Phishing – CompTIA Security+ SY0-401: 3.2

The bad guys know that the easiest way to steal your information is to have you type it in for them yourself. In this video, you’ll learn how phishing happens and things you can do to protect against phishing and spear phishing.



Phishing is a very specific kind of social engineering that takes advantage of misdirection. It makes it appear that we are logging into our PayPal account, that we’re logging into our bank account, that we’re logging into our email account. But, in reality, we’re logging into a page that has nothing to do with PayPal. It has nothing to do with our bank. And it has nothing to do with our email.

You’ll usually get a message in your email that says, we’ve detected some unusual things happening on your PayPal account. You should log in right now. Click this link. And let’s make sure you’re adding in information and confirming that the information in your account is correct. But the reality is, when you click that link, you’re actually brought to a page that looks exactly like PayPal, but it’s on another site. I blurred it out, so you would not see what the site is. But you can see this is definitely not a PayPal.com address. It does have the words PayPal.com in it, though.

So if you aren’t familiar with this, you might be taken aback a little bit, initially, seeing this message pop up and warning you. And you may want to go right to this site and log in. It says PayPal right there. So let’s go log in and make sure everything is OK with our account. But don’t be fooled by this. Usually the URL is going to tell you that this is definitely not PayPal. You should look for that PayPal.com, or whatever your website.com is, as the actual site name in the address.

In fact, what you should do is never click a link inside of an email, never click a link inside of an instant message. If you get a message that says, we think there’s a problem with your account, open up a browser window, type the name of your bank into that browser window, and go there directly. That way you can be sure you are going to the right site.

In fact, with this particular site, you’ll notice that this looks very similar to PayPal. Everything is almost exactly the way it should be. But notice there is usually something that is a little bit off. You may find that certain images don’t load. Or you may find that there’s a misspelling on the page. For some reason, that’s very, very common: to find misspellings in the email that’s sent to you and to find misspellings in the page. This one does not have any misspellings, I don’t think. This one is very, very well done. It looks just like PayPal.

More and more, though, this is done over the phone. People will call you and say, we understand there’s a problem in your account. We’ve been looking at your purchases and your credit card. We think there are problems with that. Let’s confirm this. Can you give me your credit card number? Thank you very much. Now, can you give me the last four digits of your social security number? Why, thank you so much. Now, tell me more about your family life and what your mother’s maiden name might be.

So the vishers, we call them, which is phishing over voice, over the phone, have gotten very, very good at the social engineering aspect. And we trust the phone a lot more than we trust what’s on the web sometimes. But don’t be fooled. These people are really out to get your personal information.

Here’s the same PayPal page, blown up, so you can really see it. And, boy, it looks really legitimate. It looks exactly like my PayPal site. There’s nothing about this that would make me think that this is unusual, except for the URL that’s up here. And that’s really the thing you should be looking at to determine, is this really a legitimate site? Or is this something that’s trying to fool me into typing my information in? And that’s the reason you’d never click a link in an email and never click a link in instant messaging, even if it is a legitimate message from PayPal. I don’t click those links. I make sure I go directly to the site, by opening my browser and typing PayPal.com right here at the top.
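The URL check described above (does the address really end in PayPal.com, or does the name just appear somewhere inside a different site’s address?) can be automated for the links inside a suspicious email. The following Python is an added example, not code from the video or from CompTIA; it uses only the standard library. The sample email HTML and the `.example` host names in it are constructed for illustration, and the domain rule is a deliberate simplification (it treats the last two labels of a host name as the site, so two-label public suffixes such as co.uk would need a real public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the part of a host name that identifies the site.

    Simplification (assumption): the last two labels are the site, so
    'www.paypal.com' -> 'paypal.com' and
    'paypal.com.account-verify.example' -> 'account-verify.example'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_matches_site(url: str, expected_domain: str) -> bool:
    """True only if the link's actual host belongs to expected_domain.

    urlsplit().hostname strips any user@ prefix and :port, so tricks like
    'https://paypal.com@evil.example/' resolve to 'evil.example'. A brand
    name in the path or in a subdomain does not count; only the site does.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    return registrable_domain(host) == expected_domain.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, expected_domain: str) -> list:
    """Return (href, visible_text, reason) for links that do not go to
    expected_domain. A link whose visible text names the brand while the
    real destination is elsewhere gets a more specific reason."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    flagged = []
    for href, text in collector.links:
        if link_matches_site(href, expected_domain):
            continue
        if expected_domain.lower() in text.lower():
            reason = "visible text shows %s but link host differs" % expected_domain
        else:
            reason = "link host is not %s" % expected_domain
        flagged.append((href, text, reason))
    return flagged


# Constructed sample message in the style the video describes; the hosts
# under .example are placeholders, not real phishing infrastructure.
SAMPLE_EMAIL_HTML = """
<p>We've detected some unusual activity on your PayPal account.</p>
<p>Please <a href="http://paypal.com.account-verify.example/login">log in
right now</a> to confirm your information.</p>
<p>Or visit <a href="https://www.paypal.com.evil.example/">www.paypal.com</a></p>
<p>Need help? <a href="https://www.paypal.com/help">Help Center</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML, "paypal.com"):
        print("%-50s %-20s %s" % (href, repr(text), reason))
```

The point the example makes is the one the video makes: the visible text and the presence of the brand name anywhere in the address prove nothing; only the host that the browser will actually connect to matters, and that is what `link_matches_site` checks.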

Traditional phishing just throws a net out there and tries to catch whatever it can. Sometimes you’re catching a big fish, but more often than not, you’re pulling up the tiny little fishes. You’re pulling up an old tire or a rusty can. And if somebody were to get my PayPal information, they would find this wasn’t really worth their time.

So what the bad guys are doing is something called spear phishing. They’re going after the really big targets. They’re really focusing their efforts on getting a particular kind of information, particular logins to financial sites, or something that really, really interests them. And by doing this and gathering a little bit of background information first, they can make their emails more believable. They can add real-world details to them, add friends’ names to the list, and make you think that this really came from a friend and, therefore, you should trust it.

If you were to spear phish the CEO, you’d call that whaling. You’re going after a really big fish and trying to get something good out of that. Some examples of this: in April 2011, there was a company named Epsilon. They handle email, sending out a lot of email for third parties. They had fewer than 3,000 email addresses directly attacked inside of their organization. So somebody knew the internal email addresses for Epsilon and started sending a bunch of emails internally. They really hit 100% of the operations staff. Because they knew if they got access to the operations logins, they would have access to the entire database of email addresses and, in fact, they absolutely did. And they were able to get millions of email addresses.

Now, initially, you think, big deal, they’ve got millions of email addresses. But, the reality is, they’re now going to use those to send additional phishing attacks and try to get additional information from there. They sent a message to a particular group of people that had them click a link, and that link downloaded an anti-virus disabler. It loaded a key logger. It loaded a back door that put a remote administration tool on the machine. And then they started gathering a lot more information.

It seemed like a legitimate login page. They logged in and, ultimately, they were infected. But what if it isn’t email addresses that are the target? Also in April 2011, Oak Ridge National Laboratory was hit with a phishing attack, a spear phishing attack. It was an email that was sent, and the From address appeared to come from the Human Resources Department. Boy, if I saw an email from the Human Resources Department, I’d want to open that up. And it said, you need to log into your HR account. You need to make sure that your benefits, or something of that sort, were available. You can send all kinds of interesting things in an email from the HR department. It targeted only 530 employees. And there were 57 people that clicked on the link. There’s probably another story here about why all of those other people didn’t read the emails from the HR department or didn’t feel that they needed to click; maybe they were trained very well not to click links inside of their email. But 57 people did.

And, of those 57 people, two had machines that were not updated with malware protection. They were infected. They went to the site. They logged in and immediately were infected. Data was downloaded. Servers were infected with malware from there. This was a big problem, because the Oak Ridge National Laboratory performs research on nuclear testing and other types of research for the federal government. So once you get those two machines infected inside that organization, the malware can start hopping around and doing other things, because the security on the inside of the network, generally, is much more open than the security from the outside.

So you get that malware inside the organization and, in this particular case, information was stolen. This becomes a big issue for organizations that want to be sure none of their internal information gets out. And, from the point of view of a spear phisher, they’re going to focus on those particular users and make it very, very believable, in the hope that they can get inside and get those machines infected. And now they have access to a lot more information.