Blog
5 April 2021

How To Catch A Phish

INTRODUCTION

Working in the cyber security sector, there are many topics I discuss with people when talking about the work I do, and admittedly a lot of it sounds like complete jargon. One topic that immediately hits home with everyone I speak to is phishing awareness: the elephant in the room, the issue that keeps coming up again and again.

An image showing phishing

Stat time:

Around 3.4 billion phishing emails are sent every day across the world, and nearly 1.5 million phishing sites are created every month for use in phishing attacks. There is a huge market here for criminals to exploit, so the threat must be taken seriously whatever the size of your organisation, and for personal accounts as much as professional ones. If you haven’t already checked out our blog on general cyber security hygiene, you can do so here. Need some advice on protecting yourself or your organisation against phishing attacks, or have you already been the victim of one? Get in touch today at sales@digif9.co.uk to talk to our helpful team about how we can help you moving forward.

TYPES OF PHISHING

Wait a second, it is ‘fishing’ with a ‘ph’…

6 Phishing Rods

If you hadn’t already guessed, the terminology around phishing comes from fishing itself, as the attacks that cyber threat actors carry out mirror the techniques fishermen use around the world. On a side note, for those wanting to learn more about the impact of humans on marine species, check out the latest documentary on Netflix, Seaspiracy, which has riled up parties on both sides of the discussion.

Let’s break down the four most common types of phishing attack.

  1. Phishing

    So how does a fisherman typically go about their day? They throw some bait out over a large area and see what they get back. Or, in the case of commercial fishing, they throw out a huge net to catch as many fish as possible.

    This sums up the first form of phishing. The classic process involves an attacker creating a generic email template, for example “You have won £5,000, please click here to claim it now”, and throwing it out as virtual bait to see who bites. This is the quickest and easiest method for an attacker, but it doesn’t usually achieve a high success rate: they expect only a small percentage of their targets to fall for the scam, but each click is a success for them.

  2. Spear Phishing

    As the name suggests, this is a far more calculated and targeted approach. A fisherman casting a baited line is hoping to catch something, whereas spear fishing targets a particular fish.

    This distinction rings true in the cyber domain too, where spear phishing involves targeting a specific user with a more sophisticated approach. This will typically involve a degree of reconnaissance (recon) work on the attacker’s part, profiling their intended victim and learning their hobbies, common contacts and regular activities to find a topic to catch them out with.

  3. Whaling

    Similarly, the name here is a dead giveaway: whaling reflects both the size of the attack and the size of the target. Rather than going after a shoal of fish, or one specific fish, the eyes are set on a bigger prize.

    Whaling in the cyber domain involves targeting high-profile, senior employees within an organisation, typically senior management and the executive team. It usually involves a highly customised and personalised approach from the attacker, using information collated about the target, social engineering, impersonation of members of staff, and attempts to have financial transfers carried out.

  4. Smishing & Vishing

    The final common area in the phishing space isn’t directly related to fishing per se, but the same themes apply. The last few years have seen growth in this area, particularly on the smishing side. Smishing involves the same phishing approach, but rather than an email, the attacker sends a text message to their victim.

    These are particularly effective when you consider the alert texts you commonly receive, for example from your bank warning you about a suspicious transaction. Vishing involves the use of phone calls and is your typical run-of-the-mill scam, where an attacker pretends to be a particular party, for example the bank or an investigator, phones the victim and asks them to reveal sensitive information.

STEP 1: CHECKING THE SENDER DOMAIN

Wait, where did this come from again?

Image showing the actual email of the sender is different to the name displayed

The domain is often the first giveaway of a phishing email, as a poor choice of domain by the attacker is an immediate red flag. I often receive emails from “PayPal”, but a quick glance at the sender’s address reveals a personal Gmail account: no dice.

There are three main methods of deception to be wary of when it comes to the domain:

  1. Changing The Contact Details For The Domain

    The first is the red flag I described above, which gives the game away for me straight away: the attacker uses an unrelated email address but changes the display name on the account (the first name and surname that recipients see) to match the target of the attack. So in the case of a PayPal scam, I would change the display name on my email account to “PayPal Security”, so that in my target’s inbox they would see an important email from PayPal Security.

    The aim is to push the victim into a state of panic so they start reading the email immediately, rather than noticing a major red flag right at the start: hovering over (or tapping) the sender’s name will show you the actual address the email came from. Mobile mail clients in particular often show only the display name, so make a habit of expanding it.

  2. Misspelling Or Using Special Characters For A Domain

    A more sophisticated approach involves registering a domain specifically to send emails from. This is more time-consuming and costs the attacker money, which is why you will see a large number of generic phishing emails using the first type. More sophisticated attackers will use this second method to add authenticity.

    I will hold my hands up straight away and say I have almost fallen for phishing scams before. I know all the checks, feel confident spotting suspicious emails, and can safely say I wouldn’t fall for a phishing email of the first type. But the emails that have almost caught me out use this approach, which is why you should take extra care when performing your checks: speed forces mistakes.

    Take “Microsoft” as an example. The domain “microsoft.com” is already taken by the legitimate company, but as an attacker I notice that a lookalike such as “nnicrosoft.com” is freely available to purchase. If you look carefully at that domain you can see the problem with it, but a quick glance on a phone or laptop while you are in a rush could very easily deceive you. The same trick works with “rn” in place of “m”, a digit 1 in place of a lower-case l, and letters from other alphabets that render identically to ours.

  3. Subdomains Versus Dashes

    I won’t bore you with a 10-hour lesson on website domains, subdomains and the Domain Name System (DNS), so here is a quick 101. As the owner of the “facebook.com” domain I can not only host content on that domain, but also set up any number of subdomains under it: “admin.facebook.com”, “messenger.facebook.com”, “whatsapp.facebook.com” for example. The full stop separates a subdomain from the domain it belongs to, and a clear distinction needs to be made between a full stop and a dash “-”.

    “admin.facebook.com” is a subdomain of “facebook.com”, so it belongs to the owner of that domain. However, “admin-facebook.com” is a completely separate domain: the registered name is everything immediately to the left of the “.com”, which in this case is “admin-facebook”, and anyone can register it. This is often used to catch users out, because a quick check of the sender’s domain appears safe, since the expected brand name is in there. The rule is to read the domain from the right: the registered name is the label immediately before the public suffix (“.com”, “.co.uk” and so on), and only that label tells you who owns the address.

STEP 2: CHECKING FOR GRAMMAR AND PRESENTATION

Dude, have they not heard of spell check?

Image showing a phishing email with spelling and grammar mistakes

This is probably the first giveaway for me on half of the phishing emails I receive. As discussed earlier in the types of phishing attacks, the generic bulk phishing emails you receive (think PayPal, eBay, Amazon, DPD) are put together to be quick and effective, often in a custom program or tool the attacker uses to send out bulk mail. One of the major problems for attackers here is that a legitimate email client, such as Microsoft Outlook or Gmail, has a spelling and grammar checker working in the background to clean up silly mistakes, but this is typically not the case in their custom tools, leading to silly errors that come across as an unpolished email, and therefore one unlikely to have come from a professional company. The reverse does not hold: a targeted spear phishing email will usually be flawless, so clean spelling is not evidence that an email is genuine.

The other key factor here is the look and feel of the email. Admittedly you may not have received many emails from a company before, so it may be hard to tell whether the format is legitimate, but there are usually giveaways, such as bad grammar, pixelated logos and images, and inconsistent fonts and colour schemes.

STEP 3: EMOTIONAL TONE

But I need to action this straight away it looks important!

Phishing email with a title designed to get an immediate action from a user

As an attacker, your greatest weapon is a sense of urgency, as rushing leads to mistakes and checks being missed. A careful, calm and patient target is likely to take their time reading your email, performing their checks and identifying anything suspicious or not quite right about it. This is why phishing emails almost always contain a sense of urgency.

Your account has been locked, your credit card has been used fraudulently, you need to reset this password, you need to update your details now or your account will be deleted. These are some of the most common phrases seen in phishing emails because they immediately cause a sense of panic, which leads to mistakes. If you were not expecting an email or a phone call about something, and this is the first you have heard of the issue, treat the email as phishing until you have finished your checks. Take the time to digest the situation and decide what the next course of action should be, even if the email suggests otherwise.

STEP 4: LINKS & ATTACHMENTS

Wait a second, where are you trying to send me?

An image showing a malicious link in a phishing email

This is the bread and butter of a phishing email: it’s where the malicious content is, and so the goal of the whole process. The attacker wants their victim to panic, rush through the email and believe they need to take immediate action, and the quickest way to do so is to open an attached document or click a link to a website. Bam: this is where the malicious attack takes place.

Let’s start with links. You have received an email from “PayPal Security” telling you there has been fraudulent activity on your account and you need to take action by clicking the link below, which appears to be “security.paypal.com”. All seems to check out so far, right? Hovering over a link in an email or document, however, reveals the true target of the link, and if this is different from what the text says it is a major red flag. Instead of the PayPal domain, it’s taking you to “definitelynotascam.com”. On a desktop the real address appears in the status bar at the bottom of the window; on a phone, where you cannot hover, a long press on the link usually shows the same information.
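The sender checks from Step 1 and the link check just described, as an added example in Python that is not part of this post. The sample email, the brand list, the confusable-character pairs and the two-label suffix table are all constructed for illustration; a real tool would use the full Public Suffix List and a maintained brand list, and the confusable pairs are only a handful of the ones that exist.

```python
# Added example: sender-domain and link checks (Steps 1 and 4) over a
# constructed sample email. Brand list, confusable pairs, suffix table and
# the message itself are illustrative constructions, not real data.
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List: suffixes that consist of two labels.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Brands we expect to hear from, mapped to the domain they really send from.
PROTECTED_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com",
                    "facebook": "facebook.com"}

# Character runs that imitate another letter at a glance, in the order applied.
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable_domain(host: str) -> str:
    """The part of a hostname that its owner actually registered:
    admin.facebook.com -> facebook.com, admin-facebook.com -> admin-facebook.com,
    mail.example.co.uk -> example.co.uk (via the suffix table)."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def lookalike_of(domain: str):
    """Brand that a domain imitates, or None if it is genuine or unrelated."""
    name = registrable_domain(domain)
    if name in PROTECTED_BRANDS.values():
        return None
    base = name.split(".")[0].replace("-", "")          # admin-facebook -> adminfacebook
    for seq, plain in CONFUSABLES:
        base = base.replace(seq, plain)                  # nnicrosoft -> microsoft
    for brand in PROTECTED_BRANDS:
        if brand in base or difflib.SequenceMatcher(None, brand, base).ratio() > 0.85:
            return brand
    return None


def check_sender(from_header: str) -> list:
    """Step 1: display name vs real address, then lookalike or dash-joined domains."""
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower()
    findings = []
    for brand, real in PROTECTED_BRANDS.items():
        if brand in display.lower() and registrable_domain(domain) != real:
            findings.append(f"display name says {display!r} but mail is from {domain}")
    brand = lookalike_of(domain)
    if brand:
        findings.append(f"sender domain {domain} imitates {brand}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html: str) -> list:
    """Step 4: the domain a link displays must match where its href really goes."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = registrable_domain(urlsplit(href).hostname or "")
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group(0)) != target:
            findings.append(f"link text shows {shown.group(0)} but goes to {target}")
        elif lookalike_of(target):
            findings.append(f"link target {target} imitates {lookalike_of(target)}")
    return findings


# Constructed sample: the PayPal scenario from the post, as a raw message.
SAMPLE_EMAIL = """\
From: PayPal Security <alerts@paypal-security.com>
To: victim@example.com
Subject: Unusual activity on your account
Content-Type: text/html

<p>We detected fraudulent activity. Review it now at
<a href="https://definitelynotascam.com/login">security.paypal.com</a>.</p>
"""


def triage(raw_message: str) -> list:
    """Run both checks over one raw message and return the red flags found."""
    msg = message_from_string(raw_message)
    return check_sender(msg["From"]) + check_links(msg.get_payload())
```

Running `triage(SAMPLE_EMAIL)` returns three findings: the display name claims PayPal while the address is on paypal-security.com, that domain imitates the brand, and the link shows security.paypal.com but goes to definitelynotascam.com. The registrable-domain step is what makes the dash-versus-dot distinction mechanical: everything left of the registered name is ignored, so a subdomain of the real brand passes and a dash-joined imposter does not.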

Next, attachments. Links are the most common form of phishing and so are the area users are most wary of, which is why criminals continually seek out new ways to conduct these attacks. Attachments are a powerful way to add a sense of urgency without a suspicious link, and you will often see them used in internal-looking emails, for example in the spear phishing and whaling attacks we discussed earlier. “Hey boss, can you quickly review this document for me before I send it out to the client?” is one common approach. Be sure to disable macros on your system, as these are commonly used within Office documents to carry the malicious payload, and never enable them just because a document asks you to. To be safe, do not open an attachment you are not expecting. If possible, send a message by a separate channel (instant message or text message, not a reply to the email itself) to verify that the person is the genuine sender and the document was meant for you.
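An added example, not from the original post, of how the macro warning above can be checked before anyone double-clicks: modern Office files are zip archives, and a document that carries VBA macros contains a vbaProject.bin part whatever its extension says. The Office file and the “can you review this” email below are constructed in memory; the sender, filename and message text are made up.

```python
# Added example: spot macro-enabled Office attachments in a raw email.
# The sample document and message are constructed here, not captured.
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions that declare macros, and the zip part that actually holds them.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".potm")
MACRO_PART = "vbaproject.bin"


def build_office_file(with_macro: bool) -> bytes:
    """Constructed sample: a minimal Office-style zip, with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


def attachment_has_macros(filename: str, data: bytes) -> bool:
    """True if the name or the contents show the file carries VBA macros.
    Only the zip-based formats are inspected; legacy binary .doc/.xls files are
    not zips and need a dedicated parser such as olevba from oletools."""
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return True
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith(MACRO_PART) for name in zf.namelist())


def build_sample_message() -> bytes:
    """Constructed sample: the 'quick review before I send it' email."""
    msg = EmailMessage()
    msg["From"] = "Alex <alex@example.com>"
    msg["To"] = "boss@example.com"
    msg["Subject"] = "Quick review before I send this to the client?"
    msg.set_content("Hey boss, can you quickly look over the attached?")
    msg.add_attachment(build_office_file(with_macro=True),
                       maintype="application", subtype="octet-stream",
                       filename="proposal.docx")       # innocent-looking extension
    return msg.as_bytes()


def macro_attachments(raw_message: bytes) -> list:
    """Filenames of the attachments in a raw message that carry macros."""
    msg = message_from_bytes(raw_message, policy=default)
    return [part.get_filename() for part in msg.iter_attachments()
            if attachment_has_macros(part.get_filename() or "",
                                     part.get_payload(decode=True) or b"")]
```

`macro_attachments(build_sample_message())` returns `["proposal.docx"]` even though the extension is the harmless-looking .docx, because the check looks inside the archive rather than trusting the name. A mail gateway rule that only blocks .docm would miss it.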

STEP 5: TOO GOOD TO BE TRUE

I guess this is just my lucky day.

Phishing email example

Whilst most phishing attacks lean on urgency, some go further and set out to scare the victim: “You must do this now or this will happen!” Fear and intimidation is one common tactic, but another is to get the victim’s guard down by making them a fantastic offer they have to act on straight away.

Prize winnings, tax rebates and insurance claims are common lures from scammers in this area, enticing the victim to ignore their safety measures and chase the reward. The best advice here is to be mindful of what you have actually applied for, and to remember that no company will give you something for free out of the blue.

STEP 6: CONFIRMING BY ANOTHER MEANS

Let me just check this first.

An image showing a login to Facebook, a means of checking notifications without clicking a link in an email.

This is probably the most effective way to inspect and handle a suspect email, and is my go-to method. For example, if I receive an email from Facebook instructing me to update my password, even if I am highly confident that the email is legitimate, I won’t click through the link in the email to open Facebook. I will open a new tab in my browser, type the address myself (or use a saved bookmark), and log in.

Whilst following links in emails is appealing from an efficiency perspective, taking those extra few seconds to action the request yourself gives you the peace of mind that you haven’t been phished. Whenever you receive a ‘high alert’ or ‘urgent’ email from a particular website, logging in to your account manually should show you the same notification; if it doesn’t, that is a strong sign the email was not legitimate. The same applies to phone calls: hang up and call back on the number printed on your card or the organisation’s website, not one given to you by the caller.

STEP 7: CONSENT PHISHING

Wait there’s another one!

An example of permissions given to an app which could lead to consent phishing

Consent phishing is a growing area of concern across the industry, primarily because of the expansion of federated identity. Through federated identity, a user can sign up for a new website, for example Canva, without actually creating an account on Canva: they authenticate through a third party, such as Google, Facebook or Amazon. This gives the user fewer accounts to manage, but it also explains why this attack vector has grown.

If an attacker is able to compromise a federated account, this potentially grants more than one account’s worth of access, with every other login linked to that account also exposed. This is why there has been an increasing spike in phishing attacks attempting to harvest logins for the accounts commonly used for federation, like Microsoft, Amazon, Facebook and Google.

Consent phishing goes a step further. Rather than stealing the password, the attacker registers an application of their own with the identity provider and lures the victim to a genuine sign-in prompt that then asks them to grant that application extensive permissions. Because the victim authenticates with the real provider and merely approves the app, no password is stolen and multi-factor authentication does not stop it; the attacker walks away with an access token instead. The most common examples involve Facebook, Microsoft and Google accounts for good reason: this is where sensitive data is likely to be found, whether in emails, messages or documents.

When you link a third-party application to another provider, for example Facebook, a pop-up window asks you to approve a set of permissions that the third-party app can exercise on your behalf using your Facebook account. Attackers play on the fact that people are busy and do not take the time to read the small print stating what permissions they are agreeing to.

“Send messages as you”, “Read your mail”, “Read your contacts” and “Have full access to your files” are just some examples of permissions you should be extremely careful with! By agreeing, you are giving the third-party app access rights, typically via API access tokens, to read and potentially write this information, and that access persists until you revoke it from the provider’s connected-apps or permissions page. An important lesson here is to always know what you are agreeing to, and to review what you have already agreed to from time to time.
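What those human-readable prompts look like in the request itself, as an added example in Python that is not part of this post. The consent link, the client_id and the redirect host are constructed; the scope names are real delegated permission names from Microsoft Graph, and the vetted-application allowlist is an assumed input that an organisation would maintain itself.

```python
# Added example: read the permissions out of an OAuth consent link before
# approving it. Sample URL, client IDs and redirect host are made up.
from urllib.parse import parse_qs, urlsplit

# Delegated Microsoft Graph permission names behind the prompts the post quotes.
HIGH_RISK_SCOPES = {
    "Mail.Read": "read your mail",
    "Mail.ReadWrite": "read and modify your mail",
    "Mail.Send": "send mail as you",
    "Contacts.Read": "read your contacts",
    "Files.ReadWrite.All": "full access to your files",
    "offline_access": "keep access after you close the browser (refresh token)",
}

# Only the genuine authorisation endpoint should ever see your credentials.
IDENTITY_PROVIDER_HOSTS = {"login.microsoftonline.com"}

# Assumed allowlist of application IDs your organisation has vetted (invented).
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}

# Constructed consent link: a "document viewer" asking for far too much.
SAMPLE_CONSENT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=0f9e8d7c-6b5a-4321-8765-43210fedcba9&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-viewer.example.net%2Fcallback"
    "&scope=openid%20profile%20Mail.ReadWrite%20Mail.Send%20Files.ReadWrite.All%20offline_access"
)


def assess_consent_url(url: str) -> dict:
    """Pull the facts a user should weigh out of an OAuth authorize link."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    scopes = first("scope").split()
    return {
        "genuine_provider": parts.hostname in IDENTITY_PROVIDER_HOSTS,
        "client_id": first("client_id"),
        "redirect_host": urlsplit(first("redirect_uri")).hostname or "",
        "scopes": scopes,
        "risky": {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES},
    }


def verdict(url: str, approved=APPROVED_CLIENT_IDS) -> str:
    """'approve' for harmless scopes, 'review' for risky scopes from a vetted app,
    'deny' for risky scopes from an app nobody has vetted. A genuine provider host
    is exactly what makes consent phishing convincing, so on its own it is never
    a reason to approve."""
    facts = assess_consent_url(url)
    if not facts["genuine_provider"]:
        return "deny"          # a credential-harvesting page dressed up as a login
    if not facts["risky"]:
        return "approve"
    return "review" if facts["client_id"] in approved else "deny"
```

For the sample link `verdict` returns "deny": the host is the real Microsoft sign-in page, which is why the victim’s password is never at risk and why the prompt looks trustworthy, but the unknown application is asking to read and send mail, access every file and keep that access indefinitely. The same scopes from an application on the allowlist come back as "review" rather than an automatic pass.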

CONCLUSION

Phishing is such a challenging area to crack down on, with so many techniques and variants available to attackers. The challenge for email providers such as Microsoft and Google in identifying suspicious emails is that if their filters are too aggressive there will be false positives, meaning genuine emails end up in the junk or spam folder and are missed by users. Whilst this article is not an exhaustive list of the ways to spot a phishing email, it should provide a useful guide to how you can take matters into your own hands and improve your protection against this form of attack. No one wants to be another statistic.

Interested in building a secure website, mobile application, or a visual identity for your organisation? Then get in touch today at sales@digif9.co.uk for a free quote tailored to your requirements. We hope you enjoyed this week’s blog, stay tuned for next week’s edition!