Thanks for joining us for the first release in our Cyber Security Awareness Month series. Check out our other recent posts on “Pro-Russian Hacktivism” and “Ransomware in Q3 of 2022!” In addition, see our previous articles on phishing: “The Ecosystem of Phishing: From Minnows to Marlins”, “The Phight Against Phishing,” and “Fight the Phish!”
Several years ago, I played a video game with tradable items in it. I received a suspicious message: A friend of mine asked me to view a picture that he sent over. The picture’s thumbnail made it look like he had some valuable items, so I went to click on the picture to verify. Within a second, two large charges were submitted to the saved payment card on the account, and most of my items were transferred over. Phishing can happen to anyone. However, there are some consistent tricks that attackers rely on to exploit the human emotions and tendencies of victims like myself.
This blog post is focused on the often-forgotten threat of phishing. Whether you’re a veteran cyber-security analyst or new to the scene, there’s always more to learn about the ever-changing field of threat intelligence. This blog post will detail some of the newer methods and types of phishing.
According to IBM’s 2022 report on threat intelligence, phishing remains the most common attack method. However, attackers are changing their methodology and technology to try to gain access to your devices.
We all know not to answer “that” email. You know the one: It’s from an anonymous stranger who has fallen on hard times. They just need some cash to free up their sizable inheritance. Then, after just a few business days, they can return a small fortune to you in return for your donation. The email is riddled with spelling errors and blocked by your spam filter. Despite a massive increase in spending on security awareness, attackers keep phishing because it keeps working.
Regardless of how many of their messages get caught in the spam filter or ignored, it’s still worthwhile for them to persist in their efforts. According to a report from the US Treasury, in the US alone, phishing made attackers around USD 300 million per month in 2019. The suspicious email described above is an example of phishing. An attacker or group throws out a wide net to try to catch anyone they can in it. However, this is not the only type of phishing.
New Methods, New Technology
As phishing continues to be exceptionally common and effective, newer methods have gained popularity in recent years.
- Spearphishing is phishing with a much more limited target—a single organization or person, perhaps a CEO. Attackers who target individuals typically devote much more energy to studying and impersonating people and organizations close to the targets. These attacks can use knowledge of company or personal schedules, program or application usage, and internal or personal vernacular to deceive targets and escalate access. A common example of this tactic can be seen below: Someone claiming to be Digital Shadows (now ReliaQuest) founder Alastair Paterson sends an email to an employee, but there are some warning signs that should set off alarms in the recipient’s head.
With the advent of spearphishing, employees should take extra care when receiving communications from company executives, as attackers can use the authority of executives to attempt to exploit victims.
- Multi-factor authentication (MFA) fatigue: Even the most sophisticated defenses can be defeated with a simple human error. As we saw with the recent Uber breach, multi-factor authentication was in place, requiring user verification on every login. The issue was that the user in question was being sent login requests and mistakenly clicked “Approve”. The attacker simply repeated the process until the victim was fed up with or overwhelmed by the notifications and let the intruder in.
- These two other methods generally involve the same capability: phone number spoofing. This is when attackers impersonate someone else’s phone. This can become exceptionally useful over text messages or phone calls. Attackers can use the area code of potential victims to improve their chances of convincing the victims to pick up. This type of attack used to be challenging to conduct but is now much more accessible. Modern attackers usually utilize a voice over IP (VoIP) connection to change the caller ID for the recipient.
- First, attackers can use the fake caller ID to get you to answer the phone more readily. This is called vishing. The word “vishing” comes from a combination of “voice” and “phishing”. Attackers can utilize caller ID spoofing to impersonate banks, dealerships, hospitals, bosses, the government, or even your loved ones to attempt to gain access to your devices or take your money.
- Alternatively, attackers can use the fake caller ID to get you to respond to or click a link in a text message. This is called smishing, which is phishing via text. The name comes from a combination of “Short Message Service”, which is texting, and “phishing”. For more on this attack method, view our blog posts on smishing by Ivan Righi and Michael Marriott.
To revisit my story from several years ago, there were a few things I could have done to avoid being phished and having money stolen. First, I could have stopped and taken a second to think. Next, I could have noticed that this friend who had supposedly contacted me had not talked to me in three years and had no reason to talk to me out of the blue. Third, I could have checked their account, which had multiple people commenting on it, warning the public not to interact with them because they were a scammer. I did none of those things. Below, you can find some helpful suggestions on how to avoid being phished so you don’t end up like I did, tearfully explaining to your dad why there is about to be a USD 600 charge on his card.
These methods prey on our emotions and our tendencies. The example from my past is tied to envy: I didn’t believe my friend had valuable items, so I clicked. From the example of spearphishing, an employee could easily be hit with a wave of emotions if their company’s founder emails them personally to ask for a favor. From the example of MFA fatigue with Uber, the user in question could quite easily have been frustrated or confused when faced with multiple authentication requests in a short period of time.
Although new methods and technologies will continue to fade in and out of use, the key framework of phishing remains. An attacker attempts to fool a victim into believing the attacker is someone trustworthy. The attacker uses the identity of the trustworthy person or organization to gain access, information, or money. The advice will always remain the same (adapted from another Digital Shadows (now ReliaQuest) blog post):
- Limit the information you share online, including on social-media sites. The most successful phishers perform detailed reconnaissance so they can craft the most effective emails and social-engineering lures.
- Protect your accounts in case phishers do manage to steal your credentials. Two-factor authentication measures and password managers should be implemented whenever possible across your accounts.
- Train yourself on how to respond to these messages: Rely on your instincts. If something feels wrong, it probably is. Contact the sender on another platform, ignore fraudulent emails, and do not click.