Phishing and Spear Phishing: attack techniques.

Practical cases and how to spot them

What is Phishing?

The term “Phishing” is a neologism that stems from the homophony with the word “fishing”, which literally means “to fish”, and this is in fact the main philosophy behind this kind of attack.

In practice, a fake email communication (but this is not the only tool, as we will see later) is used to try to make the victim download a malicious attachment or access a fake website that looks like the original one, for example a bank website, in order to reveal personal information such as username and password, credit card number, bank details, etc.

How dangerous is phishing?

Phishing is a truly universal technique, used for all sorts of cyber attacks and against all kinds of targets.

In other words: we cannot think of phishing as a simple and basic attack, which hits only inattentive or low-level victims. It can hit everybody and is highly effective, and this is why it is used so widely, also against very important targets.

The phishing email we are about to describe has probably changed the course of history.

The Russiagate case

Source: https://www.globalist.it/world/2018/04/16/russiagate-non-c-e-un-avvocato-in-america-disposto-a-difendere-trump-2022781.html

It is 2016 and the campaign for the presidential elections that pit Hillary Clinton against Donald Trump is coming to a head.

But the Russian hackers decide to “take part” in the electoral campaign themselves... in a not so conventional way!

Putin’s dislike of Hillary Clinton had been well known since the time when Clinton was Secretary of State under President Obama. The details of the story are by now familiar: Putin set his highly skilled state-sponsored hackers to work in order to influence the result of the elections. The Russian hacker group Fancy Bear (also known as APT28, Sofacy, Strontium), connected to the GRU, the Russian military secret service, prepared a trap for Clinton.

They could have used sophisticated hacking techniques to carry out their action. But they did not need to: some simple phishing emails, carefully prepared, were enough!

In particular, the attackers studied the victims they wanted to hit (this preparation phase is essential to ensure the success of the attack, as we will see) and determined their main target: John Podesta, an important member of the Democratic National Committee (DNC).

John Podesta was sent an email (precisely a phishing email), which looked like it came from Google and invited him to change his Google account password (see image).

The email message seemed to be a Google security notification: “Somebody has got your password”, said the email subject, and then: “Hello John, somebody has just used your password to try and access your Google account john.podesta@gmail.com”.

The message also showed the date, IP address and place where the access attempt took place: Ukraine.

And then the trap: “You should change your password immediately”, with an invitation to click on the link below, which had been shortened using the well-known link-shortening service Bitly, precisely to hide the real link.

And John Podesta clicked where he should not have: he found himself on what looked like the Google page of his profile (see image), but it was a fake, created ad hoc by the Russian hackers. On that page he typed in his real Google password, handing over on a silver platter the access key to almost 50,000 email addresses of the electoral committee of the Democratic Party.

These emails were subsequently published by Wikileaks (to which the Russians gave them) at the height of the Clinton-Trump electoral campaign, revealing to the public embarrassing information that certainly damaged Hillary Clinton, who lost the presidential elections of November 2016.

This phishing email, together with other actions against the Democratic Party carried out by the Russian hackers, has gone down in history with the name of Russiagate. The facts are by now familiar thanks to the work of the prosecutor Robert Mueller, who investigated the issue (the Mueller report can be downloaded at this link).

We can therefore claim that the American presidential elections of 2016 were influenced, maybe in a decisive way, by an ordinary Phishing email.

How does Phishing appear?

A phishing attempt can be carried out in various ways, but email is still the preferred one: every day more than 300 billion emails are sent in the world, and most of these are spam (especially) and also phishing.

But email is not the only form: there is also “whaling”, from the word “whale”, which indicates a phishing attempt aimed at a big fish, like a whale, and hence at someone in a top, C-level position inside a company. This method is widely used, for example, in the attacks known as CEO fraud, that is, Business Email Compromise (BEC) (Read here).

Phishing can also be delivered via messages on mobile devices, which today are used more and more. In this case, it is called SMISHING: “SMS Phishing”.

There is also VISHING: “voice phishing”. The word is a blend of the words Voice and Phishing and indicates a fraud attempt carried out over the phone.

Finally, another form of phishing is spreading, which is less known and more subtle: QRishing, “QR codes + phishing”. A QR code can include a link and, if we scan it, we are redirected through that link to a web page that contains malware. The use of QR codes is quite recent: they are used because they can get past the antispam defences (that could block a link within an email) and make it difficult for the victim to realise which link he or she is being redirected to.

The phishing methods listed here all share one common factor: they exploit the weak point that is easiest to attack, the human factor. In practice, they make use of Social Engineering.

Social engineering plays exactly on those human vulnerabilities, which are the most difficult to patch: panic, ignorance, curiosity, desire, authority, etc. By exploiting these weaknesses, attackers manage to obtain results very easily and cheaply. It is known that 80% of all cyber attacks are carried out through a phishing attempt. (Read here)

Over the last years, the strategies used to get past antispam filters and antivirus software have become more sophisticated; the emails used are more and more carefully prepared and often look exactly like the legitimate messages that the user expects to receive.

Today, cybercriminal organisations have become real companies, where the help of psychologists is also used to create messages that are more and more credible and deceptive.

Not only this: cybercriminals are very skilled at understanding market trends. In 2020, when Covid-19 appeared, massive phishing campaigns were immediately created to exploit topics and keywords such as Coronavirus and Covid-19. In the month of April 2020 alone, Google blocked 18 million emails every day connected to the Coronavirus.

The messages that are sent are so plausible that it is becoming more and more difficult for the average user to distinguish a phishing email from a legitimate one.

The aim of phishing is in general two-fold:

»  transmitting malware through email attachments or links, with the aim of accessing the victim’s IT systems and taking control of the victim’s computer, precisely by using malware;
»  stealing the access credentials to then “empty” the victim’s bank account or access an IT system.

The vector used to compromise the user can be, depending on the situation:

»  a link on which the unaware or distracted user is tempted to click (as in the case of John Podesta);
»  an attachment that the user does not perceive as suspicious and therefore downloads and executes.

It is advisable to clarify a further aspect about which there is still a lot of confusion: phishing is effective only if the attachments are opened or the links are clicked on. Just reading the text of the email does not result in any damage.

Phishing and Spear Phishing

The techniques used to develop this attack can be divided into two families: Phishing and Spear Phishing.

The first, phishing, can be compared to trawling: the hackers send, using automatic systems, thousands of identical emails, knowing that a percentage of these emails will reach the target and will be opened.

It’s an opportunistic and non-targeted attack: the attacker is not interested in hitting a particular target, he just wants some of the fish to fall into the net.

To make us take the bait, the attackers use emails that appear normal but are actually fraudulent. These emails are prepared, more or less accurately, to look real, like the ones that a courier could send us to announce the shipment of a package, or like those that phone or electricity providers send us with attached invoices.

How can hackers find email addresses?

They try... or at least this is a very common method, but not the only one.

In fact, the most used technique is the Dictionary attack, which is simply based on guessing the addresses. In practice, the attacker tries to create addresses that could actually exist. For the part to the right of the @, valid domain names are used, while for the part on the left the attackers generate strings based on some logic, mainly people’s names.

This is why the address name.surname@domain.it is one of those most subject to this type of attack.

Alternatively, they use Address lists. These are lists acquired from subjects that collect them with the aim of re-selling them.

Finally, they can get the addresses using a Spambot, which is a particular type of web crawler capable of collecting email addresses from websites, newsgroups, posts in discussion groups and conversations in chat rooms.
Spambots are based on the same working principle as crawlers (also called web crawlers, spiders or robots), which are software programs that analyse the content of a network or a database in an automated way, usually on behalf of a search engine.
Unlike these, spambots look for all the email addresses available in the web pages.

The second method, spear phishing, is instead a targeted attack (fishermen use the spear to catch exactly “that” fish).

The victim of the attack is carefully selected and studied.

Today, it is very easy to collect information about a person through social networks and the web, also because of the large amount of information that we ourselves publish there, unaware that all this can then be used against us (Read this as well).

Once detailed knowledge of the victims is acquired, the attackers can send emails carefully prepared to catch the attention of the victims and deceive them.
In this case, the emails are not written using automatic systems, but rather by people who will try to look credible in the eyes of the victim, mentioning true names and details. Sometimes, the sender’s email address may be falsified using a technique known as spoofing.
Therefore, it will look like the email is arriving from a known and trusted person (a colleague, a superior, a family member or a friend) and it will be much more deceitful. And, in all probability, it will not be blocked by the antispam, exactly because it is well-prepared.

Nowadays, spear phishing emails are the most widespread delivery vehicle for all sorts of attacks, and especially for the most worrisome ones: regardless of the attack’s objective, the intrusion method will most likely be a spear phishing email, as happened with John Podesta and also in famous IoT attacks, like BlackEnergy, which we discussed in this article.

Detecting Phishing

We explained that phishing attempts are carried out in either of two ways:

»  A malicious link

»  An attached file

Let’s now see how to recognise these attacks in the two different cases and how to defend ourselves.

Paying attention to the links: Typosquatting

The percentage of emails that contain at least one link varies between 10 and 20% (source: LibraEsva).

The malicious links included in emails (or also in a message, like in the case of Smishing) point to Phishing sites, which can be:

»  Legitimate websites that have been compromised,

»  Websites built with the aim of a phishing campaign.

It is worth dispelling a popular misconception that can expose us to phishing attacks: it is NOT true that HTTPS websites (those with the padlock) are safer!
On the contrary, exactly because they are deemed to be safer, they are being used more and more for these attacks.
The Clusit 2021 Report confirms this: in financial phishing, 91.2% of the phishing URLs use the HTTPS protocol (see image).

One technique used to deceive us with false links is typosquatting, or the homoglyph attack: a deceptive link that exploits the visual similarity of different characters.

“Typo” indicates a typing error. Hence, typosquatting consists in registering decoy domains whose name differs by just one or at most two letters from that of a well-known website.

The characters, letters and numbers, that look alike are called homoglyphs.
These tricks are actually trivial, but they often manage to deceive users who are just a little distracted.

Avoiding falling prey to these tricks is actually quite simple: it is enough to type the correct, known website address in manually instead of following the link offered in emails. If John Podesta had looked for the correct Google link instead of clicking on the one available in the email, maybe Hillary Clinton would not have lost the elections…
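
The comparison described above can also be automated by a mail filter. The following sketch is an added example, not part of the original article: the allow-list, the look-alike table and the sample links are constructed, and the "last two labels" rule is a simplification of real domain parsing.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: the domains this organisation really uses (assumption).
KNOWN_DOMAINS = ["google.com", "paypal.com", "microsoft.com"]

# Small constructed look-alike table (digits, letter pairs, Cyrillic); not exhaustive.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def registered_domain(url):
    """Last two labels of the host; a real deployment needs the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")   # xn-- punycode -> Unicode
    except UnicodeError:
        pass                                         # host was already Unicode
    return ".".join(host.split(".")[-2:])

def skeleton(domain):
    """Fold a domain to the form a hurried reader would perceive."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    for lookalike, real in HOMOGLYPHS.items():
        folded = folded.replace(lookalike, real)
    return folded

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, imitated_domain) for one link taken from a message."""
    domain = registered_domain(url)
    if domain in KNOWN_DOMAINS:
        return ("legitimate", domain)
    folded = skeleton(domain)
    for known in KNOWN_DOMAINS:
        if folded == skeleton(known):
            return ("homoglyph", known)
    for known in KNOWN_DOMAINS:
        # The article's definition: the name differs by one or at most two letters.
        if edit_distance(folded, skeleton(known)) <= 2:
            return ("typosquat", known)
    return ("unknown", None)

# Constructed sample links.
SAMPLE_LINKS = ["https://accounts.google.com/signin", "http://g00gle.com/reset",
                "https://rnicrosoft.com/", "https://gooogle.com/", "https://example.org/"]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, classify(link))
```

An "unknown" verdict only means the domain does not imitate an entry of the allow-list; a shortened link, like the Bitly one in the Podesta email, has to be expanded before it can be classified.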

In the table hereafter we report some examples of links that have been falsified with typosquatting.

 

In the most complicated cases, when it is difficult to understand whether we are facing a legitimate or a fake URL, some services available online come to our rescue. One of the easiest and most trustworthy is VirusTotal, a service that belongs to Google and that performs a free analysis of files and/or URLs to discover viruses and malware inside.

Through this link it is possible to insert (by copying and pasting) the link that we received and of which we are uncertain.

VirusTotal offers the same service also for file analysis (for example for suspicious attachments) at this link.

So, a little attention and a few seconds of patience (which unluckily we often lack…) are all that is needed in order to defend ourselves from these attacks.

The most dangerous attachments

The other weapon used in phishing attempts is the attachment. Attachments are used less than links because they are easier for antispam services to detect. They are nevertheless used in a sneaky way and, as we will see, they often manage to deceive both protection systems (antispam and antivirus software) and human defences.

In order to do so, attackers use the file types that we use the most and that are the most familiar to us.
It may come as a surprise for some to discover that the most frequent malicious attachments are not .exe or .scr files, which all sorts of antispam can block. The most used, as can be seen in the graph below (source: TrendMicro), are Office files (Excel and Word) together with .pdf.

These three families combined make up 75% of the malicious attachments sent.
So, can Excel and Word files be malware? Obviously not, but they can act as droppers, meaning they can be the agent that starts the infection chain.

Around 13 to 20% of the attachments in Word (doc and docx) and Excel (xlsx and xls) formats are malicious droppers, because they are loaded with macros (written in VBA, Visual Basic for Applications).

When we open the file we will be asked to enable the macro: if we do so, it will be activated and it will execute scripts or links to connect to the attackers’ Command and Control (C&C) servers, from which it will then download the real malware onto the infected system.
This is why it is extremely important to disable the use of macros in Office files. But this measure, which all companies should adopt, is not enough: it is also important to train users so that they know these risks and do not enable any macros on Office files unless they come from an absolutely safe origin.

.pdf files can also include malicious scripts, although these are less powerful for developing a cyber attack.

 

Over the last years, we have observed an ever increasing use of Word and Excel attachments to spread malware. In order to hide the attack better and make it more efficient, the Word/Excel file is often encapsulated in a .zip file protected with a password (see image).

But what should make even a slightly careful user suspicious is the fact that the password used to open the .zip file is exposed in the email body, which makes it absolutely public and hence useless.

So, why a .zip file protected with a password? Simply in order to make it inaccessible to antispam and antivirus controls.

If we insert the password and open the zip file, we will find inside a Word (or Excel) file for which we will be required to “enable the macro”. If the macro of an Office file is not executed, the malware will not be able to infect the device. Therefore, let’s always pay attention before clicking and giving these authorisations!
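
The checks a mail gateway could apply to the pattern described above (a password-protected .zip whose password sits in the message body, and Office files that carry macros), as an added example that is not part of the original article. It covers only the zip-based Office formats; the function names, the keyword list and the sample message are constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

PASSWORD_HINT = re.compile(r"\b(password|passcode|pwd)\b", re.I)  # constructed keyword list

def has_vba(data):
    """True if a zip-based Office file (docx/docm/xlsx/xlsm) holds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def triage_email(raw):
    """Return [(attachment, finding)] for the patterns described above."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue                      # legacy .doc/.xls (OLE) are out of scope here
        if has_vba(data):
            findings.append((name, "office file with VBA macros"))
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            infos = z.infolist()
            if any(i.flag_bits & 0x1 for i in infos):   # bit 0: entry is encrypted
                hint = PASSWORD_HINT.search(text)
                findings.append((name, "encrypted zip, password in body" if hint
                                 else "encrypted zip, content not scannable"))
                continue
            for i in infos:               # plain zip: look one level inside
                if has_vba(z.read(i)):
                    findings.append((f"{name}:{i.filename}", "office file with VBA macros"))
    return findings

def make_zip(member, content, encrypted=False):
    """Build a constructed zip; 'encrypted' only sets the flag bit, data stays plain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, content)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x01   # flag bits in central directory
    return bytes(raw)

def constructed_sample():
    """Constructed message: flagged-encrypted zip plus a macro-bearing .docm."""
    m = EmailMessage()
    m.set_content("Invoice attached. Password: 1234")
    m.add_attachment(make_zip("invoice.docm", b"opaque", encrypted=True),
                     maintype="application", subtype="zip", filename="invoice.zip")
    m.add_attachment(make_zip("word/vbaProject.bin", b"stub"),
                     maintype="application", subtype="octet-stream", filename="report.docm")
    return m.as_bytes()
```

An encrypted archive cannot be inspected by the gateway, which is why the sketch treats the combination "encrypted zip plus password in the body" as a finding in its own right.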


In the phase that precedes the attack, the protection systems that FlashStart supplies are extremely useful: if the macro is enabled and becomes active, it will launch, as said above, a script to download malware from the attackers’ Command & Control servers.
Here, the FlashStart defences are able to recognise the suspicious link to which the victim device is trying to connect and block it, and therefore also block the malware download.


The author

Giorgio Sbaraglia (https://www.giorgiosbaraglia.it), engineer, is a consultant and trainer on the topics of cyber security and privacy.

He holds training courses about these topics for numerous important Italian companies, including the 24Ore Business School (read here).
He is a member of the Scientific Committee of CLUSIT (Italian Association for Cyber Security) and an Innovation Manager certified by RINA.
He has DPO (Data Protection Officer) positions in companies and Professional Associations.

He is the author of the following books:

“GDPR kit di sopravvivenza” – “GDPR survival kit” (Edited by goWare),
“Cybersecurity kit di sopravvivenza. Il web è un luogo pericoloso. Dobbiamo difenderci!” – “Cybersecurity survival kit. The web is a dangerous place. We must defend ourselves!” (Edited by goWare),
“iPhone. Come usarlo al meglio. Scopriamo insieme tutte le funzioni e le app migliori” – “iPhone. How to use it to its full potential. Let’s discover together all the functions and best apps” (Edited by goWare).

He collaborates with CYBERSECURITY360, a specialised online magazine of the group Digital360 focusing on Cybersecurity.
He writes also for ICT Security Magazine, Agenda Digitale, and the magazine CLASS.

