A red fish, and a blue fish

One Phish, Two Phish, Red Phish, Blue Phish

Keir Finlow-Bates
6 min read · Jun 4, 2024

One of the interesting things about working for a cybersecurity company is that you get to talk to people who, if it weren’t for their ethics, would have the perfect skill set and tool chest to make for great black hat hackers. And so yesterday, I sat down for a chat with George Skouroupathis, our phishing expert at Resonance Security.

In this article, I look at how phishing attacks work at a deeper level than just the “don’t click on suspicious links in random emails that you get.”

Some of you may be wondering, “Aren’t you just providing a blueprint for phishing attackers?”

No — they already know how to scam you. This article is the equivalent of demonstrating how a “find the queen” card game street con works. Just telling you not to engage does not provide the underlying education required to fully understand and hence avoid being taken advantage of.

So, let’s dive in and swim among the phishes.

What exactly is phishing?

Phishing is a security attack in which a malicious entity pretends to be a legitimate entity to trick people into handing over sensitive information: passwords, credit card numbers, or other personal data, that can subsequently be used to hack into computer systems, engage in identity theft, and a whole load of other nefarious activities.

Phishing is often the first step taken by hackers in a larger scam.

The name is a bit odd — a misspelling of “fishing”, as in “fishing for information”, with the “ph” probably taken from an earlier hacking term, “phreaking”, which is a shortened term for “phone hacking.” This term appeared back when hackers messed about with homemade hardware to subvert the landline phone system to make free long-distance calls; such phone hackers being called “phreakers”.

There are lots of different kinds of phishing attacks, but one of the most prevalent is spear phishing, in which the hacker produces spoof emails that look like official company emails, for example from someone in the HR department, or from a client or partner of the company.

The aim is to get company employees to click on malicious links that encourage them to enter confidential information or open email attachments that contain malware as a way past the company’s defenses.

How does phishing work?

Although I already knew the basics of phishing (don’t click on links in suspicious emails), George talked me through some of the subtle tricks hackers use to get past phishing defenses that email servers now have in place, and the education that time and experience provide employees with to detect potential phishing attacks.

Phishing is a cat-and-mouse game in which new techniques are developed by hackers all the time, and the security systems and our security education have to evolve to deal with them.

There are two main aspects to a successful phishing attack: the technical, and the psychological.

The technical

The main technical problem phishers face is getting past modern-day spam filters. Email clients and servers scan emails to detect content that may be harmful, and they even examine and follow web page links in making their decision.

If a user gets a phishing email with a big red “this is suspicious” banner at the top or doesn’t even get to see the email because it’s moved straight into quarantine, then the phishing campaign is going to fail.

Get a domain

And so, phishers start by buying an old domain with a decent-looking history — a domain that was previously registered and subsequently allowed to lapse. This is like buying a fake identity based on a real person.

The domain is bought several months before the phishing campaign, registered with a known email provider such as Google Mail, Microsoft Outlook, or some other email service provider, and then used to send a few legitimate emails every day to build up a history on those mail servers to improve the sending reputation of the email addresses to be used.

Ideally, the domain should be relevant to the content of the phishing email.
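A defender-side check for the lapsed-domain trick described above, as an added example that is not part of the original article: it compares the current registration date of a sender domain with the oldest historical sighting of the name. It assumes an RDAP domain response in the RFC 9083 layout and a first-seen date supplied by some historical source (passive DNS or a web archive); the sample data, thresholds and function names are constructed for illustration.

```python
from datetime import datetime, timezone

def rdap_event(rdap, action):
    """Return the datetime of the first RDAP event with this eventAction, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def classify_sender_domain(rdap, first_seen, received, new_days=180, gap_days=365):
    """Classify a sender domain at the time a message is received.

    rdap       -- RDAP domain response (dict)
    first_seen -- oldest historical sighting of the name, or None if never seen
    received   -- when the message arrived
    Thresholds are illustrative assumptions, not recommended values.
    """
    registered = rdap_event(rdap, "registration")
    if registered is None:
        return "unknown"
    if (received - registered).days > new_days:
        return "established"
    # The registration is recent. History that predates it by a wide margin
    # means the name lapsed and was registered again, possibly by a new owner,
    # so the old history says nothing about the current sender.
    if first_seen is not None and (registered - first_seen).days > gap_days:
        return "re-registered"
    return "new"

# Constructed sample data; the domain name is a placeholder.
RECEIVED = datetime(2024, 6, 4, tzinfo=timezone.utc)
FIRST_SEEN = datetime(2015, 3, 1, tzinfo=timezone.utc)  # e.g. oldest passive-DNS record
LAPSED = {"ldhName": "old-brand.example", "events": [
    {"eventAction": "registration", "eventDate": "2024-02-10T09:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2025-02-10T09:00:00Z"}]}

if __name__ == "__main__":
    print(classify_sender_domain(LAPSED, FIRST_SEEN, RECEIVED))
```

A "re-registered" result is a reason to ignore the domain's older reputation when scoring the message, not proof of phishing on its own.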

Build a site

The phisher also builds a website before the campaign that looks legit:

  • uses SSL,
  • no broken links,
  • the HTTP headers make sense,
  • the main page has a redirect to a non-malicious first page, and
  • when a web crawler visits, the site just “looks right”.

One approach is to replicate the landing page of the client, or the website of a partner, client, or known service. Each website on the web is categorized by search engines, with categories such as health, management consultancy, technical services, media, and so on, and the aim is for the malicious website to fall squarely into one of the desirable categories that match the nature of the phishing campaign.

On the day that the phishing email is sent, the phisher will swap out the innocuous site for the malicious one. In some cases, a dynamic redirect page is used, so the first page is non-malicious when the spam scanner acts, but when someone from the target company follows the link they are led into the trap.
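Because the page can change between the spam scan and the click, a link verdict made at delivery time goes stale. The following added example (not from the original article) compares two observations of the same link, one taken at delivery and one at click time, and reports what changed. The observation shape (`final_url`, `html`) and the sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _FormScan(HTMLParser):
    """Record whether a page contains a password input field."""
    def __init__(self):
        super().__init__()
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def summarize(obs):
    """Reduce one scanner observation to the features being compared."""
    scan = _FormScan()
    scan.feed(obs["html"])
    return {"host": urlsplit(obs["final_url"]).hostname,
            "has_password": scan.has_password}

def drift(delivery_obs, click_obs):
    """List the differences between the delivery-time and click-time page."""
    before, after = summarize(delivery_obs), summarize(click_obs)
    findings = []
    if before["host"] != after["host"]:
        findings.append("final host changed: %s -> %s" % (before["host"], after["host"]))
    if after["has_password"] and not before["has_password"]:
        findings.append("password form appeared after the delivery-time scan")
    return findings

# Constructed observations of one link; hosts are placeholders.
DELIVERY = {"final_url": "https://portal.example/welcome",
            "html": "<html><body><h1>Welcome</h1><a href='/about'>About</a></body></html>"}
CLICK = {"final_url": "https://login.portal.example/session",
         "html": "<form action='/session' method='post'><input name='user'>"
                 "<input type='password' name='pw'></form>"}

if __name__ == "__main__":
    for finding in drift(DELIVERY, CLICK):
        print(finding)
```

The click-time observation is only useful if it is fetched the way the user's browser would fetch it, since the sites described above serve a harmless first page to scanners.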

Use marketing techniques

When the phishing email is sent, phishers will often use tracking pixels to determine if and when the email is opened, which allows them to subsequently fine-tune further phishing email templates. Similarly, whether the phishing link is clicked is logged, and the conversion rate for a malicious login page and other metrics are tracked.

Those of you in search engine optimization and marketing technical analytics will find this horribly familiar because phishing uses all the known marketing techniques out there to improve the success rate in getting the target to: read the email, visit the site, and then “sign up”.
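To show what a mail filter or analyst can look for, here is an added example (not from the original article) that scans an HTML email body for likely tracking pixels: remote images that are 1x1 or hidden, along with any query parameters that look like per-recipient identifiers. The token pattern, function names and sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Long opaque value in a query string: likely a per-recipient identifier.
TOKEN = re.compile(r"^[A-Za-z0-9_\-=]{16,}$")

def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlsplit(src).scheme not in ("http", "https"):
            return  # cid: and data: images cause no network request
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            tokens = [k for k, v in parse_qsl(urlsplit(src).query) if TOKEN.match(v)]
            self.hits.append({"src": src, "token_params": tokens})

def find_tracking_pixels(html_body):
    """Return one dict per remote image that is 1x1 or hidden."""
    finder = PixelFinder()
    finder.feed(html_body)
    return finder.hits

# Constructed sample message body; hosts and the identifier are placeholders.
SAMPLE = """<html><body>
<img src="cid:logo@example" width="120" height="40">
<p>Please review the attached policy.</p>
<img src="https://mail.tracker.example/o.gif?rid=constructed-recipient-id-0001" width="1" height="1" alt="">
<img src="https://cdn.example/banner.png" width="600" height="80">
</body></html>"""

if __name__ == "__main__":
    print(find_tracking_pixels(SAMPLE))
```

Legitimate newsletters use the same pixels, so a hit is a signal to combine with others; mail clients that block remote images by default deny the sender the open event entirely.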

In this section, I’ve looked at email as the initial attack vector, but Facebook adverts, text messages, Telegram channels, and even Google calendar invites (defaulted to show the invite) can be used.

The psychological

I previously mentioned that technical marketing techniques are extremely useful for the phisher. That extends to building a target email list: the phisher will be checking social media, bulletin boards, and even the target company website for email addresses.

Or even buying them from a marketing services company that has gathered the required information in a list, for a few tens of dollars.

Another marketing technique that works is psychology — thinking about what would motivate the email recipients to click on the links. One way to achieve this is through emotions. When people are thinking emotionally, the rational part of their brain is turned down, and they are more likely to make a foolish mistake.

Greed, pride, and duty

  • Greed, especially when combined with a fear of missing out. A time-limited offer of value puts pressure on the recipient to act now and regret later.
  • Pride. A fake award that looks significant or a spot as an expert on a well-known news program might just get the target to click on the link.
  • Conformity and duty. For example, a request to complete a diversity training questionnaire, know-your-customer compliance process, or even, ironically, security training, can cause people to do what the email claims is required.

A further approach is to keep an eye on what is happening in public relations releases and the media in general concerning the company. If a senior director was recently arrested for insider trading, a phisher might send a link to what looks like a financial ethics survey. If the company is having a round of lay-offs, pushing an upskilling course in front of them could be the approach.

The trick used is to produce something so specifically aimed at the target’s interests that they end up with a gut feeling that no hacker would have bothered to make something so specifically relevant. That means considering who they are trying to trap, for example, the CEO’s assistant, or someone in the IT admin team.

Conclusion

Sometimes companies conduct internal phishing campaigns to train their employees in the risks, or if they are feeling particularly harsh, to identify individual weak links in the company. Unfortunately, not all such training exercises are handled with tact and an appreciation of the embarrassment that falling for a phishing scam might cause the unwitting participants.

Hopefully, with the above insights into the minds of the phishers that I’ve provided, the chances of you being fooled are much lower now.

Let me know in the comments if you feel this has helped, and if you want to run an ethical and compassionate phishing training exercise for your organization, feel free to reach out to Resonance Security.
