Phishing

Published by Robert Brounstein on

2/4/2019

It is amazing the impact computers have had on the English lexicon. Here are some of the terms that are regularly used in today’s conversations: upload, bits, bytes, blogs, internet, browser, reboot, the cloud, cookie, spam, firewall… it is an endless list. And from the clandestine side there’s virus, malware, spyware, trojan, worm and, of course, phishing. People from the 1960s would be completely lost in a modern-day conversation.

Phishing is a social engineering technique used to deceive users: a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Users are often lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website whose look and feel are identical to the legitimate site.

The word phishing is a homophone of fishing, since both use bait in an attempt to catch a victim. Phishing is a general term that covers a host of more specific techniques. Phishing attempts directed at specific individuals or companies are termed spear phishing. In contrast to bulk phishing, spear phishing attackers send emails to groups of people with specific common characteristics or other identifiers. Spear phishing emails appear to come from a trusted source but are designed to help the attackers obtain trade secrets or other confidential information.

A famous example of spear phishing is the cyber espionage group Threat Group-4127 (Fancy Bear), which used spear phishing tactics to target email accounts linked to Hillary Clinton‘s 2016 presidential campaign. The group attacked more than 1,800 Google accounts and registered the look-alike domain accounts-google.com to deceive targeted users.

Clone phishing is a type of phishing attack in which a legitimate, previously delivered email containing an attachment or link has its content and recipient address(es) taken and used to create an almost identical, or cloned, email. The attachment or link within the email is replaced with a malicious version and the message is then sent from an email address designed to appear to be the original sender’s (today this is referred to as “spoofing”). It may claim to be a resend of the original or an updated version of it. The technique can be used to pivot (indirectly) from a previously infected machine and gain a foothold on another: both parties received the original email, and the attacker exploits the social trust that this shared history implies.

The term whaling has been coined for spear phishing attacks directed specifically at senior executives and other high-profile targets. In these cases, the content will be crafted to target an upper manager and the person’s role in the company. The content of a whaling attack email may be an executive issue such as a subpoena or customer complaint.

Attempts to deal with phishing incidents include legislation, user training, public awareness, and technical security measures — because phishing attacks also often exploit weaknesses in current web security.

The term ‘phishing’ is said to have been coined in the mid-1990s by the well-known spammer and hacker Khan C. Smith. The first recorded mention of the term is in the hacking tool AOHell (according to its creator), which included a function for attempting to steal the passwords or financial details of users of America Online (AOL, one of the original internet service providers). In 2017, 76% of organizations experienced phishing attacks.

There are anti-phishing websites, such as FraudWatch International and Millersmiles, which publish the exact messages that have recently been circulating on the internet. Such sites often provide specific details about the messages.

People can be trained to recognize phishing attempts and to deal with them through a variety of approaches. Such education can be effective, especially where training emphasizes conceptual knowledge and provides direct feedback. Many organizations also run regular simulated phishing campaigns against their own staff to measure the effectiveness of that training.

People can take steps to avoid phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be “verified” (or any other topic used by phishers), it is a sensible precaution to contact the company from which the email apparently originates to check that the email is legitimate. Alternatively, the address that the individual knows is the company’s genuine website can be typed into the address bar of the browser, rather than trusting any hyperlinks in the suspected phishing message.

Many legitimate e-mail messages from companies to their customers contain an item of information that is not readily available to phishers. Some companies, for example PayPal, always address their customers by their username in emails, so if an email addresses the recipient in a generic fashion (“Dear PayPal customer“) it is likely to be an attempt at phishing. However, it is unsafe to assume that the presence of personal information alone guarantees that a message is legitimate: a number of studies have shown that the presence of personal information does not significantly affect the success rate of phishing attacks. This suggests that most people do not pay attention to such details.
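The tells described above (a display name that claims a brand the sending domain does not belong to, a look-alike domain such as accounts-google.com, link text that hides the link's real target, a “resend” subject line, and a generic greeting) can be checked mechanically before a user ever clicks. The following is an added example written for this page, not code from the original post; it assumes a small allowlist of trusted brand domains (TRUSTED_DOMAINS) and runs on two constructed messages embedded in the block, one phishing-like and one benign.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "google.com"}  # assumption: the org's brand allowlist

# Constructed sample, not a real message: spoofed display name, look-alike sender
# domain, "resend" subject, generic salutation, and link text that hides its target.
SAMPLE_EMAIL = """\
From: "PayPal Service" <service@paypa1-secure.com>
Subject: Re-sending: Your account needs to be verified
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear PayPal customer,</p><p>Please
<a href="http://accounts-paypal.com.login-verify.net/x">https://www.paypal.com/signin</a> to verify.</p></body></html>
"""

# Constructed benign counterpart: real domain, the holder's name, link text that matches.
LEGIT_EMAIL = """\
From: "PayPal" <service@paypal.com>
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear jdoe,</p><p>Sign in at
<a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a>.</p></body></html>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercase host of a URL; link text often lacks a scheme, so supply one."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return host.lower() if host else None

def registrable_domain(host):
    return ".".join(host.split(".")[-2:])  # last two labels: crude stand-in for a PSL lookup

def look_alike_of(host):
    """Trusted domain that `host` imitates, or None: a brand name used as a label or
    hyphen token of a foreign host (accounts-google.com), or a token one character
    away from the brand (paypa1). Short brand names would need a stricter rule."""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        for tok in re.split(r"[.-]", host):
            if tok == brand or (len(tok) == len(brand) and sum(a != b for a, b in zip(tok, brand)) == 1):
                return trusted
    return None

def phishing_indicators(raw_message):
    """Return human-readable findings for one raw RFC 5322 message ([] if none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    # Spoofed sender: the display name drops a brand whose domain the address is not.
    display, addr = parseaddr(str(msg["From"]))
    sender_host = addr.rsplit("@", 1)[-1].lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower() and registrable_domain(sender_host) != trusted:
            findings.append(f"sender name claims {brand} but address domain is {sender_host}")
    if imitated := look_alike_of(sender_host):
        findings.append(f"sender domain {sender_host} looks like {imitated}")
    # Links: visible text names one domain while the href goes elsewhere or to a look-alike.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        href_host = host_of(href)
        if not href_host:
            continue
        text_host = host_of(text) if re.match(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", text, re.I) else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text shows {text_host} but href goes to {href_host}")
        if imitated := look_alike_of(href_host):
            findings.append(f"link host {href_host} looks like {imitated}")
    # Generic salutation and "resend" framing, the tells described in the text.
    plain = re.sub(r"<[^>]+>", " ", html)
    if re.search(r"\bdear\s+(?:valued\s+)?(?:\w+\s+)?(?:customer|user|member|client)\b", plain, re.I):
        findings.append("generic salutation instead of the account holder's name")
    if re.search(r"\bre-?send(?:ing)?\b|\bupdated version\b", str(msg["Subject"] or ""), re.I):
        findings.append("subject claims to be a resend or update of an earlier message")
    return findings
```

Calling `phishing_indicators(SAMPLE_EMAIL)` yields six findings (spoofed sender name, look-alike sender domain, link text/href mismatch, look-alike link host, generic salutation, resend subject) and `phishing_indicators(LEGIT_EMAIL)` yields none. The registrable-domain and look-alike heuristics are deliberately crude: production code would use the public suffix list and a proper edit-distance or homoglyph check. The caveat above still applies, too: these checks catch the sloppy cases, and a well-crafted spear phish that names the recipient and links to a freshly registered domain will pass them.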

Emails from banks and credit card companies often include partial account numbers. However, recent research has shown that the public does not typically distinguish between the first few digits and the last few digits of an account number—a significant problem since the first few digits are often the same for all clients of a financial institution.

At work, if you suspect that you are the target of a phishing expedition, DO NOT RESPOND, and notify your IT department immediately. These days, if a message looks to you like an illicit attempt to get into your computer or your accounts, there is a significant chance that you are right. Always let your IT department handle the situation and follow their instructions exactly. Techniques for breaking into computers and business systems are always advancing, and, unfortunately, that means being a target for someone, or some group, attempting to get important personal information is now a part of living in the modern world. Complacency is no longer an option.

A computer would deserve to be called intelligent if it could deceive a human into believing that it was human

Alan Turing

Categories: Ethics