What is Phishing?
Phishing attacks are one of the most common attacks performed by cyber criminals to gain access to personal information or sensitive data including credit card numbers and login credentials. Bad actors trick victims into voluntarily sharing their data by impersonating trusted brands or people.
How Common Are Phishing Attacks?
According to the Anti-Phishing Working Group’s (APWG) latest Phishing Activity Trends Report, nearly 150,000 unique phishing websites were detected in Q2 2020. In the same period of time, over 125,000 unique phishing emails were reported. This means that at least 5% of the total amount of newly registered domains were used for phishing. Keep in mind that these figures only represent “detected” phishing attacks. In reality, the figures could be much larger.
The Purpose of Phishing Attacks
Phishing attacks are malicious in nature, with the intent of luring victims into submitting personal data without suspecting any wrong-doing. Oftentimes, the acquired sensitive data is used to achieve the bad actor’s ultimate goal: financial gain. However, there are various tactics that can be employed.
Anatomy of a Phishing Attack
While phishing attacks rely on various tactics, their general anatomy follows a similar pattern, shown here.
1. Purchased Domain
While not necessary in phishing attacks, a look-alike domain can be purchased to fool users into trusting the sender. Nearly 70% of domains used in phishing attacks come from legacy generic Top Level Domains (TLDs) such as .com.
2. Spoofed Sender
Email spoofing involves the creation of an email message with a forged address. With access to an SMTP server or various online tools, the “mail from” field can be replaced with any email address. Although this won’t pass SPF, DKIM, or DMARC checks, an untrained email user could fall victim to the phishing attempt. To check if the sender is legitimate on Gmail, users can click on the “show original” option on the email message and check the headers. Verify that the sending address passed SPF, DKIM, and DMARC.
3. Look-alike Webpage
As the threat landscape evolves, it’s not necessary for cyber criminals to be tech-savvy. A phishing kit can be purchased online, providing hackers a ready-to-use phishing campaign. Phishing kits clone legitimate business websites, add malicious software, and are packaged for sale. The forms on the cloned website typically save off credentials or sensitive data to be exploited. Today, nearly 80% of phishing websites have SSL encryption enabled which creates a sense of security in victims. Seeing the ‘https’ and a small lock next to the URL makes the website seem safe. However, over 90% of these certificates were domain-validated. This is the weakest method of certificate validation and only requires an email to be sent to a specified contact; that contact is the phisher!
4. Message to Target Victim(s) With Call to Action
A message can be transmitted via email, text messages or common instant messaging platforms. Victims believe that the message came from a known sender. Example senders could be your company’s CEO or your bank. In the message, the phisher will create a sense of urgency causing the victim to click a link leading them to a fake webpage or prompting to download a file.
Examples of Phishing
While phishing is a common tactic performed, there are several different methods of phishing. Each method generally contains the same components but often has different targets.
With victims spending hours a day sifting through emails, it’s easy to mistakenly click on an email that is received from a spoofed email address. While these often direct victims to a web page, many request funds in the form of a wire transfer or gift cards.
Spear-phishing targets a specific person or enterprise instead of a wide group. Phishers may perform research on the user to make the attack more effective. Unsurprisingly, tons of data can be found on social media platforms such as LinkedIn. Phishers can understand your network, contact information, and experience to draft a highly personalized phishing message. For example, A fake or compromised email could be used in a Business Email Compromise (BEC) attack to trick employees into leaking credentials or sending funds.
Clone phishing is a phishing attack that leverages a user’s familiarity with the sender. A previously sent email with a link or attachment is intercepted and cloned. However, the original link or attachment has been replaced with a malicious link or attachment. It may be sent from a spoofed email address to appear like the original sender. By referencing the earlier message, the phisher may build trust with the recipient.
Whaling has all the same characteristics as a typical phishing attack, only the phish are much bigger. In this attack, cyber criminals will target key or senior figures at an organization. If a key member in the finance department receives a spoofed message that they believe to be from the CEO requesting a wire transfer, they may not think twice. Similar to spear phishing, these attacks are highly targeted.
How You Can Prevent Phishing
The reason phishing is a common attack vector for cyber criminals is because it works and is relatively low effort. There are several steps that individuals and organizations can take to prevent falling victim to phishing attempts.
Verify Email Links
Individuals should always be weary when viewing emails with attachments. By hovering over an attachment, your browser will show the actual destination of the link. If it doesn’t look like a website you are familiar with or recognize, don’t click it.
Verify Email Senders
If the email appears to be from someone you know, but it’s unexpected or has information that is too good to be true, there is a good chance it’s a phish. By viewing the email message headers and verifying the DKIM, SPF, and DMARC passed, you can verify it’s a legitimate sender. If the message still seems suspicious, just reach out to the sender directly over the phone or instant message to verify they actually sent it.
Don’t Trust the SSL Padlock
If the site is not HTTPS with an SSL certificate, your data is being transmitted in plain text to the hosting server, therefore you shouldn’t be entering sensitive data. However having an SSL certificate alone is not enough but that isn’t enough to verify safety. Check to see if the site was certified by a Certificate Authority and was not domain-verified. Remember, roughly 80% of domains have domain-verified SSL certificates and appear to be secure. To verify the certificate issuer: click on the SSL padlock, then click certificate and view the details.
Monitor Newly Registered Domains
Business organizations should use anti-phishing software to monitor newly registered domains to see if they mention their brand or trademark. If that is the case and the domain doesn’t belong to your organization, that’s a red flag. It’s imperative to continuously monitor these domains as they evolve because if they aren’t a threat today, tomorrow could be different.
Monitor Incoming Email Traffic
Business Email Compromise is a prime candidate for cyber criminals to trick victims into wiring money or navigating to a malicious domain to input credentials. By using anti-phishing tools that monitor incoming emails for authentication checks, members of your organization can be warned of malicious messages sent from spoofed email addresses.
What to Do If You Suspect a Phishing Attack
If you suspect a phishing attack, report it to your organization’s security team so that they are aware of on-going campaigns. The security team should be reporting phish to the registrar, email and/or web hosting providers involved. There are additional organizations and blacklists such as Google Safe Browsing that welcome phishing reports. Reporting phish for takedown prevents others from being victimized. Lastly, the security team should continually monitor the email and/or web pages used in the attack.
What Makes Phishing Protection With ZeroFox Unique
Continuously monitoring newly registered domains and incoming emails is a burdensome task for any security team. On top of that, building relationships with providers to effectively dismantle the killchain for phishing attacks makes it even more time intensive. With ZeroFox phishing protection, all newly registered domains are monitored continuously. Leveraging OCR and AI capabilities, live web pages are scanned daily for infringing content and indicators of phishing. With the click of a button, you can request takedown on phishing domains that damage your organization’s reputation.
Phishing is a common and highly successful attack vector for cyber criminals. As long as phishing attacks continue, organizations are at risk of financial loss and damaged reputations. With the proper anti-phishing software and employee training programs, you reduce the odds of becoming a phishing victim. Ultimately, it takes time, processes, and skilled analysts to identify ongoing campaigns and takedown domains used for phishing. You don’t have to do it alone, ZeroFox’s best-in-class phishing protection will help your organization detect, analyze, and remediate phishing attacks.