PRACTICAL SOLUTIONS TO PHISHING ATTACKS

  • Writer: Sasanka Dahanayake
  • Dec 14, 2022
  • 16 min read

This project was done on my own as a research paper for an assignment.



Introduction

Phishing is the most widely used attack type among all other cyber-attacks such as malware attacks, man-in-the-middle attacks, DDoS (Distributed Denial of Service) attacks and so on, and for decades it has remained the most popular attack type among cyber criminals. Even though we have strong mechanisms to detect and block spam emails, phishing emails are very realistic, hard to detect, and hard to believe to be a phishing attack. In a phishing attack the attacker pretends to be a highly trusted person or company, like your coworkers, your bank or even the government. With phishing attacks, cyber criminals (attackers) can get your sensitive personal details: your passwords to online banking services, your credit/debit card details, or even your entire identity via your social security number. In this report, let us dive in and discuss some important questions:

  • What is phishing?

  • Risk of being a victim.

  • Types of phishing scam.

  • Finding and dodging phishing attacks.


History and Revolution of Phishing

We cannot tell exactly on which date the first phishing attack happened. The reason is that in the cyber security domain, to tell that an attack was done or is ongoing, we need to catch the attacker or find the damage done to the system. So, what we can say is which phishing attack is the first one we found.


So, the first phishing attack we know of was done on 2nd January 1996, against the AOL company. The attacker's strategy was to pose as AOL administrators and phish for login information so they could have free access to the internet. As mentioned before, this happened in an era when no one knew about phishing. But now phishing is a quite common attack, so companies need to focus on this type of attacker.


The 2000s are when phishing started evolving rapidly. Before the 2000s people still did not have a good understanding of phishing attacks, so most of the time phishing attackers targeted those groups. Scammers pretend to be a trustworthy person or organization to carry out a successful phishing attack.


Even though the first phishing attack happened in 1996, at that time attackers were not targeting payment gateways. But from around 2008, phishing attackers have focused on payment gateways like PayPal and E-gold. Attackers send a phishing email recommending that users update their password or credit card, and steal their details.


After 2008, a new currency method, cryptocurrency, became famous. With its help attackers can now completely hide their identity, because in cryptocurrency block chains we cannot track any transaction or the user who did it.



Why We Need to Learn About Phishing

Even though we did not think about phishing or any type of cyber-attack in the early 2000s, nowadays we need to have a clear idea of cyber-crimes. In the late 1990s and early 2000s only a few people could afford a computer, laptop or smartphone, and even though companies were using technology, they hired cyber security domain employees to manage it. So there was no need for ordinary people to focus on those attacks.


But in the early 2010s, with fourth-generation computers, people started using technical equipment. First- to third-generation computers were awfully expensive and large, so they were only used by big organizations. But in the fourth generation, computer prices went down and large computers shrank to the size of today's personal computers.


But this was a new experience for people, so it took some time to spread all around the world. With that, in the early 2010s personal computers became incredibly popular and started selling all over the world. But at this time computers were still mostly used by people in the 20-40 age group.


This situation completely changed with the corona pandemic. During the quarantine period all countries closed their borders to foreigners and imposed curfews, so people were stuck in their houses. To my understanding, this is the evolution of technology. With the curfew all industries introduced online facilities. People started using the internet all around the world, and everyone got used to using a smart device, especially those who had never used one before.


With this evolution everyone needs to know about cybercrimes, whether you are in the cyber security domain or not.



What is Phishing?

Phishing encourages the victim to do specific actions, chosen and controlled by the scammer, that give the scammer access to the victim's devices, personal data or accounts, by pretending to be a person or an organization you trust.


By pressuring the victim, the phishing attacker steals the victim's credit card details or even his/her entire identity via the social security number. After a successful phishing attack the attacker can pretend to be the victim, and do whatever he/she wants as you.


To get access to the victim's data, attackers will mostly urge you to open an attachment or a link, fill in a form, or reply to a person with details. They keep those conversations to a high standard so the victim cannot even suspect that this is a phishing attack.


  • Most of the time the victim will go through the process below (here, to get access to bank details):

  • You open an email telling you that your online bank account password has expired and you need to update the password to get uninterrupted, secure service.

  • To change the password, click the link below. (This is the start of the trap for the victim.)

  • What you do is click on that link, and it directs you to the banking site.

  • Even though that site looks exactly like the original site, it is a copy of the original site, so the attacker has full control over it.

  • Now it asks you to give a new password and the username of the account.

  • After you follow the path and complete the process, the attacker has the password and username for your account.


In this way the victim falls into the attacker's trap. The danger of phishing is that phishing attackers do not make mistakes that leak their identity; they follow a very smart process.



Who is at risk of Phishing attacks?

Phishing attackers can target anyone in any age group, whether in your personal life or at your workplace, as long as you use the internet on your devices. At the workplace, if you run a company that allows employees to work on their own devices, your company is affected by phishing more than companies that do not allow employees to work on their own PCs; those companies supply company devices for both office work and personal work. The benefit of this is that if an attacker does a phishing attack and tries to get company data through your device, company admins can erase all data from the device remotely.


But if your company allows employees to work on their own devices, you do not have the authority to wipe the data if an attacker gets access to that device; company admins need the device owner's permission to do it. So the Bring Your Own Device (BYOD) method opens more risk to the company, even though it helps to spend less money on technical equipment.


In personal life, if you use a device that has an internet connection then you are at risk. Even if you do not have an internet connection, if you have messaging facilities (normal messages via your phone number, etc.) and your number falls into an attacker's hands, a phishing attack can still be done.



So the best practice is to hide your number, email address, online messaging IDs (Facebook Messenger, Telegram etc.) and social media accounts (Instagram, Facebook etc.). It is better if only your close friends and relatives know them.



Spam Phishing

Most phishing attacks fall into this category. Spam phishing works by sending spam messages to users. Here it is more annoying than an actual attack, and most systems already have mechanisms to detect spam emails, so this kind of phishing is controlled to some extent.


Spam messages are sent in mass quantities by spammers and cybercriminals to do one or more of the following:

  • Make money

  • Run phishing attack to obtain passwords, credit card details, bank account details

  • Spread malicious code on the victim's computer




Targeted Phishing/ Spear Phishing

Targeted phishing, also known as spear phishing, is the most dangerous and most difficult to detect phishing attack. Its most common variant is whaling.


In spear phishing the attacker has a specific target that the attacker has researched. In normal phishing attacks, attackers send a fraudulent email or message to a large group. For example, most people use e-commerce sites such as eBay and AliExpress. The attacker will generate a fraudulent message telling you to update your credit card details, or maybe your password, in order to do something. As you can see this is a common mail sent to a group of people; everyone gets the same mail.


But in spear phishing the email is generated for a specific target. As an example,

  • You have requested online banking services from your bank.

  • The attacker notes that you are going to sign up for online banking services.

  • Now the attacker does some research and finds out the structure of the letter you will get from the bank and what needs to be included, down to the bank admins' names and signatures.

  • Now the attacker has every detail. The attacker then generates a scam letter specifically targeting you and sends it to you, pretending to be the bank: this is the site URL, now you can create an account and add your details to it.

  • When you get this email, nothing is suspicious, because you already requested the banking service and the email appears to come from the bank.

  • Now you click on that URL, and there too everything looks the same.

  • In phishing, attackers create a copy of the site that is almost identical, so no one can tell which is the original site and which is the fake.

  • In the next stage, you create the account on that scammer's site and add all your details.

  • Now the phishing is done …


As you can see, this specifically targets someone. The attacker does more work and needs more resources compared to normal phishing. The phishing attacker gathers this information from social media profiles, existing data breaches or other publicly discoverable info.


With all these details, there are two ways of doing the phishing attack. The first is an immediate attempt to encourage you to take action. The second is building a connection with the user for months and earning your trust before the attack.


So, compared to spam phishing attacks this is the most dangerous type, and unfortunately spear phishing is the attack by which most people get phished.

(https://www.le-vpn.com/spear-phishing/)



Types of Phishing Attacks

First, we must understand what phishing accomplishes (stealing your password, credit card details, social identity and much more). To get that outcome, phishing can be delivered by all kinds of means, including phone calls, text messages, and even hijacked URLs on perfectly legitimate websites.


Phishing Email

  • An email arrives in your inbox pressuring you to follow a link, send a payment, reply with private info, or open an attachment.

  • The structure of those emails is very close to an original mail, so you might think it is coming from the original site.

  • With modern technology those types of emails can be caught by mailbox AI, so nowadays email phishing can be suppressed to some extent.

Domain Spoofing

  • This is also a type of email phishing where the attacker mimics a valid email address and changes it so it looks the same. (Ex. @america.com to @arneria.com)


Voice Phishing (vishing)

  • Attackers call you posing as a valid person or a company that you trust in order to phish you.

  • They might use automated messages and mask their phone number, so you think the call is really coming from that person or company.

  • They will try to keep you on the call and pressure you into taking actions.


SMS Phishing (smishing)

  • This type is like voice phishing, but they send you messages instead of calling.

  • The message will appear to come from a person or organization that you trust.

  • In the text message you will find a link or a contact number which leads you to the phishing attacker.


Social Media Phishing

  • Social media phishing is also an exceedingly popular attack that has led many people into the attacker's trap.

  • First the attacker publishes a social media post and promotes it, so that the post reaches more views.

  • That post will carry some giveaways or links to manipulated websites which look the same as the real ones.

  • Otherwise, they will build a long-term relationship with you before stealing your details.


Clone Phishing

  • In this type of attack, the attacker duplicates a real message previously sent by the legitimate organization.

  • Then they attach malicious links to it.

  • Even though this is another version of email phishing, it can happen by other means, like fake profiles on social media.


Watering Hole Phishing

  • The attacker targets a popular website that many people visit, then tries to find an exploit (a vulnerability or weak point) in the site to carry out the phishing attacks above.


Pharming (DNS cache poisoning)

  • The attacker uses malware or an on-site vulnerability to reroute traffic from the legitimate site to a phishing site which looks exactly the same.

  • Here even a manually typed URL leads you to the phishing site instead of the original site.


Typo-squatting (URL hijacking)

  • When we type, we sometimes make mistakes. This is the entry point for typo-squatting phishing: the attacker catches people when they enter the wrong website address.

  • It leads you to a malicious site which the attacker controls.

  • As an example, if you type “alexpress.com” instead of “aliexpress.com” it will lead you to the wrong site.
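The domain-spoofing example above (@arneria.com for @america.com) and the typo-squatting example (alexpress.com for aliexpress.com) are both "looks almost right" tricks, and a mail filter can catch both the same way: fold look-alike characters to what the eye sees, then measure how many edits separate the sender's domain from a short list of domains you actually deal with. The Python below is an added example written for this post, not code from the original; the trusted-domain list and the sample From: headers are constructed, and the two-label "registrable domain" rule is a simplification.

```python
import unicodedata
from email.utils import parseaddr

# Domains the reader legitimately deals with (constructed for this example).
TRUSTED_DOMAINS = {"america.com", "aliexpress.com", "paypal.com"}

# Character pairs that look alike in common fonts; multi-character entries
# are folded before single characters so "rn" becomes "m" first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Fold a domain to the ASCII string a reader 'sees' at a glance."""
    d = unicodedata.normalize("NFKD", domain.lower().strip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))
    # NFKD does not map Cyrillic or Greek look-alikes (e.g. Cyrillic 'а') to
    # Latin, so any remaining non-ASCII character is treated as a wildcard.
    d = "".join(c if c.isascii() else "?" for c in d)
    for pair, plain in HOMOGLYPHS:
        d = d.replace(pair, plain)
    return d


def registrable(domain: str) -> str:
    """Keep the last two labels: 'login.paypal.com' -> 'paypal.com'.
    Naive rule assumed here; production code would use the Public Suffix List."""
    return ".".join(domain.strip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insert, delete, substitute or swap
    of two adjacent characters each cost 1, so 'aliexpress' -> 'alexpress' is 1."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev1 = prev1, cur
    return prev1[len(b)]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 1):
    """Return ('trusted', d), ('lookalike', d) naming the imitated domain, or
    ('unknown', None). Only an exact match is trusted; anything within max_edits
    of a trusted domain after folding is reported as a lookalike."""
    exact = registrable(domain.lower())
    if exact in trusted:
        return "trusted", exact
    folded = registrable(skeleton(domain))
    best = None
    for t in sorted(trusted):
        dist = edit_distance(folded, t)
        if dist <= max_edits and (best is None or dist < best[1]):
            best = (t, dist)
    return ("lookalike", best[0]) if best else ("unknown", None)


def check_from_header(from_value: str):
    """Classify the address in a From: header, e.g.
    '"PayPal Support" <service@paypa1.com>' -> ('lookalike', 'paypal.com')."""
    _display, addr = parseaddr(from_value)
    domain = addr.rpartition("@")[2]
    return classify_domain(domain) if domain else ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in ['"Account Team" <no-reply@arneria.com>',
                '"PayPal Support" <service@paypa1.com>',
                "orders@aliexpress.com"]:
        print(hdr, "->", check_from_header(hdr))
```

A verdict of "lookalike" is a reason to verify through a channel you already trust (the bank's printed phone number, the URL you type yourself), exactly as the rest of this post advises.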


Clickjacking

  • Attackers look for a website vulnerability that lets them place a hidden capture box, so the attacker can read everything you enter on that site.

  • It enables the attacker to get your login credentials, credit/debit card details and much more…


Tab-nabbing

  • The attacker redirects you to an imitation of a valid site's login page, then takes your login credentials.

  • You think this is the real one and unfortunately hand over your account access.


HTTPS phishing

  • The attacker creates a malicious website with the illusion of security given by the classic “padlock next to the URL bar.”

  • Normally this says the website is safe and secure, so you can trust the site. But nowadays any site can get this.

  • So even though your connection is secure for sure, you are connected to a malicious site that the attacker controls.


Evil Twin

  • Nowadays we get free Wi-Fi in public areas like coffee shops, airports, parks etc. The attacker mimics that kind of official public Wi-Fi.

  • After you connect and start using the Wi-Fi, the attacker tracks and eavesdrops on all your online activities.


Search Engine Results Phishing

  • The attacker uses methods to get a fraudulent webpage shown before the legitimate one in search results.

  • This method is also known as SEO phishing or SEM phishing.

  • If you do not look carefully you will go to a malicious site instead of the real site.


Angler Phishing

  • In this kind of phishing the attacker pretends to be a customer service representative of a real company, or creates fake social media help accounts, to trick you.


BEC (business email compromise)

  • BEC includes a variety of strategies for breaking into a company's communications circle to gain valuable information. Impersonating a CEO, or acting as a vendor with a phony invoice to execute activities such as wire transfers, is one example.


Cryptocurrency Phishing

  • In crypto block chains users earn money with long-term mining. It takes so much analysis before placing an order to buy or sell crypto.

  • What cryptocurrency phishing attackers do is target those cryptocurrency wallets, instead of trading for months.

  • They try to steal money from users' wallets. In these crypto systems we cannot track who the owner of a wallet is or where my money went.

  • So even though it is hard to steal money from a user, if it is done successfully the attacker is perfectly safe. That is why nowadays ransomware attackers (who send malicious code to a user's device and lock the device so the user cannot access it anymore; the user has to pay the attacker for a key to unlock the device and get their data back) also ask for money in cryptocurrencies, so they can stay hidden forever.


In all kinds of phishing attacks we can see the concept is the same, but the way it happens is different. First they need your trust, and after they gain it, they can push you to do whatever they want.


The phishing types mentioned above are only a few of them. You may experience a completely different phishing attack in the future, so it is extremely hard to spot a phishing attacker.



Examples of Common Phishing Scams

It is impossible to list every phishing scam here; the list below holds only some of them.


Iran Cyberattack Phishing Scams

  • The attacker uses an illegitimate Microsoft email telling you to log in to your account to restore your data, then steals your credentials. They use your fear of losing data against you.


Office 365 deletion alerts

  • Here too the attacker uses an illegitimate Microsoft email to steal your login credentials, but in an unusual way.

  • This email scam tells you that a large amount of data has been deleted and, if you are not the one who did it, to use the link below to restore it.

  • After you follow the attacker's instructions, they steal your credentials without giving you any hint.


Notice from bank

  • These types of emails come from fake accounts. Normally they supply a link which leads to a web form asking for your bank details to verify you.

  • Before giving details you must first contact the bank, so you can verify whether the email really came from the bank or not.


Email from a ‘friend’

  • Here the attacker pretends to be your friend and asks for help; normally help means asking for money. Here too you must contact your friend first, so you can verify whether it really comes from the friend or not.


Contest winner/inheritance email

  • This is a quite common attack. I am sure that you have also experienced it.

  • The attacker sends you a notification telling you that you have won a competition, and this is the prize.

  • Normally this prize amount is extremely high, so you would at least like to give it a try.

  • Then they ask you for some money (incredibly little compared to the amount you will receive as the prize) to ship it.

  • It is a quite simple type of attack, but most people get caught in the attacker's trap.


The tax refund/rebate

  • This is a common phishing scam since many individuals have annual taxes that they must pay or arrange payment for.

  • These phishing mails usually claim that you qualify for a tax refund or that you have been chosen to be audited.

  • They then suggest that you submit a tax refund request or tax form (requesting your complete information), which fraudsters then use to either steal your money or sell your data.

  • You can contact the tax agents and verify the mail before taking any action.



How to recognize and avoid phishing

The key to spotting a phishing email is to look for any irregularities or inconsistencies. It can be challenging at times to distinguish between legitimate emails and phishing attempts. Before you click on any links, open any attachments, or reply, you should first calm down.


If you get a suspicious email, you should respond as in the following example. You get an email asking you to donate money to help those affected by the most recent hurricane to hit land. The sender's address is "help@ushurricanessurvivors.net," and you have not heard of the company, even if it may be authentic. These emails often land in your spam bin, but for some reason this one is sitting at the top of your inbox.


You know how to use computers, so you will not open emails from businesses looking for money or personal information. This is particularly true if you did not ask for it and are unable to confirm its authenticity.


Instead of acting right away, you have made a crucial move to safeguard yourself by pausing. You must still decide whether this is a genuine offer or a con. To decide, you must be fully aware of what to look for in a phishing email.


Phishing Email Format

The fact that phishing emails are designed to seem authentic is one of the reasons they are so pernicious, and too often effective.

The following characteristics are typically present in phishing emails and should raise caution flags:

  • Attachments or links

  • Spelling errors

  • Poor grammar

  • Unprofessional graphics

  • Unnecessary urgency about verifying your email address or other personal information at once

  • Generic greetings like "Dear Customer" instead of your name.

Some phishing sites will look drastically different from the genuine organization's, since hackers often rush to get them up. These characteristics can be used to spot a fraudulent email in your inbox.
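The warning signs listed above can be turned into a simple triage check that runs over a raw message before anyone clicks anything. This is an added example written for this post, not the author's code; the keyword lists, the two sample messages and their domains are all constructed, and the checks are heuristics (a score of zero does not prove a mail is safe).

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Keyword lists for the warning signs above (constructed for this example).
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "at once",
                   "will be suspended", "verify your account")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip", ".iso")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Join every text/* part that is not an attachment."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw_message: str) -> dict:
    """Score one RFC 822 message string. Each flag is one of the warning signs
    above; 'score' is simply the number of flags raised."""
    msg = message_from_string(raw_message)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    lower = _body_text(msg).lower()

    if any(lower.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    hits = [p for p in URGENCY_PHRASES if p in lower]
    if hits:
        flags.append("urgency: " + ", ".join(hits))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        flags.append(f"reply-to goes elsewhere: {reply_to}")
    # Display name claims a brand the sending domain does not contain, e.g.
    # "PayPal Support" sent from an unrelated domain (heuristic: first word).
    brand = display.split()[0].lower() if display else ""
    if len(brand) > 3 and brand not in from_domain:
        flags.append(f"display name '{display}' does not match domain {from_domain}")
    for url in URL_RE.findall(lower):
        flags.append(f"link in body: {url}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {name}")
    return {"score": len(flags), "flags": flags}


# Constructed sample messages (not real mail) showing both outcomes.
PHISH_SAMPLE = """\
From: "PayPal Support" <service@mail-secure.example>
Reply-To: helpdesk@other.example
To: victim@example.org
Subject: Your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Customer,
Unusual activity was found. Verify your account within 24 hours at
http://paypal-secure-login.example/verify or it will be suspended.
--b1
Content-Type: application/zip; name="Statement.zip"
Content-Disposition: attachment; filename="Statement.zip"

UEsDBAo=
--b1--
"""

LEGIT_SAMPLE = """\
From: "AliExpress Orders" <orders@aliexpress.com>
To: sasanka@example.org
Subject: Your order has shipped
Content-Type: text/plain; charset="utf-8"

Hi Sasanka,
Order 8841-2 left the warehouse today. Track it from your account page.
"""
```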


However, it is not always obvious what to do if you get a phishing email that has eluded your spam box.


Tips for Handling Known Phishing Emails

The trick is to be attentive in spotting phishing emails. Use these tactics if you have come across one in your inbox (one that has not been automatically filtered into spam) to avoid falling for a phishing scam.

  • Do not open the email; instead, delete it.

    • Most viruses start to run when you open an attachment or click a link in an email.

    • However, certain email programs support scripting, making it possible to catch a virus merely by opening an email that seems dubious.

    • It is advisable to delay opening them.


  • Activate a manual sender block.

    • You ought to construct a block manually if your email program lets you: note the sender's email domain, then add the sender to a blocked list.

    • This is extremely clever and practical if you share your email account with any family members.

    • Someone else could get an email that appears to be real but is spam, and act inappropriately.


  • Invest in an added layer of security.

    • Always err on the side of safety. Consider investing in antivirus software to keep an eye on your email.

Just keep in mind that blocking or removing phishing emails right away is the best course of action. It is a plus if you take any further steps to reduce your vulnerability to these attacks. In addition to spotting the email and removing it, there are a few more precautions you can take.


Phishing Prevention Tips

You will be the target of these phishing emails every day, whether we like it or not. The majority of these are promptly removed by our email providers, and consumers are adept at recognizing these emails and using common sense to refuse their requests.


But you have already seen the deceitfulness of phishing. Additionally, you are aware that phishing attempts affect all forms of online communication and surfing, not simply emails.


You may significantly lower your likelihood of being a victim of fraud by heeding a few straightforward phishing prevention measures.


Steps to Protect from Phishing


  • Use caution when sharing sensitive information. Never click the link in an email notice you get from your bank or another significant organization. Instead, open a browser window and enter the URL straight into the address bar to verify the website is legitimate.

  • Never rely on alert messages. Most trustworthy businesses will not email you asking for account information or personally identifying information. This includes any business you deal with, such as your bank or insurance provider. Delete any emails that request account information right away, then call the business to make sure everything is well with your account.

  • Avoid opening Word, Excel, PowerPoint or PDF files attached to these shady or unusual communications.

  • Avoid clicking any embedded links in emails since they might carry malware. Never click on URLs contained in messages you get from merchants or other third parties. To confirm the request, go to the site directly by typing in the right URL. You should also study the vendor's contact rules and processes before making any information requests.

  • Ensure that your operating system and applications are current. Make sure you are safe and up to date. Windows OS products are often the subject of phishing and other malicious attempts, particularly for those still using any version of Windows before 10.
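The advice to type the address yourself rather than click exists because an email link can show one address and lead to another, and the HTTPS padlock section above explains why "https://" on its own proves nothing. The added Python below (written for this post, not the author's code) audits every link in an HTML mail body for exactly those tricks; the trusted-domain allowlist and the sample HTML are constructed, and the two-label "registrable domain" rule is a simplification.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"paypal.com", "aliexpress.com"}   # constructed allowlist for this example


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text: str) -> str:
    """Host of a URL, or of bare text like 'www.paypal.com'; '' if the text is not address-like."""
    s = text.strip()
    if "://" not in s:
        s = "http://" + s
    host = (urlsplit(s).hostname or "").lower()
    return host if "." in host and " " not in host else ""


def registrable(host: str) -> str:
    return ".".join(host.split(".")[-2:])   # naive two-label rule (assumption)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_link(href: str, text: str, trusted=TRUSTED) -> list:
    """Return the reasons a single link should not be clicked from the email."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    shown = host_of(text)
    if shown and registrable(shown) != registrable(host):
        reasons.append(f"text shows {shown} but link goes to {host or href}")
    if is_ip(host):
        reasons.append(f"link points at a bare IP address {host}")
    for t in sorted(trusted):
        if t in host and registrable(host) != t:
            reasons.append(f"'{t}' is embedded in the untrusted host {host}")
    if host and registrable(host) not in trusted and parts.scheme == "https":
        reasons.append(f"HTTPS padlock only proves encryption, not that {host} is the real site")
    return reasons


def audit_html(html: str, trusted=TRUSTED) -> list:
    """Audit every link in an HTML mail body; an empty 'reasons' list means no finding."""
    parser = _Anchors()
    parser.feed(html)
    return [{"href": h, "text": t, "reasons": audit_link(h, t, trusted)} for h, t in parser.links]


# Constructed HTML body: two deceptive links and one genuine one.
SAMPLE_HTML = """<p>Dear Customer, confirm your details:</p>
<a href="http://203.0.113.5/login">https://www.paypal.com/</a><br>
<a href="https://paypal.com.verify-account.example/">Secure login</a><br>
<a href="https://www.paypal.com/signin">Visit PayPal</a>"""
```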



Conclusion

Phishing means stealing someone's details (account credentials, credit card details, etc.) or identity via their social security number. To do this, scammers pressure you to take some action by pretending to be a trusted party like a close friend, a trusted organization, a government officer, etc.


The first phishing attack was spotted in 1996. From that day on you can experience many types of phishing attacks, occurring in many ways. The sad news is that we can’t say these are the only phishing attacks you may face; you could experience a completely different attack tomorrow.


There were some common attacks that happened and may come with a new face tomorrow. Those are:

  • Phishing Email

  • Domain Spoofing

  • Voice Phishing

  • SMS Phishing

  • Social Media Phishing

  • Clone Phishing

  • Watering Hole Phishing

  • Pharming

  • Typo-squatting

  • Clickjacking

  • Tab-nabbing

  • HTTPS Phishing

  • Evil Twin

  • Search Engine Result Phishing

  • Angler Phishing

  • BEC (Business Email Compromise)

  • Cryptocurrency Phishing


For email they have already invented AI facilities to detect spam mails; you can see them in the spam folder. Best practice is not to open those emails. They can contain malicious documents, executable files or URLs directing you to malicious sites that the attacker controls.


But sometimes important mails also end up in the spam folder, so it’s hard to identify a phishing email at first look. To avoid a phishing attack the only thing you can do is a verification process: if the mail claims to come from the bank, call the bank and verify the email.


We can’t stop phishing; the only thing we can do is try to avoid phishing attackers. For that, as a user of internet facilities, you must be responsible.

I am Sasanka Dahanayake, currently studying as a cyber security undergraduate student at SLIIT campus Malabe.
© Sasanka Dahanayake. 2022