Phishing, simple yet dangerous

Two fishers, Julius and Caesar, went out with their fishing gear on an early Monday morning. They looked for a quiet spot by the water, put up their tent and drank a cup of coffee together. The night before they had discussed together what kind of bait they would use so the carp would bite and they only had to fish them out of the water. They chose corn. Because they were both very experienced fishers, 11 minutes after throwing out their rod, a beautiful carp was on the hook.

Two phishers, Judas and Cain went out with their phishing tools on an early Monday morning. They looked for a place on the couch, opened their laptops and drank a cup of coffee together. The night before, they had discussed what kind of bait they would use so the secretary of Elijah Malachi, the CEO of a company called Sediment Services Corporation LLC, would bite and they only had to fish the information out of her. They chose an email. Because they were both very experienced phishers, 11 minutes after throwing out their rod, a beautiful secretary was on the hook.
(they were guilty of CEO Fraud, we'll come back to the meaning of this later in this article)

We are going to talk about the simplest and most common form of online fraud but also very dangerous cyber attack called 'phishing'. What exactly is that? The definition is: ‘Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.’

This we can also formulate as:

Phishing is the act of ‘fishing’ or 'angling' for information, specifically personal/confidential data, under false pretences and by means of deception. The target is, as it were, tempted to give this information to an entity other than that originally intended and/or assumed. Actually, an attempt is made to mislead the human being c.q. the human brain, also known as 'human hacking' or 'social engineering'. As already mentioned in our previous blog regarding Security and Internet Awareness, the weakest link in security is (almost) always the human! Here the link to that article.

The purpose of phishing is therefore to steal sensitive, personal information and/or install malicious software on the victim's computer or phone. Carrying out a phishing attack is relatively simple and accessible because no (difficult) technique is involved. This is probably the reason that almost 33 percent of all data breaches are caused by phishing, with all the serious consequences this entails.

Origin and use of the term phishing

The term phishing originated in the mid 90's and refers to fishing or angling (for information).
The words 'phishey' and 'phoney' refer respectively to something that is not kosher and something that is false or fraudulent. So, fishing with dark intentions.

Also, the origin of the term phishing could lie with the first hackers from the 70's, so called 'phreaks'.
This is an amalgamation of 'phone' and 'freak'. They hacked into telephone systems in order to, for example, make free (international) calls.

But the initial use of the term phishing is attributed to a notorious hacker and spammer named Khan C. Smith. On January 2, 1996, the term was first publicly found online in a Usenet newsgroup called 'AOHell'. This was a reference to the first (Windows) application, which was actually a toolkit that made hacking AOL accounts easier. AOL stands for America Online and was at the time the largest Internet provider in the United States. A hacker named 'Da Chronic' developed AOHell in 1994, which included a function for stealing the passwords of AOL users. Also the scammers 'angled' for passwords or financial data of unsuspecting users. They sent legitimate looking emails with a link to a spoofed (fake) website or an e-mail attachment containing malicious software (malware) and/or code. The word 'malware' is a combination of 'malicious' and 'software'.

P.S: Khan C. Smith also created the first botnet around the year 2000; 'spammy email botnet'.
The word 'botnet' is an amalgamation of the words 'robot' and 'network'. Cybercriminals use special Trojans (malware) to hack into the security of the computers of multiple users, take control of each computer and include all infected machines in a network of 'bots' that can be remotely controlled by the cybercriminal. A recent example of this is the so-called 'Mozi' botnet.

Types of phishing

First of all, there is an important distinction to be made between bulk phishing, different (types of) targets are attacked on a large scale and spear phishing which is aimed at a specific, individual target.

Bulk phishing is also called 'deceptive phishing' and is the most common form of phishing. A message is sent to the targets of a reliable sender (e.g. a bank or government agency). These messages, as the name suggests, are sent in bulk. This message may contain a request to:

– make a payment;
– check account information;
– the re-entry of login details or passwords;
– the request to change a password;
– log on to a (fake) website;

Spear phishing

As mentioned, spear phishing is a targeted form of phishing on a specific, individual target. The cybercriminal has usually already collected some information about the target before he launches the attack. If you realize how much personal information can be found about you on the internet these days (social media in particular is a valuable resource) then you will understand that it is not as difficult for a malicious party to pretend to be a trusted party. This information can be gathered online through Open Source Intelligence (OSINT), but also from a previous phishing attempt, a hacked account, or any other place where personal information can be retrieved.

The specific target in spear phishing can be a person, organization, company or the (semi)-government. The attack is aimed at those targets (employees) who have access to sensitive information or have the ability to transfer (large) amounts of money.
Also, a so-called state actor can attack an employee working for another government institution, or a government official, to steal state secrets. These attacks are carried out by or with the knowledge of another country and are therefore very dangerous. Seventy-eight percent of cyber-espionage incident is caused bij phishing.

An example of spear phishing is CEO Fraud, also known as 'whaling', the cybercriminals Judas and Cain in our example were guilty of this. In this spear phishing email attack, the attacker poses as a high-ranking person such as the, unsuspecting, CEO or CFO of a company. The purpose is almost always to entice the target (an employee within the same or different company) to transfer (large) amounts of money to an attacker's bank account, or to send sensitive/confidential information (e.g. HR data). In this e-mail, the recipient is made very important; the authority relation is emphasized and confidentiality is requested.

Often a 'pre-attack' is first performed by means of reconnaissance, using OSINT and social engineering techniques. After this the found information is correlated, a profile of the target can be drawn up and a 'tailor made' attack can be crafted. Subsequently, this email is sent with all possible serious consequences.

CEO Fraud is a serious threat to companies and (semi) government agencies, it is important to arm yourself against it.
Hermes Recherche can be of service to you by means of, among other things, carrying out a Digital Footprintcheck.

Clone phishing

In this case, cyber criminals make a copy or a so-called 'clone' of previous, legitimate sent emails with a link attached. This link will be replaced by a new one that contains malicious software/code.

419/ Nigerian scams

This form of phishing has existed the longest and originated in Nigeria. The number 419 refers to the Nigerian Penal Code which deals with fraud, fines and penalties for fraud. In this type of online fraud, the scammer tells you an extensive and pathetic story about, for example, a large amount of money that is in a frozen bank account because of a coup d'état or civil war. Often it concerns a country that is in the news at that moment. Or he will tell you about a large inheritance that is 'difficult to access' because of government restrictions or taxes in his country. The swindler will then offer you a large sum of money to help him transfer his personal fortune out of the country.

He can ask you for your bank account number to help him transfer the money. Later all the money will be stolen from your account. In addition, he may ask you to pay any costs or taxes incurred to help release or transfer the money from the country through his bank. In principle, this can concern very small amounts of money. When the request is granted, the fraudster will say that he has incurred new costs which first have to be paid. Only then will you receive your 'reward'.

Vishing (voice phishing)

Vishing is a form of attack that attempts to seduce you into passing on sensitive, personal information over the phone. This may sound simple, but these attacks can be carried out very professional. For instance, it uses automated voice simulation technology, or the scammer uses personal information about you obtained from previous cyber attacks. In this way he puts you at ease and thus gains your confidence.

Smishing (sms phishing)

Smishing is an attempt to tempt you to pass on sensitive, personal information via a text or text message. By sending an sms that usually contains a link to a fake website that is almost identical to the legitimate website, cyber criminals try to mislead you. Smishing is also used to spread malware and spyware through links or attachments that can steal information and perform other malicious tasks.

Characteristics of a phishing message

– the text in the message claims a certain urgency, warning or threat; a new password must be set immediately, a fine must be paid on the spot and so on;
– you are asked to transfer money for expenses or fees;
– you are asked to provide sensitive information, you should always be cautious, regardless of the sender of the message;
– the text in the message contains spelling and grammar errors; a bonafide company or government agency will never communicate in such a way;
– the URL is not identical to the original or legitimate URL and looks fraudulent;
– unexpected or unusual links/attachments, these may contain malware, ransomware or any other online threat;

Via which devices

– desktop;
– laptop;
– tablet;
– (mobile) phone;

In what way

– email;
– chat message (eg Whatsapp);
– sms-message;
– phonecall;

Also via social media sites such as Facebook, Instagram, Twitter and Linkedin phishing attacks are carried out!

What is the information obtained for

– for selling this, personal information, on the darkweb;
– for stealing an identity (identity theft/fraud);
– for stealing bank or other (social media) accounts;
– for stealing state secrets;

Consequences of a phishing attack

– financial damage/loss, this can run into millions;
– personal and business damage:

* image damage
* safety (personal) that is compromised
* psychological damage

– new cyberattacks;

How to arm yourself against phishing?

– never click on unknown links! (in email, sms or chat messages);
– do not accept calls from unknown or shielded numbers;
– never open emails from unknown senders;
– never enter any personal information, such as name, SSN or bank/credit card details (especially pop-up screens);
– always first verify if a website is secure and check if the URL starts with 'https' instead of 'http' (the 's' stands for 'secure');
– Google the text/content of the email and see if it gives a hit in relation to phishing;
– use a good virus scanner;
– possibly, use a special anti-phishing toolbar;
– listen to your intuition, that gut feeling is always right, trust it!
– hover your mouse (or finger) over the link and check the URL, especially look for (spelling) errors in the domain name;
– if something sounds too good to be true, it often is!
– avoid the use of public wifi and if you do, only connect via a VPN (virtual private network);
– in general, always be alert to suspicious emails and/or sms-chat messages and phone calls;

To conclude, here an example of a very well known and successful phishing attack.

This took place in 2016 and was aimed at the Democratic National Committee and indirectly at Hillary Clinton.
The Gmail account of her campaign manager, John Podesta, was hacked, in an actually very simple way. He received an email from Google stating that his Gmail password had been hacked or misused and he was asked to set a new password immediately. This email contained a link that led to a malicious site where his login credentials and password information was stolen. According to the media, this attack was carried out by a state actor, a so-called APT (Advanced Persistent Threat) Group. In this case it was APT 28, also called Fancy Bear, Sofacy Group, Pawn Storm, Hades, Tsar Team, STRONTIUM (and some more names) from Russia. Via this attack there was access to the mail exchange between John Podesta and Hillary Clinton. These emails were later leaked by 'Wikileaks'.

Some time later reports appeared in the media about a hacker named 'Guccifer 2.0' (abbreviation of Gucci and Lucifer). His real name is Marcel Lazăr Lehel and he originates from Rahad, Romania. He claimed to have committed the hack after he first hacked the AOL account of a confidant of Hilary Clinton; Sidney Blumenthal, in 2013. Through intensive OSINT (reconnaissance) research he was able to guess the security question of Sidney Blumenthal. This gave him access to the account, could stay there for a while, collected information and moved on to Hillary Clinton's server. There are rumours that Guccifer 2.0 works for the GRU (G.U.), the Russian military intelligence service.

There is also another interesting reading. The former technical director of the NSA, William "Bill¨Binney, claims that 'Russia-gate' was manufactured and directed by the CIA. He predicates this on the forensically analyzed data, by him and other independent investigators, released by Guccifer. Based on this they concluded that the information could only have been obtained through a (human) leak within the party.

So far this article about phishing. If you have any questions please feel free to contact us at (0031) 6 39893068 or for a non-binding conversation.

 ©Hermes Recherche 2020