Phishing, Part 1: On the Lookout

Cybersecurity has gone mainstream, thanks in part to the hacking of the 2016 Presidential election. But how many of us know how the attackers in this case actually achieved their ends? The truth is, that one of the oldest, but most effective weapons in the cybercriminal’s arsenal, undoubtedly used in those attacks, is a threat still facing all of us today: phishing.

Phishing can be the first stage in a sophisticated information-stealing attack on a large organization. But the same techniques are used by cybercriminals the world over to steal your personal information for ID theft and to spread dangerous malware. With this in mind, Trend Micro has put together a handy two-part guide giving you the lowdown on phishing attacks—what they’re designed to do, what they look like, and how you can avoid getting caught by the hoax.

Why do cybercriminals phish?

Phishing is fundamentally a confidence trick. It’s an attempt by hackers to get their hands on your online log-ins, your financial information, or other sensitive details they can use to impersonate you for monetary gain. They do this by persuading you they’re someone else—typically a familiar organization you work with. They might want to steal your bank log-ins, your Apple ID, even your Uber account credentials. ID theft is particularly dangerous, since it can open up a world of credit or purchases for them. Or they might try to trick you into downloading ransomware, crypto-mining software, banking Trojans, adware or even info-stealing malware, to help them generate profits. Phishing represents a potential cornucopia for them, of ill-gotten gain.

How do they phish?

The bad guys have a wealth of techniques at their disposal, but they mostly boil down to one thing: social engineering. Fundamentally, this is the art of persuasion. As mentioned, it could mean spoofing an email to appear as if it came from your bank, asking you to update your details with them. Or perhaps it’s a ‘security alert’ that appears to have been sent by Apple or Microsoft. Or maybe it’s a required software update from Adobe, typically around Adobe Flash. Or it might even be a too-good-to-miss offer or piece of outrageous gossip to click on social media.

It’s all about getting you to click on that malicious link, open that malware-laden attachment, or submit your log-ins and personal details. Sometimes you’re taken to a separate website to submit those details, also spoofed to appear legitimate. The idea is to first target the user, rather than attack the machine directly. That being the case, if you improve your awareness of the characteristics of phishing, you can minimize the effectiveness of the phishers.

Phishing types

Here a few common generic phishing attacks:

  • Email: This is still the primary channel for phishing. More than 85 percent of the online threats Trend Micro blocked last year were emails such as those containing malicious content. But users must also beware of scammers using IM (instant messaging), or SMS (the short message service) on their mobile phones.
  • Social media: This is an increasingly popular channel for phishing, as users tend to be more trusting of posts and messages sent by their ‘friends’. Phishers know this and can hack your friends accounts to increase their chances of success. Malicious URLs can be found in Facebook Live comments, Twitter DMs and LinkedIn InMail. Fake promotions and competitions are also rife on social media, as are messages designed to trick you into clicking on some ‘unbelievable’ content.
  • Gaming: Attackers may look to send you a message spoofed to appear as if sent from an online gaming provider. They often contain extra inducement to click through or provide details, such as by offering a prize or bonus points. Stolen account details are then sold on the black market.
  • Tech support: These warning emails are spoofed to come from popular online providers like PayPal, Amazon, eBay, Microsoft, etc. They typically claim to have spotted ‘unusual activity’ on your account and want you to provide more details or to click on a link to sort it out. You might even get an unsolicited email or phone call claiming there’s something wrong with your computer and urging you to pay for tech support to resolve the issue. Sometimes these scammers end up installing remote access software and malware on your machine in the process of ‘cleaning it’.

The scammers are getting smarter

The bad news is that the phishers are refining their tactics all the time. Mobile phishing attacks are increasingly popular as users tend to be distracted and therefore more likely to click through in malicious SMS messages. Phishers are also increasingly likely to use popular events in the news to trick you into clicking, as with a major data breach like Yahoo or Uber, which you may have been caught up in.

Another tactic designed to increase the chances of phishing success is to use to spoof the domains of legitimate sites by using internationalized domain name text. Then too, you need to beware of new “angler” attacks, which typically involve the creation of fake social media profiles resembling brands’ support accounts. Criminals will search for users contacting those companies and hijack the conversation with phishing links.

So what can you do to protect yourself from phishing attacks?

Stay tuned for Phishing, Part 2: Staying Safe, where we’ll brief you on ways to stay safe from phishing attacks.

Read More HERE