Although phishing attacks can occur against individuals, we will primarily focus on attacks against organizations in this post. We will use the term organization to represent governments, educational and healthcare institutions, and commercial businesses, but we will draw distinctions in the “bounty” sought after in each industry. So, let’s get started…
What is Phishing?
There are a lot of “nice” or “polite” ways to describe phishing. At the end of the day, it is where a thief is trying to get access to confidential information through nefarious means. Why is the thief trying to get access to the confidential information? Like thieves in the physical world (e.g. bank robbers), there are many different motivations (i.e. fame, fortune, desperation due to unfortunate life circumstances that are leading one down an ill-advised path of crime, political domination, etc.). It is important for us all not to lose sight of the fact that criminal activities occur in the virtual world just as they do in the physical world and, in many ways, there are striking parallels.
What Motivates a Phishing Attack?
As always, it is important to look at root causes. Why is the phisher motivated to pursue access to information through illegal activities? As previously mentioned, phishers may be pursuing fame, fortune, a means to escape their desperate circumstances, or an ability to dominate a country, a region, or the world.
If the phisher is pursuing fame, then the individual behind the attack is ultimately looking for some type of attention. They ultimately want the news of their success recognized. Otherwise, they will not achieve fame. Now this fame could be restricted to a select group of individuals (e.g. peers) or the phisher may want the world to know. Depending on the individual phisher, the use of the information obtained through illegal means may vary greatly.
If the phisher is pursuing fortune, then the phisher will more than likely want to keep the crime somewhat discreet. Why? Well if the phishing attack is successful, then they will want to carry it out again, and again, and again. Why rob one bank, when you can rob three, and make possibly three times as much money. Obviously, in this case, the motivation is money and the primary variable is how much money the phisher wants to make.
If the phisher is pursuing a means to escape desperate circumstances, then the attacker probably wants the attack to go unnoticed. The phisher may only attack one time and then no longer take on the risk of arrest.
If the phisher is pursuing political domination of some sort, then the phisher is probably not operating as a loner. More than likely, the phisher is part of a group, backed by an organization, ultimately backed by a government. The phisher or phishers want to achieve some level of success that will bring him or her glory in their homelands and some level of advantage to the phishers’ government. If you gain access to nuclear codes, then the phisher is probably going to get pretty much anything they want in their homelands. Of course, their newfound fame and fortune might be all for naught if their success contributes to World War III!
Who Performs Phishing Attacks?
One useful way to think about who performs phishing attacks is a Bell Curve approach. What is a Bell Curve approach? A simplistic definition is that a Bell Curve assumes 20% of things will be on each extreme and 60% will fall in the middle. If we apply this thinking to phishers, then consider the following phisher groupings:
- Phisher Newbies (i.e. the 20% of less educated and less skilled phishers)
- Ordinary Phishers (i.e. the 60% of phishers that are average)
- Exceptional Phishers (i.e. the 20% of sophisticated or well-educated phishers)
So, if we think about phishers and their capabilities along the lines of a Bell Curve, then you will see a certain amount of phishing attacks that are silly and poorly constructed.
No doubt, you have seen attacks from Phisher Newbies.
Who is a Phisher Newbie?
The Phisher Newbie is a phisher who sends the email out with names and subject lines spelled wrong (i.e. assuming it is an email attack). Do these types of attacks seem familiar to you in the physical world? Surely, you have seen the armed robber who goes into the convenience store, asks the cashier for the money and then quickly runs back out, only to encounter the door that he cannot open. It turns out that the robber is just pushing the door in the wrong direction (i.e. he or she needed to pull on the door versus push on the door).
Then you have the Ordinary Phisher in the middle of the Bell Curve.
Who is an Ordinary Phisher?
These phishers approach the attacks in a more polished manner. They do a bit more research, making sure names and subject lines are correctly spelled, and perhaps they add in a bit more color (e.g. timing the attacks around major events in specific locations, like tax time in the United States) to make the attacks seem more legitimate.
Lastly, you have the Exceptional Phishers.
Who is an Exceptional Phisher?
These attackers launch very sophisticated attacks that leverage significant research with more targeted attacks. By spending more time to refine the attack and tuning the communications to specific persons, the likelihood the attacks will be successful increases. While sophisticated attacks can be applied to virtually any situation, it is likely these types of attacks are after very significant targets and bounties.
How are Phishing Attacks Conducted?
Phishing attacks, executed in a variety of ways, can leverage different types of technology for successful execution. Consider the following steps used in carrying out a basic attack:
- Ordinary Phisher decides to make a fortune through phishing attacks.
- Ordinary Phisher meets Exceptional Phisher in a chatroom.
- Ordinary Phisher asks Exceptional Phisher how to launch a phishing attack. Exceptional Phisher explains the basics in terms of how to obtain email contacts on the Dark Web¹.
- Ordinary Phisher researches and finds a list of email contacts on the Dark Web. The email contact list is one that targets individuals working in Information Technology firms in the United States.
- Ordinary Phisher establishes a fictitious email and constructs an email capable of getting the attention of individuals in IT firms. The subject line indicates the email is from the specific firms’ Chief Financial Officers and requires immediate attention (e.g., send funds immediately via wire transfer).
- Within the body of the email, Ordinary Phisher indicates the email recipient needs to send the funds to a specific account (i.e. an account set-up by Ordinary Phisher).
- After finalizing the fraudulent email, Ordinary Phisher then sends the emails to the contacts purchased on the Dark Web.
- Ordinary Phisher typically sends the email out via a fictitious email account (Gmail, etc.) or an open relay found on the internet in order to prevent authorities from being able to find Ordinary Phisher. Ordinary Phisher learned how to launch the email-based attack from the Dark Web from Exceptional Phisher.
- Ordinary Phisher waits to see if anyone will respond to the fraudulent email. For unsuspecting victims who fall for these scams, the results can be disastrous ranging from stolen credentials to wire fraud.
- Upon receiving information back from email recipients, Ordinary Phisher will then start planning his/her next attack.
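The basic attack above has a recognizable shape from the defender's side: an external mailbox borrowing an executive's name, urgency language, and a request to move money. The following screening function, added here as an illustration and not part of the original post, shows how a mail gateway or SOC triage script could score those signals. The organization domain, the executive roster and the two sample messages are all constructed for the example.

```python
"""Heuristic screening for executive-impersonation (wire fraud) phishing.

Added example: the organization domain, the executive roster and the sample
messages below are constructed; the keyword lists are deliberately small.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-it-firm.com"                      # constructed
EXECUTIVES = {"pat smith": "Chief Financial Officer"}   # constructed roster
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

URGENCY = re.compile(r"\b(immediately|urgent|asap|right away|today)\b", re.IGNORECASE)
PAYMENT = re.compile(
    r"\b(wire transfer|bank account|routing number|send (?:the )?funds)\b", re.IGNORECASE
)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen(raw_message: str) -> dict:
    """Return the signals found in a raw RFC 822 message and a triage verdict."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}"
    sender_domain = domain_of(addr)

    flags = []
    # Display name matches a known executive but the address is not ours.
    if name.strip().lower() in EXECUTIVES and sender_domain != ORG_DOMAIN:
        flags.append("exec_display_name_external")
    # Fictitious throwaway mailbox at a free webmail provider.
    if sender_domain in FREEMAIL:
        flags.append("freemail_sender")
    # Replies are steered somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != sender_domain:
        flags.append("reply_to_mismatch")
    if URGENCY.search(text):
        flags.append("urgency_language")
    if PAYMENT.search(text):
        flags.append("payment_request")

    # Impersonated executive plus a payment request is the CFO wire-fraud pattern.
    if "exec_display_name_external" in flags and "payment_request" in flags:
        verdict = "quarantine"
    elif len(flags) >= 2:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"flags": flags, "verdict": verdict}


# Constructed sample resembling the attack described above.
PHISH = """From: Pat Smith <pat.smith.cfo@gmail.com>
Reply-To: payments-desk@outlook.com
To: accounts@example-it-firm.com
Subject: URGENT: wire transfer needed today

Please send the funds immediately via wire transfer to the bank account below.
"""

# Constructed legitimate message from the real executive mailbox.
BENIGN = """From: Pat Smith <pat.smith@example-it-firm.com>
To: accounts@example-it-firm.com
Subject: Q3 budget review agenda

Attached is the draft agenda for Thursday's review. No action needed yet.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, screen(sample))
```

Keyword lists like these only catch the Newbie and Ordinary tiers; an Exceptional Phisher will register a lookalike domain and avoid obvious trigger words, which is why the verdict is combined with the sender checks rather than relying on wording alone.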
Preventing Phishing Attempts
Unfortunately, an organization cannot prevent phishing attacks from occurring (at least not yet). However, there are things you can do to defend against these attacks.
If we keep in mind the varied skill levels of the attackers (i.e. the Bell Curve discussion above), then we will need different types of defense mechanisms to deal with different types of attacks. Additionally, as always, you should take a risk management approach to everything you do when it comes to protecting your organization’s information assets.
Let us consider some of the solutions available in the marketplace to help thwart phishing attacks. These include, but are not limited to the following:
- Improve the Security IQ of your team members with security awareness training.
- Simulate attacks with automated phishing offerings.
- Engage a third party testing firm to customize attacks for your organization.
Improve Security IQ
There are many Security Awareness Training offerings on the market today. Some will help your organization “check a compliance box.” Some will help your organization change the mindset of your team members in terms of their security readiness. Both of these solutions undoubtedly provide value.
However, it is important to think about your organization’s risk tolerance and determine the type of attacker you want to be able to fend off (i.e. Phisher Newbie, Ordinary Phisher, and/or Exceptional Phisher).
Additionally, one needs to keep in mind the possibility your organization needs both types of training. You may need to start out with compliance-oriented training and follow-up with training that will have more impact in changing the behavior of your team. Obviously, cost will always be a factor, but Security Awareness Training is very important and you should employ solutions immediately if you have not done so already.
Lastly, organizations of all sizes need to employ Security Awareness Training. Smaller organizations are under attack largely through phishers that are using automated tools. The larger the organization, the more likely it is that the organization will need to employ multiple types of security awareness training to effectively protect information assets.
Phishing Attack Simulations
There are many tools available in the marketplace that will enable security teams to perform simulated attacks. While this might not be the first step an organization takes to help thwart phishing attacks, it is one that should be considered soon, as these types of tools are relatively affordable and can help to reduce the likelihood of a successful phishing attack against your organization.
While simulated attacks are valuable, one has to be careful to make sure the attacks do not become routine. It is important to make sure you keep the attacks varied in nature to keep your team members “on their security toes”.
Engage Third Party Firms
Third party firms will work with you to customize phishing attacks. These attacks are especially valuable for larger firms that have information assets that might attract the attention of large-scale competitors and/or foreign governments. The customized attacks will typically utilize a variety of tools and can be carried out in a “low and slow” manner, so as to be as covert in nature as possible, in order to truly determine your team’s ability to thwart a sophisticated attack. Check out Digital Defense's Penetration Testing Services for more information.
In closing, we hope this information is useful to you. We will be releasing additional information shortly on different security topics. Please stay tuned and always remember to do what you can to REDUCE THE ATTACK SURFACE of your organization.
¹ - According to Wikipedia, “the dark web is the World Wide Web content that exists on darknets, overlay networks that use the Internet but require specific software, configurations, or authorization to access.” For the purpose of this discussion, the dark web enables phishers to obtain or purchase content (e.g. email contact lists) for launching phishing attacks and the special software enables phishers to launch attacks on an anonymous basis.