Dissection of a Phishing Attack, Part 1

Created 5 years 220 days ago
by Rita Palmisano

by Scott M. Lewis

We have all heard the term “phishing.” However, do we understand what it means and the overall magnitude of phishing attacks? According to a Digital Trends and Microsoft survey of Office 365 users, phishing attacks are up so far in 2019 by more than 250%. The Microsoft Security Team, which analyzes more than 6.5 trillion security-related signals a day and 470 billion emails per day, says that what we see is only the tip of the iceberg. That is staggering when you realize that it takes only one getting through to cost your organization dearly.

You are most likely asking yourself: “How is this possible? I spend so much money on firewalls, anti-virus and spam and malware protection; how is it possible that I am at more risk now than before?” As protection research has improved, so have the methods scammers use to coordinate their attacks.

There are many moving parts to phishing attacks. How do you detect a phishing attack? How do you determine the damage? Could this be system damage via a cryptovirus or financial harm to your organization? What responsibilities do you have to vendors and customers, and if you are a public company, how do you report this to shareholders and customers? How do you deal with mobile device security and remote access, the most common entry points for phishing attacks? The questions — both positive and negative — go on and on. In today’s always-connected world, there is a need for full collaboration software and connected services, but are they opening you up to phishing attacks? Couple those business needs with our need for immediate access to data and then add the human factor, and you have all the dynamics for a robust phishing attack.

Before we get too far into this, let’s go through the different types of phishing scenarios and how they target different people and processes:

* Spear phishing. This is a very targeted attack based on a group of emails that were harvested through social media, such as Facebook, Twitter and LinkedIn, or email lists that were bought through tradeshows, conferences, online newsletters, or other organizations and companies to which you have provided your email address.

* Whaling. This is a more focused email attack, typically against high-profile individuals who are the public face of your company, which could include C-level individuals within organizations, such as CFOs, CIOs and COOs.

* Smishing. This is an attack delivered through SMS text messaging and therefore focused primarily on mobile devices. Smishing is often confused with vishing, which is done via voice phone calls and is more commonly referred to as robocalling.

* Content injection phishing. This is harder to pull off. Phishers insert malicious code or misleading information into emails or websites to encourage people to enter their user credentials or passwords, or to perform other actions such as transferring funds.

* Man in the middle phishing. This happens when phishers position themselves between people and the legitimate websites they use, such as social or banking sites. This is difficult to detect because the transaction typically completes as expected and causes no visible disruption.

Phishing attacks are typically more focused on the social engineering of the human and the assumptions that the human brain has been trained to make. Phishers have become experts at identifying weaknesses in human behavior and the assumptions that we all make every day. In most cases, we humans don’t understand that we are making these assumptions. When it comes to changing human behavior, according to a Forbes article from November 2018, 70% of change initiatives within organizations fail and 84% of companies undergoing a digital transformation process fail.

Companies see this human behavior in action in many forms. Companies spend millions on securing corporate email and networks only to find out that employees will use a Gmail account or some other third-party email to get around restrictions that were put in place to protect the company. Companies spend millions on software only to find out that employees continue to use Excel or other work processes that the new software was bought to improve.

These are simple examples but show how difficult it is to retrain human behavior even when we know it is in our best interest. That makes us susceptible to phishing attacks.

Now that we have outlined the magnitude of phishing and the different types of phishing, and determined that a phishing campaign needs the assistance of a human to succeed, you might be wondering: How did all this get started? According to Computerworld, the term “phishing” was first documented in 1996 in a hacker newsgroup, by hackers trying to steal America Online usernames and passwords.

This term came out of what is known as phreaking or phone phreaking, which is the original hacking of phone systems. The term phreaking was coined by John Draper, aka Captain Crunch, who created the now-infamous blue box that emitted an audible tone for hacking phone systems in the 1970s. The term “phishing” grew from this history, with hackers knowing that the more hooks they put out there, the more fish they would catch.

To be continued next month…

Scott Lewis is the President and CEO of Winning Technologies Group of Companies, which includes Liberty One Software. Scott has more than 35 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with hundreds of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium and small companies, and Winning Technologies’ goal is to work with companies on the selection, implementation, management, and support of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.