How to prevent phishing

How the common cyberattack known as "phishing" works, and how to prevent it

Phishing is a cyberattack that uses a forged email as its weapon. The goal is to trick the recipient into believing the message is something they want or need, such as a request from their bank or a note from a colleague in the company, so that they click on a link or download an attachment.

What really distinguishes phishing is the form the message takes: the attacker masquerades as a real organization or person, or as a business partner, that the recipient trusts. Phishing is one of the oldest kinds of cyberattack, dating back to the 1990s, and it remains among the most widespread and damaging, as phishing messages and techniques have become increasingly sophisticated.

"Phish" is pronounced like "fish", and the analogy is that of an angler throwing out a baited hook (the phishing email) and waiting for a victim to bite. The term first came into use in the mid-1990s among hackers who tricked AOL users into giving up their login details. The "ph" spelling is part of a tradition of playful hacker orthography and was probably influenced by "phreaking", short for "phone phreaking", an early form of hacking in which free calls were obtained by playing particular tones into a phone handset.

Some phishing attacks have been successful enough to make headlines.

- One of the most consequential phishing attacks in history was the 2016 message that tricked John Podesta, chair of Hillary Clinton's presidential campaign, into giving up his own Gmail password.

- The "Fappening" attack, in which private photos of a number of celebrities were leaked, was at first blamed on weak security on Apple's iCloud servers, but was in fact the result of several successful phishing attacks.

- In 2016, University of Kansas employees lost their paychecks after they were tricked into replying to a phishing email with their payroll deposit details.

Phishing kits, which made phishing attacks commonplace

Phishing kits make it easy for cybercriminals with little technical knowledge to launch a phishing campaign. A kit bundles the resources for a phishing website with the tools needed to set it up on a server; once it is installed, all the attacker has to do is send email to potential victims. Both phishing kits and mailing lists are sold on the dark web. Sites like PhishTank and OpenPhish maintain crowd-sourced lists of known phishing URLs.

A Duo Labs report called 'Phish in a Barrel' included an analysis of phishing kit reuse: of the 3,200 phishing kits Duo found, 900 (27%) were seen on two or more hosts.

The real figure is probably higher. Jordan Wright, the senior R&D engineer at Duo who wrote the report, said: "Why isn't the rate of kit reuse higher? Probably because we are measuring it by the SHA1 hash of the kit's contents. If even one part of one file in the kit is changed, it counts as a different kit, even if all the other parts are the same."

Security teams can analyze phishing kits to track who is using them. "The most useful information to take from a phishing kit is where the credentials are being sent," Wright said in the report. "By tracking the email addresses found in phishing kits, we can connect specific campaigns, their operators, and even specific kits. We know not only where the credentials are being sent, but also where they claim to be sent from. Creators of phishing kits usually use the 'From' header like a calling card, which lets us find multiple kits by the same author."

Different types of phishing

A common feature of all phishing attacks is disguise: attackers spoof email addresses so that a message appears to come from someone else, build fake websites that look trustworthy to the victim, and use foreign character sets to disguise URLs.

Still, many different techniques share the common denominator of phishing. Attacks can be categorized in two ways. The first is by the goal of the phishing attempt. In general, a phishing campaign tries to get the target to do one of the following:

- Hand over sensitive information. These messages trick users into disclosing sensitive data, most often usernames and passwords that the attacker can then use to compromise a system or account. The classic version is an email disguised as a message from a major bank.

The idea is that if the message is sent to millions of people, at least some of them will be customers of that bank. When a victim clicks the link in the message, they are taken to a malicious site that mimics the bank's real website; as soon as they enter their username and password there, the attack has succeeded and the attacker can log in to the victim's account.

- Download malware. Like a lot of spam, this kind of phishing email aims to get the victim to infect their own computer with malware. The messages are often aimed at "soft targets": an attachment disguised as a job applicant's resume sent to a company's HR manager, for example.

The attachments are often .zip archives with embedded malware, or Microsoft Office documents. Ransomware is the most common type of malware delivered this way; it was found in 93% of phishing emails in 2017.
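The credential-harvesting variant above depends on the victim not noticing that the link goes somewhere other than the bank, and the disguises named earlier (spoofed hosts, foreign character sets in URLs) are what make that work. The following added example, which is not code from the article, checks a link for those disguises: a host that is a homograph of a trusted domain (Cyrillic letters, digit-for-letter swaps), a trusted brand name buried in an untrusted host, credentials in the URL's user-info part, a bare IP address, and plain HTTP. The trusted-domain list and every sample URL are constructed placeholders, and the confusable-character map is deliberately small.

```python
# Added example: checks a link from an email for the disguises described
# above. Not code from the article; the trusted-domain list and the sample
# URLs are constructed placeholders.
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Assumed: the organisation's own list of brands/domains it expects to see.
TRUSTED = ("paypal.com", "example-bank.com")

# A small map of visually confusable characters to their ASCII look-alike.
# Unicode's full confusables table is far larger; this covers common tricks.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "0": "o", "1": "l", "|": "l",
})


def skeleton(host):
    """Fold a hostname to what it *looks* like, so that 'p\u0430ypal.com'
    (Cyrillic a) and 'paypa1.com' both collapse to 'paypal.com'."""
    folded = unicodedata.normalize("NFKC", host).lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def registrable(host):
    """Last two labels. A real deployment would use the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_url(url, trusted=TRUSTED):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    p = urlsplit(url)
    host = (p.hostname or "").rstrip(".")
    if p.scheme != "https":
        findings.append("not_https")
    if p.username is not None:                 # https://paypal.com@evil.example
        findings.append("userinfo_in_url")
    if is_ip(host):
        findings.append("ip_address_host")
    if any(ord(c) > 127 for c in host):        # foreign character set in host
        findings.append("non_ascii_host")
    reg = registrable(host)
    if reg in trusted:
        return findings                        # the brand's real domain
    # Everything the user sees before the path: user-info plus host.
    visible = skeleton((p.username or "") + "." + host)
    for t in trusted:
        brand = t.split(".")[0]
        if skeleton(reg) == skeleton(t):
            findings.append(f"homograph_of:{t}")
        elif brand in visible:
            findings.append(f"brand_in_untrusted_host:{t}")
    return findings


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "https://www.p\u0430ypal.com/signin",
              "http://paypa1.com-secure-login.example/verify",
              "https://www.paypal.com@evil.example/login",
              "https://192.0.2.10/paypal/login"):
        print(u, "->", analyze_url(u) or "looks fine")
```

The skeleton comparison is what catches the "foreign character set" trick: the raw hostname with a Cyrillic а never equals paypal.com, but its skeleton does. Note that registrable() is a two-label approximation; against real traffic you would resolve the registrable domain with the public suffix list so that hosts under co.uk and similar suffixes are handled correctly.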

The second way to categorize phishing attacks is by their targeting. Some have no specific target at all: the attacker sends the message to millions of potential victims and tries to trick them into logging in to fake versions of popular websites.

Vade Secure analyzed the brands most often impersonated in phishing attacks (see infographic). Attackers may also aim at "soft targets", sending messages to people in a particular role within an organization without knowing anything personal about the individual recipient.

Other phishing attacks aim to steal a specific person's login details or infect a specific computer. In these cases the attacker has chosen a victim who offers a high potential payoff, and is therefore willing to go to much greater lengths to deceive them.

Spear phishing targeting specific individuals

When attackers craft a message to deceive one specific individual, it is called spear phishing (the image is of a fisherman aiming a spear at one particular fish rather than casting a line and waiting for a bite). Attackers research their targets, often using information from sites such as LinkedIn, and use a spoofed address to send an email that appears to come from a colleague. A spear phisher might, for instance, target someone in the finance department while posing as that person's manager and instruct them to wire a large sum of money to a bank account.

Whaling: going after the big fish

Whale phishing, or simply whaling, is a form of spear phishing aimed at the very big fish: CEOs and other senior executives. Board members are considered especially vulnerable: they have a great deal of authority within the company, but since they are not full-time employees they often conduct business correspondence from personal email addresses, which lack the protections of the corporate email system.

Gathering enough information to convincingly deceive such a high-value target can take a long time, but the payoff is correspondingly large. In 2008, cybercriminals sent emails to corporate CEOs claiming to carry FBI subpoenas; what the executives actually downloaded were keyloggers that installed themselves on their computers. The attack had a success rate of 10% and caught nearly 2,000 victims.

There are other phishing variants as well, such as clone phishing, vishing (voice phishing) and snowshoeing.

How to stop phishing?

The best way to learn to recognize phishing emails is to study real examples. A webinar from Cyren walks through a real phishing website that impersonates the PayPal login page in order to capture credentials; within the first minute or so of the video, the telltale signs of a phishing site are plain to see.

More examples can be found in the gallery of phishing emails recently received by students and faculty, maintained by the Technical Services Department at Lehigh University in the US. Beyond that, here are some steps and tips for avoiding phishing attacks.

- Always check the URL behind a link in an email carefully before clicking it or entering any sensitive information.

- Watch out for URL redirects that quietly send you to a different website with an identical design.

- If you receive an email that seems to come from someone you know but looks suspicious, do not hit Reply; contact that person in a fresh email (or through another channel) instead.

- Do not post personal data such as your birthday, vacation plans, address or phone number publicly on social media.
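Several of these tips, and the spoofed-colleague address used in spear phishing, can be checked mechanically once a message is in hand. The following added example, which is not code from the article, inspects a raw email for a Reply-To pointing at a different domain than the From address, an envelope sender (Return-Path) that is not aligned with the visible From, a display name that itself contains an address from another domain, failed SPF/DKIM/DMARC verdicts in the Authentication-Results header that a receiving mail server adds, and HTML links whose visible text names one host while the href points at another. Both messages, and every domain and address in them, are constructed placeholders; the assumption is that your mail server stamps Authentication-Results on inbound mail, which most do.

```python
# Added example: header and link checks that automate the tips above for a
# message already in hand. Not code from the article; both messages and all
# domains in them are constructed placeholders.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: a spoofed "CEO" wire-transfer request. The visible From is the
# real corporate domain, but everything else points elsewhere.
SPOOFED = """\
Return-Path: <bounce@mailer.evil.example>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=mailer.evil.example; dkim=none; dmarc=fail header.from=example-corp.com
From: "Jane Doe (CEO)" <jane.doe@example-corp.com>
Reply-To: jane.doe.ceo@freemail.example
To: bob@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/html; charset="utf-8"

<p>Bob, approve the transfer here:
<a href="http://example-corp.com.secure-review.example/approve">https://portal.example-corp.com/approve</a></p>
"""

# Constructed: a genuine internal message for comparison.
LEGIT = """\
Return-Path: <jane.doe@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
From: "Jane Doe (CEO)" <jane.doe@example-corp.com>
To: bob@example-corp.com
Subject: Q3 numbers
Content-Type: text/html; charset="utf-8"

<p>Bob, the deck is at <a href="https://portal.example-corp.com/q3">https://portal.example-corp.com/q3</a></p>
"""


class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None


def _domain(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    # 1. Replies would go to a different domain than the apparent sender's.
    if msg.get("Reply-To") and _domain(msg["Reply-To"]) != from_dom:
        findings.append("reply_to_domain_mismatch")
    # 2. Envelope sender not aligned with the visible From (classic spoof).
    if msg.get("Return-Path") and _domain(msg["Return-Path"]) != from_dom:
        findings.append("return_path_not_aligned")
    # 3. Display name that smuggles in an address from another domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != from_dom:
        findings.append("display_name_address_mismatch")
    # 4. Verdicts the receiving server recorded (pass/none are not flagged).
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result.lower() not in ("pass", "none"):
            findings.append(f"{mech}_{result.lower()}")
    # 5. Link text that shows one host while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _Links()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = urlsplit(text).hostname if "://" in text else None
            actual = urlsplit(href).hostname
            if shown and shown != actual:
                findings.append(f"link_text_mismatch:{shown}->{actual}")
    return findings


if __name__ == "__main__":
    print("spoofed:", check_message(SPOOFED))
    print("legit:  ", check_message(LEGIT))
```

The spoofed message trips four checks at once, while the genuine one is clean. Note that SPF passing here is not reassuring: it passed for the attacker's own envelope domain, which is why the DMARC alignment result, not the raw SPF verdict, is the one to act on.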

The following infographic shows the most-clicked phishing messages, from the Q2 2018 report by security awareness training company KnowBe4.

If you work in your company's IT security department, you can take the following proactive steps to protect the organization:

- Run incoming email through a "sandbox" so that every link a user clicks is checked for safety before it is reached

- Inspect and analyze web traffic

- Find weak spots through organizational penetration testing and use the results to educate employees