Five Things to Know about Phishing
Phishing is the attempt to steal sensitive data through tricking a person into revealing passwords or credit card data or downloading a computer virus. In a particularly unlucky scenario, phishing may become a triple loss, as the victims lose their data, money, and potentially access to devices and applications.
The term ‘phishing’ comes from ‘password’ and ‘fishing.’ The main difference with finishing is that phishers do not fish for fish but for sensitive data like credit card numbers, usernames, or passwords.
Phishing can take many forms: you might receive fraudulent emails that look deceptively real or a phone call from someone trying to impersonate someone else. This latter form is called ‘vishing’ (‘voice’ + ‘phishing’). And there is also spear phishing, the crown jewel of the cybercriminal world. It is using information about a person or organization to create very authentic-looking emails. They look so real that even white hackers might occasionally swallow the bait!
Types of phishing
Phishing attacks are the most common cause of a malicious breach, according to IBM X-Force. Despite much struggle, it is still a top entry point as a means of delivering RATS (remote access Trojans), other malware, or malicious links to recipients.
Yes, organizations must be alert and vigilant. But what precisely can businesses do to avoid falling into the ubiquitous phishers’ traps?
1. Train your employees to boost their anti-phishing skills
Practice makes perfect. You can hire a company or security consultant to give your employees a security training. A wallet-friendlier option for those with no IT training budgets would be to do a free online phishing test. Many IT companies and universities offering IT degrees deserve gratitude for making phishing tests available to broader audiences.
How can such online tests help you become phishing-savvy?
They are usually worth your time. You learn by taking a quiz in which you decide whether an email (e.g., an account access request from an app) is legitimate or a phish. You have the possibility to hover your mouse over the e-mail address of the sender and the recipient, the URLs, and other elements to analyze the data. Then you decide whether these are correct, legitimate messages or they are complicated phishes with look-alike URLs that try to redirect you to some cyber grief (e.g., a fake login page).
If you guessed wrong and would like to know the hard truth, you can have it explained what characterizes the e-mail under scrutiny as a phishing message.
Recognizing a threat is a first useful step. What do you do with this knowledge? It is not enough to delete the phish. You can do more…
2. Analyze phishes to prevent them
Header Analysis: MX Toolbox
In most cases, you will notice that already the sender’s email address looks strange. It is not even remotely close to a legitimate address a company would use.
Besides, we need to analyze the header. It provides valuable details about the email’s origin.
The exact steps depend on the email application you are using. In Gmail, for example, you can click the three dots in the top-right corner, and then click Show original. Once your email opens in a new window, you can try to make sense of the plethora of the raw data.
To make our analysis easier, we can use a free online tool that is very handy for email analysis: MX Toolbox, especially the tool called Analyze Headers. You can find it on the website’s home page as the rightmost option. All you do is copy and paste the full header into the blank window for the tool to separate the data into more readable fields.
We need to check two types of findings below the x-dmarc-info heading:
- SPF (Sender Policy Framework)
- DKIM (Domain Keys Identified Mails)
If both these records display as failed in the header, chances are great that you are dealing with a phish. It means that an adversary is trying to impersonate a well-known resource, but their IP address failed the checks.
For more details, check chapter 3 of Sam Grubb’s “How cybersecurity really works”.
URL Analysis: VirusTotal and Joe Sandbox
Once you have analyzed the headers, it is time to verify the URL itself. To determine whether it is malicious, we can use the VirusTotal tool. If one of the tool’s antivirus engines flags it as malicious, it is a safe bet that your link is malicious. Now you are even more convinced that you should not click it. But we as cybersecurity experts want to satisfy our curiosity: what would happen if we clicked the suspicious link? Yet another tool comes to our rescue.
What this tool lets you do is use its simulated computers that act like physical machines. These are irresistible for testing malware, because your real machine stays isolated and totally protected from the cyber grief.
Once you have created an account at Joe Sandbox, you can just copy and paste your link into the sandbox. It is important that you should not submit any personal information because the results will be made public unless you purchase a private account. After the report is ready, you are likely to learn a lot about the black hats’ plans. You might be able to determine the nature of attack – for example, a credential hijacking attack.
The Screenshots section is particularly intriguing to look at. Any cyber-savvy person will be enchanted to see all that action documented: what opened, ran, redirected, got installed, etc. when the sandbox executed your link. You can also use the animation feature and watch the cyber events as they happen in real-time.
Besides, the Behavior Graph features all the processes that happen when someone clicks the malicious link, like web pages that open or redirects that take place. And you can lean back, enjoy, and get the data ready for your system administrator or cybersecurity professional to help them curb the malware infection. That brings us to the next point.
3. How to act based on your analysis: configure your software and alert appropriate professionals
As we can see, our research in section 2 helped us gain some valuable insights. As we discovered:
- The email was a phish
- It came from someone impersonating a well-known resource
- It attempted to steal our credentials
What do we do with this information? As it turns out, we have some options:
- We can configure our email program by adding rules that send any other messages from the same malicious sender to the junk folder
- We can alert our system administrator or other appropriate staff to boost their defense efforts.
4. Spear phishing remains a top entry point regardless of security trainings
Even if you take precautions, there will be times when adversaries deploy phishing attacks that are extremely hard to recognize.
Spear phishing is using factual information about a person or organization to create very authentic-looking emails. Imagine that you receive an email from your IT administrator who addresses you by your first name and claims he needs some urgent data from you. As he is overwhelmed with some cybersecurity routines, he cannot find the time to visit you in person, so he would prefer if you could reply by email. What would you do in this case? Grab the phone and clarify. Kudos for being so vigilant! However, other colleagues might swallow the bait…
Did you know that 90% of all data leaks start with a successful spear phishing attack?
IBM X-Force IRIS has found that 84 percent of the APT groups it tracks use spear phishing as a primary infection vector. Of those, 68 percent use it as their only infection vector.
Business email compromise (BEC) is a type of spear phishing where adversaries hijack a business email account and use this access to persuade employees to send them money or information. BEC is one of the most high-impact spear phishing attacks that an organization can experience, costing businesses a total of more than $26 billion worldwide as of September 2019.
Of all the organizational phishing attacks X-Force IRIS has observed since June 2018, 42 percent involved BEC fraud.
Here is some practical advice to avoid falling in the traps hackers set up for us.
Listen to your inner voice and use common sense
- Does it sound too urgent to be real?
- Do they try to capitalize on emotions?
- Is it unsolicited communication?
- If you have not asked for it, it is safe to ignore it.
Always use another route to validate
5. Conduct red-teaming exercises to see whether your organization is gullible
It is extremely easy to find out how many of your employees will click that malicious link or believe an impersonator trying to steal their credentials. Test phishing campaigns are a popular assessment of an organization’s cyber resilience. Who would argue that it is better to discover your organization’s weaknesses as part of security training than in a real battle?
Here is how it works. You hire a team of white hackers to test how fast they will be able to find a way into your organization. Interestingly, such teams often spend more time gathering open-source intelligence (OSINT) than hacking. To penetrate an organization effectively, they just need to understand what might appear credible to the target’s employees in an email message. The rest is plain sailing: the hackers can craft a compelling phish that has all the chances to be opened.
Are your employees over-sharing online? Hackers are grateful. They can always investigate a business’s online footprint and then use this information to create those highly customized, authentic-looking messages.
Statistically, about one fourth of the recipients might click the fraudulent link contained in a phish. Even more disturbingly, virtually without exceptions, at least one recipient will interact with the test phishing campaign every time (Source: X-Force Red engagements from September 2018 to September 2019, https://securityintelligence.com).
It means that beyond employee education, businesses should also focus on response.
Related to the above, a best practice is to use a layered approach to cybersecurity that includes an advanced user behavior analytics (UBA) solution to help detect suspicious internal activity via your company’s security information and event management (SIEM) solution.
- Grubb, Sam. How cybersecurity really works: A hands-on guide for total beginners, San Francisco: No Starch Press, 2021.
- X-Force Red engagements from September 2018 to September 2019, https://securityintelligence.com