A phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.
Phishing is the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters.
Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering.
There are a number of different techniques used to obtain personal information from users. As technology becomes more advanced, the cybercriminals' techniques being used are also more advanced.
To prevent Internet phishing, users should have knowledge of how the bad guys do this and they should also be aware of anti-phishing techniques to protect themselves from becoming victims.
.Think of spear phishing as professional phishing. Classic phishing campaigns send mass emails to as many people as possible, but spear phishing is much more targeted. The hacker has either a certain individual(s) or organization they want to compromise and are after more valuable info than credit card data. They do research on the target in order to make the attack more personalized and increase their chances of success.
In session hijacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant information so that he or she can access the Web server illegally.
Using the most common phishing technique, the same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, or verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email.
Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. This is done to mislead the user to go to a page outside the legitimate website where the user is then asked to enter personal information.
Web based delivery is one of the most sophisticated phishing techniques. Also known as “man-in-the-middle,” the hacker is located in between the original website and the phishing system. The phisher traces details during a transaction between the legitimate website and the user. As the user continues to pass information, it is gathered by the phishers, without the user knowing about it.
Some phishing scams involve search engines where the user is directed to product sites which may offer low cost products or services. When the user tries to buy the product by entering the credit card details, it’s collected by the phishing site. There are many fake bank websites offering credit cards or loans to users at a low rate but they are actually phishing sites.
Link manipulation is the technique in which the phisher sends a link to a fake website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link. Hovering the mouse over the link to view the actual address stops users from falling for link manipulation.
In phone phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information of the bank account through the phone. Phone phishing is mostly done with a fake caller ID.
Keyloggers refer to the malware used to identify inputs from the keyboard. The information is sent to the hackers who will decipher passwords and other types of information. To prevent key loggers from accessing personal information, secure websites provide options to use mouse clicks to make entries through the virtual keyboard.
Phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website.
A Trojan horse is a type of malware designed to mislead the user with an action that looks legitimate, but actually allows unauthorized access to the user account to collect credentials through the local machine. The acquired information is then transmitted to cybercriminals.
Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once you click on the link, the malware will start functioning. Sometimes, the malware may also be attached to downloadable files.
Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in malvertisements.
Ransomware denies access to a device or files until a ransom has been paid. Ransomware for PC's is malware that gets installed on a user’s workstation using a social engineering attack where the user gets tricked in clicking on a link, opening an attachment, or clicking on malvertising.
Forged websites are built by hackers made to look exactly like legitimate websites. The goal of website forgery is to get users to enter information that could be used to defraud or launch further attacks against the victim.
One example is CEO fraud and similar attacks. The victim gets an email that looks like it's coming from the boss or a colleague, with the attacker asking for things like W-2 information or funds transfers. We have a free domain spoof test to see if your organization is vulnerable to this technique.
Hackers use devices like a pineapple - a tool used by hackers containing two radios to set up their own wi-fi network. They will use a popular name like AT&T Wi-Fi, which is pretty common in a lot of public places. If you're not paying attention and access the network controlled by hackers, they can intercept any info you may enter in your session like banking data.
Users can be manipulated into clicking questionable content for many different technical and social reasons. For example, a malicious attachment might at first glance look like an invoice related to your job. Hackers count on victims not thinking twice before infecting the network.
Curious about what users are actually clicking on? Every quarter we release which subjects users click on the most!
Our customers run millions of phishing tests per year and we get numbers on what top-clicked templates are. The infographic below shows the latest data, broken down into 3 categories. The first two sections rank email subjects related to social media and general emails. 'In The Wild' attacks are the most common email subjects we receive from our customers by employees clicking the Phish Alert Button on real phishing emails and sending the email to us for analysis..
KnowBe4 Q4 2017 Top-Clicked Social Phishing Email Subjects
Over the past few years online service providers have been stepping up their security game by messaging customers when they detect unusual or worrisome activity on their users' accounts. Not surprisingly, the bad guys are using this to their advantage. Many are designed poorly with bad grammar, etc. but others look legitimate enough for someone to click if they weren't paying close attention:
Consider this fake Paypal security notice warning potential marks of "unusual log in activity" on their accounts. Hovering over the links would be enough to stop you from ending up on a credentials stealing web site. The first example is a fake Microsoft notice, almost identical in appearance to an actual notice from Microsoft concerning "Unusual sign-in activity". The second example email points users to a phony 1-800 number instead of kicking users to a credentials phish.
Malicious .HTML attachments aren't seen as often as .JS or .DOC file attachments, but they are desirable for a couple of reasons. First, there is a low chance of antivirus detection since .HTML files are not commonly associated with email-borne attacks. Second, .HTML attachments are commonly used by banks and other financial institutions so people are used to seeing them in their inboxes. Here are a few examples of credential phishes we've seen using this attack vector.
Malicious macros in phishing emails have become an increasingly common way of delivering ransomware in the past year. These documents too often get past antivirus programs with no problem. The phishing emails contain a sense of urgency for the recipient and as you can see in the below screenshot, the documents step users through the process. If users fail to enable the macros, the attack is unsuccessful.
Several Facebook users received messages in their Messenger accounts from other users already familiar to them. The message consisted of a single .SVG (Scaleable Vector Graphic) image file which, notably, bypassed Facebook's file extensions filter. Users who clicked the file to open it were redirected to a spoofed Youtube page that prompted users to install two Chrome extensions allegedly needed to view the (non-existent) video on the page.
For most users, the two Chrome extensions were used to allow the malware a limited degree of self-propagation by exploiting the "browser's access to your Facebook account in order to secretly message all your Facebook friends with the same SVG image file."
LinkedIn has been the focus of online scams and phishing attacks for a number of years now, primarily because of the wealth of data it offers on employees at corporations. Malicious actors mine that data to identify potential marks for business email compromise attacks, including wire transfer and W-2 social engineering scams, as well as a number of other creative ruses. Here are some examples we've seen through KnowBe4's Phish Alert Button:
In one case a user reported receiving a standard Wells Fargo credentials phish through LinkedIn's InMail:
Note that this particular InMail appears to have originated from a fake Wells Fargo account. The supplied link leads to a fairly typical credentials phish (hosted on a malicious domain since taken down):
It looks like the bad guys set up a fake Wells Fargo profile in an attempt to appear more authentic.
Another similar phish was delivered to an email account outside of LinkedIn:
This email was delivered through LinkedIn, as did the URLs used for the several links included in the footer of this email ("Reply," "Not interested," "View Wells's LinkedIn profile"):
Those URLs were obviously auto-generated by LinkedIn itself when the malicious actors used LinkedIn's messaging features to generate this phish, which hit the external email account of the mark (as opposed to his InMail box, as was the case in the first phish discussed above).
Here's an example of a KnowBe4 customer being a target for CEO fraud. The employee initially responded, then remembered her training and instead reported the email using the Phish Alert Button, alerting her IT department to the fraud attempt.
When the employee failed to proceed with the wire transfer, she got another email from the bad guys, who probably thought it was payday:
A new KnowBe4 study of phishing statistics for top industries, shows small insurance companies have the highest percentage of Phish-prone employees in the small to mid–size organization category. Not-for-profit organizations take the lead in large organizations.
The study, drawn from a data set of more than six million users across nearly 11,000 organizations, benchmarks real-world phishing results. Results show a radical drop of careless clicking to just 13 percent 90 days after initial training and simulated phishing and a steeper drop to two percent after 12 months of combined phishing and computer based training (CBT).
Researchers anonymously tracked users by company size and industry at three points:
1. A baseline phishing security test
2. Results after 90 days of combined CBT and simulated phishing
3. The results after one year of combined CBT and phishing is encouraging:
With over 100 billion spam emails being sent daily, it's only a matter of time before you get hit. There are several ways you can and should report these: