History shows that phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. Always be careful about giving out personal information over the Internet. Companies have begun to employ countermeasures against phishers, but those cannot fully protect you on their own. Remember that you may be targeted almost anywhere online, so keep an eye out for "phishy" schemes and never feel pressured into giving up personal information.
What Is Phishing?
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Communications purporting to be from popular social websites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that host malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Different Types Of Phishing Techniques:
1# Spear Phishing: Phishing attempts directed at specific individuals or companies are termed spear phishing. Attackers gather personal information about their target (role, colleagues, recent activity) to increase their probability of success. It is widely regarded as the most effective form of phishing; some industry reports have attributed around 91% of targeted attacks to it.
2# Clone Phishing: A phishing attack in which the content and recipient address(es) of a legitimate, previously delivered email containing an attachment or link are copied to create an almost identical, or cloned, email. The attachment or link is replaced with a malicious version and the message is sent from an address spoofed to appear to come from the original sender; it may claim to be a resend of the original or an updated version. Because both parties received the original, the victim infers a connection and trusts the clone, which lets an attacker pivot (indirectly) from a previously compromised machine and gain a foothold on another.
3# Whaling: Phishing attacks aimed specifically at senior executives and other high-profile targets within a business are called whaling. The masquerading web page or email takes a more serious, executive-level form: the content is crafted around the target's role in the company, usually involves some kind of falsified company-wide concern (a legal subpoena, a customer complaint, or an executive issue), and is made to look like critical business correspondence from a legitimate authority. Whaling phishers have also forged official-looking FBI subpoena emails claiming that the manager must click a link and install special software to view the subpoena.
4# Link Manipulation: Most phishing relies on some form of technical deception that makes a link in an email (and the spoofed website it leads to) appear to belong to the impersonated organization. Misspelled URLs and misleading subdomains are the common tricks. In the example URL http://www.yourbank.example.com/ the link appears to lead to the "example" section of the yourbank website; in fact the registrable domain is example.com, and "yourbank" is merely a subdomain the phisher controls. Another common trick is to make the displayed text of a link (the text between the <A> tags) suggest a reliable destination while the href actually goes to the phisher's site. Many email clients and browsers preview the real destination in the bottom left of the window when the mouse hovers over a link; a phisher can in some circumstances override this, for example with script that changes the destination only when the link is clicked.
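The two tricks above (a trusted name used as a subdomain, and link text that disagrees with the href) are mechanical enough to check automatically. The following Python is an added example, not code from the original article: it parses anchors out of a constructed HTML email body, reduces each hostname to its registrable domain, and flags links whose real destination does not match what the visible text or the recipient's trust relationships suggest. The sample email, the set of trusted domains and the IP address are all made up for the example; the "last two labels" rule for the registrable domain is a deliberate simplification (real code should use the Public Suffix List).

```python
"""Flag link-manipulation tricks in an HTML email body (added example)."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: the one domain this recipient actually banks with.
TRUSTED_DOMAINS = {"yourbank.com"}


def registrable_domain(host: str) -> str:
    """Return the registrable (base) domain of a hostname.

    Naive rule, an assumption of this example: the last two DNS labels, so
    'www.yourbank.example.com' becomes 'example.com'.  Production code should
    consult the Public Suffix List ('co.uk' is not a registrable domain).
    IP literals are returned unchanged.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []     # list of (href, visible text)
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside it

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_shown_to_user(text: str) -> str:
    """If the visible link text looks like a URL or hostname, return its host;
    otherwise ''.  'Click here' gives '', 'www.yourbank.com' gives itself."""
    if " " in text or "." not in text:
        return ""
    return urlsplit(text if "://" in text else "//" + text).hostname or ""


def suspicious_links(html_body: str) -> List[Dict[str, str]]:
    """One finding per anchor whose real destination is not justified by the
    visible text or by the recipient's trusted domains."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = urlsplit(href).hostname or ""
        real_domain = registrable_domain(real_host)
        shown_host = _host_shown_to_user(text)
        reason = None
        if shown_host and registrable_domain(shown_host) != real_domain:
            reason = "text shows %s but link goes to %s" % (shown_host, real_host)
        elif real_domain not in TRUSTED_DOMAINS:
            reason = "destination %s is not a trusted domain" % real_domain
            # The subdomain trick: a trusted brand name sitting to the LEFT
            # of the real registrable domain.
            brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
            if brands & set(real_host.split(".")[:-2]):
                reason += " (trusted name used as a subdomain)"
        if reason:
            findings.append({"href": href, "text": text, "reason": reason})
    return findings


# Constructed sample email body; the IP address is a documentation address.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please <a href="http://www.yourbank.example.com/">log in to yourbank</a> to verify your account.</p>
<p>Or visit <a href="http://198.51.100.23/login">http://www.yourbank.com/login</a> directly.</p>
<p>Statements: <a href="https://www.yourbank.com/statements">www.yourbank.com</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print("%-40s %s" % (finding["href"], finding["reason"]))
```

Run against the sample, the first two links are reported (subdomain trick, and text/href mismatch) while the genuine statements link passes. The same check is what a mail gateway or a browser extension applies before the user ever hovers over the link.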
5# Filter Evasion: Phishers have started using images instead of text to make it harder for anti-phishing filters to detect the wording commonly used in phishing emails. This has led to more sophisticated filters that recover the hidden text from images using OCR (Optical Character Recognition). Some filters go further and use IWR (Intelligent Word Recognition), which is not meant to replace OCR entirely but can also read cursive, handwritten, rotated (including upside-down) or distorted text (wavy, stretched vertically or laterally, or skewed), as well as text on colored backgrounds.
An attacker can also turn flaws in a trusted website's own scripts against the victim. These cross-site scripting (XSS) attacks are particularly problematic because they send the user to sign in at the bank's or service's own web page, where everything from the address bar to the certificate appears correct; only the link itself is crafted to carry out the attack, which makes it very hard to spot without specialist knowledge. Just such a flaw was used against PayPal in 2006.
A Universal Man-In-The-Middle (MITM) Phishing Kit, discovered in 2007, provides a simple-to-use interface that lets a phisher convincingly reproduce a website and capture the login details entered at the fake site.
To evade anti-phishing techniques that scan websites for phishing-related text, phishers have used Flash-based websites (a technique known as "phlashing"). These look much like the real website but hide the text inside a multimedia object. Flash itself has since been retired by browsers, but the same idea applies to any rich-media object that keeps the text out of reach of a scanner.
7# Covert Redirect: Covert Redirect is a subtle phishing method in which the link really does lead to a legitimate, trusted domain, but that site then forwards the victim to the attacker's website. It is usually disguised as a login popup served from the affected site's own domain, such as an OAuth 2.0 or OpenID authorization dialog: the attacker supplies a crafted value in a well-known redirect parameter, and an open redirect or XSS vulnerability in the third-party application passes the user, and often the authorization code or token, on to the attacker.
Ordinary phishing attempts can be spotted because the malicious page's URL differs from the real site's. With Covert Redirect the victim sees a real website and a real login dialog; the only clue is the destination hidden in the redirect parameter, and that is what sets Covert Redirect apart from the others.
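To make the distinction concrete, here is an added Python example (not code from the original article) of the check an OAuth 2.0 authorization server performs on redirect_uri: a lax host-only match beside a strict exact match, together with a model of an open redirect on the client's own domain showing how the lax check hands the authorization response to the attacker. The hostnames app.example and attacker.example, the client id, and the /redirect?next= endpoint are all constructed for the example.

```python
"""Validating an OAuth 2.0 redirect_uri: a lax check beside a strict one
(added example; hostnames and client id are constructed)."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the redirect URIs each client registered with the
# authorization server at onboarding time.
REGISTERED = {
    "client-123": ["https://app.example/oauth/callback"],
}


def lax_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Weak check seen in affected implementations: accept any URI whose
    host matches a registered one.  Any open redirect on that host then
    becomes a covert redirect to the attacker."""
    host = urlsplit(redirect_uri).hostname
    return any(urlsplit(r).hostname == host for r in REGISTERED.get(client_id, []))


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered URIs, as RFC 6749
    section 3.1.2.2 and the OAuth 2.0 Security BCP recommend.  No host-only,
    prefix or substring matching."""
    return redirect_uri in REGISTERED.get(client_id, [])


def open_redirect_target(url: str) -> str:
    """Model the third-party site's open redirect: a hypothetical
    /redirect?next=<url> endpoint that forwards the browser to <url> without
    checking it.  Returns where the browser finally lands."""
    parts = urlsplit(url)
    if parts.path == "/redirect":
        nxt = parse_qs(parts.query).get("next")
        if nxt:
            return nxt[0]
    return url


def final_destination(client_id: str, redirect_uri: str, check):
    """Where the authorization code would be delivered if `check` accepts
    redirect_uri, or None if the request is refused."""
    if not check(client_id, redirect_uri):
        return None
    return open_redirect_target(redirect_uri)


# The phishing link: a genuine app.example URL whose redirect parameter
# points at the attacker (constructed).
ATTACK_URI = "https://app.example/redirect?next=https://attacker.example/steal"

if __name__ == "__main__":
    for name, check in (("lax", lax_redirect_ok), ("strict", strict_redirect_ok)):
        print(name, "->", final_destination("client-123", ATTACK_URI, check))
```

With the lax check the code lands at attacker.example even though the user only ever saw an app.example login dialog; with exact matching the request is refused before any redirect happens. Registering full URIs and comparing them exactly is the server-side fix; on the client side, never allow unvalidated redirect targets on the same origin as your OAuth callback.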
8# Phone Phishing: Not all phishing attacks require a fake website. Messages claiming to be from a bank have told users to dial a phone number about problems with their accounts. Once the number (owned by the phisher and provided by a Voice over IP service) was dialed, voice prompts asked users to enter their account numbers and PIN. Vishing (voice phishing) sometimes also uses spoofed caller-ID data so that calls appear to come from a trusted organization.
9# Tabnabbing: This technique takes advantage of tabbed browsing. A page the user opened in one tab waits until that tab has been left unattended, then uses script to rewrite its own content, title and favicon so that it looks like the login page of a familiar site. It operates in reverse to most phishing techniques: it doesn't take you to a fraudulent site directly, but turns a tab you already have open into the fake page, counting on you to assume you were logged out and to re-enter your credentials.
10# Evil Twins: This is a phishing technique that is hard to detect. A phisher sets up a fake wireless network whose name resembles that of a legitimate public network found in places such as airports, hotels or coffee shops. Whenever someone connects to the bogus network, the fraudsters try to capture their passwords and/or credit card information.
Precautions Against Phishing:
- Guard against spam: be especially cautious of emails that come from unrecognized senders, ask you to confirm personal or financial information over the Internet, or make urgent requests for such information.
- Communicate personal information only by phone or over secure websites. When conducting online transactions, check for the lock icon in the browser and an "https:" URL, where the "s" stands for "secure", rather than "http:". Bear in mind that this only tells you the connection is encrypted, not who you are talking to: phishing sites are routinely served over HTTPS with valid certificates, so always check the domain name in the address bar as well.
- Beware of phone phishing schemes. Do not divulge personal information over the phone unless you initiate the call. Be cautious of emails that ask you to call a phone number to update your account information as well.
- Do not click on links, download files or open attachments in emails from unknown senders. It is best to open attachments only when you are expecting them and know what they contain, even if you know the sender.
- Never email personal or financial information, even if you are close with the recipient. You never know who may gain access to your email account, or to the person’s account to whom you are emailing.
- Beware of links in emails that ask for personal information, even if the email appears to come from an enterprise you do business with. Phishing websites often copy the entire look of a legitimate site, making them appear authentic. To be safe, contact the enterprise through a number or address you already know to ask whether they really sent the email; legitimate businesses do not request personal information by email.
- Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software. Keep all of them up to date so that they block newly discovered viruses and spyware.
- Check your online accounts and bank statements regularly to ensure that no unauthorized transactions have been made.
Note: This guide is for educational purposes only and should not be used for any illegal activity; we are not responsible for anything done with it.
We hope this HACKAGON article met our readers' expectations regarding phishing attacks. If you liked it, don't forget to share it with your friends, and feel free to drop a comment below if you have any query or feedback.