From our previous article on what you need to know about phishing attacks, we know that phishing is the fraudulent act of acquiring private and sensitive information, such as credit card numbers, personal identification, account usernames and passwords, by using a set of social engineering techniques. The idea behind phishing is simple: get you to click on a bogus link (or open a bogus attachment) so that the attacker can harvest sensitive information or gain access to systems. According to several studies, phishing attacks succeed against a worrying share of their targets; some put the figure at nearly half.
“But I’d never click on a link without knowing where it came from!” I can hear you say in indignation. Remember that attackers anticipate this resistance and have been busy crafting attacks that you will fall for. So what are the different ways cybercriminals use to get you?
This is your basic phishing attack, usually called deceptive phishing. Fraudsters impersonate a legitimate company and attempt to steal personal information or login credentials from members of your organization. They use threats and a sense of urgency to scare their victims into making a big mistake.
For example, you may get a spoofed email from your bank claiming there’s a problem with your account. It asks you to confirm your login details, via a link the email helpfully provides, so that the “problem” can be fixed. Unfortunately, once you do so, the attackers use the data you have so willingly given to withdraw cash from your account. Now there really will be a problem with your bank balance.
Success often hinges on how closely the attack email resembles the legitimate company’s correspondence. As ever, the devil is in the details. Generic salutations (“Dear Customer”), grammar mistakes and spelling errors should set off red flags the size of Aladdin’s carpet. So should the details the email does not show at a glance: the actual sender address behind the display name, and the real target of a link (hover over it, or long-press on a phone, before clicking), which in a phishing email rarely matches the text it is dressed up as.
Here, it gets personal.
See, you wouldn’t trust emails from just anyone, but there’s probably a particular person who says “Jump” and you oblige before he or she tells you how high. Spear phishing relies on that bond and exploits it: the attacker first harvests information about your peers or superiors, then customizes the email to maximize the chance that you act on it. LinkedIn is a favourite source, since attackers can combine what it reveals about job titles, colleagues and projects with other public sources to craft a convincing, targeted email.
It’s like pretending to be your child’s parent in order to steal their candy.
To prevent this, organizations must conduct continuous employee security awareness training that shows staff the risk they create for themselves and for the business when they divulge too much information on social media. Companies should also invest in solutions that analyze inbound email for known malicious links and attachments.
This attack, whaling, is named so probably because the attackers are aiming for the big fish, or perhaps because the targets are usually left blubbering after a successful attack.
Whaling mainly targets CEOs and other key decision-makers. If it succeeds, the details acquired (and the compromised mailbox itself) can be used to wreak havoc within the company through what is referred to as business email compromise: emails sent from, or convincingly imitating, the executive’s account instruct staff to pay fake invoices or change bank details. When it rains, it pours.
The success rate of this type of attack is high because executives often skip security awareness training. That should change, as ever the faithful General leads his or her troops. More importantly, no financial transaction should be authorized on the strength of an email alone: require confirmation over a separate channel (a call to a number already on file, not one given in the email) and a second approver for payments and bank-detail changes, so that a compromised or impersonated mailbox cannot move money by itself.
Clone phishing starts from a legitimate email that the victim has already received. The attacker copies it, swaps the original link or attachment for a malicious one, and resends it from a lookalike address with a note such as “the link expired”, counting on you not noticing the difference. In the event that you do, you may well attribute the change to the link having been resent.
This usually works because the first email was genuine, so the copy inherits its credibility.
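The red flags from the deceptive-phishing section (generic salutation, urgency, a sender or link that is not what it appears to be) and the clone-phishing comparison above can both be checked mechanically. The following Python script is an added example written for this article, not code from the original page or from any vendor: it parses raw email text, pulls the visible anchor text and the real href out of every link, flags the common tells, and diffs a “resent” email against the genuine one it copies. The three messages at the bottom are constructed samples using reserved example domains and an RFC 5737 documentation address; the keyword lists are illustrative assumptions, not a complete detection rule set.

```python
import email
import email.utils
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative keyword lists (assumptions for this example, not a full rule set).
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)  # "looks like a domain"


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def parse(raw):
    """Return (message, html body, [(href, anchor text), ...])."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    ext = _LinkExtractor()
    ext.feed(html)
    return msg, html, ext.links


def sender_domain(msg, header="From"):
    """Domain of the address in a header, ignoring the display name entirely."""
    _, addr = email.utils.parseaddr(str(msg.get(header, "")))
    return addr.rpartition("@")[2].lower()


def deceptive_indicators(raw):
    """Red flags for one email: header, wording and link-target checks."""
    msg, html, links = parse(raw)
    flags = []
    from_dom, reply_dom = sender_domain(msg), sender_domain(msg, "Reply-To")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    text = " ".join(re.sub(r"<[^>]+>", " ", html).lower().split())  # crude tag strip
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic salutation")
    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject or w in text for w in URGENCY):
        flags.append("urgency language")
    for href, anchor in links:
        host = (urlparse(href).hostname or "").lower()
        try:
            ipaddress.ip_address(host)
            flags.append(f"link points at a bare IP address {host}")
        except ValueError:
            pass
        shown = DOMAIN_RE.search(anchor)  # does the visible text name a domain?
        if shown and shown.group(0).lower() != host:
            flags.append(f"anchor text shows {shown.group(0)} but href goes to {host}")
    return flags


def clone_changes(original_raw, resent_raw):
    """What a 'resent' copy changed relative to the genuine email it clones."""
    orig_msg, _, orig_links = parse(original_raw)
    new_msg, _, new_links = parse(resent_raw)
    changes = []
    if sender_domain(orig_msg) != sender_domain(new_msg):
        changes.append(f"sender domain {sender_domain(orig_msg)} -> {sender_domain(new_msg)}")
    orig_by_text = {anchor: href for href, anchor in orig_links}
    for href, anchor in new_links:  # same visible text, different destination
        if anchor in orig_by_text and orig_by_text[anchor] != href:
            changes.append(f"link '{anchor}': {orig_by_text[anchor]} -> {href}")
    return changes


# Constructed sample messages (not real mail); reserved example names throughout.
BANK_PHISH = """\
From: Example Bank Security <alerts@secure-examplebank-login.net>
Subject: Urgent: your account has been suspended
Content-Type: text/html

<p>Dear Customer,</p>
<p>Unusual activity was detected. Verify your details immediately at
<a href="http://203.0.113.7/login">https://www.examplebank.com/login</a>
or your account will remain suspended.</p>
"""
ORIGINAL = """\
From: Payroll <payroll@example-corp.com>
Subject: Your payslip is ready
Content-Type: text/html

<p>Hi Alice, your payslip for this month is ready.</p>
<p><a href="https://hr.example-corp.com/payslip">View payslip</a></p>
"""
CLONE = """\
From: Payroll <payroll@example-corp.co>
Subject: Re: Your payslip is ready (link expired)
Content-Type: text/html

<p>Hi Alice, the previous link expired, please use this one.</p>
<p><a href="https://hr.example-corp.co/payslip">View payslip</a></p>
"""

if __name__ == "__main__":
    print(deceptive_indicators(BANK_PHISH))
    print(clone_changes(ORIGINAL, CLONE))
```

Run it as a script to print the findings for the constructed samples. The anchor-text check only fires when the visible text itself names a domain; a link whose text just says “View payslip” gives the reader nothing to compare, which is exactly why hovering over links matters, and why the clone check compares the resent email against the original rather than inspecting it alone.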
First, a quick lesson on how domain names work.
Machines use IP addresses to connect to other machines on the internet. As human beings, we have enough to remember (birthdays, appointments and passwords) without adding strings of numbers like 192.0.2.10 or 198.51.100.20 to the list. Domain names such as facebook.com or google.com, on the other hand, are easy to remember.
So when you key “google.com” into your web browser, the browser asks a domain name system (DNS) resolver for the IP address behind that name, and then connects you to whatever address comes back.
All of this happens without most people noticing. So what if an attacker managed to change the answer, by poisoning the resolver’s cache, altering the DNS settings on your router, or editing the hosts file on your machine, so that “google.com” resolves to an address of their choosing? This is pharming. You key in “google.com”, the address bar still says “google.com”, but the page you are looking at is served from the attacker’s machine (the same box that hosts “phoolofatook.com”, say) and is a copy of the real login page. Assuming you do not notice, the attack follows the same pattern as discussed earlier: you type your credentials and the attacker collects them.
To prevent this, companies should encourage employees to enter login credentials only on HTTPS-protected sites and never to click through a certificate warning: a pharmed server cannot present a valid certificate for the name in the address bar, so that warning is often the only visible sign of the attack. Keep DNS settings on routers and endpoints under control (and the hosts file unmodified), and run regularly updated anti-virus software on all corporate devices, since planting DNS or hosts-file changes is something malware does.
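To make the lookup order concrete, here is an added Python example written for this article (not code from the original page): it mimics how a client consults the hosts file before DNS, shows how a planted hosts entry wins, flags such overrides for a watch-list of domains, and implements the hostname-versus-certificate check that is what actually exposes a pharmed connection over HTTPS. The hosts file contents, DNS answers and certificate names are all constructed; the IP addresses are RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed hosts file. The last line is what a pharming attack (malware with
# admin rights, or a tampered image) plants: "google.com" is pinned to an attacker
# address before DNS is ever consulted. Addresses are documentation ranges only.
HOSTS_FILE = """\
# default entries
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.10  intranet.example.local
203.0.113.7 google.com www.google.com   # planted by the attacker
"""

# Constructed stand-in for what an honest DNS resolver would answer.
DNS_ANSWERS = {"google.com": "198.51.100.20", "www.google.com": "198.51.100.20"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments, blanks and junk lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield addr, name.lower().rstrip(".")


def resolve(name, hosts_text, dns_answers):
    """Usual client lookup order: hosts file first, DNS only if nothing matched."""
    name = name.lower().rstrip(".")
    for addr, host in parse_hosts(hosts_text):
        if host == name:
            return str(addr)
    return dns_answers.get(name)


def hosts_overrides(hosts_text, watch_domains):
    """Entries that pin a watched domain (or any subdomain) to a non-loopback address."""
    hits = []
    for addr, host in parse_hosts(hosts_text):
        if addr.is_loopback:
            continue
        if any(host == d or host.endswith("." + d) for d in watch_domains):
            hits.append((host, str(addr)))
    return hits


def cert_matches(hostname, san_names):
    """Browser-style name check: the certificate must list the typed hostname as a
    DNS SAN; a '*.' wildcard covers exactly one label and never the bare apex."""
    hostname = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            labels = hostname.split(".")
            if len(labels) > 2 and ".".join(labels[1:]) == san[2:]:
                return True
        elif san == hostname:
            return True
    return False


if __name__ == "__main__":
    print("google.com ->", resolve("google.com", HOSTS_FILE, DNS_ANSWERS))
    print("overrides:", hosts_overrides(HOSTS_FILE, ["google.com"]))
    # The pharmed server cannot present a certificate for google.com, so the
    # browser's certificate check fails even though the address bar looks right.
    print("cert ok:", cert_matches("google.com", ["phoolofatook.com", "*.phoolofatook.com"]))
```

The `hosts_overrides` sweep is the kind of check an endpoint agent can run on every machine; the `cert_matches` function is why the advice to stay on HTTPS works against pharming in the first place, and why clicking through a certificate warning throws that protection away.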
Dropbox & Google Docs Phishing
Note: These are not types of phishing attacks per se; they are named after the services they mimic.
Dropbox is a very helpful tool, using the versatility of the cloud to back up and share documents with people worlds away on a variety of devices. With this great capability comes a great number of logins, and a login page that millions of people recognize is exactly what a phisher wants to copy.
You probably see where I’m going with this. By posing as the legitimate Dropbox login page, attackers dupe users into entering their credentials, leaving everything stored in the account exposed.
In one case, the attackers hosted their fake login page on Dropbox itself, so even the hosting domain looked trustworthy.
If it isn’t broke, don’t fix it.
The Google phishing attack is just a remix of the above, tweaked to exploit Google. Since Google Drive can host everything from documents to websites, it’s a treasure trove, the likes of which would make a leprechaun drool if data were gold. Not to mention the damage attackers could cause on other Google services with the same login.
As illustrated above, a single Google login is all an attacker needs: one password opens Gmail, Drive and every other Google service tied to the account.
In this case, two-step verification is your friend: a stolen password alone no longer opens the account. Be aware of its limits, though. A phishing page that asks for the one-time code as well and relays it in real time still gets in, so where the option exists, prefer a phishing-resistant second factor such as a hardware security key. Google also ensured that this particular vulnerability was fixed, but it is prudent to inform you of the lengths these cybercriminals will go to.
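Whether a login page is the genuine Dropbox or Google one comes down to reading the URL correctly, which browsers make harder than it should be. The following Python example is added here and is not the original page’s or either vendor’s code; it classifies candidate login URLs and rejects the common tricks: plain HTTP, a fake host hidden before an “@”, punycode lookalike domains, login forms served from user-upload domains (as in the Dropbox-hosted phishing page mentioned above), and hosts that merely contain the brand name. The allowed login hosts and user-content domains are assumptions for the example; the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Hosts that serve the real sign-in pages. Assumed for this example; take the
# authoritative list from each service's own documentation.
LOGIN_HOSTS = {
    "dropbox": {"www.dropbox.com"},
    "google": {"accounts.google.com"},
}
# Domains that serve user-uploaded files. Assumed here for illustration: a sign-in
# form loaded from one of these is someone's uploaded HTML, not the service's page.
CONTENT_HOSTS = {"dropboxusercontent.com", "googleusercontent.com"}


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def classify_login_url(url, service):
    """Return 'ok' if url is the genuine login page for service, else the reason it is not."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return "not https"
    if parts.username is not None:
        # Browsers treat everything before '@' as a username and connect to host.
        return f"text before '@' is not the host; real host is {host}"
    if host in LOGIN_HOSTS[service]:
        return "ok"
    if any(label.startswith("xn--") for label in host.split(".")):
        return f"internationalized (punycode) host {host}; check for lookalike characters"
    if any(_under(host, c) for c in CONTENT_HOSTS):
        return f"user-content host {host}; real login pages are never served from here"
    if service in host:
        return f"lookalike host {host}: contains '{service}' but is not the login host"
    return f"unknown host {host}"


def audit(urls, service):
    """Map each candidate URL to its verdict."""
    return {u: classify_login_url(u, service) for u in urls}


# Constructed URLs; the IP is from an RFC 5737 documentation range.
SAMPLE_URLS = [
    "https://www.dropbox.com/login",
    "http://www.dropbox.com/login",
    "https://www.dropbox.com@203.0.113.7/login",
    "https://www.dropbox.com.account-verify.example/login",
    "https://dl.dropboxusercontent.com/s/abc123/login.html",
    "https://xn--drpbx-1ua.com/login",
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_URLS, "dropbox").items():
        print(f"{verdict:<72} {url}")
```

Only an exact match against the known login host returns “ok”; everything else gets a reason rather than a guess, which is the right default for a check that gates where credentials go. Note that none of this helps once the user has typed a password and a one-time code into a convincing copy, which is why a hardware security key, bound to the real origin, is the stronger second factor.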
Unfortunately, you may be reading this article too late. You might have already fallen prey to an Ocean’s Eleven grade attack, one so clever you did not notice until the hackers executed their endgame.
Don’t worry, it happens to the best of us.
Luckily, there are steps you can and should take to prevent the situation from escalating.
- Disconnect your device from the network; this prevents malware (which may be looking for ‘juicier’ targets) from spreading to other devices on the network.
- Scan your system for malware; this happens in two phases:
  - Run your antivirus; it can still scan while offline. If it cannot, it might be time to consider a new antivirus that will.
  - Run a separate anti-malware tool; download it on a different, uncompromised device and transfer it to the unlucky one on removable media. You may not be able to update its signature database while offline, but the stock version should run just fine and should catch anything the antivirus missed.
- Change your credentials; ALL OF THEM, and do it from a clean device rather than the compromised one, or the attacker may simply harvest the new passwords too. Follow best password practice: a unique password for every account, never the same one everywhere for the sake of convenience, and turn on two-step verification wherever it is offered.
- Set up a fraud alert; tell your bank and any other relevant parties that your account is no longer under your control.
- If you have a data backup system, whether onsite or offsite, stop the backup process as soon as you realize your data has been compromised. This prevents malicious content from being replicated into your backed-up data.
- Employ data versioning; keep multiple versions of your backed-up data so that you still have clean copies to restore from even when one version has been compromised.