Overview of phishing techniques

What is Phishing?

In this day and age everybody knows what phishing is. It is extremely important to note that e-mail 📥 ✉️ is used for phishing 100% of the time.

Without you, the user and the bait, opening an e-mail that is worded with urgency and authority and asks you to share your bank or credit card details, no phishing scheme will make money.

And if they do not make money, phishing will go out of business.

The wide variety of techniques they adopt to defraud you would make a crime thriller. According to the FBI, phishing accounts for twice as much online fraud as anything else.

Products like SpamCheetah play a central role in protecting you against such threats.

In this article we present some important categories of phishing and explore the terms, what they mean and how we can combat them.

Phishing schematic

What is Vishing?

Vishing or voice phishing is a form of IVR scam in which the telephone is used to steal your account information.

Unlike other forms of spam, phishing is not as obvious as the Nigerian widow scam or a notice that you have inherited a million dollars.

It is more subtle, and when attackers go as far as faking voice calls, things get a little more serious.

What is Spearphishing?

Spearphishing is perhaps the most important aspect of phishing today. Unlike typical spam, which is a volume business, spearphishing is very targeted: the message text is crafted specifically so that certain employees or a particular group of individuals fall prey to the scheme.

As of today there is no method to fight this effectively.

E-mail addresses can be spoofed very easily. One clear sign of fraud is a From address that does not match the Reply-To field, or a domain that looks fishy.
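The From/Reply-To check above is simple enough to automate. The following is an added example, not code from the article or from SpamCheetah: it parses a message with Python's standard `email` module and reports when the two headers point at different domains. The two sample messages and every domain in them are constructed for the demonstration.

```python
"""Flag a From / Reply-To domain mismatch in an e-mail message.

Added example for the point that a From address not matching the Reply-To
field is a sign of fraud. The sample messages are constructed; the domains
are placeholders, not real senders.
"""
from email import message_from_string
from email.utils import parseaddr


def header_domain(msg, header):
    """Return the lower-cased domain part of an address header, or None."""
    _, addr = parseaddr(msg.get(header, ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def reply_to_mismatch(raw_message):
    """Return (from_domain, reply_to_domain) when they differ, else None.

    A missing Reply-To is not a finding: mail clients then reply to From,
    so there is nothing for a scammer to redirect.
    """
    msg = message_from_string(raw_message)
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    if from_dom and reply_dom and from_dom != reply_dom:
        return (from_dom, reply_dom)
    return None


# Constructed sample: the display name and From look like a bank, but any
# reply would go to an unrelated free-mail domain.
SUSPECT = """\
From: "Account Security" <alerts@examplebank.example>
Reply-To: examplebank.alerts@freemail.example
Subject: Urgent: verify your account within 24 hours
To: victim@corp.example

Please confirm your card details at the link below.
"""

# Constructed sample: ordinary message, Reply-To omitted entirely.
BENIGN = """\
From: colleague@corp.example
Subject: lunch?
To: you@corp.example

Noon at the usual place?
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, reply_to_mismatch(raw))
```

A mismatch is a signal, not proof: mailing lists and ticketing systems legitimately set a Reply-To on another domain, so in practice the finding is best combined with the other checks the article describes (urgency in the wording, look-alike domains) rather than used to reject mail outright.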

Phishing is all about using similar-looking domains, e-mail addresses and body text to make you do something you would not normally do.

There are companies in the spearphishing protection space, but it is not clear how effective their spam filters are.

SpamCheetah does remove all weaponized URLs from your e-mail, so it is not certain whether this works against spearphishing.

If the intent of the attack is to install malware, then yes, SpamCheetah has measures to counter it.

But if it is social engineering, then nothing can be done.

What is whaling?

A whaling attack is a technique in which cybercriminals masquerade as a senior figure at an organization and directly target senior or other important individuals there, with the aim of stealing money or sensitive data, or of gaining access to their systems for nefarious purposes.

Also known as CEO fraud, whaling is similar to phishing in that it uses methods such as email and website spoofing to trick a target into performing specific actions, such as revealing sensitive data or transferring money.

Whereas phishing scams target non-specific individuals and spearphishing targets particular individuals, whaling not only targets those key individuals but does so in a way that the communication appears to come with authority.

The message may reference something the attacker gleaned online, for example from a social media post or news item about the person.

The e-mail address typically looks like it is from a believable source, and the message may even contain

  • corporate logos
  • links to a fraudulent website
  • a site designed to look legitimate

Since a whale's importance is high, attackers invest the time and effort to gain credibility with the victim.

Defending against whaling attacks includes, but is not limited to

  • education and awareness

  • always being suspicious about online activities

  • trying to map e-mail behaviour to real behaviour

  • cross-checking when in doubt

Other types of less harmful phishing methods

Phishing has been around for a while now and, as I mentioned above, it is by far the most popular form of fraud. So naturally attempts to cheat victims are made in several forms.

Although everybody seems to be aware of phishing in some form, the attackers' ingenuity is no less for it.

They are constantly on top of their game, since there is a lot of money to be stolen.

Every year billions worth of hard cash and other forms of corporate assets are stolen or compromised by this technique.

Let us explore some here in this blog.

Brandjacking

Brandjacking is, as its name suggests, a method of hijacking a brand's standing; it is similar to identity theft at a higher level.

Typically this attack targets

  • politicians
  • celebrities
  • business

Some examples from Wikipedia:

  • Coca-Cola - in 2013, a commercial, “The Bitter Taste of Sugar”, for Oxfam (Oxfam Novib Netherlands) parodied a Coca-Cola Zero commercial, drawing attention to its unsustainable business practices

  • Starbucks - in 2006, a YouTube-hosted video presented a spoof advert for a Starbucks Frappuccino underlining the contrast between consumption and poverty.

In-session phishing – type of phishing attack

Phishing normally happens out of band, that is, not while the victim is in the middle of doing something, but this type of phishing is different.

This is a form of phishing that counts on one browsing session being able to detect the presence of another session (such as a visit to an online banking website) on the same web browser.

The attacker then launches a modal window that appears to have been opened from the targeted session.

This window, which the user now believes to be part of the session, is used to steal account information, as in other phishing attacks.

The advantage of in-session phishing to the attacker is that it does not need the targeted website to be compromised in any way; it relies instead on a data leak in the browser, the ability of web browsers to run active content, and the ability of modern browsers to support more than one session.

All these attacks involve social engineering of the user in some form.

SMS phishing

As the heading suggests, SMS phishing means using text-based SMS, with its 140-character limit, to trick users into clicking a fake URL in order to steal information.

In today's WhatsApp-centric world this attack must be less prevalent.

Typosquatting [Form of cybersquatting which relies on mistakes when inputting a website address]

This form of fraud occurs very often in the real world.

There are always products that appear to have similar names to popular ones.

The typosquatter's URL will usually be one of five kinds, all similar to the victim site's address:

  • a common misspelling, or foreign-language spelling, of the intended site, or a misspelling based on a typographical error

  • a plural of a singular domain name, or a different top-level domain (e.g. .com instead of .org)

  • a doppelganger domain, made by omitting a period or inserting an extra period

  • abuse of a country-code top-level domain (ccTLD), such as .cm, .co or .om instead of .com

  • appending terms such as "sucks" or "-sucks" to the domain name

Sites like these appear to help protect against this form of attack.
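The list of typosquatting kinds above can be turned into a checker that a defender runs over domains seen in inbound links or in a feed of newly registered names, labelling each one by which kind of look-alike it is. The code below is an added example, not from the article or from SpamCheetah; it handles simple `label.tld` names only, treats the ccTLD set (.cm, .co, .om) and the "sucks" suffix exactly as the article lists them, and all domains in it are constructed.

```python
"""Classify a look-alike domain against a legitimate one.

Added example that turns the article's list of typosquatting kinds into a
checker. Domains below are constructed; only 'label.tld' names are handled.
"""

# Taken from the article's list: ccTLDs abused in place of .com
CCTLD_LOOKALIKES = {"cm", "co", "om"}
# Pejorative suffixes appended to a brand label (the article's last kind)
PEJORATIVE_SUFFIXES = ("sucks", "-sucks")


def split_domain(domain):
    """Return (label, tld) for a 'label.tld' name, lower-cased."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def edit_distance_one(a, b):
    """True when b differs from a by one insertion, deletion, substitution
    or a swap of two adjacent characters (the usual fat-finger typos)."""
    if a == b:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i = diffs[0]
            return a[i] == b[i + 1] and a[i + 1] == b[i]
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    if len(long_) - len(short) != 1:
        return False
    # Deleting one character from the longer string must yield the shorter
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def classify_lookalike(candidate, legitimate):
    """Name the typosquatting kind relating candidate to legitimate, or
    return None when the two are identical or unrelated."""
    cand, legit = candidate.lower(), legitimate.lower()
    if cand == legit:
        return None
    # Doppelganger: same characters once the periods are removed/inserted
    if cand.replace(".", "") == legit.replace(".", ""):
        return "doppelganger (dot omitted or inserted)"
    c_label, c_tld = split_domain(cand)
    l_label, l_tld = split_domain(legit)
    if c_label == l_label:
        if l_tld == "com" and c_tld in CCTLD_LOOKALIKES:
            return "ccTLD abuse"
        return "different top-level domain"
    if c_tld == l_tld:
        if c_label == l_label + "s" or l_label == c_label + "s":
            return "plural/singular variant"
        suffix = c_label[len(l_label):]
        if c_label.startswith(l_label) and suffix in PEJORATIVE_SUFFIXES:
            return "appended pejorative term"
        if edit_distance_one(c_label, l_label):
            return "misspelling / typographical error"
    return None


if __name__ == "__main__":
    # Constructed candidates seen "in the wild" against the brand example.com
    for seen in ("examp1e.com", "example.cm", "examples.com",
                 "example.org", "exampl.ecom", "examplesucks.com", "other.com"):
        print(f"{seen:20} -> {classify_lookalike(seen, 'example.com')}")
```

Running the block as a script prints one line per constructed candidate with its label. The classifier is deliberately conservative: a name that fits none of the listed kinds comes back as `None`, so a brand-monitoring job built on it reports only the patterns the article enumerates and leaves everything else for a human to judge.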

Mousetrapping

A mousetrap traps an Internet user who is clicking on different parts of a website and puts them in a situation that seems to have no way out. Mousetrapping is the term for the unethical practice of forcing users to stay on a particular website.

This is an attack we often see in the browser when visiting bad websites; the thing to do in such situations is simply to close the browser tab.

Unscrupulous site owners craft malicious code within their website navigation, seizing the visiting user's browser with controls that prevent the user from leaving the site.

These controls can include

  • a disabled back button
  • a disabled forward button
  • a disabled close button

This is done to force you into a call to action that benefits the site owner.

Clickjacking

This is an attack that tricks a user into clicking an element that is invisible or disguised as another element.

The effect is that the victim unknowingly does one of the following:

  • downloads malware
  • visits malicious web pages
  • provides credentials
  • provides sensitive information
  • transfers money
  • purchases products online

An iframe HTML tag is layered above the page the user sees. The user is led to think they are clicking on the underlying page, but some other page is receiving the clicks.

Such attacks can be fixed fairly easily by security measures inside the browser sandbox, but it is worth knowing that they still work in today's world, where CORS is so commonly and strictly enforced and so is SSL.
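Neither CORS nor SSL decides whether a page may be placed inside someone else's iframe; that is governed by the response headers `X-Frame-Options` and the `frame-ancestors` directive of `Content-Security-Policy`, which is the browser-side measure the paragraph alludes to. The code below is an added example, not from the article or from SpamCheetah: it inspects a dictionary of response headers and reports whether the page refuses third-party framing. The header sets it checks are constructed, and the hostnames in them are placeholders.

```python
"""Check an HTTP response's headers for clickjacking (framing) protection.

Added example. Header semantics are the standard ones: Content-Security-Policy's
frame-ancestors directive says who may embed the page in a frame and takes
precedence over X-Frame-Options in browsers that support both; the old
X-Frame-Options ALLOW-FROM form is obsolete and ignored by current browsers.
The sample header sets at the bottom are constructed.
"""


def csp_frame_ancestors(csp_value):
    """Return the source list of the frame-ancestors directive, or None."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers):
    """Return (protected, reason) for a dict of response headers.

    'protected' means the page refuses to be framed by arbitrary third-party
    sites, which is exactly what a clickjacking overlay needs to work.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # CSP wins when present and carries a frame-ancestors directive
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            if "*" in ancestors:
                return False, "CSP frame-ancestors allows any origin (*)"
            return True, "CSP frame-ancestors " + " ".join(ancestors)

    # Fall back to the older X-Frame-Options header
    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return True, "X-Frame-Options " + value
        # Covers ALLOW-FROM and malformed values, which browsers ignore
        return False, "X-Frame-Options value not honoured by browsers: " + xfo

    return False, "no framing restriction: page can be loaded in a third-party iframe"


# Constructed sample: TLS-only hardening, nothing about framing. Matches the
# article's point that SSL alone does not stop clickjacking.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
}

# Constructed sample: the corrected response, with both headers set so that
# older and newer browsers each get a directive they understand.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, framing_protection(hdrs))
```

Running the block prints the verdict for each constructed header set. The same function works on a real response when fed `response.headers` from any HTTP client that exposes headers as a mapping, which makes it a convenient check to add to a site's deployment tests.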

Now let us look at what leads to phishing from a human-psychology point of view.

List of cognitive biases [ Systematic patterns of deviation from norm or rationality in judgment, many abusable by phishing]

The human brain normally works in patterns, and phishing malware writers know that. They prey on gullible people, emotional people and even perfectly normal folks with a predisposition towards authority or rank.

Our cognitive biases often cloud our judgement, and the social engineering aspect of phishing attacks is very significant.

The only way you can safeguard yourself against phishing is constant vigilance, education and the use of powerful anti-phishing products.

Anti-phishing software

The task of safeguarding a company's employees from Internet click fraud or phishing is not easy. Not at all.

But security companies have been tasked with this for a really long time, and there is only so much that legal enforcement can do to address it.

We must be pretty clear that phishing is very sophisticated and dangerous, and can damage not only your reputation or finances but also drain you emotionally.

Phishing internal structure