PHISHING ATTACKS



WHAT IS A PHISHING ATTACK

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.
An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft.
Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.
An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.


What is a phishing kit?

The availability of phishing kits makes it easy for cyber criminals, even those with minimal technical skills, to launch phishing campaigns. A phishing kit bundles phishing website resources and tools that need only be installed on a server. Once installed, all the attacker needs to do is send out emails to potential victims. Phishing kits as well as mailing lists are available on the dark web. A couple of sites, PhishTank and OpenPhish, keep crowd-sourced lists of known phishing kits.
The Duo Labs report, Phish in a Barrel, includes an analysis of phishing kit reuse. Of the 3,200 phishing kits that Duo discovered, 900 (27 percent) were found on more than one host. That number might actually be higher, however. “Why don’t we see a higher percentage of kit reuse? Perhaps because we were measuring based on the SHA1 hash of the kit contents. A single change to just one file in the kit would appear as two separate kits even when they are otherwise identical,” said Jordan Wright, a senior R&D engineer at Duo and the report’s author.
[Infographic: Anatomy of a Phishing Kit, by Duo Security]
Analyzing phishing kits allows security teams to track who is using them. “One of the most useful things we can learn from analyzing phishing kits is where credentials are being sent. By tracking email addresses found in phishing kits, we can correlate actors to specific campaigns and even specific kits,” said Wright in the report. “It gets even better. Not only can we see where credentials are sent, but we also see where credentials claim to be sent from. Creators of phishing kits commonly use the ‘From’ header like a signing card, letting us find multiple kits created by the same author.”
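Wright's two observations above, that a whole-kit SHA1 undercounts reuse because one edited file changes the hash, and that addresses hard-coded in a kit link it to an actor, as an added illustration that is not Duo's tooling. The kit contents are constructed stand-ins and the addresses are `.invalid` placeholders:

```python
import hashlib
import re

# Email addresses hard-coded in kit source (exfiltration target and 'From' signature).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def kit_sha1(files: dict) -> str:
    """Whole-kit SHA1 over file names and contents in sorted order.
    Any single changed byte yields a new hash, which is why whole-kit hashing undercounts reuse."""
    h = hashlib.sha1()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + files[name] + b"\0")
    return h.hexdigest()

def file_hashes(files: dict) -> set:
    """Per-file (name, SHA1) pairs; unchanged files keep matching across kit variants."""
    return {(name, hashlib.sha1(data).hexdigest()) for name, data in files.items()}

def kit_similarity(a: dict, b: dict) -> float:
    """Jaccard similarity of the two kits' per-file hash sets (1.0 = identical)."""
    fa, fb = file_hashes(a), file_hashes(b)
    return len(fa & fb) / len(fa | fb)

def exfil_addresses(files: dict) -> set:
    """Addresses found in kit source, i.e. where stolen credentials are sent and
    the 'From' header the author signs with."""
    found = set()
    for data in files.values():
        found.update(EMAIL_RE.findall(data.decode("utf-8", "replace")))
    return found

def group_by_address(kits: dict) -> dict:
    """Map each address to the kits that use it, linking kits to one actor or campaign."""
    groups = {}
    for kit_name, files in kits.items():
        for addr in exfil_addresses(files):
            groups.setdefault(addr, set()).add(kit_name)
    return groups

# Constructed kits: B is A with one edited template, as in the report's reuse caveat.
KIT_A = {
    "index.html": b"<html><!-- constructed login template --></html>",
    "post.php": b"<?php // constructed: forward captured fields\n"
                b"$to = 'drop@example.invalid'; $headers = 'From: kitauthor@example.invalid'; ?>",
    "style.css": b"body { margin: 0 }",
}
KIT_B = dict(KIT_A, **{"index.html": b"<html><!-- constructed login template v2 --></html>"})
```

With these kits `kit_sha1` differs while `kit_similarity` stays at 0.5, and both kits group under the same two addresses.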

PHISHING ATTACK EXAMPLES

The following illustrates a common phishing scam attempt:

  • A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible.
  • The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.
[Image: phishing email example]
Several things can occur by clicking the link. For example:

  • The user is redirected to myuniversity.edurenewal.com, a bogus page appearing exactly like the real renewal page, where both new and existing passwords are requested. The attacker, monitoring the page, hijacks the original password to gain access to secured areas on the university network.
  • The user is sent to the actual password renewal page. However, while being redirected, a malicious script runs in the background and steals the user’s session cookie. This is a reflected XSS attack, giving the perpetrator privileged access to the university network.

PHISHING TECHNIQUES

EMAIL PHISHING SCAMS

Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam. As seen above, there are some techniques attackers use to increase their success rates.
For one, they will go to great lengths in designing phishing messages to mimic actual emails from a spoofed organization. Using the same phrasing, typefaces, logos, and signatures makes the messages appear legitimate.
In addition, attackers will usually try to push users into action by creating a sense of urgency. For example, as previously shown, an email could threaten account expiration and place the recipient on a timer. Applying such pressure causes the user to be less diligent and more prone to error.
Lastly, links inside messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains. In the above example, the myuniversity.edu/renewal URL was changed to myuniversity.edurenewal.com. Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place.
[Image: phishing link example]
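An added example, not part of the original page, of how a mail filter or a security team could apply the URL check described above mechanically: compare the registrable domain of each link with the domain the message claims to come from, and flag extra subdomains, embedded brand names and one-character misspellings. The suffix list, the verdict labels and the sample message are constructed:

```python
import re
from urllib.parse import urlparse

# Constructed, partial stand-in for the Public Suffix List (real tools use the full list).
SECOND_LEVEL_SUFFIXES = {"co.uk", "ac.uk", "com.au", "edu.au"}
# Matches http(s) links in a plain-text message body.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable_domain(host: str) -> str:
    """Return the part of a hostname the registrant actually controls (e.g. edurenewal.com)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit apart means a likely typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_verdict(url: str, legit_domain: str) -> str:
    """Classify a link against the domain the message claims to come from."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    reg = registrable_domain(host)
    legit = registrable_domain(legit_domain)
    brand = legit.split(".")[0]          # "myuniversity"
    if reg == legit:
        return "legitimate"              # myuniversity.edu/renewal
    if brand in reg:
        return "brand-embedded"          # myuniversity-renewal.com
    if brand in host:
        return "brand-in-subdomain"      # myuniversity.edurenewal.com (the page's example)
    if edit_distance(reg.split(".")[0], brand) <= 1:
        return "typosquat"               # myuniverslty.edu
    return "unrelated"

def scan_email_links(body: str, legit_domain: str) -> dict:
    """Find every link in a message body and attach a verdict to it."""
    return {u: lookalike_verdict(u, legit_domain) for u in URL_RE.findall(body)}

# Constructed message modelled on the page's password-expiry lure.
SAMPLE_EMAIL = """Your password expires in 24 hours.
Renew now: https://myuniversity.edurenewal.com/renewal
Questions? https://myuniversity.edu/help"""
```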

SPEAR PHISHING

Spear phishing targets a specific person or enterprise, as opposed to random application users. It’s a more in-depth version of phishing that requires special knowledge about an organization, including its power structure.
An attack might play out as follows:

  • A perpetrator researches names of employees within an organization’s marketing department and gains access to the latest project invoices.
  • Posing as the marketing director, the attacker emails a departmental project manager (PM) using a subject line that reads, Updated invoice for Q3 campaigns. The text, style, and included logo duplicate the organization’s standard email template.
  • A link in the email redirects to a password-protected internal document, which is in actuality a spoofed version of a stolen invoice.
  • The PM is requested to log in to view the document. The attacker steals his credentials, gaining full access to sensitive areas within the organization’s network.
By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of an APT.

PHISHING PROTECTION

Phishing attack protection requires that steps be taken by both users and enterprises.
For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they’re even receiving such an email.
For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

  • Two-factor authentication (2FA) is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a password and user name, and something they have, such as their smartphones. Even when employees are compromised, 2FA prevents the use of their compromised credentials, since these alone are insufficient to gain entry.
  • In addition to using 2FA, organizations should enforce strict password management policies. For example, employees should be required to change their passwords frequently and should not be allowed to reuse a password across multiple applications.
  • Educational campaigns can also help diminish the threat of phishing attacks by enforcing secure practices, such as not clicking on external email links.

How to prevent phishing

The best way to learn to spot phishing emails is to study examples captured in the wild! This webinar from Cyren starts with a look at a real, live phishing website, masquerading as a PayPal login, tempting victims to hand over their credentials. Check out the first minute or so of the video to see the telltale signs of a phishing website.
More examples can be found on a website maintained by Lehigh University's technology services department where they keep a gallery of recent phishing emails received by students and staff.
There are also a number of steps you can take and mindsets you should get into that will keep you from becoming a phishing statistic, including:
  • Always check the spelling of the URLs in email links before you click or enter sensitive information
  • Watch out for URL redirects, where you're subtly sent to a different website with identical design
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply
  • Don't post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media

PHISHING PROTECTION FROM IMPERVA

Imperva offers a combination of access management and web application security solutions to counter phishing attempts:
  • Imperva Login Protect lets you deploy 2FA protection for URL addresses in your website or web application. This includes addresses having URL parameters or AJAX pages, where 2FA protection is normally harder to implement. The solution can be deployed in seconds with just a few clicks of a mouse. It doesn’t require any hardware or software installation and enables easy management of user roles and privileges directly from your Imperva dashboard.
  • Working within the cloud, Imperva Web Application Firewall (WAF) blocks malicious requests at the edge of your network. This includes preventing malware injection attempts by compromised insiders in addition to reflected XSS attacks deriving from a phishing episode.

