Phishing – SY0-601 CompTIA Security+ : 1.1

One of the most prominent forms of social engineering is the phishing attack. In this video, you’ll learn about the methods used for phishing, pharming, and whaling attacks and how to protect yourself against phishing.

If I look into my spam folder right now, I bet I could find a number of emails that are pretending to be from my internet service provider, my cable company, my bank, and many places that are not who they say they are. This is called phishing. They’re trying to get me to click a link so they can gather some type of personal information from me. This is generally a bit of social engineering combined with spoofing. So the email is going to pretend to be from my email provider or my internet service provider, but when I click the link, it’s going to bring up a page that looks almost exactly like the one that I would receive if I was at my actual internet service provider’s website.

The one thing the attacker can’t do, though, is make the address bar show the actual URL of your internet service provider. Very often, just by looking at your browser’s address bar, you can see that this really did not come from the Rackspace website, because the URL will not show Rackspace.com at the top. And usually there’s something else that is not quite right with the screen that’s being presented.

In this example, it’s trying to get me to log in to my Rackspace email service, and you can see that it does look like a legitimate login page. Although you’ll notice they didn’t quite get the graphics right on the page. There’s usually something about the page that isn’t quite right or doesn’t ring true. But you do have to make sure to validate any link that you see in an email. That’s why we often say, never click a link in an email. You should instead type the website address directly into the browser’s address bar.

Here’s a comparison of the actual Rackspace Webmail login page and, on the left side, the page I received when I was phished. If you weren’t paying attention, you might think that this is absolutely a legitimate page, and you could type in your email address and your password, and when you click that Login button, you’ve now sent your credentials directly to the phishing attacker. The attackers use many different tricks to get us to click these links and input our personal information into these pages; making the pages look familiar and similar to what we would expect is only one of the things they do.

They also try to present to us a domain name in the address bar that looks very similar to what we are expecting. For example, you might find a bad guy using typosquatting, which is a type of URL hijacking. The domain professormessor.com, for instance, almost looks legitimate, except my last name is spelled M-E-S-S-E-R, and this one is spelled M-E-S-S-O-R. But if the bad guy wanted to use that particular domain name and then host a website that looked exactly like mine, they might be able to fool a few people into typing in their email address and their password.

Another trick they might use is prepending to the address, which means they add something onto the beginning, and you can see that in pprofessormesser.com. It’s all spelled correctly except for the additional text at the beginning. And if you aren’t looking closely, you might not even realize that text is there.
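As an added example (not part of the original video or Professor Messer’s materials), here is a small Python link checker that applies the points above to the links found in an email or text message: it extracts each hostname, compares it with the domain the user expects, and labels typosquats such as professormessor.com, prepended names such as pprofessormesser.com, and hostnames or paths that merely contain the brand name. The expected domain and all of the sample links are constructed for illustration; none of the lookalike URLs are real, and the registrable-domain logic is deliberately simplified.

```python
from urllib.parse import urlparse

# Constructed for this example: the domain the user actually expects to reach.
EXPECTED_DOMAIN = "professormesser.com"

# Constructed sample links of the kind found in phishing email or text messages.
# None of these URLs are real; they only illustrate the tricks described above.
SAMPLE_LINKS = [
    "https://professormesser.com/login",            # genuine
    "https://www.professormesser.com/account",      # genuine, with a subdomain
    "http://professormessor.com/login",             # typosquat: one letter changed
    "https://pprofessormesser.com/signin",          # prepended character
    "https://professormesser.com.example.net/x",    # brand placed in a subdomain
    "https://example.org/professormesser.com/",     # brand appears only in the path
]


def registrable_domain(hostname):
    """Return the last two labels of a hostname, e.g. 'professormesser.com'.

    Simplification: production code should consult the Public Suffix List so
    that names like 'example.co.uk' are handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 or 2 from the expected domain is
    the signature of a typosquat such as professormessor.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, expected=EXPECTED_DOMAIN):
    """Label a URL relative to the domain the user expects to be visiting."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)
    brand = expected.rsplit(".", 1)[0]          # 'professormesser'
    if domain == expected:
        return "legitimate"                      # professormesser.com, www.professormesser.com
    name = domain.rsplit(".", 1)[0]
    if name.endswith(brand) and name != brand:
        return "prepended"                       # pprofessormesser.com
    if edit_distance(domain, expected) <= 2:
        return "typosquat"                       # professormessor.com
    if brand in host:
        return "brand-in-hostname"               # professormesser.com.example.net
    if brand in parsed.path.lower():
        return "brand-in-path"                   # example.org/professormesser.com/
    return "unrelated"


def suspicious_links(urls, expected=EXPECTED_DOMAIN):
    """Return (url, label) pairs for every link that is not the expected domain."""
    labelled = [(u, classify_link(u, expected)) for u in urls]
    return [(u, label) for u, label in labelled if label != "legitimate"]


if __name__ == "__main__":
    for url, label in suspicious_links(SAMPLE_LINKS):
        print(f"{label:18} {url}")
```

The order of the checks matters: a prepended name is also within edit distance of the real domain, so it is tested first to get the more specific label. Anything other than "legitimate" is a reason to type the real address into the browser yourself rather than follow the link.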

Very commonly, these messages involve some type of pretexting, which is a fancy way of saying that they’re going to lie to you. They put some type of situation in place, and they try to see if they can get you to act on it. For example, they may call with a message, or send an email, that says, “Hi, we’re calling from Visa regarding an automated payment to your utility service.” And then they might have you click on something, or offer to take that particular payment over the phone.

Well, I definitely have an automated payment. I do pay my utility service automatically, and this might get me relaxed enough to think that the person who’s calling me really is from Visa, and they really are trying to take care of a financial problem. But of course, this is an attacker who’s trying to gather my credit card information, and I would simply be handing over all of the details of that account to whoever happened to be calling.

Of course, we often see these emails being sent to individuals, and the attackers are trying to gather this information one person at a time until they have all of the information they need. But there are times when the attacker might want to attack an entire group of people simultaneously. This is called pharming, and it’s usually created when the attacker is able to take over an entire domain name system server, or take over an entire website, so that everybody who uses that DNS server or visits that website is automatically directed to the attacker’s website. This means that you could be typing the correct address into your browser, but because the DNS has been poisoned, you’re now at the attacker’s website, and you would simply put in your user credentials, because to you it looks like the normal website.

So now there are two different kinds of attacks in place. The pharming redirects everybody who uses that DNS server to the attacker’s website, and then the phishing takes place once they arrive there, as they put in their email address, username, password, and other personal information. In this particular scenario, it’s very difficult for the end user to even realize they’re being phished. They’ve used what they thought was a legitimate DNS server, and it sent them to a website that looks like the legitimate website. So of course they’re going to provide their normal credentials. And because everything looks normal, it’s even difficult for third-party products, like anti-malware or antivirus, to recognize that there’s any type of problem happening at all. These types of pharming situations are thankfully relatively rare, but they do occur, and it’s something that you need to know how to mitigate if you happen to find this situation on your network.
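As an added example (again not part of the original video), here is one way a defender can notice the pharming situation just described: collect the A-record answers for the same hostname from several resolvers, including the one on your own network, and flag any resolver whose answers contain addresses that nobody else, or a pinned baseline, agrees with. The resolver names, the pinned addresses, and every answer below are constructed sample data using RFC 5737 documentation ranges; in a real check you would fill in the dictionary by querying each resolver, for example with dnspython.

```python
from collections import Counter

# Constructed sample data: A-record answers for one hostname as returned by
# several resolvers. Resolver names are made up and addresses come from the
# RFC 5737 documentation ranges. 'branch-office' stands in for a resolver on
# your network that has been poisoned to point at an attacker-controlled host.
SAMPLE_ANSWERS = {
    "corporate-resolver": {"203.0.113.10", "203.0.113.11"},
    "public-resolver-a":  {"203.0.113.11", "203.0.113.10"},
    "public-resolver-b":  {"203.0.113.10", "203.0.113.11"},
    "public-resolver-c":  {"203.0.113.10"},                  # round-robin subset
    "branch-office":      {"198.51.100.7"},                  # poisoned answer
}

# Constructed: the addresses the site is known to use (a pinned baseline).
PINNED_ADDRESSES = {"203.0.113.10", "203.0.113.11"}


def consensus_answer(answers_by_resolver):
    """Addresses that more than half of the resolvers returned.

    Each resolver 'votes' for every address in its answer, so a resolver that
    hands back only a subset of the real addresses (round-robin DNS) still
    contributes to the consensus, while a single poisoned resolver cannot
    push the attacker's address into it.
    """
    votes = Counter(addr for answers in answers_by_resolver.values() for addr in answers)
    quorum = len(answers_by_resolver) / 2
    return {addr for addr, count in votes.items() if count > quorum}


def find_poisoned_resolvers(answers_by_resolver, expected=None):
    """Return {resolver: addresses outside the expected set}.

    With a pinned baseline ('expected') every resolver is checked against it;
    without one, the consensus of the resolvers is used as the baseline. A
    resolver that returns only a subset of the baseline is not flagged.
    """
    if expected is not None:
        baseline = set(expected)
    else:
        baseline = consensus_answer(answers_by_resolver)
    flagged = {}
    for resolver, answers in answers_by_resolver.items():
        unexpected = set(answers) - baseline
        if unexpected:
            flagged[resolver] = unexpected
    return flagged


if __name__ == "__main__":
    for resolver, addrs in find_poisoned_resolvers(SAMPLE_ANSWERS, PINNED_ADDRESSES).items():
        print(f"{resolver}: unexpected answer(s) {sorted(addrs)}")
```

A flagged resolver is the signal to investigate that server rather than the users who logged in through it, since, as the passage notes, from the user’s side everything looked normal.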

Attackers have also moved to the telephone as a way to gather your personal information. Performing this attack over a voice line is called vishing, for voice phishing. Very often, the attacker spoofs the phone number that appears on the incoming call so it looks like a local phone number, but in reality they could be calling from anywhere. The point of the phone call, or the voicemail they leave, is ultimately to get you to give up some type of personal information that they can use to gain access to your accounts.

Of course, they may not even need to talk to you. They can do everything over SMS, the Short Message Service, or what we commonly refer to as text messages. This is referred to as smishing, or SMS phishing, where the phishing is all done over a text message. Often these text messages contain a link, and the attacker tries to entice you into clicking that link and providing them with more information.

There are many, many different ways that attackers try to entice you to give up your information or your money. Many of these scams can be found in a large list on Reddit. You can find it at reddit.com/r/Scams.

With some of these attacks, the attacker isn’t after an email password. They’re instead trying to get large sums of money transferred into their personal account. To be able to do that, they need to gather as much information as possible on the victim. So they’ll perform a number of different steps of reconnaissance prior to performing the actual phishing attack.

It’s remarkable how much open source information is available on the internet. You can gather information about individuals, groups of individuals, or large organizations by simply visiting third-party websites such as Facebook, LinkedIn, and other locations. Based on the information they gather, attackers can create a very believable pretext. They might be able to determine where you live, where you work, who you work with, use people’s names, understand the places you shop, and put all of that information into a very believable phishing attack.

These types of very directed phishing attacks are called spear phishing attacks. They’re going after a very specific person or very specific group of people to be able to gather the information that they need. A spear phishing attack that goes after a person who has control of a lot of money or a lot of information is called whaling. It’s very common to go after the CEO or the head of the accounting department because they have access to the entire corporate bank account.

All you need is one very well-crafted phishing attack to be able to convince somebody to log into a fake user account that would then provide the attacker with all of the banking information for the organization. These types of whaling attacks happen all too often. And if you’re in an organization that has people who are in charge of these particular accounts, then you need to make sure that they are very familiar with the type of phishing attacks that they might run into.