_ __It appears you need to update your information. Click here to tell us all your secrets._
_ __No really, it's totally safe. We're not going to steal your identity, we swear._
If only phishing attempts were that obvious.
Instead, these days it's hard to tell a phish apart from a foul, if you catch my drift. Modern-day phishing campaigns use stealthy techniques to target folks online and trick them into believing their messages are legit. Yet for all its sophistication, phishing relies on one of the basest of human foibles: trust. Detecting a phish, in its various forms, then requires you to hone a healthy level of skepticism when receiving any kind of digital communication, be it email, text, or even social media message. In order to understand how we got here, let's go back to the first instance of phishing.
Back in the early days of the Internet, you could marvel at your "You've Got Mail" message and freely open any email that came your way. You'd get one email a day, tops, from your new best friend you met in the "grunge 4EVA" chat room. There was no such thing as junk email. The only promotions you received were CD copies of AOL in the snail mail. It didn't cross your mind that going online could bring about danger.
Then came the Nigerian prince.
Unfortunately, where innovation and progress lead, corruption and crime will inevitably follow. One of the nation's longest-running scams, the Nigerian prince phish came from a person claiming to be a government official or member of a royal family who needed help transferring millions of dollars out of Nigeria. The email was marked as "urgent" or "private," and its sender asked the recipient to provide a bank account number for safekeeping the funds. Gone were the innocent days of trusting your inbox.
Over the years, the Nigerian prince scam has fooled millions, raking in hundreds of billions of dollars. Why has this scam been so successful? Simple. It uses a time-honored criminal technique—the ole bait and switch—to fool folks into believing that they are being contacted by a legitimate organization with a legitimate concern. Threat actors use this social engineering method to trick unwilling participants into clicking on malicious links and handing over personal information. The end goal, as with most cybercrime, is financial gain.
Phishing attacks aim to collect personal data—including login credentials, credit card numbers, social security numbers, and bank account numbers—for fraudulent purposes. The attack is most commonly delivered as an email communication that spoofs a known enterprise, such as a bank or online shopping site, but it can also appear to come from an individual of authority or of personal acquaintance. These emails always contain a link that sends users to a decent facsimile of a valid website where credentials will be collected and sent to the attacker, instead of the supposedly trusted source. From there, the attacker can exploit credentials to commit crimes such as identity theft, draining bank accounts, or selling personal information on the black market.
"Truth be told, phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective," says Adam Kujawa, Director of Malware Intelligence. "That is because it attacks the most vulnerable and powerful computer on the planet: the human mind."
While the Nigerian prince attack vector remains in use today, most savvy Internet users can now spot this scam a mile away (hence the multitude of memes that have popped up over the years). The campaign has lost its edge and fooled way fewer users. Plus, email technology has progressed so that spam filters readily pick up on this phish and block it. And this is why cybercriminals have had to advance their tactics.
"Phishers had no other choice but to evolve and improve on where they fell short," says Jovi Umawing, Malware Intelligence Analyst at Malwarebytes. "Nowadays, most sophisticated modern-day phishing emails are so polished and well-designed that one cannot easily differentiate them from legitimate ones."
Case in point: Recent phishing campaigns have had great success impersonating big-name companies and fooling big-name recipients. In May 2017, a phishing email targeted one million Gmail users by purporting to be from a contact sharing Google Docs. In Minnesota alone, state employees were scammed out of $90,000 due to the Google Docs fiasco. Hillary Clinton’s campaign manager for the 2016 presidential election, John Podesta, famously had his Gmail hacked and subsequently leaked after falling for the oldest trick in the book—a phishing attack claiming that his email password had been compromised (so click here to change it).
So how can we learn from these lessons? Let's start by identifying the different types of phishing in use today.
The most basic and commonly seen type of attack, of course, is the phishing email. Phishing emails are sent to a group of users who are unique enough to be used as bait but broad enough to ensnare a large number of people. The point is to cast as large a net as possible. In contrast, other forms of attack are much more targeted.
Spear phishing, as might be gathered from its title, usually targets a specific person or organization. Since these types of attacks are so pointed, phishers scour the Internet for available information about their target in order to craft a believable email to extort information (if not money) from victims.
Whaling is a form of spear phishing directed at executives or other high-profile targets within a business, government, or other organization, such as a CEO, senator, or someone who has access to financial assets. CFO fraud is an example of whaling.
Smishing, short for SMS phishing, is carried out via SMS text messaging on mobile devices. A similar technique, vishing, is voice phishing conducted over the phone.
Pharming, also known as DNS-based phishing, is a type of phishing that involves the modification or tampering of a system's host files or domain name system to redirect requests for URLs to a fake site. As a result, users have no idea that the website they are entering their personal details into is fake.
Content-injection phishing is when phishers insert malicious code or misleading content into legitimate websites that instructs users to enter their credentials or personal information. This type of phishing is a form of content spoofing.
Man-in-the-middle phishing happens when phishers position themselves between people and the websites they use, such as a social networking sites or online banks, to extract information as it's being entered. This type of phishing is more difficult to detect because attackers continue to pass on users' information (after collecting it) so as not to disrupt any transactions.
And finally, search engine phishing starts off when phishers create malicious websites with attractive offers, and search engines index them. People then stumble upon such sites doing their own online searches and, thinking the sites are legit, unknowingly give up their personal information.
There truly are a lot of phish in the sea.
So, if your head isn't completely swimming in fish puns, it's time to talk about how to train your eye and your gut to sniff out the various forms of phishing attacks. I asked Labs researchers to tell me their top indications that an email, text, or other form of communication is a phish and compiled a list of their, and my, recommendations.
If you suspect or can verify that you've been phished, it's best to report the attempt directly to the person or organization being spoofed. You can also contact the Federal Trade Commission (FTC) to lodge a complaint. Once completed, delete the email, then empty your trash. (Same goes for texts.)
Now the next time someone attempts to scam you with fraudulent emails, you won't have to wonder if the message is for real. You'll scope out a phish hook, line, and sinker.
The post Something's phishy: How to detect phishing attempts appeared first on Malwarebytes Labs.