Email Phishing

With phishing, an attacker presents to a user a link or an attachment that looks like a valid, trusted resource. When the user clicks it, he or she is prompted to disclose confidential information such as his or her username and password. Example 4-1 shows an example of a phishing email.

Example 4-1 – Phishing Email Example

Spear Phishing

Spear phishing is a phishing attempt that is constructed in a very specific way and directly targeted to specific groups of individuals or companies. The attacker studies a victim and the victim’s organization in order to be able to make emails look legitimate and perhaps make them appear to come from trusted users within the company. Example 4-2 shows an example of a spear phishing email.

In the email shown in Example 4-2, the threat actor has become aware that Chris and Omar are collaborating on a book. The threat actor impersonates Chris and sends an email asking Omar to review a document (a chapter of the book). The attachment actually contains malware that is installed on Omar’s system.

Example 4-2 – Spear Phishing Email Example

Whaling

Whaling, which is similar to phishing and spear phishing, is an attack targeted at high-profile business executives and key individuals in a company. Like threat actors conducting spear phishing attacks, threat actors conducting whaling attacks also create emails and web pages to serve malware or collect sensitive information; however, the whaling attackers’ emails and pages have a more official or serious look and feel. Whaling emails are designed to look like critical business emails or emails from someone who has legitimate authority, either within or outside the company. In whaling attacks, web pages are designed to specifically address high-profile victims. In a regular phishing attack, the email might be a faked warning from a bank or service provider. In a whaling attack, the email or web page would be created with a more serious executive-level form. The content is created to target an upper manager such as the CEO or an individual who might have credentials for valuable accounts within the organization.

The main goal in whaling attacks is to steal sensitive information or compromise the victim’s system and then target other key high-profile victims.

Vishing

Vishing (which is short for voice phishing) is a social engineering attack carried out in a phone conversation. The attacker persuades the user to reveal private personal and financial information or information about another person or a company.

The goal of vishing is typically to steal credit card numbers, Social Security numbers, and other information that can be used in identity theft schemes. Attackers may impersonate and spoof caller ID to hide themselves when performing vishing attacks.

Short Message Service (SMS) Phishing

Because phishing has been an effective tactic for threat actors, they have found ways other than using email to fool their victims into following malicious links or activating malware from emails. Phishing campaigns often use text messages to send malware or malicious links to mobile devices.

One example of Short Message Service (SMS) phishing is the bitcoin-related SMS scams that have surfaced in recent years. Numerous victims have received messages instructing them to click on links to confirm their accounts and claim bitcoin. When a user clicks such a link, he or she may be fooled into entering sensitive information on that attacker’s site.

You can help mitigate SMS phishing attacks by not clicking on links from any unknown message senders. Sometimes attackers spoof the identity of legitimate entities (such as your bank, your Internet provider, social media platforms, Amazon, or eBay). You should not click on any links sent via text messages if you did not expect such a message to be sent to you. For example, if you receive a random message about a problem with an Amazon order, do not click on that link. Instead, go directly to Amazon’s website, log in, and verify on the Amazon website whether there is a problem. Similarly, if you receive a message saying that there is a problem with a credit card transaction or a bill, call the bank directly instead of clicking on a link. If you receive a message telling you that you have won something, it’s probably an SMS phishing attempt, and you should not click the link.

Universal Serial Bus (USB) Drop Key

Many pen testers and attackers have used Universal Serial Bus (USB) drop key attacks to successfully compromise victim systems. This type of attack involves just leaving USB sticks (sometimes referred to as USB keys or USB pen drives) unattended or placing them in strategic locations. Oftentimes, users think that the devices are lost and insert them into their systems to figure out whom to return the devices to; before they know it, they are downloading and installing malware. Plugging in that USB stick you found lying around on the street outside your office could lead to a security breach.

Research by Elie Bursztein, of Google’s anti-abuse research team, shows that the majority of users will plug USB drives into their system without hesitation. As part of his research, he dropped close to 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives. The results showed that 98% of the USB drives were picked up, and for 45% of the drives, someone not only plugged in the drive but clicked on files.

Another social engineering technique involves dropping a key ring containing a USB stick that may also include pictures of kids or pets and an actual key or two. These types of personal touches may prompt a victim to try to identify the owner in order to return the key chain. This type of social engineering attack is very effective and also can be catastrophic.

Watering Hole Attacks

A watering hole attack is a targeted attack that occurs when an attacker profiles websites that the intended victim accesses. The attacker then scans those websites for possible vulnerabilities. If the attacker locates a website that can be compromised, the website is then injected with a JavaScript or other similar code injection that is designed to redirect the user when the user returns to that site. (This redirection is also known as a pivot attack.) The user is then redirected to a site with some sort of exploit code. The purpose is to infect computers in the organization’s network, thereby allowing the attacker to gain a foothold in the network for espionage or other reasons.

Watering hole attacks are often designed to profile users of specific organizations. Organizations should therefore develop policies to prevent these attacks. Such a policy might, for example, require updating anti-malware applications regularly and using secure virtual browsers that have little connectivity to the rest of the system and the rest of the network. To avoid having a website compromised as part of such an attack, an administrator should use proper programming methods and scan the organization’s website for malware regularly. User education is paramount to help prevent these types of attacks.