Since the start of September 2019 we’ve seen some major attacks, including a Facebook data leak which exposed more than 400 million telephone numbers and an Android software vulnerability which revealed devices were susceptible to SMS-based attacks that could change device settings remotely. While these attacks and leaks trigger entire news cycles, they do not generate the highest revenue return for cybercriminals. That prize goes to phishing. It’s one of the oldest attack methods, first seen in the wild around 1995 and only gaining strength.
Phishing schemes are easier to pull off, repeatable and, because campaigns scale, only require a minuscule response rate to generate significant revenues. Some campaigns achieve this by stealing and reselling personal data, others by tricking people into making unnecessary scam purchases.
As SPAM filters have become more effective at catching a high percentage of attempts, and users are better educated to spot those that do slip through the net and end up at an inbox, phishing has had to get smarter. Most people also know that before clicking on a link it’s good practice to hover the mouse cursor for a moment to see the full URL displayed. A rudimentary phishing attempt will try to redirect to a totally unsuitable or badly named website, and, for most users, the next action will be to hit “delete” and move on.
However, new, smarter phishing campaigns are popping up as cybercriminals leverage emerging technologies and tools like spoofing, automation, machine learning and social engineering. Be on the lookout for the latest tactics:
• Using SSL certificates: Until recently, one of the simplest ways to spot a phishing site was that it would be prefixed http:// rather than https://, and so best practice was to check for the padlock. Whilst this is still good advice, there have been recent spoof sites where cybercriminals have used basic SSL security certificates to make a site look more valid and harder to spot.
• URL Unicode renaming: Increasingly, cybercriminals are incorporating international characters into URLs and hoping that, since the site name is trusted and familiar, it won’t get spotted by the intended phish target. For example, the email will appear to be from their bank and provides a handy link to “www.mybanksite.com.” It may look valid; however, upon closer inspection, the “e” in “banksite” would be an international character, causing a redirect to a realistic-looking but entirely fake site called “www.mybanksité.com.”
• Spoofing site names with HTML attributes: This is easier to spot once you are aware of it, and I’ve seen more emails using this method than the URL renaming. A totally fake site is created with a name similar to the real one. To use the previous example, “www.mybanksite.com” is faked as “www.mybanksitefake.com.” For most users this is an easy one to spot, so phishers now use obfuscation to hide the site name and hope that users will not notice “fake” at the end. In this scenario, they insert a malformed hyperlink into the phishing email:
  <a href="http://www.mybanksite&#8204;fake&#8204;(.)com">Mybanksite(.)com</a>
  When the email recipient hovers over the link it looks correct; however, the &#8204; entity (decimal 8204, the zero-width non-joiner U+200C) is an invisible formatting character that is ignored by the browser, causing a redirect to ‘http://www.mybanksitefake(.)com’. Most users will simply not spot this.
• Artificial intelligence and machine learning: Cybercriminals use AI/ML to scale attacks and reduce the time needed to execute them. This includes writing malware faster, scanning networks faster and launching scatter-gun attacks. The key difference is that if an IT team is using these technologies, they will be tested time and again. Cybercriminals don’t need to do testing because if they’re unsuccessful, they just keep trying without any negative consequences to their network or resources.
• Social engineering: Cybercriminals are also using ML/AI to integrate social information into their attacks. They can use information available on the internet and execute more targeted attacks on specific groups of people. The result is attacks that are more personalized and more likely to entice a victim to engage, whether exploiting political preferences, targeting a specific demographic or leveraging a popular event. This means, attacks are getting more personalized and more likely to get interaction at the other end.
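As an added example (not from the original article), here is a small Python check that applies the two link tricks described above to constructed sample anchors: it flags invisible Unicode format characters hidden in an href, shows the punycode form a browser would use for a host containing non-ASCII letters, and reports when the host the link text displays differs from the host the href actually points to.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Constructed sample anchors (not from any real email) mirroring the tricks above:
# zero-width characters written as &#8204; (U+200C) and a homoglyph "é" in the host.
SAMPLES = [
    '<a href="http://www.mybanksite&#8204;fake&#8204;.com">Mybanksite.com</a>',
    '<a href="http://www.mybanksit\u00e9.com">www.mybanksite.com</a>',
    '<a href="https://www.mybanksite.com/login">www.mybanksite.com</a>',
]

class AnchorParser(HTMLParser):
    """Collect (href, visible text) pairs; HTMLParser decodes &#8204; to U+200C for us."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # Lower-cased host of a URL or bare domain, with a leading "www." removed.
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url.strip(), re.I)
    host = (m.group(1) if m else url.strip()).lower()
    return host[4:] if host.startswith("www.") else host

def analyse_anchor(html):
    """Return findings for the first <a> in html; an empty list means text and href agree."""
    parser = AnchorParser()
    parser.feed(html)
    href, text = parser.links[0]
    findings = []
    # Trick 1: invisible format characters (Unicode category Cf) hidden inside the href.
    hidden = sorted({f"U+{ord(c):04X}" for c in href if unicodedata.category(c) == "Cf"})
    if hidden:
        findings.append("format chars in href: " + ", ".join(hidden))
    # Trick 2: non-ASCII (homoglyph) letters in the host; show the punycode form a browser uses.
    host = "".join(c for c in host_of(href) if unicodedata.category(c) != "Cf")
    if any(ord(c) > 127 for c in host):
        findings.append(f"non-ASCII host {host!r} -> {host.encode('idna').decode()}")
    shown = host_of(text) if "." in text and " " not in text else ""  # host the reader sees
    if shown and shown != host:
        findings.append(f"text shows {shown!r} but href goes to {host!r}")
    return findings
```

Run `analyse_anchor` over each entry in `SAMPLES`: the first two return findings, the third (a consistent link) returns an empty list.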
These attacks are getting more intelligent and evolving to new vectors, including malvertising on websites and spoofed text messages. Even basic phishing is getting better, with well-written emails using decent grammar that redirect to effective but fake sites for data harvesting. As phishing campaigns get more intelligent and adapt to try to outsmart even the savviest of tech users, there are a number of steps everyone can take to be safe. To start, we can all breathe easier knowing that businesses and internet service providers are all working hard to ensure that SPAM and phishing campaigns never reach inboxes. The latest Advanced Threat Prevention technology is capable of detecting and rejecting email content that could contain bad attachments, malformed URLs or redirects to malicious websites. All this means that the majority of SPAM emails are being turned away at the door.
As an individual, be a skeptic and expect the unexpected. The best way to avoid getting phished by an impersonation of a trusted source is to become skeptical of everything you receive. Banks will never refer to you as ‘Dear Customer’, and an unexpected password reset should never include a ‘click here’ link. If you receive an email with an attachment to ‘aid a reset’ or with ‘delivery details’ for something you don’t remember purchasing, hit delete. Become a human firewall and activate your in-built skeptic mode. The phrase “better safe than sorry” has never rung truer.