Phishing: Click With Caution

“There was no such thing as a fair fight. All vulnerabilities must be exploited.” -Cary Caffrey

With cyber attacks increasing all over the globe, reports and statistics state that more than 60 percent of all attacks had the “human factor” as either the crux of or a major piece of the attack. Analysis of hacking attacks has also concluded that “Social Engineering” is involved in a large majority of them.
Social Engineering is the art of tricking, influencing or manipulating people to get confidential information. The information these attackers are seeking can vary, and so can the types of attack they use it for.
So attackers are using Social Engineering tactics, and from the stats above we can understand that for them it is now much easier to hack the human mind (by influencing or manipulating it) than to hack passwords (unless they are really weak).


Phishing is one of the most common tactics attackers use for social engineering attacks. With that being said, let’s understand what it really is.
According to the recent Email Statistics report by the Radicati Group, an average of 306.4 billion emails are sent/received per day, which equates to nearly 112 trillion emails per year. Now try to swallow this: about 85 percent of emails are spam, according to the Cisco Talos intelligence group for May 2020.
Phishing is defined as the practice of sending e-mails that appear to be from reputable sources with the goal of influencing the recipient or gaining personal information. We can also say that phishing involves sneaky e-mails from bad people.
A phishing e-mail could contain a link that leads to a malicious credential-harvesting site intended to steal passwords, usernames, account data, and more. The e-mail could also carry an attachment that loads malicious software onto your computer.

“We learn more by example than by words”. So here are a few.

(Figures: example phishing e-mails. Source: Google Images)

Furthermore, spear phishing is a very targeted form of this activity. Phishers are smart: they gather relevant information about the target and then craft messages that match the target’s interests, so the probability of the target clicking the link increases. After gaining access to one legitimate computer, phishers can send malicious emails to all of its contacts. Suppose my friend Ashish’s computer gets compromised and the phisher sends an email containing a malicious link with the caption “check out the latest funny memes”. There is then a greater chance of me clicking the link, which makes things easier for the attacker. Because of this, spear phishing is hard to detect and even harder to defend against.

Some probable targets are the employees of a company. Attackers use phishing to try to get an employee’s login information, which can get the attacker into the company network. This could lead to big threats to the organization. The attackers’ motive can be personal or political, but many times organizations have paid the price in the form of money, business or even reputation.
For example, phishing emails led to the hack of the “Associated Press” Twitter account.

(Figure: Hacked AP tweet)

Another company breach involved Coca-Cola in 2011. This case originated as a very targeted spear phish directed at Coca-Cola executives with the subject line “Save power is save money! (from CEO).” At the time of the attack the company was promoting an energy-saving campaign. (The attackers really had done their homework.) The executive opened the e-mail and clicked the link, which was supposed to lead to more information about the energy program. Instead, he ended up loading a bunch of malware, including a key logger that tracked everything he typed in the weeks to come. It was this leak of critical information that thwarted Coca-Cola’s attempt to purchase a Chinese soft drink company.

Now, to protect ourselves and get trained, we must first understand the psychology the attackers rely on and how it shapes our decision-making process: the decision either to click on the malicious link or to report it. Attackers can really short-circuit our logic if they somehow create a strong emotion in us. The only challenge for them is to create a compelling message. The phish examples shown above make deliberate use of emotions or of the target’s interests.
Emotion-based phish can appeal to a sense of greed, a sense of fear, curiosity or even sympathy.

“You have won a lottery prize worth $5M, just register yourself to get the amount” - Appealing to the sense of greed.
“We have found that you are suffering from cancer, please open the attachment for your detailed test report” - Appealing to the sense of fear.
“Single women from Russia waiting for you, check out her profile link” - Appealing to the sense of desire.
“More than 5000 coronavirus patients in your location don’t have enough money to get proper treatment. Please donate and help them.” - Appealing to the sense of sympathy.

Attackers present these examples in such a way that they appear legitimate. Such emotion-based phish affect our decision making, as emotion takes over logic.

So what should we do to protect ourselves and our organization? Critical Thinking.
It’s a process of teaching yourself not to accept everything at face value. Do not accept that an e-mail is the real deal just because you are too busy to take time to evaluate it, because you are too stressed to spare a moment of thought for it, or because you have 150 other unread messages in your box. Stop for a minute and think about the e-mail. That may sound like a time-consuming task, but it doesn’t take much time to ask yourself these few questions:

■ Does the e-mail come from someone I know?
■ Was I expecting this e-mail?
■ Are the requests being asked of me reasonable?
■ Does this e-mail employ the emotional content of fear, greed, or curiosity, or, most important, does it try to get me to take an action?

Hovering over a link can also tell us whether it goes to the source it pretends to be or to a malicious website. In the Amazon example (figure above), we can see on hovering that the link does not point to the actual Amazon website.

What if you have already clicked the link and then realize it’s dangerous?
If you are working in an organization, immediately report it to the IT department or security department.
But if you’re not part of a company, think about what was asked of you when you clicked the link. Some sort of credentials, account information, login details? Or were you asked to download or install a program?
If the site asked for an account and you entered your username and password, then you need to take some quick action. Change your username and password for all accounts that use that same username and password.
If the site asked you to download and install a program, then it might be some sort of Trojan or virus. You need to back up your computer data and clean up your computer.

Also, to protect against phishers we need to pay more attention to URLs and e-mail headers.

Hence, anytime you feel fear, anger, desire, or strong curiosity when reading an e-mail, take 30 seconds to pause. Then think through the steps you know you should take to verify whether the e-mail is real before you click, before you reply, before you take any action. Just spending some extra seconds on critical thinking can make your ability to detect phishing e-mails 100 times better. Bad guys know that if they can trigger your emotions, they can get you to take an “action that is not in your best interests,” and that is the key to social engineering.

Stay Safe. Stay Secure.

Cybersecurity Enthusiast