Instructions
Phishing
Ed Moore
Lecture Outline
Faculty of Arts | Department of Security Studies and Criminology
What is phishing?
Types of phishing
Common Techniques
Spear phishing
Prevention
What is phishing
What is Phishing?
Phishing is a cyber attack in which an attacker tries to trick a user into providing details or access using a fake form of communication.
The term phishing (pronounced “fishing”) comes from the analogy of an angler throwing a baited hook out there (the phishing email) and hoping you bite.
Phishing almost always includes a degree of fraud.
It often comes in the form of emails or websites.
It may appear to come from legitimate companies or trusted individuals.
It often takes advantage of natural disasters, epidemics, political or other events.
What is Phishing?
Phishing can be broken down into two general categories:
Hand-over information
This is where an attacker will try to trick the user into handing over information to the attacker. This often includes things like usernames, passwords and credit card information.
Typically the information is then used to access more detailed and important information.
Malware download
This is where an attacker will try to get a user to click on a link to download malware to their system. This then gives the attacker access to the system and thus to the information stored on it.
These are often in the form of keyloggers, which send the keystrokes (including passwords) to the attacker.
Forms of phishing
Vishing – Voice phishing is when an attacker contacts the victim over the phone to try to elicit information
Smishing – SMS phishing, contact via SMS or DM
Common to see these emails with fake unsubscribe links
Clone Phishing – Cloned copy of a legitimate email or website with malicious links or attachments in place of legitimate ones
Whaling – When an attacker goes after a high profile target
Forms of phishing
Email Spoofing
When setting up your email account in a mail program you can set your name; this is what is shown as the sender when you send mail.
This field (i.e. the sender name) cannot be trusted.
The field can also be set programmatically when a program sends mail.
Attackers often try to impersonate known individuals or companies.
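As an added illustration that is not part of the lecture, the following Python checks a raw message's From header the way a mail gateway might: it flags a display name that belongs to a known contact but arrives from another domain, a display name that is itself written like an address, and a Reply-To pointing somewhere other than the apparent sender. The contact directory and the sample messages are constructed.

```python
"""Added example, not from the lecture: flag a From header whose display name
does not match where the mail actually comes from. KNOWN_SENDERS and the
sample messages below are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display names we know, and the domain each should send from.
KNOWN_SENDERS = {
    "jane smith": "example.com",        # a colleague
    "example bank": "examplebank.com",  # a company customers deal with
}

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def sender_findings(raw_message: str) -> list:
    """Return the reasons the From header looks spoofed (empty list if none)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = domain_of(address)
    findings = []
    # 1. A known display name arriving from a domain that contact never uses.
    expected = KNOWN_SENDERS.get(display.strip().lower())
    if expected and domain != expected:
        findings.append(f"'{display}' expected from {expected}, got {domain}")
    # 2. The display name is itself written like an address at some other domain.
    if "@" in display and domain_of(display) != domain:
        findings.append(f"display name pretends to be an address at {domain_of(display)}")
    # 3. Replies are routed to a domain other than the apparent sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        findings.append(f"Reply-To goes to {domain_of(reply_to)}, not {domain}")
    return findings

# Constructed sample messages (only the headers matter here).
LEGIT = "From: Jane Smith <jane.smith@example.com>\nSubject: Lunch\n\nSee you at 12."
SPOOFED_NAME = ("From: Jane Smith <jsmith1987@freemail.example>\n"
                "Reply-To: payments@attacker.example\n"
                "Subject: Urgent invoice\n\nPlease pay today.")
SPOOFED_ADDRESS = ('From: "ceo@example.com" <noreply@attacker.example>\n'
                   "Subject: Gift cards\n\nBuy them now.")

if __name__ == "__main__":
    for sample in (LEGIT, SPOOFED_NAME, SPOOFED_ADDRESS):
        print(sender_findings(sample) or ["looks consistent"])
```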
Forms of phishing
Mass Targeting
Attackers send phishing emails to groups of people based on common interests.
This often targets the customers of a business.
Accuracy is less important.
Quantity over quality.
Sending phishing emails is very cheap, so a low success rate is still acceptable.
Typically a spam email costs less than 0.00001c.
Response rates are estimated to be around XXXXXXXXXX%
Researchers estimate that spammers can make $7,000/day or $2,000,000/year.
Forms of phishing
URL Phishing
There are various techniques used within URL phishing that are worth mentioning.
Hidden Links
When an email prompts you to “click here”, “Download now” or “subscribe”, the link text hides where the link actually goes.
URL Shorteners
A URL shortener is a service that lets you take a long, unmemorable, messy URL and shorten it to something easier to manage.
These are also frequently used in phishing emails, as you can never tell where they end up.
Misspelt URLs
Intentionally using misspelt URLs in the hope that victims won’t notice:
citiibank.com instead of citibank.com
Have you tried gooogle.com?
Use of alternative domains:
citibank.xyz
Forms of phishing
URL Phishing (continued)
Homographic Attacks
The use of intentionally misleading characters to make a domain look like a legitimate one:
arnazon.com vs amazon.com
Forms of phishing
Subdomain phishing
Exploits users who don’t fully understand the difference between a domain name and a subdomain.
A company owns a domain, amazon.com for example.
An attacker can buy another domain, such as techsupport.com, and then create a subdomain under it:
amazon.techsupport.com
Forms of phishing
Website Spoofing
Website spoofing is a common technique where an attacker clones a website and redirects the login details entered into it to their own server.
This is usually easy to perform and can be difficult to detect.
The best way not to fall for this is to avoid such links entirely.
Common Techniques
Baiting Techniques
Timely call for action
“Urgent” or time-sensitive emails put pressure on potential victims to click on links without checking them properly.
Seemingly legitimate email addresses
Inclusion of logos to seem more legitimate
Baiting Techniques
Work Environment
Phishing emails sent to targets in a work environment differ from those targeting individuals. They generally attempt to blend in with work emails, which makes them more successful:
Attachments (such as “invoice”, “meeting minutes”, etc.)
Third-party providers (Microsoft, Google, etc.)
Emails from managers
The CEO
Emails from “IT support”
Other colleagues
If a colleague has fallen for a phishing scam, one of the first things an attacker will do is secure their foothold inside the company. This means getting more people infected.
Emails sent from a colleague are much harder to detect as phishing because they come from a legitimate source.
Baiting Techniques
Personal Environment
Personal phishing emails, by contrast, target you at a more personal level:
Advertisements
Weight loss
Win an iPad
Social media accounts
Credit card company
Threats or blackmail emails
Love
Taking advantage of an ongoing crisis
Spear Phishing
Spear Phishing
Spear phishing is when a phishing attack is targeted at a single person or a small group of people.
It is largely different because it often involves research steps, rather than being broad and generic.
It often pulls information from social media platforms to use as an entrance and to legitimise the phishing email.
Think of the information you provide on LinkedIn:
Current job position
Previous employment
Plausible connections
Have you admitted to using a service publicly?
Think about complaints on social media
Liked services on social media
Spear Phishing
Many of the most successful data breaches in recent years started with a spear phishing attack.
Spear phishing is the leading cause of data breaches.
Spear phishing attacks are “blended” or “multi-vector” threats.
They combine various malicious techniques to create a very dangerous threat:
Email spoofing
Dynamic URLs
Zero-day vulnerabilities in browsers
Unlike traditional phishing emails, which are often poorly written, spear phishing emails are usually well crafted.
The average impact of a successful spear phishing attack on a business is $1.6M.
Prevention
Prevention
Spam filters
The only way to stop spam entirely is to make it unprofitable for the attackers.
If we reduce the success rate of the emails, then it becomes less profitable.
Our best defence against phishing and spam is spam filters.
The large majority of spam emails are filtered out by spam filters.
Up to 99% of spam emails are filtered out before a user sees them.
… Think about what your spam folder looks like.
Spam filters often don’t work on spear phishing emails, as they’re specially crafted for the target.
Prevention
Software
Mimecast
Mimecast is a service that redirects all links received in emails through its service. The service scans the page for malicious code and can help prevent employees from clicking on malicious links.
This software attempts to save employees before the malicious code is executed.
modusCloud
modusCloud is a service that attempts to detect malicious links based on their URL. It looks for things like ‘I’ (uppercase i) instead of ‘l’ (lowercase L). It would detect something like GOOGIE.com as malicious, as it is likely an attempt to direct a user towards a malicious website.
Swordphish
Swordphish is able to extract features from millions of domains to distinguish between good and bad, without further requiring support from an external environment. Swordphish is extremely fast, with a time of 10 milliseconds per search and a measured accuracy of 95% in classifying URLs.
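The URL tricks on the earlier URL phishing slides (misspellings, alternative domains, homographic look-alikes such as arnazon, subdomain abuse such as amazon.techsupport.com) and the uppercase-I-for-lowercase-l check attributed to modusCloud above can all be caught by the same kind of host comparison. The Python below is an added example, not code from the lecture or from any product it names; the brand list is constructed, and it approximates the registered domain as the host's last two labels, which ignores suffixes such as co.uk.

```python
"""Added example, not from the lecture or any product it names: classify a
link's host against brands it may be imitating. PROTECTED is constructed; the
registered domain is approximated as the last two labels (ignores co.uk etc.)."""
from difflib import SequenceMatcher
from typing import Optional, Tuple
from urllib.parse import urlparse

PROTECTED = {"amazon": "amazon.com", "citibank": "citibank.com", "google": "google.com"}
# Look-alike substitutions an attacker relies on; undone before comparing with a brand.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]

def normalise(label: str) -> str:
    # Lower-casing turns an uppercase I into i, which the table then maps to l (GOOGIE -> google).
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s

def classify(url: str) -> Optional[Tuple[str, str]]:
    """Return (reason, brand) when the host imitates a protected brand, else None."""
    host = (urlparse(url).hostname or "").rstrip(".")   # hostname is already lower-cased
    labels = host.split(".")
    if len(labels) < 2:
        return None
    registered, sld = ".".join(labels[-2:]), labels[-2]
    if registered in PROTECTED.values():
        return None                                      # the genuine site
    for brand, real in PROTECTED.items():
        # Subdomain phishing: brand sits left of the registered domain (amazon.techsupport.com).
        if brand in labels[:-2]:
            return (f"brand used as a subdomain of {registered}", brand)
        # Alternative domain: right name, wrong suffix (citibank.xyz).
        if sld == brand:
            return (f"wrong top-level domain: {registered}", brand)
        # Homographic attack: identical once look-alike characters are mapped (arnazon, GOOGIE).
        if normalise(sld) == normalise(brand):
            return (f"homoglyph look-alike of {real}", brand)
        # Misspelt URL: a character or two away from the brand (citiibank, gooogle).
        if SequenceMatcher(None, sld, brand).ratio() >= 0.8:
            return (f"misspelling of {real}", brand)
    return None

if __name__ == "__main__":
    for link in ("https://www.amazon.com/", "http://amazon.techsupport.com/verify",
                 "http://citibank.xyz/", "http://arnazon.com/", "http://GOOGIE.com/",
                 "http://citiibank.com/", "https://www.example.com/login"):
        print(link, "->", classify(link))
```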
Prevention
User Training
People are the weakest link in IT security.
Training users to detect phishing/spam emails is the most important part.
No legitimate company should ever ask for your password, bank account numbers or other information in an email.
Don’t click links from people you don’t know or that look suspicious.
Look out for weird capitalisation or misspelt URLs.
Phishing emails often have poor grammar, spelling and structure - look out for this.
No software is perfect and phishing emails (particularly spear phishing) will eventually reach users – prepare for it!
Prevention
User Training (continued)
Look for the “HTTPS”; phishing websites often don’t use it.
“HTTPS & SSL doesn't mean "trust this." It means "this is private." You may be having a private conversation with Satan.” - Scott Hanselman
If you receive a phishing email from someone you know, they have probably been compromised.
Don’t click the link but report it to your IT admins.
If it’s personal - tell the person.
Using a password manager can help.
2FA helps a lot.
Provide a way for employees to check the validity of an email or phone call.
Remember that employees are outcome driven.
The end
Answered Same Day Aug 17, 2021 PICT3011 Macquarie University

Solution

Dilpreet answered on Aug 18 2021
RESPONSE TO QUESTIONS
Table of Contents
Leading Factors behind Rising Phishing Attacks    3
Indicators of Phishing Emails    3
Commenting on the Statement    3
Replying to Nathaniel Thomas    3
Replying to Melissa Camp    3
References    4
Leading Factors behind Rising Phishing Attacks
The increasing dependency of individuals and businesses on the internet has led to a rise in the number of phishing attacks in recent times. Moreover, the predictable patterns followed by individuals while performing online activities have also been determined to be one of the primary factors behind the rising number of phishing attacks (Gupta, Arachchilage & Psannis, 2018). Excessive usage of digital platforms for the purpose of conducting B2B, B2C or C2C communication is also responsible for the increasing number of phishing attacks.
Indicators of...