that you don’t have to click on the link to verify its validity! Just move a cursor over the hyperlink in the message to know where it leads. If the attacker used a link shortener, we can use available websites that “expand” the link, to see a real destination address.

• • Keep in mind that social engineering is also used in most phishing attacks.
    Attackers try to exert fear (e.g., information about legal problems if an invoice is unpaid), embarrassment (e.g.,a message that someone has gained access to our private information) or euphoria (e.g., an email in which we are informed about a big win). So let’s not get carried away by our emotions!

• • Check SPF/DKIM/DMARC entries
    To send phishing messages, a cybercriminal may also use e.g. our colleague’s email address ( either by taking over their mailbox or by spoofing email address, so it’s worth verifying the correctness of SPF/DKIM/DMARC entries and implement BIMI). So if we receive a suspicious email from a workmate, it’s worth checking.

• • Let’s not forget that emails are not the only channel of communication
    If we have any doubts about a message, we can verify it e.g., by calling bank’s contact centre or asking a friend if this message was meant for us. It’ also important not to use phone numbers, email addresses included in, e.g., the message footer. You may find that these details are fake as well, and instead we’ ll contact an offender who’s going to confirm the message is genuine.