Phishing: How it Works and How to Prevent it
Adversaries use social engineering tactics because it is often easier and quicker to exploit human nature than to hack their way in. For example, it is much easier to fool someone into giving up their password than it is to guess their password (unless the password is weak, but that is a different blog in itself).
Security is all about knowing who and what to trust. It is important to know when to take a person for their word, and when to question the person you are communicating with is who they say they are. The same is true with any online transaction: how do you ensure that the website you are using is legitimate or is safe to provide your information?
Ask any security professional and they will tell you that the weakest link in the security chain is the human. The human who accepts a person or scenario at face value. It does not matter how many locks and deadbolts are on your doors and windows, or if there are guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel: If you trust the pizza delivery guy at the gate and let him in without first checking his legitimacy – you are completely exposed to whatever risk the social engineer introduces. In this blog we will focus on a popular form of social engineering that we are all very familiar with: Phishing.
The Phish Footman
When most people are asked what phishing is, they often think of poorly written emails asking to receive a donation, unlock frozen funds or a message about a long lost relative of Abraham Lincoln. However, in professional phishing scenarios, there is more than meets the eye. Typically, victims only see the front-end, but there is an intricate back-end and a massive market that makes the world of phishing go around.
A typical phishing scenario contains:
- Call to action: either asking the recipient to reply, click a link, open an attachment, or take another action. Some actions are simply put in place to verify if the email is valid, where others might aim to steal credentials directly or infect your machine with a malicious attachment.
- Spoof email domains: some emails are unbelievably bad, like obvious phishing sent from made-up or stolen email accounts at popular platform such as Gmail and Hotmail/Live. Sophisticated phishing campaign will use domains to make the email look like it was sent by a trusted source. An well-used tactic is using domains that look very close to the original (e.g. Outpost44.com or Outpost24.de) or by replacing letters with alternative letters or symbols that look similar (e.g. '0'utpost24.com).
- Links: most emails contain a link to a phishing website, or an alternative website used to 'stage' further attack such as a link to a filesharing platform such as OneDrive or Dropbox. These links often contain a specific ID that can be used for linking a click to your email address, so adversaries know you are the person that clicked the link.
- Malicious attachments: bold 'phishermen' might attach malware directly to the email, although this is the trickiest kind of email to get through spam filters, it is the fastest way to compromise.
- Tracking images: a tactic well-used by marketing departments to track email opens – an image embedded in the email is loaded from the server when the email is opened, indicating that the email has been opened by the user.
- Phishing landing page: If the email contains a link, it will direct users to a purpose-built phishing landing page. This page is often under full control of the adversary and are made to look like anything they want e.g. a social media page, Microsoft login page, your Gmail authentication portal or even fake marketing websites.
- Backend-system: Highly targeted (whaling) attacks may be sent manually, but most phishing is performed in bulk through automation. Luckily for us most emails are effectively filtered. The bad news is of the percentage that made it through, adversary only needs a handful of responses to make it worthwhile
The works that go into a phishing campaign are often overlooked. So why do phishers phish? The answer is simple, money! It can be part of a bigger operation, or as small as selling email addresses. At the lower-level, spam-lists are sold and bought on the dark web. These lists contain thousands to millions of email addresses. Phishers send a phishing email to all these emails, filter out which ones are 'active' when an email is opened or clicked, then cut-up ‘active’ emails in smaller batches and sold with a profit.
How to prevent phishing
The best way to recognize phishing emails is to study examples in the wild. Despite being a common attack, there are a number of steps you can take to prevent you and your employees from becoming the next phishing victim, including:
- Always check the email domain that it was sent from for any misspell or 'look-a-like'
- Always check the spelling of the URLs in email links before you click or hand over sensitive information
- Beware of URL redirects, where you are sent to a different website with similar design
- Actively detect phishing sites and hunt down malware samples targeting your organization and customers through threat intelligence
- If you receive an email from a source or person that seems suspicious, contact them with a new email, or call them directly to confirm
- Flag external emails as ‘external’ to avoid email spoofing
- "Sandbox" inbound email to check the safety of each link a user clicks
- Regularly inspect and analyze web traffic for suspicious activities ·
- Conduct red teaming phishing tests to identify weak spots and use the results to educate employees
- Educate employees on how to spot a phishing email and encourage them to send you suspected phishing emails
For those who wants to dive deeper into the topic read our ‘Better Proxy than Story’ blog as we walk through the detailed process and tools of the trade, with practical examples on the usage of proxy tools (Gophish and Evilginx2) to capture Microsoft Azure/Office365 credentials.