Author: Dan Ballinger
Dan is Expert of Technology at PointWire. Experienced Information Technology Manager with a demonstrated history of working in the computer software industry.
Let us talk about phishing in the IT world. Unlike traditional fishing, you are the target, with bait dangling in front of your nose. Anyone who has an email address (and checks it!) has likely received a phishing email. The aim of phishing is to trick you into handing over sensitive information, most often your login credentials. It is the most common attack vector in IT because it is cheap to carry out, needs very little technical knowledge, reaches almost everyone (most people have an email account), and exploits the weakest part of any IT security strategy: humans.
Types of Phishing
Generic (bulk) phishing is the most used attack method. Malicious parties typically don't have any other information about you apart from your email address. They send the same email to many people across the globe, and these are easy to spot because they are not targeted at the recipient, so the content is quite generic. For example, you may receive an email stating that your HSBC account has been compromised and that you must click the link to log in, yet you have never banked with HSBC. These attacks have a low success rate, but given the sheer number of emails sent, enough people fall for them to make the campaign profitable.
Spear phishing attacks are more sophisticated. They use the same underlying principles but include personal information that makes the email seem genuine. This can include your name, employment history, job title and more, much of which can be obtained from your social media accounts. There has also been an increase in personal information stolen from compromised websites, which makes the email seem even more official because it contains information that is not publicly available: past passwords, home address, date of birth and relationship preferences. This information can be purchased in bulk on the dark net, usually filtered to match the attacker's target group.
Whaling targets are hand-selected and well researched, which can make a fake difficult to spot. Attackers utilise accounts stolen in previous successful phishing campaigns to target their whale. If the stolen account is one the recipient already trusts, the email will get past the security in place: it is sent from the genuine mailbox, so it passes sender checks such as SPF, DKIM and DMARC, and it arrives in an existing conversation. The attacker will also read prior email communications to understand the current situation, while the owner of the compromised mailbox does not know they are under attack. Whaling attacks can cause significant losses, whether financial or of intellectual property.
A Real Life Example
Mike, at Company A, received an email. Somebody had shared a file via Office 365, and Mike was prompted to click the link to access the file. The link sent Mike to a cloned Office 365 login page, where he entered his credentials. An error message appeared telling him his password was incorrect and asking him to re-enter it. Unaware that he had just given his credentials to the attacker, he was then redirected to the official Office 365 website. Mike entered his credentials again and was logged in. There was no shared file, but nothing struck him as out of place. Mike assumed the sender had made an error and did not chase up why the link had not worked.
Fast forward a few weeks. Mike has forgotten about this incident. What he doesn't realise is that the attacker is spying on Mike's mailbox, searching for valuable information they can use as leverage.
Then it comes: the mother lode. Mike is discussing a multimillion-pound deal with Company B. Mike closes the deal, and the attacker seizes the opportunity. The attacker creates an inbox rule so that new emails from Company B are moved straight into Mike's RSS Feeds folder, where he is unlikely to see them, leaving the attacker free to carry on the conversation in Mike's name.
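The inbox rule is the tell in this part of the story, and it is one of the few things a defender can hunt for before any money moves. The script below is an added example, not code from the article or from PointWire: it triages a list of inbox rules for the patterns seen in business email compromise (mail moved into seldom-read folders such as RSS Feeds, deleted, or forwarded outside the organisation, non-descriptive rule names such as ".", and conditions keyed on invoices or payments). The rule records are constructed and shaped like the fields Exchange Online's `Get-InboxRule` cmdlet returns (for example exported with `Get-InboxRule -Mailbox mike@companya.example | ConvertTo-Json`); the field names, the folder path format and the internal domain `companya.example` are assumptions for the example.

```python
"""Triage exported mailbox inbox rules for BEC-style hiding and exfiltration.

Added example. Input records are constructed and modelled on Get-InboxRule
fields (Name, Enabled, From, SubjectContainsWords, BodyContainsWords,
MoveToFolder, DeleteMessage, ForwardTo, ForwardAsAttachmentTo, RedirectTo);
the exact export shape is an assumption.
"""
import re

INTERNAL_DOMAIN = "companya.example"  # assumed: the victim organisation's own domain

# Folders attackers move mail into because users rarely open them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}

# Condition keywords that suggest the rule is aimed at payment traffic.
MONEY_WORDS = {"invoice", "payment", "bank", "wire", "remittance", "iban", "swift"}


def _folder_name(path):
    """Last path component, lower-cased. Assumes MoveToFolder is reported as
    '<mailbox>\\<folder>'; returns None when no folder is set."""
    if not path:
        return None
    return re.split(r"[\\/]", str(path))[-1].strip().lower()


def _is_external(address):
    return "@" in address and address.rsplit("@", 1)[1].lower() != INTERNAL_DOMAIN


def triage_rule(rule):
    """Return the reasons this rule looks like BEC tradecraft (empty list if none).
    Disabled rules are skipped: they do nothing until re-enabled."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2 or not re.search(r"[a-z]", name, re.I):
        reasons.append(f"non-descriptive rule name {name!r}")
    folder = _folder_name(rule.get("MoveToFolder"))
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to seldom-read folder '{folder}'")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in rule.get(field) or []:
            if _is_external(addr):
                reasons.append(f"{field} sends mail outside {INTERNAL_DOMAIN}: {addr}")
    words = (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])
    conditions = " ".join(str(w) for w in words).lower()
    hits = sorted(w for w in MONEY_WORDS if w in conditions)
    if hits:
        reasons.append(f"conditions match payment keywords {hits}")
    senders = [s for s in (rule.get("From") or []) if _is_external(s)]
    if senders and (folder in HIDING_FOLDERS or rule.get("DeleteMessage")):
        reasons.append(f"hides mail from specific external senders {senders}")
    return reasons


def triage_mailbox(rules):
    """Map rule name -> reasons, for every rule that raised at least one flag."""
    flagged = {}
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            flagged[rule.get("Name", "?")] = reasons
    return flagged


# Constructed sample export for the scenario in the article: a benign rule,
# the attacker's rule hiding Company B's mail, and a disabled leftover.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "From": ["news@vendor.example"],
     "MoveToFolder": "Mike\\Newsletters", "DeleteMessage": False},
    {"Name": "..", "Enabled": True, "From": ["finance@companyb.example"],
     "MoveToFolder": "Mike\\RSS Feeds", "DeleteMessage": False,
     "SubjectContainsWords": ["invoice", "payment"]},
    {"Name": "Old project", "Enabled": False, "DeleteMessage": True},
]

if __name__ == "__main__":
    for rule_name, why in triage_mailbox(SAMPLE_RULES).items():
        print(f"[SUSPICIOUS] {rule_name!r}: " + "; ".join(why))
```

Run against a real export, the only rule flagged in the sample is the attacker's: it has a throwaway name, files mail from an external partner into RSS Feeds, and keys on invoice and payment subjects. One caveat when you use this for real: rules created directly through the MAPI interface can be hidden from the normal rule listing, so an empty result from `Get-InboxRule` alone does not prove a mailbox is clean.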
The attacker emails Company B from Mike's account. These emails pass Company B's spam filters because, as far as any filter can tell, they are genuine: they come from Mike's real mailbox, with his real domain, within an existing email thread. The attacker requests payment for the deal, attaching a PDF of a past invoice modified to carry the attacker's bank details. Nothing looks suspicious, because Company B was expecting to pay this invoice.
While the attacker is waiting for the funds to arrive, everything goes quiet. They attempt to log into Mike's account, but the account has been locked. What happened?
Company B noticed an extra address in the CC line of the invoice email and, on closer inspection, its email domain differed from Mike's original address. The email was forwarded to IT for investigation, which found that the domain had been registered only two weeks earlier. This raised alarm bells at Company B: the payment was halted, and Company A were informed.
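The catch at Company B came down to one observation: an address in CC whose domain was almost, but not quite, Mike's. That comparison can be automated at the mail gateway or in a triage script. The code below is an added example, not part of the article, and it generalises the story slightly: it parses the headers of a raw message with Python's standard `email` library, checks every address in From, Reply-To, To and CC against a list of domains you already do business with, and flags any domain that imitates one of them (a small edit distance, a common homoglyph swap such as `rn` for `m`, or the trusted name embedded in a longer one), plus a Reply-To that points away from the sender. The trusted domain list (`companya.example`, `companyb.example`) and the sample message are constructed for illustration. The other check in the story, the domain's registration date, needs an online WHOIS or RDAP lookup and is deliberately left out so the example runs offline.

```python
"""Flag lookalike domains and Reply-To mismatches in email headers.

Added example, not from the article. TRUSTED_DOMAINS and SAMPLE_MESSAGE are
constructed for illustration.
"""
from email import message_from_string
from email.utils import getaddresses

TRUSTED_DOMAINS = {"companya.example", "companyb.example"}  # assumed partner list

# Character pairs that look alike on screen; each fake form is folded to the real one.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("l", "i"), ("cl", "d")]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label):
    """Fold homoglyph pairs so 'cornpanya' compares equal to 'companya'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is an exact
    trusted domain or unrelated. Only the first (registrable) label is compared."""
    domain = domain.lower()
    if domain in trusted:
        return None
    d_label = domain.split(".")[0]
    for good in sorted(trusted):  # sorted for a deterministic answer
        g_label = good.split(".")[0]
        if (normalise(d_label) == normalise(g_label)
                or levenshtein(d_label, g_label) <= 2
                or g_label in d_label):
            return good
    return None


def _domains(msg, header):
    return {addr.rsplit("@", 1)[1].lower()
            for _name, addr in getaddresses(msg.get_all(header, [])) if "@" in addr}


def check_headers(raw_message):
    """Parse a raw RFC 822 message and list every suspicious address finding."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To", "To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if "@" not in addr:
                continue
            target = lookalike_of(addr.rsplit("@", 1)[1])
            if target:
                findings.append(f"{header}: {addr} imitates {target}")
    reply_domains, from_domains = _domains(msg, "Reply-To"), _domains(msg, "From")
    if reply_domains and not reply_domains <= from_domains:
        findings.append(f"Reply-To domain {sorted(reply_domains)} differs from From {sorted(from_domains)}")
    return findings


# Constructed message modelled on the invoice email in the story: the real
# sender is Mike, but an attacker-controlled lookalike address sits in Cc.
SAMPLE_MESSAGE = """\
From: Mike <mike@companya.example>
To: accounts@companyb.example
Cc: Mike <mike@cornpanya.example>
Subject: Invoice for deal - updated bank details
Content-Type: text/plain

Please find the invoice attached. Note our new bank details.
"""

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_MESSAGE):
        print("[SUSPICIOUS]", finding)
```

On the sample the only finding is the CC address, exactly what Company B spotted by eye. The edit-distance threshold of 2 is generous and will also flag genuinely unrelated short names that happen to be close to a partner's, so treat a hit as a reason to look, not as proof; the registration-date check from the story is a good second signal.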
Next time you receive an email, look for inconsistencies, tread with caution, and report anything suspicious to your IT security department.