History of phishing & What is phishing
Phishing
History of phishing
The history of the term phishing is not entirely clear.
One common explanation for the term is that phishing is a homophone of fishing: phishing scams use lures to catch unsuspecting victims, or "fish".
Another explanation traces the origin of phishing to the string <>< , which is often found in AOL chat logs. Those characters were a common HTML tag found in chat transcripts, and because the string occurred so frequently in those logs, AOL admins could not productively search for it as a marker of potentially improper activity. Black hat hackers would therefore replace any reference to illegal activity, including credit card or account credential theft, with the string. All of this could have eventually given the activity its name, since the characters look like a simple rendering of a fish.
In the early 1990s, a group of individuals called the Warez Group created an algorithm that generated credit card numbers. The numbers were created at random in an attempt to create fake AOL accounts, which would then spam other AOL accounts. Some individuals would change their AOL screen names to appear as AOL administrators and, using these screen names, would "phish" people via AOL Messenger for their information.
In the early 2000s, phishing saw more changes in implementation. The "love bug of 2000" is an example of this. Potential victims were sent an email with a message saying "ILOVEYOU," pointing to an attached letter. That attachment held a worm that would overwrite files on the victim's computer and copy itself to the user's contact list.
Also in the early 2000s, phishers began to register phishing websites. A phishing website is a domain similar in name and appearance to an official website, made to fool someone into believing it is legitimate.
Today, phishing schemes have become more varied and potentially more dangerous than before. With the integration of social media and login methods such as "login with Facebook," an attacker could potentially commit several data breaches against an individual using one phished password, exposing them to ransomware attacks in the process. More modern technologies are also being used. As an example, the CEO of an energy firm in the U.K. thought they were speaking on the phone with their boss, who was telling them to send funds to a specific supplier; it was really a phishing scheme that used AI to mimic the voice of the chief executive of the firm's parent company. It is unclear whether the attackers used bots to react to the victim's questions. If the phisher used a bot to automate the attack, it would make it more difficult for law enforcement to investigate.
What Is Phishing
Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, phishing often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.
How phishing works
Phishing attacks typically rely on social networking techniques applied to email or other electronic communication methods. Some methods include direct messages sent over social networks and SMS text messages. Phishers can use public sources of information, typically social networks like LinkedIn, Facebook and Twitter, to gather background information about the victim's personal and work history, interests and activities. These sources are normally used to uncover information such as names, job titles and email addresses of potential victims. This information can then be used to craft a believable email.
Typically, a victim receives a message that appears to have been sent by a known contact or organization. The attack is then carried out either through a malicious file attachment, or through links connecting to malicious websites. In either case, the objective is to install malware on the user's device or direct the victim to a fake website. Fake websites are set up to trick victims into divulging personal and financial information, such as passwords, account IDs or credit card details.
Although many phishing emails are poorly written and clearly fake, cybercriminal groups increasingly use the same techniques professional marketers use to identify the most effective types of messages.
The 7 most common types of phishing attack
1. Email phishing
2. Spear phishing
3. Whaling
4. Smishing and vishing
5. Angler phishing
6. Vishing
7. SmiShing
___________________________________________________________________
1. Email phishing
Most phishing attacks are sent by email. The crook registers a fake domain that mimics a genuine organisation and sends out thousands of generic requests.
The fake domain often involves character substitution, like using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’.
Alternatively, they might use the organisation’s name in the local part of the email address (such as paypal@domainregistrar.com) in the hope that the sender’s name will simply appear as ‘PayPal’ in the recipient’s inbox.
There are many ways to spot a phishing email, but as a general rule, you should always check the email address of a message that asks you to click a link or download an attachment.
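The two sender tricks described above, the ‘rn’-for-‘m’ substitution and a brand name in the local part, can be checked mechanically at the mail gateway. The following is an added example, not code from the original post; the protected-domain list, the confusable pairs and the "last two labels" approximation of the registered domain are all assumptions made for the example.

```python
import re

# Constructed list of domains this organisation wants to protect.
PROTECTED_DOMAINS = {"paypal.com", "microsoft.com", "amazon.com"}

# Character sequences that read alike in common fonts: the 'rn' for 'm'
# trick from the text, plus a few other common substitutions (assumed list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s]+)$")


def registered_domain(domain: str) -> str:
    """Return the last two labels, e.g. mail.paypal.com -> paypal.com."""
    return ".".join(domain.lower().split(".")[-2:])


def fold_confusables(domain: str) -> str:
    """Replace look-alike sequences with the letters they imitate."""
    folded = domain.lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def assess_sender(address: str) -> dict:
    """Classify a From: address as genuine, suspicious (with reasons) or unrelated."""
    match = EMAIL_RE.match(address.strip())
    if not match:
        return {"verdict": "malformed", "reasons": ["not a user@domain.tld address"]}
    local, domain = match.group(1).lower(), match.group(2).lower()
    reg = registered_domain(domain)
    if reg in PROTECTED_DOMAINS:
        return {"verdict": "genuine", "reasons": []}

    reasons = []
    folded = registered_domain(fold_confusables(domain))
    if folded in PROTECTED_DOMAINS:
        reasons.append(f"confusable characters: {reg} imitates {folded}")
    for brand in sorted(PROTECTED_DOMAINS):
        name = brand.split(".")[0]
        if name in local:
            reasons.append(f"brand '{name}' in local part, but domain is {reg}")
        if name in domain:
            # paypal.com.example.net or paypal-secure.net: brand used as a label
            reasons.append(f"brand '{name}' inside look-alike domain {domain}")
    verdict = "suspicious" if reasons else "unrelated"
    return {"verdict": verdict, "reasons": reasons}
```

The check only looks at the address; a genuine verdict still says nothing about whether the message was actually sent by that domain, which is what DKIM and DMARC establish.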
2. Spear phishing
There are two other, more sophisticated, types of phishing involving email. The first, spear phishing, describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the following information about the victim:
# Their name;
# Place of employment;
# Job title;
# Email address; and
# Specific information about their job role.
One of the most famous data breaches in recent history, the hacking of the Democratic National Committee, was done with the help of spear phishing.
The first attack sent emails containing malicious attachments to more than 1,000 email addresses. Its success led to another campaign that tricked members of the committee into sharing their passwords.
3. Whaling
Whaling attacks are even more targeted, taking aim at senior executives. Although the end goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler. Tricks such as fake links and malicious URLs aren’t useful in this instance, as criminals are attempting to imitate senior staff.
Scams involving bogus tax returns are an increasingly common variety of whaling. Tax forms are highly valued by criminals as they contain a host of useful information: names, addresses, Social Security numbers and bank account information.
4. Smishing and vishing
With both smishing and vishing, telephones replace emails as the method of communication. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation. A common vishing scam involves a criminal posing as a fraud investigator (either from the card company or the bank) telling the victim that their account has been breached.
The criminal will then ask the victim to provide payment card details to verify their identity or to transfer money into a ‘secure’ account – by which they mean the criminal’s account.
5. Angler phishing
A relatively new attack vector, social media offers a number of ways for criminals to trick people. Fake URLs; cloned websites, posts, and tweets; and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware.
Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks. In 2016, thousands of Facebook users received messages telling them they’d been mentioned in a post. The message had been initiated by criminals and unleashed a two-stage attack. The first stage downloaded a Trojan containing a malicious Chrome browser extension on to the user’s computer. When the user next logged in to Facebook using the compromised browser, the criminal was able to hijack the user’s account. They were able to change privacy settings, steal data and spread the infection through the victim’s Facebook friends.
6. Vishing
VoIP (Voice) + Phishing = Vishing. The phishing attacks described so far were made by sending emails; when attacks are carried out by targeting mobile numbers instead, this is called vishing, or voice phishing.
In vishing attacks, the fraudsters call the victim's mobile and ask for personal information while posing as a trustworthy identity. For example, they may pretend to be a bank employee in order to extract bank account numbers, ATM numbers or passwords; once you have handed over that information, it is like giving these thieves access to your accounts and finances.
7. SmiShing
SMS + Phishing = SmiShing. Just like vishing, SmiShing attacks are carried out over mobiles. Here the attacker sends an SMS message to the target, prompting them to open a link or an SMS alert. Once they open the fake message or alert, the virus or malware is instantly downloaded to the mobile. In this way, the attacker can obtain all the desired information stored on your mobile, useful for stealing your money.
How to prevent phishing
To help prevent phishing messages from reaching end users, experts recommend layering security controls, including:
* antivirus software;
* both desktop and network firewalls;
* antispyware software;
* antiphishing toolbar (installed in web browsers);
* gateway email filter;
* web security gateway;
* a spam filter; and
* phishing filters from vendors such as Microsoft.
Enterprise mail servers should make use of at least one email authentication standard in order to confirm inbound emails are verifiable. This can include the DomainKeys Identified Mail (DKIM) protocol, which enables users to block all messages except those that have been cryptographically signed. The Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol is another example. DMARC provides a framework for using protocols to block unsolicited emails more effectively.
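How a DMARC record turns DKIM and SPF results into an accept-or-block decision, as an added example that is not part of the original post. The two DMARC records are constructed for the example, and the organisational domain is approximated as the last two labels of a name; a real receiver would use the public suffix list.

```python
# Constructed DMARC records of the kind published in the TXT record at _dmarc.<domain>.
RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    "strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:reports@strict.example",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        tag, _, value = part.strip().partition("=")
        if tag:
            tags[tag.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, approximated here as the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str, dkim_domain, spf_domain) -> str:
    """'pass' if an aligned DKIM signature or SPF result vouches for the From: domain,
    else the owner's requested action. dkim_domain/spf_domain: passing domain or None."""
    tags = parse_dmarc(record)
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    return "pass" if (dkim_ok or spf_ok) else tags.get("p", "none")


def weak_settings(record: str) -> list:
    """Settings that still let spoofed mail reach inboxes."""
    tags, findings = parse_dmarc(record), []
    if tags.get("p", "none") == "none":
        findings.append("p=none only reports spoofing, it blocks nothing")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100 applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua address, so no aggregate reports are received")
    return findings
```

A spoofed message with no valid signature is delivered normally under p=none and refused under p=reject, which is why the monitoring-only policy is the weak setting to move away from.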
There are several resources on the internet that provide help to combat phishing. The Anti-Phishing Working Group Inc. and the federal government's OnGuardOnline.gov website both provide advice on how to spot, avoid and report phishing attacks. Interactive security awareness training aids, such as Wombat Security Technologies' PhishMe, can help teach employees how to avoid phishing traps. In addition, sites like FraudWatch International and MillerSmiles publish the latest phishing email subject lines that are circulating the internet.
--------------------Thank You For Giving Your Time------------------