Spear Phishing and other types of Phishing attacks: Here’s what they are and how to recognize them in your workplace
At The Saturn Partners, we have spent years working in the social engineering field helping clients in banking, health care, technology, utilities and education identify external and internal threats to their network security.
“Phishing” as a way to steal information and use it to gain unauthorized access to systems has been around for quite some time. This article reviews what it is and the latest threats in this area, and explains how to alert users in the enterprise to its different forms before a user is tempted to respond to a phishing message of any type and compromise sensitive data.
Specific types of phishing:
Phishing scams vary widely in terms of their complexity, the quality of the forgery, and the attacker’s objective. Several distinct types of phishing have emerged over the past few years:
Phishing attacks directed at specific individuals, roles, or organizations are referred to as “spear phishing.” Since these attacks are so pointed and directed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success. In our experience, attackers treat each success as a challenge to build a “bigger and better” attack the next time, and will invest ever greater effort to do so.
An important defense against spear phishing is to carefully and securely discard information (e.g., using a cross-cut shredder) that could be used in such an attack. Further, be aware of data about you that is relatively easy to obtain (e.g., your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests that arrive by email or phone.
The term “whaling” is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.
Using the Best Tactics to Avoid Phishing Scams:
No reputable organization will email you to request that you reply with your passphrase, Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, whether through a web site or by replying to the message itself. Never reply to such a message or click its links. If you think the message may be legitimate, go directly to the company’s web site (i.e., type the real URL into your browser yourself) or contact the company to see whether you really do need to take the action described in the email message.
Note: Whereas phishing messages of past years were almost laughably easy to spot (and many users fell for them anyway, much to their peril), recent ones are far harder to recognize unless you are actively watching for them. When conducting social engineering work we are constantly surprised by how little training enterprise users have received about this ever-present threat to the network environment!
When you recognize a phishing message, delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the web sites it points to.
Important: Always read your email as plain text.
Phishing messages often contain clickable images and link text that look legitimate; in HTML mail, the text or logo you see and the address the link actually opens are two separate things. By reading messages in plain text, you can see the real URL that each link or image points to. Additionally, letting your mail client render HTML or other non-text-only formatting enlarges its attack surface: the client may fetch remote images (confirming to the sender that your address is live), and clients that honour active content or have rendering bugs have been used to deliver viruses, worms, and Trojans.
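The mismatch between visible link text and the real href is exactly what an automated check can look for. The following is an added example, not code from the original article or from The Saturn Partners: it parses a constructed HTML email (the message, sender domain, and hostnames below are invented for the example) with Python's standard `email` and `html.parser` modules, lists every link with its real target, and flags links whose visible text names a different host than the href, or that are an image with no visible text at all.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message for this example (not a real phishing email).
# Link 1: visible text names the bank's real site, href goes to a lookalike host.
# Link 2: the bank's logo is the link, so the rendered view shows no target at all.
# Link 3: an honest link, used as a control.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank.com>
To: user@example.org
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please visit <a href="http://example-bank.com.login-verify.example/session">https://www.example-bank.com/login</a> to verify your details.</p>
<p><a href="http://198.51.100.23/track"><img src="cid:logo" alt="Example Bank"></a></p>
<p><a href="https://www.example-bank.com/help">Help center</a></p>
</body></html>
"""

# A hostname (optionally with scheme) appearing inside the visible link text.
HOST_IN_TEXT = re.compile(
    r"(?:https?://)?([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)+)"
)


class LinkCollector(HTMLParser):
    """Collects (href, visible text, wraps-an-image) for every <a href> in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # the <a> currently being read, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open = {"href": attrs["href"], "text": [], "image": False}
        elif tag == "img" and self._open is not None:
            self._open["image"] = True

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            text = "".join(self._open["text"]).strip()
            self.links.append((self._open["href"], text, self._open["image"]))
            self._open = None


def extract_links(raw_message: str):
    """The 'plain text' view of the mail: every link with the URL it really opens."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    collector = LinkCollector()
    collector.feed(part.get_content())
    return collector.links


def deceptive_links(raw_message: str):
    """Return (reason, href, visible_text) for links whose real target is hidden or misleading."""
    findings = []
    for href, text, image in extract_links(raw_message):
        href_host = (urlsplit(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(text.lower())
        if shown and shown.group(1) != href_host:
            findings.append(("text/href host mismatch", href, text))
        elif image and not text:
            findings.append(("image-only link (target invisible)", href, text))
    return findings


if __name__ == "__main__":
    for reason, href, text in deceptive_links(SAMPLE_EMAIL):
        print(f"{reason}: shows {text!r}, opens {href}")
```

Run against the sample, the first two links are reported and the "Help center" link is not. The same logic can be pointed at a mailbox export or a mail gateway quarantine; the interesting generalization is that it does not need to know which brand is being impersonated, only that what the user sees and where the link goes disagree.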
Additional Warnings: Watch Those Redirects.
Reading email as plain text is a general best practice that avoids some phishing attempts, but not all of them. Some legitimate sites have redirect scripts (for example, a “return to” parameter on a login page) that do not validate the destination they are handed. Phishing perpetrators can use these “open redirects” to craft a link that begins with the legitimate site’s address, so it passes a quick inspection, but lands on their fake site.
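To make the defect concrete, here is an added example (not code from the original article or from any real site) of the unchecked redirect pattern next to a hardened replacement, written in Python with only the standard library. The allow-listed hostnames and the `?next=` parameter name are assumptions for the example. The validator rejects the usual bypasses: scheme-relative `//host`, `https:host` without slashes, `user@host` tricks, non-HTTP schemes, and backslashes or control characters that browsers and URL parsers treat differently.

```python
from urllib.parse import urlsplit

# Hosts this application may legitimately send users to (assumption for the example).
ALLOWED_HOSTS = {"www.example-bank.com", "login.example-bank.com"}


def vulnerable_redirect_target(next_url: str) -> str:
    """The open-redirect pattern: wherever ?next= points, the user is sent."""
    return next_url


def is_safe_redirect(next_url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site absolute path or an absolute URL on an allowed host."""
    # Control characters, whitespace and backslashes are handled differently by
    # browsers than by urlsplit ("/\\evil" becomes "//evil" in a browser); refuse them.
    if any(ord(ch) < 0x21 for ch in next_url) or "\\" in next_url:
        return False
    parts = urlsplit(next_url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, and friends
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: the host (with any user@ and :port
        # stripped, lowercased) must be on the allow list exactly.
        host = parts.hostname
        return host is not None and host in allowed_hosts
    # Relative URL: accept only a plain absolute path on this site.
    return next_url.startswith("/") and not next_url.startswith("//")


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """The hardened pattern: validate, and fall back to a known-good page otherwise."""
    return next_url if is_safe_redirect(next_url) else fallback


if __name__ == "__main__":
    for candidate in ("/account/settings", "//evil.example/phish",
                      "https://www.example-bank.com@evil.example/", "https:evil.example"):
        print(f"{candidate!r:50} vulnerable -> {vulnerable_redirect_target(candidate)!r:45} "
              f"hardened -> {safe_redirect_target(candidate)!r}")
```

The check deliberately requires an exact host match rather than a suffix match; `www.example-bank.com.evil.example` ends with the bank's name but is the attacker's host, which is the same trick the phishing link itself relies on.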
Another tactic is the homograph attack. Because modern browsers support Internationalized Domain Names (IDN), attackers can register names containing letters from other scripts (a Cyrillic “а” in place of a Latin “a”, for example) that render almost identically to the authentic domain. Browsers fall back to displaying such names in their Punycode form (labels beginning with xn--) in some cases, so an xn-- label in a link is itself a warning sign.
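The following is an added example, not code from the original article or from any browser vendor, showing how such a name can be examined in Python with only the standard library. It decodes `xn--` labels back to Unicode, reports whether a single label mixes scripts, and compares a “skeleton” of the name (lookalike letters mapped to their Latin twins) against a short list of protected domains. The protected list and the small confusables table are assumptions for the example; Unicode's own confusables data is far larger. The two sample hostnames are the well-known `аpple.com` lookalikes: one with only the first letter Cyrillic, and one written entirely in Cyrillic, which the mixed-script check alone does not catch.

```python
import unicodedata

# Domains this check protects (assumption for the example).
PROTECTED = {"apple.com", "example-bank.com"}

# Deliberately small confusables table: non-Latin letters that render like Latin
# ones in common fonts. Unicode's confusables.txt has thousands of entries.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into Unicode; ordinary labels pass through."""
    if label.lower().startswith("xn--"):
        # Bare Punycode step only; full IDNA processing also normalizes and validates.
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(label: str) -> set:
    """Scripts of the letters in one label, read off the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(name: str) -> str:
    """What the name looks like to a human: lookalike letters replaced by Latin ones."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def analyze_hostname(host: str) -> dict:
    labels = [decode_label(part) for part in host.split(".")]
    unicode_host = ".".join(labels)
    reasons = []
    for label in labels:
        scripts = scripts_in(label)
        if len(scripts) > 1:
            reasons.append("mixed scripts in " + label + ": " + ", ".join(sorted(scripts)))
    look = skeleton(unicode_host)
    if look != unicode_host and look in PROTECTED:
        reasons.append("looks like " + look)
    return {"unicode": unicode_host, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for host in ("apple.com", "xn--pple-43d.com", "xn--80ak6aa92e.com"):
        report = analyze_hostname(host)
        print(host, "->", report["unicode"], report["reasons"])
```

The all-Cyrillic name passes the mixed-script test, which is why browsers combine several rules (script mixing, whole-script confusables, the user's configured languages) before deciding whether to show the Unicode or the xn-- form. Attackers target the gaps between those rules, so on the client side the plain-text habit described above still applies: look at the raw link, and treat any xn-- label as a reason to type the address yourself.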
Reporting phishing attempts:
- If a phishing attempt targets your environment in any way (e.g., it asks your enterprise’s webmail users to “verify their accounts”, carries a malicious PDF aimed at human resources, or impersonates your organization), forward it with full headers to your IT Director or Director of Information Security immediately so they can analyze the headers and respond.
- You can report a phishing scam attempt to the company that is being spoofed.
- You can also send reports to the Federal Trade Commission (FTC).
- Depending on where you live, some local authorities also accept phishing scam reports.
- Finally, you can send details to the Anti-Phishing Working Group, which is building a database of common scams to which people can refer.
For more information on Network and Infrastructure Security topics affecting your organization, please visit us at www.saturnpartners.com, email us at firstname.lastname@example.org