The Bulletin’s guide to Phishing


Andy Cormack this week looks at ‘Phishing’.  This criminal practice is a particularly nasty form of hacking, and costs people and businesses millions of pounds per year.

Here, Andy shows you what to look out for, how to tackle a phishing attack, and steps that you can take to prevent being caught out by phishers in the first place.


What is Phishing?

Phishing, at its most basic definition, is a form of social engineering designed to obtain sensitive or private details from someone through the use of email or other such electronic messaging services. It’s a blanket term covering a wide range of attacks, but the core of it stems purely from social engineering attacks via digital messages disguised as those sent from legitimate entities.

The term appears to be a portmanteau of “fishing” and “phreaking”, which is itself a portmanteau of “phone” and “freaking”. There are many fishing-related terms, several of which you will read about below, that line up with the manner in which attacks are orchestrated, so phishing is a descriptively appropriate word.

Though the term extends beyond just email, the Oxford dictionary’s definition is this:

“The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”

Outside of the basic definition, there are many subcategories of phishing of a more specific nature, often named after fishing terms. Some of these have an alarmingly high success rate, either because they do a better job of disguising the red flags and other warning signs of a fraudulent message, or because they are specifically and expertly targeted.

In the targeted case, the attacker discloses details that the victim would assume only the real person or company could know. This lends enough credibility to the message for it to be perceived as real, even when there are warning signs that it is, in fact, fake.

Common Types

Two such highly dangerous and easily mistaken types of phishing are “Spear Phishing” and “Whaling” which, as touched upon briefly above, home in on a specific target or group of targets for a more intimate attack, filled with details the attacker has gathered on the victims. There is also the “Watering Hole” type of attack, which is rising in popularity.

More specifically, spear phishing is the practice of gaining personal information about the target in order to increase the chances of success, and accounts for a significant majority of the successful attacks taking place regularly.

A report published in 2012 by Symantec sheds a lot of light on the situation.

“The more traditional technique is to send a “spear-phishing” email, containing an attachment, to the target. That attachment is a document containing an exploit which, when opened, then drops a Trojan onto the target computer. This works if the exploit is embeddable in a document. If not, then an alternative approach is to host the exploit on a Web server and then email the target with a link to that Web server. The link used is quite unique, it is not hosted on a common Web site, so it will only be encountered by the chosen target. When the target clicks on the link, the exploit is triggered and a back door is installed.”

The other most concerning trend of recent years is the increase in “Watering Hole” attacks; the same report details the attack further:

“The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him. Similarly, attackers find a Web site that caters to a particular audience in which the attackers are interested.”

“For example, people who visit the Amnesty International Hong Kong website are most likely visiting because they are interested in human rights issues in Hong Kong. Having identified this website, the attackers hack into it using a variety of means.”

“For example, the site may be vulnerable to a SQL injection, or perhaps the attackers compromise the machine of an individual with publishing rights to the website. The attackers then inject an exploit onto public pages of the website that are hopefully visited by their ultimate target. Any visitor susceptible to the exploit is compromised and a back door Trojan is installed onto their computer. The attacker then has complete control over the victim’s computer.”

“Three of the most recent zero-day exploits were used in watering hole attacks, an indication that this approach is gaining momentum.”

As you can see, the significance of this attack is that you could have been compromised even if you had done everything right and been very careful, because a site that you trust is no longer safe.

This has far-reaching consequences: a website that publicly acknowledges a compromise of its security casts a shadow of doubt on consumers using it again in the future, potentially harming long-term business, on top of having lost private customer data in the process.

So what can you do to protect yourself?

We’re going to focus on some broad topics and also some more specific ones related to spear phishing, as it’s the most common form of attack and it’s easy to get caught out by it.

Generally speaking, the most common source for being phished is your email address. Since a spear phishing attack is typically initiated after acquiring personal details about the target through various means, even emails that appear to be from an individual or company you may know could potentially still be a trap.

Spear phishing attacks have a tendency to err on the side of familiarity with the target and so emails, unless they are designed to be from a company, usually start with a more informal “Hi [name]”, instead of something like “Dear Sir/Madam” as this has a greater potential to engage the target. Emails of this nature may refer to a ‘mutual friend’, for example, in order to ask for certain private details or information such as card / bank numbers and passwords. Since the email is coming from an address that the target is probably familiar with, the chances of them slipping up and handing over the information more readily are far higher.

A common way for attackers to choose their targets is through social media and your general online presence. Leave enough of it out there publicly and it could be just the information those attackers need in order to trick you into thinking they’re someone you know.

The best defense against this, in order to lower your chances of being a target in the first place, is to filter down the public information you leave up for anyone to read. An example would be setting things like the contact information on your Facebook profile to, at most, “friends only”, so that an attacker would have to find their way into your friends list before gaining further pertinent information. Likewise, posts that are publicly accessible should leave out more personal details, or again be narrowed down to friends only.

The next important point to consider is that of your passwords. Do you use one password for lots of sites? Or perhaps at least a few passwords that are similar? Is it short, easy to remember, and perhaps contains yours or someone else’s birthday or name?

If so, change them now. The average password is typically some combination of the above along with a few other unsafe choices, such as pets’ names or sentences.

If your passwords are similar in structure to the types listed above, it’s time to change them. Short and/or personal passwords are relatively easy for attackers to guess, especially if they already have some information on you. The recommendations for strong passwords vary between sources and seem to change every year, if not more often. The best advice we can give you is to pick long ones with little or no repetition: the longer they are, the harder they typically are to guess, and each additional character multiplies the time it takes to break a password using raw computing power, so the cost to the attacker grows exponentially with length.

A popular programmer-centric webcomic titled XKCD published a relatively interesting angle for this password problem that perhaps may be of use to you as well.

(Courtesy of xkcd.com)

Their system increases password size, while keeping the contents memorable as well as impersonal and therefore harder to guess based on any personal information the attacker may have obtained.  By no means am I saying it’s a perfect solution, but it’s a great starting point for strengthening your security.
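To put the length argument and the xkcd-style passphrase into numbers, here is an added example (not from the original article or from xkcd). It estimates the entropy of each password shape and how long exhausting the whole search space would take at a constructed, assumed rate of 10^10 guesses per second against a stolen password hash; the word-list size of 2048 and the “1000 common names” figure are also assumptions.

```python
import math

# Constructed assumption: an attacker able to test this many guesses per second
# against a stolen password hash. Real figures depend on the hash algorithm used.
GUESSES_PER_SECOND = 1e10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices_per_element: int, elements: int) -> float:
    """Bits of entropy when each of `elements` positions is drawn uniformly
    at random from `choices_per_element` options: log2(choices ** elements)."""
    return elements * math.log2(choices_per_element)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every possibility at `rate` guesses per second
    (the expected time to hit the right one is half of this)."""
    return (2.0 ** bits / rate) / SECONDS_PER_YEAR


def personal_password_bits(common_names: int = 1000, dates: int = 10000) -> float:
    """A name plus a four-digit year looks like an 8+ character password, but the
    search space is only names x years (assumed sizes), and it shrinks further
    once the attacker already knows whose birthday and whose name to try."""
    return math.log2(common_names * dates)


def compare() -> dict:
    """Constructed comparison of the password shapes discussed in the article:
    label -> (entropy in bits, years to exhaust at the assumed guess rate)."""
    rows = {
        "name + year (personal)":      personal_password_bits(),
        "8 random lowercase":          entropy_bits(26, 8),
        "12 random lowercase":         entropy_bits(26, 12),
        "8 random mixed (94 symbols)": entropy_bits(94, 8),
        "4 words from 2048-word list": entropy_bits(2048, 4),
        "6 words from 2048-word list": entropy_bits(2048, 6),
    }
    return {label: (round(bits, 1), years_to_exhaust(bits)) for label, bits in rows.items()}


if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label:28s} {bits:6.1f} bits  {years:12.3g} years to exhaust")
```

Adding one lowercase character multiplies the attacker's work by 26 and adding one word from the list multiplies it by 2048, which is the exponential growth the text describes; the absolute years depend entirely on the assumed guess rate.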

Quite possibly the most important point of all, however, is that of keeping your operating system and its software up to date. When you get notifications from Windows, Mac OS, Ubuntu, or whichever operating system you’re using, stating you need to apply an update, it’s in your best interest to do it as soon as possible.  The majority of these updates are usually related to patching security issues that have been found. This goes doubly so for your antivirus and firewall software, as those are the gatekeepers preventing access to your computer.

Last, but most certainly not least, we arrive at good old common sense. Be smart about your interactions: if a “friend” emails you asking for a password or bank details, take a moment to question the authenticity of the message. Even after you’ve carefully considered the possibility that they may in fact require this information for some reason, still don’t blindly give it away via an email that may potentially be insecure. Call that friend and ask if they really did send that message to you.

This obviously extends to banks and other companies as well.  These companies won’t message you asking for account numbers, passwords, or other such personal data. If you’re unsure whether the email is real or not, the best thing to do, again, is to call them up and ask them directly from a number you know belongs to that company or, in the case of banks more specifically, they probably have a fraud prevention hotline and/or an email address to send suspicious emails to in order to verify their authenticity.

I hope this has been an informative and enlightening read, and one that perhaps has caused you to strengthen your online privacy. Stay safe out there.


Starjammer Bulletin – Contents
