Phishing: The Great Guide to Protection 
Hundreds of millions of people around the world experience phishing every year. With the help of it, the largest companies in the world are hacked, and over the past year there has been a sharp increase in such cases. In this article, I will talk about phishing and what methods are used by cybercriminals to trick even the most careful users, and how to effectively defend against it.
To give the most relevant and comprehensive information, including the one that isn’t in open sources, I contacted my friend, a hacker, who has been on the “dark side” for more than 10 years and knows cybercrime from the inside. He calls himself Irbis.
I asked my contact to share information on the latest fraudulent techniques used in phishing, show the real facts, tell about techniques and malware used, and give recommendations on how to protect yourself and your companies from phishing attacks.
Irbis also talked about new technology for intercepting cookies through a proxy, which allows you to penetrate users' personal accounts without a username and password.
Based on his words and using my experience in the field of security and research of VPN services (Virtual Private Network Services), I will provide comprehensive information on the phishing situation in 2021.
The most dangerous phishing techniques in 2021
Cases with millions in losses.
This article is also:
- a practical guide for computer users,
- a practical guide for companies on how to improve their protection against phishing attacks, including recommendations for training your staff.
? Table of Contents:
- What is phishing and why it is the strongest weapon in the hands of a hacker.
- 3 strong phishing technologies.
- Examples of phishing.
- How can I protect myself from phishing?
- Technical means of protection.
- Phishing pictures.
The article covers technologies that should be used for vulnerabilities in security systems. Any use of these techniques for hacking or unauthorized access is illegal. All information is provided only to inform you about the most serious threats to improve security and protection.
Previously, phishing was called fraudulent emails sent in order to obtain personal and secret data, such as logins, passwords, bank card details, and others. Today this concept has expanded significantly. Now, any fraudulent content that a user receives from scammers is called phishing.
Phishing is used not only to steal information but also to launch malicious attachments containing exploits and malware, which has recently led to enormous losses and the loss of important data.
⚠️ 80% of successful attacks start with phishing (and some think that all 95%)
- Social network
- Phone calls (vishing)
- SMS messages (smishing)
Email phishing has been and remains the most widespread. This is due to three reasons:
- It is easier for fraudsters to remain anonymous.
- You can do bulk mailings.
- Mail is more often used in commercial companies and government organizations, where there is more information of interest to cybercriminals.
In recent years, this type of phishing has been combined with phone calls.
The main types of phishing
Phishing emails. Sending emails with attached malware or with a link to malicious pages on the Internet. In such letters, either the sender is substituted or made indistinguishable from the address of a person or organization that the recipient of the letter trusts:
Phishing websites are also widespread. There are affiliate programs that provide ready-made phishing pages (landing pages) for distribution. This method is most often aimed at casual users or works in conjunction with other technologies. For example, a phishing email is sent to the victim's email with a button to go to a phishing page that steals personal information.
Messengers, social networks, and SMS are most often used to send links to phishing pages, apps, or directly to download a malicious APK installation file that contains a Trojan or a downloader that downloads and installs several Trojans.
Phone phishing is a popular type of scam in recent years, in which a victim is misled on behalf of a bank, government agency, or other trusted source. Read more about this type of scam in the chapter “Vishing”.
The danger of phishing
At first glance, it may seem that everything is arranged banally simply - ordinary spam comes with fraudulent text and a link. It is quite easy - don’t click on unknown links.
And so it was 10-15 years ago.
Take a look at an example.
What if you receive a letter from your bank that is formatted 1: 1 like a real letter from this address? The letter will contain a notice about the possible hacking of your bank account and the need to change your password. This is likely to grab your attention, and the fear of a breach will impede your logical thinking. The link that will be in the letter in the form of a button to go to the bank's website won’t arouse suspicion. And even after you go to the site, you, most likely, won’t suspect anything, since it will be an exact copy of your bank's site. You will see a password reset window, where you need to enter the old and new passwords. After that, you will successfully go to the real site of the bank and calmly close it. And the hackers will receive your password.
The question arises - how could the letter come from the bank’s real email?
Using email spoofing. Completely legal technology for spoofing the sender's address. There are many free and paid sites on the Internet that position themselves as raffle sites. Or this address just looks like a real one, but it contains extra characters. In more complex cases, according to Irbis, private technologies are used, which hackers sell for $ 300 or more.
And what about the bank's website page? How is the address of the real site forged?
It's even easier. In 2009-2010, ICANN (Internet Corporation for Assigned Names and Numbers) introduced a new standard that allows the use of national alphabets in domain names. Many letters that look the same are actually different codes and are handled differently. This is used by cybercriminals to spoof the domains of banks, social networks, and any other websites. But there are other approaches as well.
Today there are four methods used to create phishing domains:
- Using Unicode Characters (Described above). Examples are iberiabank.com and iberiabank.com. These are two different domains. In the second case, one of the A is replaced by the Cyrillic A.
- Replacement of individual characters or their duplication. For example, citizenbank.com instead of citizensbank.com.
- Domain zone replacement. For example, replacing .com with .co, and so on.
- Creation of the subdomains chain. For example paypal.com.security.panel.ws. it uses an "add-on" over the unremarkable domain panel.ws. This method is especially effective on mobile devices where the length of the URL field is limited.
The given example is just one of hundreds or even thousands of possible variants of “plausible” phishing.
Medha Mehta, a security researcher and technical writer from SectigoStore, shared one of her recent phishing emails with me.
I received this interesting phishing email last week that I would like to share here. As you can see in the screenshot, how flawlessly hackers have used PayPal’s logo and writing style! In the “from” field, they have written two email addresses. One is “service @ pⱥypⱥl.com.” To less vigilant eyes, it does look like “@paypal.com.” It is called the homograph domain, which is the part of cybersquatting attacks. Next is the sender’s original email address, which is coming from Gmail. I like to remind readers that an authentic PayPal email comes only from the email address having “@paypal.com” in it. If it is coming from generic email services like Gmail, Yahoo, AOL, etc., it is a sure sign of a phishing email.
The Internet in 2021 already has a variety of anti-phishing tools. So, Google Chrome can warn the user about a dangerous page, many mail services analyze incoming mail for email spoofing, the widespread introduction of https addresses allows you to see the certificate of the site being opened, and much more.
But the weak point of this system was and remains the users themselves.
Inattentive or scared people don’t pay attention to site addresses, and most often they don’t check the plausibility of information through a call to the sender. But even careful people can easily fall for the bait of intruders if, along with the letter, they receive a mobile call from their bank number, where the dummy operator will confirm the information in the letter.
Thus, the main danger of phishing is the human factor. High human vulnerability to social engineering and the use of technical means.
Next, I will use real examples to show how cybercriminals get passwords from social media accounts and talk about a new, still uncommon, but very dangerous technology for intercepting cookies through a proxy.
Only 61% of Americans surveyed by ProofPoint answered correctly what phishing is. Even fewer - 30% and 25% correctly answered what is smishing and vishing.
At the same time, more than 80% of Email users on work computers:
There is a clearly insufficient level of awareness of the most widespread attack on the computers of companies and individual users in use today.
And this is against the background of the fact that the number of phishing attacks in the world is growing. Last year, there was one fraudulent email out of 4200 sent:
At the same time, the main goals of cybercriminals remain very serious.The threat of ransomware infection is growing. This type of attacks is especially dangerous, since, ultimately, it leads to 50% of the paralysis of the company's work without the possibility of data recovery, and only in 25% of cases, those who paid the ransom, recover the company's performance, while incurring colossal losses.
Another important indicator is of concern. According to ProofPoint, about 30% of the recipients of phishing emails tended to interact with them.
These facts indicate a lack of understanding of the threats posed by phishing.
Read on and you won’t only learn all the actual techniques used by cyber fraudsters, but also learn how to protect yourself or your company from being scammed by phishing.
Professional cyber fraudsters combine the best social engineering techniques with technical means. Today, the most advanced and strong ones are Email Spoofing, SIP, and the latest technology Phishing Proxy (Phishing by Proxy).
Spoofing the sender's email addresses is called Email spoofing. The From, Reply-to, and Sender entries are forged in the body of the email. This is possible thanks to the specification of the SMTP protocol, which has been used to transmit email since 1982.
Modern mail servers use additional authentication methods, so more often messages with a fake sender are blocked before reaching the addressee. But cybercriminals know how to forge certificates if necessary. Due to their laboriousness, such mailings are used pointwise when attacking, for example, a certain company with the aim of further infecting its ransomware.
To increase their effectiveness, scammers began to frequently call their victims. At the same time, they use the opportunity in SIP (Session Initiation Protocol) to change the caller's number.
This technology is based on VoIP - calls over the Internet to a mobile phone.
For the person receiving the call, it doesn’t contain any notification that this isn’t an ordinary GSM connection, but IP telephony. Therefore, it is impossible to determine who the caller is and where he is.
The only way to check is to make a callback. In this case, a connection will occur with the real owner of the number, and you can ask if they called from this number.
The situation is complicated by the fact that professional fraudsters make every effort to ensure that the victim performs the necessary actions before hanging up or using the fact that autoresponder bots are being introduced everywhere, from which it is almost impossible to quickly get an answer to a non-standard question.
This technology is also actively used in VoIP spam.
The most technologically advanced way to help cyber fraudsters steal account login information is to use specially configured proxy servers that intercept authentication data, as well as browser cookies that contain temporary login data bypassing two-factor authentication.
In fact, using such a proxy allows you to combine fishing with hacking using a man-in-the-middle attack.
Previously, it was believed that if you use an https connection is safe, since the data is securely encrypted by the TLS protocol, and ordinary phishing sites cannot bypass two-factor authentication. It was believed that even if the cookies were intercepted, it was impossible to use them since the IP address did not match.
But today this is no longer the case. In the next chapter, I'll show you an example of capturing the authentication data of a real Linkedin account using the EvilGinx2 tool, which is publicly available on GitHub.
Always carefully check the URL of the page on which you enter your login information for your accounts. This is the only thing that can help against professional cyber fraudsters using web fishing.
- Usual hacking of a social network account
- Hacking an account protected by two-factor authentication
- Stealing money from a bank account
- Attack on a company for the purpose of crypto-encryption
- The real story of the victim of vishing
- World practice
Here are 6 examples that clearly illustrate the capabilities of cybercriminals and highlight our vulnerability to this type of threat on the Internet.
Let's look at an example of stealing FB credentials using email spoofing.
The hacker sends a letter to the victim's email address on behalf of his acquaintance, boss, company, or other senders that the recipient trusts (it is recognized in advance by activity on social networks or otherwise). In this case, the sender's address is faked using special scripts running on the scammers' server.
The email contains a link or button with a link to a page with incredibly tempting offers. It could be an online store with incredible discounts, a free course, anything that interests the victim.
On this page, you will need to log in using the social network.
The victim clicks on the “Sign in with Twitter” button and enters his login information.
At the same time, they are saved in the hacker's database.
In the previous example, cybercriminals only get access to the username and password. We know someone else can only use them if two-factor authentication isn’t enabled.
Otherwise, fraudsters will need to confirm their entry via a smartphone.
I will show with a real example that today there are technologies to bypass this limitation using the example of the EvilGinx2 framework.
The software is installed on the server to which the phishing domain is linked. It doesn’t require the creation of fake content that mimics the target site. Instead, EvilGinx2 acts as a proxy, fetching content directly from that site and serving it to the user.
But it is different from a regular proxy. It uses man-in-the-middle functionality, in which the proxy acts as an intermediate HTTPS server between the site and the client. Unlike the first version that appeared in 2017, EvilGinx2 is also a DNS server, which allows access to the cookie data transmitted to the final site.
The screenshot shows the settings that allow you to activate or deactivate the interception of authentication data of all popular Internet portals, a well-known cryptocurrency exchange, and mail services:
- Twitter (desktop & mobile)
As you can see, only LinkedIn is currently activated for the test.
What happens if you go to the domain associated with this proxy?
The above example uses the hackingatitsfinest.com domain created specifically for demonstration:
So, there is an installed EvilGinx2 framework and a domain bound to it.
When we open it in a web browser, we see the content of the Linkedin.com login page:
It is no different from the real linkedin.com login page. But its address is different now - hackingatitsfinest.com:
At the physical level, the site doesn’t open in the user's browser, but on the cybercriminals' server. It is the IP address that linkedin.com "sees". All cookies, with which you can re-enter the target site, also go to the proxy server. The same goes for two-factor authentication data if enabled.
In fact, the victim only controls the hands of cybercriminals by typing a password and entering a confirmation code.
This is what the log of a phishing proxy looks like after authentication on linkedin.com:
An example is taken from YouTube channel System Exploited.
After that, the hackers get unlimited access to the stolen accounts.
The main danger of this method is that it allows you to bypass most of the security measures - login confirmation via SMS and multifactor authentication.
To protect yourself from such phishing attacks, you need to avoid opening any links and buttons obtained from the Internet, and in the most critical cases, use hardware keys.
The third case will be about phishing, which led to theft of money from a credit card.
The victim's personal email received a letter from his bank. The letter, drawn up exactly as the bank usually does, indicated the surname and first name and said that the password had to be reset. Suspicious activity was allegedly observed in the user's account.
The user was prompted to click on a button to go to the bank's website.
At the same time, a call came to the mobile phone from the bank's short number. The operator greeted and introduced herself. In the background, the characteristic sounds of a call center were heard. Nothing aroused suspicion.
A voice on the phone confirmed that the password needs to be reset.
The victim clicked on the button and was taken to a site that looks identical to the real site of the bank. The URL looked correct at first glance. In the middle of the screen was a password reset window. It was necessary to enter the old password and enter the new one twice.
After that, it was redirected to the bank's original website.
The “client” did not suspect anything, and the cyber fraudsters gained access to the management of his account and stole a large amount of money.
This example illustrates how criminals can combine different forms of phishing.
Business email compromising (BEC) phishing causes the most damage to businesses around the world. Cybercriminals extract the maximum benefit by infecting the computers of companies and government organizations with ransomware and then demanding a ransom.
Such cases happened, for example, at the University of California San Francisco, which was forced to pay $ 1,800,000, and Garmin, which paid more than $ 2,300,000 to unlock their data.
In both cases, the infection occurred through computers compromised via email phishing. The ransomware, using social engineering skills, gained confidence among employees and made them launch emails attachments. These attachments contained exploits (malicious code that bypassed OS protection) that first installed a downloader program on their computers without anyone noticing, and then malware to monitor and spread over the network. After that, they encrypted the data on key servers.
Since 2020, ransomware has also emerged where attackers call their victims and intimidate them. Some of these threats are being implemented. As a rule, this is the publication of secret stolen data on specially created sites in the event of non-compliance with the requirements.
In some countries, vishing (read more about vishing further in the article) has gained such momentum that it is difficult to meet a person who regularly doesn’t receive calls, allegedly on behalf of an employee of his bank, about the need to make a payment.
Russia is a prime example. The country's inadequate legislation against Internet fraudsters and corruption has created an incredibly extensive collegiate structure in prisons.
Inmates get access to mobile phones and, through organized VoIP networks, ring up bank clients. The databases of subscriber numbers are sold by bank employees themselves since there is no severe punishment for such actions in Russia.
Here is a translation of the story of one of the victims of vishing.
All my life I thought that I was so smart, I think critically that this won’t happen to me ...
A girl called me from a "Moscow" number. Introduced herself as an employee of those support centers, and asked: "Can I talk to Andrew?" Then she said that there was a suspicious entrance in my personal account from an IP address from the city of Omsk (I live in Krasnoyarsk), as well as an attempt to transfer funds to the name of some unknown man.
I say no, and in general, since when has Sberbank been calling from Moscow numbers? To which they answered me, they say, I understand your distrust, so go to the Sberbank website in the "Contact Center" section, I will call you back from one of the phone numbers indicated on it:
She called me back from this phone. Yes, now I see that it is for serving corporate clients, but then I did not even notice.
Then she asked to confirm the information, namely, she dictated my card number and my date of birth. I replied that everything is correct. Then she transferred me to a security officer. A young man began to talk to me. He talked for about 10 minutes, trying to clarify where I could have disclosed personal data. I was also kindly offered to be sent a copy of the contract to my email account since I lost my contract.
All the time that I was reading it, the young man was on the phone and asked if I understood everything. At the same time, both the girl and the guy had the sound of a working call center in the background. The essence of what was written there can be summarized as follows: if an unauthorized entry into your personal account occurs, you need to go through the procedure of "reinsurance" of funds, for this, they must be transferred to the following account numbers and there are 5 sets of numbers.
Then I am told to transfer all cash accounts to my debit card, which he dictated to me, and proceed to the ATM.
I was kindly advised that in my personal account there is a button for transferring funds from account to account. And even from a credit card to a debit card.
After I transferred all the money to my debit account, I was asked where I was? After giving the address, they told me where there is an ATM nearby that meets the requirements. It ended up being in a neighboring building.
I went to the building, and this assistant, who was cheerful all this time on the phone, told me that I needed to withdraw cash from the card and transfer it to accounts with insurance. And this insurance is concluded with Body2. Just in case, I dialed 900 - the main number of my bank.
The Sberbank bot answered me. This conversation, I will never forget: “Hello, Andrey! We have recorded the operation. Do you want to confirm it? "," No "," How can I help you? ", "Connect me with the operator?", “I understand that you want to contact the operator, but can I still help? Name the question which you want to contact the operator about? ", “I need to contact support!" and at this point, the connection is cut off and the "Sberbank security service" calls me again.
Then he again “leads” me to the ATM, where I, like the last idiot, transfer 45,000 rubles (~ $ 600) to the first “account - number in Body2”. This happened twice. Then, on a call, I transferred another 15,000 rubles ($ 200).
It seemed to me all very strange and suspicious, and I lost hope of calling the bank and get a hold of a human operator.
Then I run to Sberbank. I explain the situation. They tell me that they are 100% scammers. I give the workers my receipts (5 pieces of 15,000 rubles each, because while I was running I lost 2 receipts) and they are trying to cancel the operations. At first, they gave hope that the operations did not go through, they were "being processed." But in the end, they could not do anything. They received a fraud report from me, and I went to the police.
The presented example clearly describes how meticulously and professionally scammers carry out their schemes. Imitation of the sound of a call center, knowledge of the peculiarities of the bank, obtaining data on the location of the victim and ATMs near him. Also, everything was complicated by the fact that a bot is working on the main phone number of the bank's support service.
The fraud would not have worked if Andrei had been able to contact the real support service the first time or gone to the bank. Therefore, it is extremely important not to rush, despite the words of the operator, but to find a way to contact the bank.
Such schemes are relevant for all countries.
In 2021, phishing is present in all countries of the world with an Internet connection. Only its technology and purpose are different.
For example, in recent years, attacks on companies have been gaining momentum in many countries in order to paralyze their activities using ransomware (malicious encryption programs). Spear phishing is most often used to introduce them into corporate networks.
Identity theft news comes from all over the world.
So, in January 2021, the famous Indian journalist Nidhi Razdan said on Twitter that she was deceived by scammers and gave them her personal information, including access to social media accounts. In a letter sent on behalf of Harvard University, there was an invitation to work as an assistant professor of journalism. The journalist entered into correspondence and realized too late that they were scammers. Harvard University had nothing to do with these letters.
I have been the victim of a very serious phishing attack. I’m putting this statement out to set the record straight about what I’ve been through. I won’t be addressing this issue any further on social media. pic.twitter.com/bttnnlLjuh
— Nidhi Razdan (@Nidhi) January 15, 2021
Billions of dollars a year is the price we pay for our carelessness and gullibility. This is how much the damage inflicted by cybercriminals who carry out attacks via phishing emails, pages, messages on social networks, SMS, and calls is estimated.
I am publishing a series of recommendations based on my own experience and information from Irbis.
The steps taken will largely depend on whether you are an individual or are involved in company security. Therefore, I have divided the information into two guides. The first is more suitable for individual users. The second will be useful for company owners and employees who access the corporate network.
- Never (NEVER) go from emails to sites, especially if they are related to finance or social media. It doesn't matter if it's a link or a button. If you need to go to your bank or your Twitter, then do it in the browser directly through the URL bar or the Favorites button in the browser. The only reason to click on the link might be if you received the confirmation email you were expecting.
- Stay alert or get nervous if there is something urgent in the letter. Always remember that if it was really urgent, you would be contacted in a different way. Thus, hackers can force you to do something rash.
- Never go from emails to sites that you don’t know or that are known as proxy domains. For example, Bitly, Cutt, Shorturl, and others. Even if they came from your friends or well-known companies.
- Never log in using the buttons of social networks and Google on the pages that you got from the mail, SMS, or messages in messengers.
- Whenever possible, check the page URL after navigating to it from emails, or messages. Most often, fake addresses differ by one letter or domain zone (characters after the period in the site name). If the site domain contains more than one subdomain, then pay attention to the last 2 words. For example, paypal.com.billing.bankus.info isn’t affiliated with paypal.com. This is just an “add-on” of the bankus.info domain.
- If your web browser warns about security problems with a site, then 99% it is phishing or scam (fraud). In rare cases, administrators forget to renew a domain certificate. But in this case, it is still better not to visit it.
- If you received a message in the messenger from a friend with a request to go to a certain site where you need to log in, then contact him in another way and specify whether he sent you this message.
- Similarly, if you are asked to transfer some amount of money or cryptocurrency.
- If you get a call from a bank or other organization for something urgent and you need to make a payment, hang up and call this organization yourself. You can always refer to a bad connection. The same goes for a “confirmation” phone call after receiving an email. Remember that cyber fraudsters can fake not only the phone number but even the sounds of the call center in the background. At the same time, they can know a lot about you, preparing for a call up to several months.
Let's analyze in which cases cybercriminals use phishing to attack businesses.
Most often, cyber fraudsters come into contact with the target in advance. They gain their trust in various ways - they can introduce themselves as an employee from another department and carry on correspondence on behalf of a real person, they can introduce themselves as civil servants. Anyone. There is no single scheme by which a professional phishing attack can be calculated.
Therefore, in order to minimize the threat, it is extremely important to train personnel to be always on the alert and to be as suspicious of everything new as possible. Moreover, not one-time, but constantly. It should be remembered that today the most “successful” attacks are carried out after a long development.
Thus, personnel training is the main focus of anti-phishing protection.
Unfortunately, there is a lot of complexity here. The larger the company and the more employees it employs, the greater its vulnerability.
Let me give you an example.
In December 2020, one of the largest companies in the IT industry, GoDaddy, conducted a blind test.
They sent out emails to their employees offering a $ 650 bonus. The essence of the text was that in connection with the impossibility of holding a corporate party in connection with the coronavirus, the employees are entitled to financial assistance.
A form for entering personal data was attached to the letter.
500 (!) Employees did not pass this test. And this is after passing safety courses.
It is obvious that the human factor is the weakest point in companies.
It is imperative to regularly train staff.
I will list the recommendations by which you, without involving third-party companies, can significantly increase the security of the company.
- Avoid formulaic language and lengthy lectures that have little practical advice.
- Divide employees into segments according to their occupation and train each segment separately. Understand the specifics of their work and together try to create a kind of checklist for each group, in which all working points are clearly spelled out. This is necessary for the employee to better understand what kind of correspondence is “clean”. The bottom line is that at the slightest difference from what is written in the checklist, the employee contacts the sender in a way other than email and double-checks. If this wasn’t possible, I would contact the authorities. When new “white” patterns appear, they need to be added to the checklist.
- Identify those workers who you think are most susceptible to suggestion and give them one-on-one sessions.
- During training, conduct a dialogue with employees.
- If you see that training doesn’t help someone, that the person cannot react flexibly to the situation and obviously won’t cope, make an individual stop list for him in addition to the checklist. It is also advisable to analyze the role of such an employee in the company.
What issues should you pay attention to in training?
Unfortunately, there is no magic formula for all occasions. Again, flexibility and suspicion are important in everything that is at least a little different from ordinary routine letters, calls or messages.
Therefore, teach employees not to be afraid to double-check. Many executive team members may be over-zealous in new tasks, or over-autonomous when they receive what they think is important information via email or phone calls. Encourage employees to double-check any new information.
- Maximum suspicion.
- Any links, buttons, and attached files are dangerous.
- All messages regarding the transfer of funds or other financial transactions must be confirmed by a phone call or through corporate messengers. Moreover, the voice must be familiar to the employee.
- Open attachments to letters from regulatory authorities only after a callback.
- Never resolve work issues through personal emails or messengers of employees (as well as employees among themselves). An exception is audio or video communication.
- Hackers can defraud information from workers looking for work. For example, a real case:
There is a type of attack called SQL Injection. This is a database attack. As a rule, in such cases, the hacker only needs to know the structure of the database. Without this, an attack cannot be carried out. To address this issue, the hackers posted an advertisement for the hiring of a database specialist. Very good conditions were offered, but it was necessary to pass the test - to provide an example of their developments. The employee provided his case, giving out the structure of the company's database.
Warn about responsibility for the release of any technical information or the use of specific data on the company's work. Even in a "stripped down" form.
- Hackers can pre-gain trust or hack other people's emails. Therefore, all letters with a link, button, or an attached document are considered suspicious, regardless of who sent it.
- Avoid the use of duplicate passwords. Different programs, services, emails, etc. should have different passwords. Moreover, their length must be 8 or more characters. Mandatory upper and lower case letters, numbers. It is also advisable to add symbols shown on the keys above the numbers or punctuation marks.
- Never enter usernames and passwords, as well as not authorize using social networks on pages opened from email or messages in a personal messenger.
- Don’t send passwords in cleartext.
- Always discuss all urgent matters by voice. This will disarm cyber fraudsters using psychological pressure.
- Inform about the scale of the threat and the danger of ransomware getting into the company's network. This can lead to the loss of an employee's job or even the collapse of the entire company.
Here are some of the tools that organizations use according to ProofPoint:
- Change passwords regularly. This prevents a delayed threat from leaving the company.
- Conduct tests like GoDaddy. This provides three advantages at once:
- Conduct tests like GoDaddy. This provides three advantages at once:
- Team training.
- Employees themselves will tighten their knowledge so as not to be outsiders who failed the test.
- Any unfamiliar letter will be considered as a test and therefore ignored or treated with additional suspicion.
Tip: Users often use passwords that they consider to be very strong, but at the same time such passwords are in the databases for brute-forcing (password guessing). Trust your passwords on trusted services. I trust Kaspersky. It has its own independent free password checking service. The service is remarkable in that it shows the approximate minimum time required to crack a password with brute-forcing.
⚠️ Anti-phishing software is only effective as a supplement to staff alertness and awareness.
Sender Policy Framework (SPF) helps prevent sender spoofing. It adds custom headers, an authentication method and sets up its policy. Used since 2006, last revised 2014.
DomainKeys Identified Mail (DKIM) protects email content with an identification key. Used since 2007, last revised 2014.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) isn’t a standalone security feature but is required for SPF and DKIM communication. Used since 2015 to improve protection efficiency.
Today, the best companies offering these technologies are Barracuda Networks, Cisco, Proofpoint, Valimail, Agari, The Email Laundry, and Mimecast.
These techniques are used for corporate mail if the company uses its own domain. I also want to note the great complexity of the implementation of these technologies. In practice, many obstacles arise, and setting up these systems can take months and require large budgets.
Brand Indicators for Message Identification (BIMI) anti-phishing technology is also under development. It is based on a special secure display of the sender's logo, which makes it much more difficult to counterfeit.
Email Security Services
In practice, you should start by implementing mail analysis services. There are several dozen such systems on the market today. Among the strongest are Office 365 Advanced Threat Protection (ATP), Avanan, Barracuda Sentinel, PhishProtection, and others.
I recommend ATP. Firstly, this is one of the most budget solutions (prices start at $ 2), and secondly, Microsoft has definitely more initial data for analyzing letters. Many Email security services have developed Big Data-based mining systems. The ATP is considered to have more information flow and, therefore, better performance in analyzing email content. The disadvantage of ATP is that it only works with its own mail service.
Regardless of whether the company uses its mail or uses third-party postal services, there are systems that control the transitions to external links received by mail, SMS, and MMS.
Companies that provide such systems: Cisco, Bluecoat, ZScaler, and Websense.
You should also pay attention to the protection technologies of workstations, laptops, and individual computers of the company. There are Endpoint Detection and Response (EDR), Specialized Threat Analysis and Protection (STAP), and Breach Detection System (BDS) technologies designed to block known and potentially dangerous threats that may arise after visiting phishing sites.
In the simplest case, you can look towards VPN apps and add-ons for Google Chrome and Firefox web browsers that have the function of blocking phishing sites.
Cyber fraudsters use various tricks to forge the sender of a letter. In the simplest case, this is a substitution of information about the sender without spoofing SPF and DKIM. Advanced Email services such as Google G Suite, ProtonMail, Tutanota, and some others effectively protect against such an attack.
Let me emphasize that they don’t provide guaranteed protection against professional hackers who can forge protective authentication, but their antispam systems can help reduce the number of phishing emails.
Haven't any phone scammers called you yet? Then you're in luck. In 2020, in the US, over 30% of all calls made were fraudulent.
Vishing is a form of phishing in which the attack is carried out using voice. Hackers use a feature of the human psyche, in which we trust more what we hear than what we read.
Vishing can be both inbound and outbound. So, these aren’t only cold calls from cybercriminals, but also the use of other phishing methods in order to trick the victim into making a call (pop-up windows with scary alerts, classic email phishing, voice messages, etc.).
Vishing can be either spear vishing, directed at a specific person or company, or mass ("shotgun" attack), similar to spam. In the first case, as a rule, hackers collect information about the victim in advance. In the second case, it is an automated dial-up, where the operator can be replaced by a pre-compiled template record. But more often they are still real people who know little about you and they need to bluff to make you nervous and follow their instructions.
Let's take a closer look at the most dangerous variant of vishing - spear vishing.
Typical Spear Vishing Attack Structure:
As a rule, before starting work, hackers already know what information or actions they need from the victim. With a monetization plan in mind, they get to work:
- Gathering information about the goal. Hackers collect all available information on the victim. If this is a private person, then social networks are studied, accounts and publications are searched for by photography, and so on. If this is a company, then open sources are studied with any available information, then a search is carried out on the compromised databases on the darknet.
- Collecting information about friends / acquaintances / colleagues / competitors. At the same time, a search is carried out for information about people or companies, on whose behalf or regarding which a dialogue can be conducted.
- Structuring the collected information. The information is combined, analyzed and a detailed “portrait” of the target is made.
- Working out an attack plan. Hackers compose conversation models, working out possible options for the victim's behavior, updating contact information, and choosing the best time to call. For example, if this is a fraud to recive money transfer through the terminal, then the moment is selected when the targeted person has the least probability to consult someone.
If this is an employee of the company, then the attack is most often carried out during working hours. For example, if vishing is used as confirmation of a sent phishing email with a malicious attachment, then the beginning or the middle of the working day is selected so that the installed malware can navigate the company's local network, imitating the actions of an employee at the workplace.
- Making a call. The call is made using VoIP technology. This uses a VPN, Tor, or proxy to mask the reallocation. The hacker's number is forged with a previously prepared one (for example, the short number of the victim's bank), the IMEI and IMSI are hidden.
In some cases, the victim may not realize for a long time that he or she was deceived. For example, stolen databases often contain the last 4 digits of SNN. Either they were taken from Big Data on the darknet or were previously introduced some time ago on a phishing site controlled by hackers. It remains to make a targeted vishing call with a request to confirm something, giving only the first 5 digits of the SNN. This may not raise suspicion. And with all 9 digits, a cybercriminal can issue credit cards, loans, and more.
The above example of vishing clearly demonstrates its danger.
How to prevent vishing?
Today there is no effective technical way to track and block phishing calls. Especially if they are carried out by professionals quickly.
Therefore, the only effective way to protect against vishing is the attentiveness and awareness of all people using mobile phones.
The most effective way to prevent theft of personal information or money is to call back the organization or person on whose behalf the call came. By the way, if the number is fake, then you won’t call the intruders. The call will go to the “clean” recipient.
It's okay if you are careful. Bank employees and other organizations are most often aware of cases of fraud and will treat your call with understanding, and you will protect your property or the financial stability of your company.
A simpler type of phishing that is actively used in 2021 is the so-called Smishing - phishing via SMS.
Its essence is easiest to describe with an example.
BleepingComputer reported that there is a new smishing attack on PayPal users. Its essence is that a text SMS message containing a link comes to the phone. It states that the account is locked and the user needs to verify their identity to unlock it.
When you click on the link, a phishing page opens, very similar to the authorization page of the paypal.com website:
After “entering” the site, a form for entering all personal data appears:
Hackers take advantage of the fact that PayPal often blocks user accounts at the slightest suspicion of suspicious activity.
If you've read the previous chapters of this article, then the content of this smishing message may even seem naive. A weak point is immediately visible here - the domain that opens after clicking on the link is weakly similar to paypal.com. We see pyplvryzs.com. This is enough for an armed user to recognize phishing.
You may be wondering - why didn't they make the name of the site more similar to the original?
The answer is simple. Such domains are blocked very quickly in bulk mailings. Dozens and sometimes hundreds of such domains are needed. Therefore, it is almost impossible to buy plausible enough names.
This is the weakest point of mass smishing attacks.
But, if professionals want to conduct a targeted attack, then it can be very difficult to recognize the deception.
With the development of an intelligent system for filtering mail messages, cyber fraudsters have come up with a simple and effective method to bypass such systems.
Text in the form of pictures published remotely.
The technique isn’t new. It is based on the well-known method of integrating a phishing image into an email attachment. Now, for camouflage, such pictures are placed remotely and additional barriers are used to protect them.
In order for security systems to pass such letters, hackers place images on hosts hidden behind a chain of redirects. Moreover, this chain may contain compromised trust sites. This gives a false positive signal to the control systems.
Geo filtering technologies are also used. That is, for example, United Kingdom users are shown a phishing picture, and everyone else is shown a stub picture.
Thus, phishing with pictures today has become the reincarnation of an old technology that can deceive intelligent monitoring systems.
On the other hand, such phishing emails are less likely to mislead users.
I recommend ignoring emails containing images with text. Even if it looks like a promotional brochure. Fraudsters most often use phishing images for mass attacks on consumers. Such mailings can contain very attractive conditions for the purchase of goods, services, or offer gifts. Real trading companies that send out their products don’t use such integrations or use only a fraction of the text.
The somewhat diminishing problem of phishing proliferation returned to our lives again with the outbreak of the pandemic and the transition of many people to remote work.
Cyber fraudsters are adopting new technologies to steal personal data (Phishing by Proxy) and using new variants of old technologies such as text-in-picture. All over the world, the activity of cold-call centers is intensifying, working separately or in combination with conventional phishing.
To counter this, IT security companies are working with law enforcement to develop anti-phishing systems. But there are many problems on their way. These are both technical difficulties and imperfection of laws that make it difficult to respond quickly to threats.
For example, the success of phishing attacks using remotely published images is often geo-linked. Hackers deliberately choose jurisdictions in which phishing domains are registered in countries with which it is difficult to quickly apply to block and investigate crimes.
Therefore, I want to emphasize once again that the safety and security of personal data of individual users, private companies, and government organizations primarily depends on the awareness and preparedness of the people themselves.
Use the information and guidelines in this article for yourself, your loved ones, or your company and you will be largely protected from the most effective penetration threats of 2021.
If you have any experience with phishing or any questions about phishing, then leave comments below the article.