Phishing — What you need to know

turkishcoffee
5 min read · Nov 6, 2022


thanks to Bizarro for the meme!
  1. What’s phishing?
  2. What’s a malware?
  3. Hold on, what's cybersecurity btw?
  4. Stats about phishing
  5. What’s social engineering?
  6. What’s OSINT?
  7. How phishing is done
  8. Main phishing techniques
  9. Psychology behind phishing
  10. How to prevent phishing — for users
  11. How to prevent phishing — for sysadmins

1. What’s phishing?

Phishing is a technique attackers use to get into people's computers and accounts. That's the simplest definition of phishing. Why do attackers do that? Phishing is used mainly for three reasons: exfiltrating data, stealing credentials and planting malware.

2. What’s a malware?

Hold up, what's this malware thing? Most people know malware as "viruses" or "computer viruses". Actually a virus is just one type of malware. Let me explain. Malware is a word composed of two concepts: malicious + software. Without getting too much into detail, a piece of malware is just a program designed for a very specific purpose.. with malicious intent, of course! But from a technical perspective it's just a computer program. There are dozens of different types of malware and the field keeps evolving. I'd say the grandpa of all malware was a program called "Creeper", written back in 1971! Wow, time flies!

3. Hold on, what's cybersecurity btw?!

What's cybersecurity? IBM defines it as follows:

“Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks. Also known as information technology (IT) security, cybersecurity measures are designed to combat threats against networked systems and applications, whether those threats originate from inside or outside of an organization.”

I fancy this part, "protecting critical systems and sensitive information from digital attacks": it explains the idea in really simple terms.

To give you a number about cybersecurity: the global cybersecurity market was valued at USD 140 billion in 2021 and it's expected to reach USD 400 billion by 2030.

One last figure, jaw-dropping tbh, is the damage cybercrime causes every year. In 2021 it was estimated at USD 6 trillion, which is reportedly more than all the illegal drug markets combined. Astonishing.

4. Stats about phishing

  • 80% of cybersecurity breaches involve a social engineering component, and there phishing is king
  • An employee receives between 14 and 49 phishing emails per year
  • The average cost of a data breach is $4.3 M
  • It takes 287 days on average to identify and contain a data breach

Consequences of phishing attacks:

  • 60% of organizations lost data
  • 52% of organizations had credentials or accounts compromised
  • 47% of organizations were infected with ransomware
  • 29% of organizations were infected with malware
  • 18% of organizations experienced financial losses

That's pretty scary, isn't it?!

5. What’s Social Engineering?

Social engineering is a practice attackers use to get sensitive information out of people, or to make them do things they are not supposed to do. Most of the time the victim doesn't even notice.

So, as you can imagine, attackers use this practice to exploit human weaknesses (helpfulness, fear, curiosity) to get information, access and more.

6. What’s OSINT?

OSINT stands for Open Source Intelligence. Basically it's the reconnaissance phase of a pentest or a phishing campaign, where attackers gather information about their target before sending anything: who works there, which roles and email formats exist, which suppliers and software the company uses. OSINT is done using publicly available information such as social media, company websites and the Internet in general.

7. How phishing is done

Attackers use several tools for phishing, but for sure the best known and most reliable open-source one is called Gophish: a framework that lets you build email templates and landing pages, send a campaign to a list of targets and track who opened, clicked and submitted credentials. Defenders use the very same tool to run the awareness campaigns described later in this post.

8. Main phishing techniques

  • Phishing: bulk email sent to a large number of people, usually with a malicious link or malware hidden in an attachment. The email looks legit but is not very well tailored to the recipient.
  • Spear phishing: email designed to reach a very specific group of people in a company, let's say the sales department for instance.
  • Whaling: email crafted for top managers, also known as C-level executives.
  • Vishing: phishing done over the phone, where a social engineer calls the victim and tries to get information, to make them send data, or simply to click on a link they are about to send.
  • Smishing: phishing over mobile phones using SMS text messages.

9. Psychology behind phishing

Why is phishing so effective? Because attackers leverage psychology principles to craft their attacks. Here they are:

  • Authority: it's hard to say no to top managers..
  • Intimidation: attackers push victims into doing something they are not supposed to do by threatening that, if they don't, the organization may lose money or a C-level executive may get angry.
  • Consensus: attackers create fake stories to make victims think others agree on something or have already done a given action, so "why can't I do the same?"
  • Scarcity: a principle often used in sales as well.. We are encouraged to take action when we think something is available in limited quantity.
  • Urgency: used in sales too! Time is limited, so we must do it.. now!
  • Familiarity: if you like me, you will likely do what I ask you to do.
  • Trust: building trust is another way attackers persuade victims.

10. How to prevent phishing — for users

The first thing is training employees! Cybersecurity awareness trainings are really recommended, possibly followed by tests and simulated phishing campaigns to gauge how much was learnt and retained by the workforce.

In general, employees should be skeptical about:

  • Emails or calls asking for sensitive information or money
  • Any sense of authority, intimidation, consensus, scarcity, urgency, familiarity or trust being pushed on them
  • The sender: always review the actual email address the message was sent from, not just the display name. Be really cautious here: a technique called typosquatting makes small changes to a domain (a swapped letter, a digit instead of a letter, an extra word) so that the victim thinks it's legit, and boom, party is over.
  • Links and attachments: why would a supplier send you a link or a PDF? Is that common practice? Do you have doubts? You think it's legit? Just call them on a known number before opening or clicking!

11. How to prevent phishing — for sysadmins

  • Design and implement a strong password policy
  • Implement MFA, preferring phishing-resistant methods (FIDO2/WebAuthn security keys or platform authenticators) and avoiding SMS codes: SMS is not end-to-end encrypted, can be intercepted (SIM swapping, SS7) and is easily relayed by a real-time phishing page
  • Roll out a password manager: it autofills only on the real domain, so it silently refuses to fill credentials on a lookalike site
  • Deploy an email security gateway / anti-phishing solution (like Proofpoint), anti-malware on endpoints and a WAF in front of your own web applications
  • Add an "[EXTERNAL SENDER]" banner to the subject or body when the email comes from outside the organization
  • Design and implement a policy recommending that employees do not post company information online, such as software in use, pictures of the offices, company email formats, details about projects they are working on or troubles with vendors or applications they use
  • Be skeptical about partners' and suppliers' security posture: a compromised supplier mailbox is a perfect phishing launchpad, so always be extremely careful
  • Segment the network into subnets, disable unused services, software and ports, patch and update constantly, limit Wi-Fi reach outside the offices (wardriving comes into play..)
  • Disable Office macros, at least for documents downloaded from the Internet
  • Detonate attachments in a sandbox before delivery
  • Have you disabled the LAN socket in the lounge room?..
  • Possibly hire a SOC, and schedule pentests and red team activity periodically.
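A worked example of the sender and attachment checks from sections 10 and 11, added here and not part of the original post: it parses a few constructed messages, flags external senders, lookalike (typosquatted) sender domains and macro-enabled or executable attachments, and prepends the "[EXTERNAL SENDER]" banner to the subject. The organization and partner domains, the confusable-character table, the extension list and the sample messages are assumptions for illustration; a real mail gateway would use far longer lists and SPF/DKIM/DMARC results as well.

```python
"""Added example (not from the original post): triage inbound mail for the
phishing signals the post lists - external sender, lookalike sender domain,
display-name spoofing and risky attachments - and tag the subject."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions: the organization's own domain(s) and the external domains it trusts.
ORG_DOMAINS = {"example.com"}
TRUSTED_DOMAINS = ORG_DOMAINS | {"acme-supplier.com", "paypal.com"}
# Extensions that execute code or carry macros (illustrative subset).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm", ".pptm"}
# Character swaps attackers use to build lookalike domains (illustrative subset).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain):
    """Fold homoglyph substitutions so 'acme-supp1ier.com' reads as 'acme-supplier.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos like 'paypa.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is not a lookalike."""
    raw = domain.lower()
    if raw in TRUSTED_DOMAINS:
        return None
    folded = normalize(raw)
    labels = set(raw.replace("-", ".").split("."))
    for trusted in TRUSTED_DOMAINS:
        brand_parts = set(trusted.split(".")[0].split("-"))
        if folded == trusted:                    # homoglyph swap only
            return trusted
        if edit_distance(folded, trusted) == 1:  # one typo away
            return trusted
        if brand_parts <= labels:                # brand reused as a label: paypal.com.login-verify.net
            return trusted
    return None


def risky_attachments(msg):
    """Names of attachments whose extension can execute code or carry macros."""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if any(n.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]


def triage(raw_message):
    """Parse one RFC 5322 message and return the phishing signals plus the tagged subject."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(msg["From"])
    domain = address.rpartition("@")[2].lower()
    external = domain not in ORG_DOMAINS
    subject = msg["Subject"] or ""
    if external and not subject.startswith("[EXTERNAL SENDER]"):
        subject = "[EXTERNAL SENDER] " + subject
    # Display name claims a trusted brand while the address lives somewhere else.
    brands = [t.split(".")[0] for t in TRUSTED_DOMAINS]
    name_spoof = domain not in TRUSTED_DOMAINS and any(b in display_name.lower() for b in brands)
    return {
        "from": address,
        "external": external,
        "lookalike_of": lookalike_of(domain),
        "display_name_spoof": name_spoof,
        "risky_attachments": risky_attachments(msg),
        "subject": subject,
    }


def build_sample(sender, subject, attachment=None):
    """Constructed sample message (test data, not a captured phish)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "alice@example.com"
    msg["Subject"] = subject
    msg.set_content("Please review the attached document today.")
    if attachment:
        msg.add_attachment(b"\x00placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


SAMPLES = {
    "internal": build_sample("Bob <bob@example.com>", "Q4 budget"),
    "typosquat": build_sample("Acme Billing <invoices@acme-supp1ier.com>", "Overdue invoice", "invoice.docm"),
    "subdomain_trick": build_sample("PayPal <service@paypal.com.login-verify.net>", "Verify your account"),
    "name_spoof": build_sample('"IT Helpdesk example.com" <helpdesk@mail-support.net>', "Password expiry"),
    "legit_external": build_sample("Vendor News <news@vendor-news.org>", "October newsletter", "brochure.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

Note that the "legit_external" sample still gets the banner: the banner is a reminder, not a verdict, and the real signals are the lookalike domain, the spoofed display name and the risky attachment, which are what a gateway should quarantine or alert on.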

Hope you found this useful, wish you a good day and see you soon!
