

H2 Weekly Newsletter Edition 4


H2 Cyber Risk Advisory Services


Phishing – what exactly is it? 

Well, I think it’s well known by now what phishing is, but it’s worth a reminder, as it’s something SMEs are subject to every day. Phishing is all about deception. It gets its name because a cybercriminal goes “fishing” with an attractive “bait” in order to hook victims from the vast “ocean” of internet users. Generally, a phishing attempt has three characteristics:

  • The attack is conducted via electronic communications, such as email or a phone call.
  • The attacker pretends to be an individual or organization you can trust.
  • The goal is to obtain sensitive personal information, such as login credentials or credit card numbers.

How does phishing work?

Whether conducted over email, social media, SMS, or another vector, all phishing attacks follow the same basic principles. The attacker sends a targeted pitch aimed at persuading the victim to click a link, download an attachment, send requested information, or even complete an actual payment.

As for what phishing can do, that’s left up to the imagination and skill of the phisher. Social media gives phishers access to more personal information than ever before. Armed with all this data, phishers can precisely tailor their attacks to the needs, wants, and life circumstances of their targets, resulting in a much more attractive proposition. Social media, in these cases, fuels more powerful social engineering. This applies to the workplace just as much as to the individual: it is commonplace for employees to associate themselves with their employer on their personal social media, and for company websites to publish details about their employees.

What are the effects of phishing?

Most phishing can lead to identity or financial theft, and it’s also an effective technique for corporate espionage or data theft. Some hackers will go so far as to create fake social media profiles and invest time into building a rapport with potential victims, only springing the trap after establishing trust.

What’s the cost of phishing? Not just financial damages, but in these cases, a loss of trust. It hurts to get scammed by someone you thought you could count on, and recovery can take a long time.

Common phishing strategies

Let’s take a look at some common strategies. Hackers can conduct a wide range of attacks from technical wizardry to good, old-fashioned con jobs:

  • Deceptive phishing: You will have picked up from above that all phishing is deceptive. Phishing is all about fooling you. But “deceptive phishing” as a term specifically refers to when hackers masquerade as legitimate companies or individuals in order to gain your trust.
  • Spear phishing: Phishing casts a wide net, trying to catch as many people as possible, whereas spear phishing is when phishers personalize their attacks to target specific individuals.
  • Whaling: Completing the set of nautical metaphors is whaling, which is a phishing attack that targets a certain high-value individual. It’s the same as spear phishing, but with much more ambitious targets. Even C-suite execs aren’t immune to whaling attacks.
  • CEO fraud: Phishers will impersonate a company’s CEO or other high-ranking executive to extract either payment or insider info from employees. CEO fraud campaigns are frequent follow-ups to whaling attacks, since the attacker has already obtained the CEO’s login credentials.
  • Pharming: Pharming (from the sea to the farmyard) uses technological tricks that replace the need to fool you with bait. For example, DNS cache poisoning is a pharming technique that can automatically redirect you away from a legitimate website to the attacker’s spoofed version. If you’re not paying attention, you won’t notice the scam until it’s too late.
  • Dropbox phishing & Google Docs phishing: Popular cloud services are attractive phishing targets. Attackers will whip up spoofed versions of the login screens, harvest your credentials when you enter them, then help themselves to all your files and data.
  • Clone phishing: Attackers can take a legitimate email and then “clone” it, sending the exact same email to all the previous recipients with one crucial twist: the links are malicious now.
  • Link manipulation: Phishers will send links that appear as though they’re leading to one URL, but when clicked go somewhere else. Common tricks include deliberate misspellings (e.g. “only” vs “onIy”; the second one has a capital i) or writing the name of a trusted website as the link’s display text. No one is spared. I recently received an email purporting to come from the company from which I rent my domain, informing me that the account has expired and if I didn’t click the link and renew, then my web services would cease immediately. Note the push for immediate action, designed to make me panic and cut down on my thinking time. A quick look at the address it came from told me that this wasn’t genuine, simply because of the misspelling.
  • Cross-site scripting: Sophisticated phishers can exploit weaknesses in a website’s scripts to hijack the site for their own ends. Cross-site scripting is hard to detect because everything on the website appears to be legitimate, from the URL to the security certificates.
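The link-manipulation tricks in the list above (look-alike characters such as a capital I standing in for a lowercase l, and display text that names a trusted site while the link itself goes elsewhere) can be checked automatically before anyone clicks. The script below is an added example, not code from the newsletter or from H2: it assumes you keep a list of the domains you trust, and it runs over a constructed sample email modelled on the domain-renewal message described above.

```python
import re
# Look-alike substitutions used in spoofed domains (constructed list, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"), ("0", "o")]
HOST_RE = re.compile(r"^(?:[a-zA-Z][\w+.-]*://)?(?:[^@/?#]*@)?([^/:?#\s]+)")
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-zA-Z]{2,}(?:/\S*)?$")
# Demo-only anchor matcher; feed real mail through a proper HTML parser instead.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)
def skeleton(host):
    """Collapse confusable characters so 'onIy' and 'only' compare equal."""
    for lookalike, real in CONFUSABLES:
        host = host.replace(lookalike, real)
    return host.lower()
def host_of(s):
    """Host part of a URL or bare domain, with its original case kept."""
    m = HOST_RE.match(s.strip())
    return m.group(1) if m else ""
def same_site(a, b):
    """True when one host equals or is a subdomain of the other."""
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)
def look_alike_of(host, trusted):
    """Trusted domain that host (or one of its parent domains) imitates, else None."""
    labels = host.split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        for t in trusted:
            if cand.lower() != t.lower() and skeleton(cand) == skeleton(t):
                return t
    return None
def analyse(html, trusted):
    """Return [(href, [reasons])] for links whose display text or host misleads."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags inside the anchor
        reasons, h = [], host_of(href)
        if DOMAIN_LIKE.match(text) and not same_site(host_of(text), h):
            reasons.append(f"display text names {host_of(text)} but link goes to {h}")
        t = look_alike_of(h, trusted)
        if t:
            reasons.append(f"{h} is a look-alike of {t}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample, modelled on the 'domain renewal' email described above.
SAMPLE_EMAIL = """<p>Your account has expired. <a href="http://renew.example-onIy.com/login">Renew now</a>
or visit <a href="http://203.0.113.5/x">www.example-only.com</a>.
Help: <a href="https://support.example-only.com/">support.example-only.com</a></p>"""
TRUSTED = ["example-only.com"]
```

Running analyse(SAMPLE_EMAIL, TRUSTED) flags the first two links (a look-alike domain and a display name that does not match the real destination) and leaves the genuine support link alone.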