Threats

Phishing and Spear Phishing

An old but successful technique in social engineering is the phishing attack. In these types of attacks, an individual is tricked into providing critical information (usually login credentials) to an attacker through a fake website or spoofed email. How are these attacks carried out? Can they affect larger companies? How do we mitigate them? Read more to find out!

Phishing

A phishing attack is a type of social engineering attack that attempts to trick users into providing login credentials to a site masquerading as a legitimate website. These attacks are usually randomly initiated, which is where the name comes from. They simply cast the line out and wait for a bite, so to speak.

The attacker will build a website on a server that they control, and then try to pass the link to a user. These links are usually sent through email, although these methods are growing in popularity over Facebook Messenger as well. The link will usually inform the user that there is a problem with their bank account, or a link to a “shocking video” of them. Once they click the link, they are taken to a page that looks identical to the page they think they are supposed to be going to. But once they enter their information in the login fields, it’s passed to the attacker instead of the actual server. In many phishing attacks, it will redirect the user to the legitimate website after the credentials are passed. This takes suspicion off the link, and the user may never know their credentials have been stolen.

Spear Phishing

Spear phishing is the name for a targeted phishing attack launched by someone actively trying to compromise a specific individual or company. The name conveys the idea of a fisherman specifically targeting the fish he wants to catch.

In spear phishing attacks, an email usually containing a malicious link is sent to several users of a company’s system. Many times, this type of attack is combined with email spoofing, to make it appear to be a legitimate internal email. This spoofing builds trust in the user, and they won’t find the email or request as suspicious as an unrecognized address. At this point, the rest is the same as a general phishing attack, although the fake website may be made to appear as an internal company login page. A lot of companies overlook training of lower level employees, thinking the only accounts an attacker would be interested in are administrator accounts. However, an attacker gaining entrance through an unprivileged account provides less suspicion and the opportunity for privilege escalation.

How to mitigate? Educate!

Both attacks have the same end goal: trick the user into providing their credentials to an attacker through a fake website or a trusted email. Likewise, both attacks can be prevented the same way. Because this is a social engineering attack, mitigating these attacks rests almost entirely on education rather than technical implementations. Attacks like these remind companies the importance of having information security programs and training for all users of a system, not just upper management. Any user’s account could be compromised, and any of those compromises could lead to problems for the network.

Login screen, always check for SSL certificate
Note the SSL icon and the URL in the address bar. Always make sure you are at a legitimate website before providing credentials.

What are the key points to cover in a security plan involving phishing mitigation?

  • Do not click links in emails from people the user doesn’t recognize.
  • Examine the link in question. Is it going to www.facebook.com, or www.facebook.someotherdomain.com?
  • Beware of shortened URLs from services such as bit.ly, as these can easily be used to obscure a malicious link.
  • If a link takes you to a login page, and anything seems suspicious (URL doesn’t look right, email seemed sketchy, no SSL icon, etc.), type the correct address manually in the address bar.
  • Make sure that there is a policy in place that credentials are never to be sent over email. Not only is sending email not secure, but this type of policy will prevent users sending login information to an outside attacker. If an email from another employee contains any strange requests, email or call the individual directly to confirm. Do not hit reply in the suspicious email, as the reply-to email may be different.
  • When users notice a suspicious email, notify whoever is in charge of the company’s information security.

We can help!

At Phoenix Security Labs, we can help you draft a Security Education Training and Awareness (SETA) program, and further develop your information security policy. These programs are used to train all employees of an organization responsible computer use, including how to recognize and report threats. In 2016 and 2017, the overwhelming majority of company breaches were caused by employee error, whether by falling for a phishing scam, opening an email with a virus, or other preventable measure. SETA plans are an important first step in drafting an information security policy for a company, and can help prevent devastating breaches through education. So schedule a consultation today, and see how we can help you!

Leave a Reply

Your email address will not be published. Required fields are marked *