Phishing is an e-mail fraud scheme in which phishers send out thousands of legitimate-looking e-mails in an attempt to gather personal and financial information from recipients. Fraudulent e-mails usually carry notifications about urgent validation of a bank account, a suspended e-mail account, an unknown device trying to log in to the victim's account, too many failed login attempts, and other "scary marketing" tricks used to lure the recipient into visiting the phisher's website and "updating" a password, credit card details, e-mail login, PayPal or bank details, and other confidential personal information.
Phishing websites are copied, bogus versions of the original websites, and their main purpose is to capture everything a victim types into them. In most cases, logs with the sensitive data are sent directly to the phisher's e-mail account. Phishers use the collected data for financial gain, identity theft, spam, and social engineering to obtain more victims (through the first victim's e-mail contacts and/or social media accounts). The most popular targets for phishing websites are banks and other financial institutions (Chase, Bank of America, Barclays, Wells Fargo, PayPal), e-mail providers (Hotmail/Live, Yahoo, Gmail), cloud services (Google Docs, Dropbox, iCloud), online shopping websites (eBay, Amazon) and popular social media websites (Facebook, Twitter). Phishing websites usually look legitimate and trustworthy, good enough to trick the victims, but in many cases the sites are obviously fake, with an old or broken design, misspellings and badly written text.
Spear phishing is similar to "regular" phishing but done on a smaller scale, targeting a specific business or organization. In general, these attacks are professionally executed and organized around a specific goal, for example gaining access to company trade secrets, military information or product prototypes, or establishing permanent access to company assets. A well-planned spear phishing campaign involves gaining access to company e-mail accounts, from which e-mails are then sent to other employees and business contacts. If the account belongs to an executive or some other authority in the company, even better for the attacker. The human factor is the weakest link in security: when the CEO sends an e-mail with a link or attachment, more people will click. An e-mail received from the CEO is trusted more and raises less suspicion when it asks for sensitive data or for a task to be carried out. E-mails can be spoofed, too.
A recent example of spear phishing: http://www.scmagazine.com/joint-staffs-unclassified-emails-hacked/article/431251
In short: Russian hackers allegedly accessed the Pentagon's Joint Staff unclassified email system, which led the agency to take the service offline for nearly two weeks.
Here is a short video that covers the basics of a spear phishing attack.
Whaling is a type of fraud that targets high-profile, important persons: VIPs, celebrities, corporate executives, directors, politicians and other "big fish". A whaling scheme is highly customized and sophisticated; the e-mails are advanced and personalized down to the finest details, with the victim's job title, name and personal details collected from other company e-mails, social engineering, phone calls to close associates, and other sources. A whaling scheme is not easy to detect, because the phishers do everything to keep the attack under the radar, focusing exclusively on important persons, managers and executives where the financial gain is much bigger.
A recent example of whaling: https://www.hackread.com/bbb-malware-dropbox-phishing-email/
In short: Kathleen Calligan, the CEO of the BBB, has spent a huge chunk of her entire career trying to educate consumers about the importance of internet safety, but she found out on Thursday that her email account had been hacked and several emails with a malware attachment were sent as a result of this hacking. Calligan received an email that happened to be sent by one of her friends with some Dropbox attachment a few days back. However, she soon realized that it was someone who happens to be a scam expert sending out these emails, not her friend.
Here you can find many examples of phishing, spear phishing and whaling e-mails. Many of them are sent with malicious attachments, mostly documents with hidden macro scripts, trojan downloaders and banking trojans.
Less known but still very dangerous types of scam created to take over user data are vishing and SMiShing.
Voice Phishing (Vishing)
Voice phishing, also known as "vishing", is an increasingly popular telephone scam designed to obtain your personal information for illegal ends. Vishing is very similar to "phishing", but instead of occurring through e-mail it happens over the phone. In these scams, fraudsters pose as a trusted bank or company and obtain personal information from a victim by requesting that they "verify" the information on file. Vishing requires the potential victim to respond by phone to either an e-mail or a telephone message. The information is then used to generate fraudulent transactions.
SMiShing (Phishing over SMS)
SMiShing requires the potential victim to respond by accessing a website or calling a particular telephone number, neither of which is legitimate. Attacks using SMiShing often indicate that the message came from the number "5000" instead of displaying an actual telephone number. Messages often claim the user has ordered something that they never ordered.
How can phishing attacks be so successful? One of the factors that can make or break a phishing attack is link structure. A good combination of sub-domains, a deceptive domain name, folder names and link parameters can be misleading enough to trick unsuspecting users.
A link like http://bankofamerica.com.user-confirmation.refermarvin.com/user/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin looks fairly valid, especially when the link gets "broken" across lines in the e-mail and only the first part (bankofamerica.com.user-confirmation) is visible. The domain the link actually leads to is refermarvin.com; everything in front of it is just a sub-domain chosen to look like the bank's address.
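As an added example (not part of the original post), here is a small Python checker that pulls the registrable domain out of a link like the one above and lists the reasons it looks deceptive. The brand list, the "last two labels" domain rule and the login-word list are simplifying assumptions made for this example.

```python
from urllib.parse import urlparse

# Brand names the checker knows about (constructed list for this example;
# plain substring matching, so e.g. "chase" would also match "purchase").
BRANDS = {"bankofamerica", "paypal", "chase", "wellsfargo", "barclays"}
# Labels that read like a top-level domain when they sit mid-hostname.
TLD_LIKE = {"com", "net", "org"}
# Words phishers put in the path or query to make the link feel like a login page.
LOGIN_WORDS = ("signin", "signon", "login", "verify", "confirm", "update")


def registrable_domain(host):
    """Last two labels of the host, e.g. 'refermarvin.com'. Simplification:
    multi-part public suffixes such as co.uk would need a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url):
    """Return the domain the browser will actually contact and the reasons
    the link looks deceptive (an empty list means nothing was flagged)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    reg = registrable_domain(host)
    owner = reg.split(".")[0]        # "refermarvin" for refermarvin.com
    tail = (parsed.path + "?" + parsed.query).lower()
    reasons = []
    # 1. A TLD-looking label before the real one: "bankofamerica.com." is only a subdomain.
    if any(label in TLD_LIKE for label in labels[:-1]):
        reasons.append(f"'.com.'-style label inside the hostname; the real domain is {reg}")
    # 2. A known brand appears in the hostname but does not own the registrable domain.
    seen = sorted(b for b in BRANDS if b in host)
    if seen and owner not in BRANDS:
        reasons.append(f"brand {seen} used in hostname of {reg}")
    # 3. Login wording in the part of the link people rarely read, on a non-brand domain.
    if owner not in BRANDS and any(w in tail for w in LOGIN_WORDS):
        reasons.append("login/verification wording in path or query")
    # 4. A page that asks for credentials but is served over plain http.
    if parsed.scheme != "https" and any(w in tail for w in LOGIN_WORDS):
        reasons.append("credential page over plain http")
    return {"registrable_domain": reg, "reasons": reasons}
```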
In many cases the phisher's social engineering skills are poor: the reassuring sentences are clumsy, the English is basic or even run through Google Translate, so messages like the following examples are a pretty good sign that something is wrong:
“Dear Bank of America Customer,
There are a number of invalid login attempts on your account. We had to believe that, there might be some security problems on your account. So we have decided to put an extra verification process to ensure your identity and your account security.
Because email is not a secure form of communication, please do not reply to this email.”
“If you recognize your SiteKey image, you’ll know for sure that you are at the valid Bank of America site. Confirming your SiteKey image is also how you’ll know that it’s safe to enter your Passcode.”
“We do not recognize the computer you are using. Please answer your SiteKey Challenge Question so that we can confirm your identity from this unrecognized computer.”
“To ensure that Your account is not a bot.. We require your FaceBook ID and Password..And dont worry it is checked in Hashes and Your Information is 100% secure”
“Dear Chase costumer ,
We determine that your card is not securised . For your protection, we’ve suspended your credit card. To lift the suspension, Click here and follow the instructions indicate to update your credit card. If you fail this procedure before 3 Days, we will be forced to suspend your card indefinitely, because of the risk which can contain.”
or misspellings, similar to these:
– Card Vericifation Code
– Payza Logiin | Send & Reeceive Paayments Onmline
– Banc of America Investment Services, Inc.
Yeah, totally legit. Whoever leaves their bank credentials believing this type of message should stick to cash payments. But hey, it's just my opinion.
Anyway, here are a few tips to prevent the most common issues with phishing and identity theft:
- Check e-mails and websites for grammatical, spelling and punctuation errors.
- Check the tone of the e-mail: urgency for some action related to giving usernames or passwords, changing credit card data, etc. A bank will never ask you to do that over e-mail.
- Never click on links in e-mails unless you're sure who sent the message. Always doubt, because the sender's e-mail account may be hacked or spoofed by another person. If possible, call the person who sent the e-mail and ask whether they really sent it. It's OK to be paranoid on the internet.
- Don't respond to any e-mails that ask for personal or financial information. E-mail isn't a secure way to send that information.
- Banks and websites that work with sensitive data use https://. Don't submit personal or financial information on a website unless the URL begins with https:// (the "s" stands for secure). And again, do not blindly click on links and trust websites even if the site has https://; for example, a quick setup on Cloudflare can add free https "protection" to any site, giving phishers one more "trust" element to trick potential victims.
- Even if an e-mail looks very convincing, contact customer service to confirm that it is really from them (bank, PayPal, etc.). Remember, they will never ask for your passwords in an e-mail.
- Keep your anti-virus software updated, and occasionally scan your PC with another security product (Malwarebytes, for example). Banking trojans are hard to detect with regular anti-virus products; they stay dormant and inactive until the victim types a credit card number and bank login details.
- Use a different password for each website and account. Use a minimum of 16 to 20 randomly mixed upper- and lower-case letters, numbers and symbols. You don't need to remember them; there are plenty of applications ready to keep your passwords safe and encrypted. That way, if someone hacks one website and gets your details, they don't know your passwords for other sites.
- Forward phishing messages to [email protected] and to the company impersonated in the e-mail.
- Never trust a file by its icon; always pay attention to the file extension of e-mail attachments and make sure Windows Explorer is set to show file extensions. You need to enable this in the folder options. If you don't know how, ask someone technical to do it for you. When extensions are hidden, you miss an obvious threat: a malicious file with a fake extension (that you see) and an actual extension (that you don't see, because the Windows default settings hide it). When you enable them, you might see extensions like .pdf.scr, .pdf.exe, .doc.scr, .zip.exe and similar.
- Even when the attachment extension looks legitimate, for example .pdf or .doc, be careful, because a malicious macro script, a hidden redirect to a malware site, etc. can be hidden inside.
- Do not save your passwords in browsers. Every trojan has the capability to steal your passwords from all browsers. If you really need to save them, use the Master Password option to lock down access to the passwords with one master password.
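To make the attachment tips above concrete, here is an added Python example (not from the original post) that classifies an attachment name by the extension Windows actually acts on, flags the double-extension trick (.pdf.scr and friends) and warns on formats that can carry macros or scripted content. The extension sets are constructed for this example and are not exhaustive.

```python
# Extensions Windows runs directly when double-clicked (constructed, not exhaustive).
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
              ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".lnk"}
# Extensions that look harmless to most users and are used as the "fake" one.
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".png", ".zip", ".rtf"}
# Office formats that can carry VBA macros (old binary formats and the *m variants).
MACRO_CAPABLE = {".doc", ".xls", ".ppt", ".dot", ".docm", ".xlsm", ".pptm", ".dotm", ".xlsb"}


def split_extensions(filename):
    """'Invoice.pdf.scr' -> ['.pdf', '.scr']; a name without a dot gives []."""
    parts = filename.lower().strip().split(".")
    return ["." + p.strip() for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(filename):
    """Return (verdict, findings) where verdict is 'block', 'warn' or 'ok'.
    real_ext is what Windows acts on; shown_ext is what a user sees when
    'hide extensions for known file types' is switched on."""
    exts = split_extensions(filename)
    real_ext = exts[-1] if exts else ""
    shown_ext = exts[-2] if len(exts) >= 2 else ""
    findings = []
    if real_ext in EXECUTABLE:
        findings.append(f"executable attachment ({real_ext})")
        if shown_ext in DOCUMENT_LIKE:
            findings.append(f"double extension: shows as {shown_ext} when extensions are hidden")
        return "block", findings
    if real_ext in MACRO_CAPABLE:
        findings.append(f"Office format that can contain macros ({real_ext})")
        return "warn", findings
    if real_ext == ".pdf":
        findings.append("PDF can carry links or scripted actions; open with care")
        return "warn", findings
    if real_ext == "":
        findings.append("no extension at all")
        return "warn", findings
    return "ok", findings
```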