Phishing and its Variants

Apr 01, 2020

Find out how to define different phishing attacks, including spear phishing and whaling. Phishing is one of the most common and obvious cyber attack vectors.

OK, let's begin with one of the most common and obvious attack vectors, and that is phishing. A phishing attack is a cyber attack that uses disguised email as its vector; the goal is to trick the recipient into believing that the message is legitimate so that they click a link or download an attachment. This can happen in corporate email, personal email, webmail, any form of electronic mail.

Email phishing attacks, or hoaxes, are one of the most common exploit vectors available to crackers. There are different variants of phishing. For example, "spear phishing" is when you target certain employees: someone in the finance department or the accounting department, maybe a database administrator or a server administrator, or a low-level employee who might be more likely to respond to a social engineering attack, like a receptionist or a secretary.

Now, taking spear phishing to the next level is "whaling". That's where you target high-level employees, for example someone from the C-suite or the C-team (the CEO, the CIO, the chief financial officer or CFO) or senior management. It could be somebody on the board of directors. Then we have "vishing", with a V. Vishing uses the same process as phishing; however, it targets cell phones, telephones and Voice over IP systems, using those as the vector instead of email.

We often call the attacker a visher, and the visher may call while spoofing a collection agency or claiming to be a lawyer, trying to get personal information, personal health information or intellectual property. "Smishing" is all of the above, except that SMS texting is the vector instead of email or a telephone. There are some key indicators to look for in email and webmail to identify phishing attacks. You might see vague salutations, for example "Dear valued customer" or "Dear employee", and suspicious-looking domain names and display names.

For example, the company name actually appears farther down in the URL path, or the domain is a common misspelling, and most people don't look carefully at all of the text in the URL. Often companies will not register the wildcard domain, for example *.whatever.com, and phishers can use modified URLs to trick people into clicking on the links or typing them into the address bar. When you hover your mouse over a hypertext link and look at the status bar at the bottom, you might see indicators of wrong information, or just a random IPv4 address instead of a host name.

Historically, phishing attacks would have awkward grammar and misspelled words, for example because whoever wrote the phishing email wasn't a native English speaker. However, with tools like Grammarly this is becoming a lot less common. Sometimes the subject line of a phishing email has urgent or intimidating phrases like "You must act immediately", "Attention" or "Urgent".

There's often a lack of legitimate contact information in a phishing email as well, along with spoofed headers, logos and corporate graphics. One of the most prevalent types of phishing attack is called "BEC", Business Email Compromise. This is a form of attack that targets companies that outsource, conduct wire transfers and have suppliers abroad. Attackers often target the corporate email accounts of high-level employees; those accounts are either spoofed or compromised, through tools known as keyloggers or through other phishing attacks, and then used to perform fraudulent transfers.
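The indicator checklist above (vague salutation, display name that doesn't match the sender's domain, urgent subject line, links to a raw IP address, brand name hidden in the URL path, look-alike domains) can be turned into a simple triage heuristic. The following is an added example, not code from the original lesson; the brand, the legitimate domain and the sample message are all constructed, and the rules are deliberately simple string checks rather than a production filter.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical brand being impersonated; only this registrable domain is legitimate.
BRAND = "example bank"
LEGIT_DOMAIN = "examplebank.com"
URGENT = ("act immediately", "urgent", "attention")
VAGUE = ("dear valued customer", "dear employee", "dear customer")

# Constructed sample message (not a real phish): both links would look wrong on hover.
SAMPLE = """\
From: "Example Bank Security" <alerts@examp1ebank-verify.test>
To: victim@example.org
Subject: URGENT: you must act immediately
Content-Type: text/plain; charset="utf-8"

Dear valued customer,
Verify your account at http://203.0.113.5/examplebank.com/login
or http://examplebank.com.secure-login.test/verify now.
"""
def _host_is_legit(host):
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def phishing_indicators(raw):
    """Return the indicator names triggered by a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    hits = []
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2].lower()
    # Display name claims the brand, but the address is not on the brand's domain
    if BRAND in name.lower() and not _host_is_legit(sender_host):
        hits.append("display-name mismatch")
    if any(w in str(msg.get("Subject", "")).lower() for w in URGENT):
        hits.append("urgent subject")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if body.lstrip().lower().startswith(VAGUE):
        hits.append("vague salutation")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            hits.append("raw IPv4 link")           # bare address instead of a name
        elif not _host_is_legit(host) and LEGIT_DOMAIN in parts.path.lower():
            hits.append("brand name in path, not host")
        elif not _host_is_legit(host) and BRAND.replace(" ", "") in host:
            hits.append("look-alike domain")     # brand appears inside a foreign host
    return hits
```

Each hit is one of the lesson's indicators; a message that scores several of them is worth a closer look, while a single hit (an urgent subject on its own) is common in legitimate mail.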

In 2016, BEC attacks led to an average of $140,000 in losses for companies globally, and attackers can be ingenious in spoofing real internal email accounts. Common BEC schemes include "phony invoices and transfers"; companies with foreign suppliers are often targeted with this tactic. Another is fraud of the CEO (or the "C-suite" or "C-team"), where an attacker spoofs a company's CEO or CFO and sends an email to employees in particular departments, for example finance or accounting, requesting a money transfer.

Obviously, there is "email or webmail account compromise". Companies often run phishing campaigns inside their own organization to further train their employees and raise security awareness, so that they don't respond to BEC schemes. Attackers may impersonate attorneys or members of a legal team or a law firm, and may claim to be in charge of critical and confidential information. Then there is "data theft of personally identifiable information (PII)", personal health information (PHI) and intellectual property. This information may be reconnaissance, or information gathering, that is going to be used in a future advanced persistent threat.

Finally, we have "pharming". Pharming is a blend of the words "phishing" and "farming", and it describes a type of cybercrime that combines phishing with farming: a website's traffic is manipulated or spoofed and confidential information is stolen. Attackers may install a virus or a trojan on a target that changes the computer's hosts file to direct traffic away from its intended destination and toward a fake or hoax website.

Crackers may also poison a DNS server so that multiple users are redirected, without realizing it, to the fake site, which in turn can be used to install malware on the victim's computer. For the exam, remember that pharming has to do with name resolution, or DNS.
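Because the endpoint side of pharming is a modified hosts file, one quick host check is to parse that file and flag any entry that pins a sensitive domain (a bank, a payment provider) to a fixed address, which bypasses DNS entirely. This is an added example, not code from the lesson; the hosts-file content and the watched domain are constructed. Entries pointing at loopback or 0.0.0.0 are skipped because ad-blocking hosts lists and local development overrides legitimately use those.

```python
import ipaddress

# Constructed hosts-file content; the last two lines imitate a pharming change.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost
127.0.0.1       dev.internal.test   # local dev override
0.0.0.0         ads.examplebank.com # ad-block style sinkhole, benign
198.51.100.23   www.examplebank.com
198.51.100.23   login.examplebank.com   www.examplebank.com
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()

def pharming_overrides(text, watched_domains):
    """Return sorted (hostname, address) pairs that pin a watched domain to a
    routable address. Sinkhole entries (loopback / unspecified) are ignored;
    anything else for a bank-style domain is exactly what a pharming trojan
    writes, since it makes the OS skip DNS for that name."""
    watched = tuple(d.lower() for d in watched_domains)
    findings = set()
    for addr, name in parse_hosts(text):
        if not (name in watched or name.endswith(tuple("." + d for d in watched))):
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None                      # malformed address: still suspicious
        if ip is None or not (ip.is_loopback or ip.is_unspecified):
            findings.add((name, addr))
    return sorted(findings)
```

On a real system you would read /etc/hosts (or the Windows drivers\etc\hosts file) into `text`; the DNS-server side of pharming described above needs a resolver comparison instead and is not covered here.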