In this post we will talk about phishing, a type of fraud carried out on the Internet through which an attacker tries to deceive the victim into providing personal information, financial data or access codes, posing as a trustworthy entity in a digital communication.
The article is divided into three parts:
- an introductory part, in which we will dedicate ourselves to give a good definition of phishing;
- a list of the channels used, in which we will review the main attack vectors & channels in which phishing is transmitted today;
- a series of tips and best practices that explain how to defend against a threat that, day after day, is becoming more dangerous and insidious, also thanks to modern machine-learning techniques, which the algorithms that generate "bait" e-mails increasingly rely on.
Are we ready? Let's start!
As mentioned in the introductory part of this article, phishing is a type of fraud carried out on the Internet through which an attacker tries to deceive the victim into providing personal information, financial data or access codes, posing as a trustworthy entity in a digital communication. It is therefore an illegal activity that uses a social engineering technique (the deception operated against the user) as its primary input vector.
In summary, it is a scam that consists in sending deceptive messages with the aim of stealing data or information of any kind from users. In most cases this type of fraud is conveyed through electronic mail messages (e-mails), but it can also take place through instant messaging services such as SMS, Skype, Whatsapp, and even telephone calls (as we will see).
The name phishing, a variant of the English verb fishing ("to fish"), summarizes this type of illegal practice in an extremely effective way through a metaphor that involves multiple interpretations:
- The attacker does not select his users, but "catches" them by sending a large number of e-mails to lists of addresses belonging to real users that he has compiled, purchased or otherwise come into possession of;
- Victims, as well as their data, are "caught" by using a bait: a fake e-mail message, but packaged so well that it seems authentic.
- The quantity and quality of data that the "fishing" will yield is not easily foreseeable by the attacker: it can only be quantified after analyzing the content of the "net", that is, the totality of the responses received or of the operations / activities carried out by the victims.
The first point listed above has recently been called into question by a further technique that has gradually established itself in recent years and which takes the name of Spear Phishing (literally "fishing with a spear", or rather with a harpoon). It is a targeted phishing methodology, that is, one aimed at acquiring the data of a specific and predetermined target: a company, an organization, a private individual, etc.
Unlike phishing, spear phishing requires a preliminary investigation of the victim and / or its users: the data collected through this operation are then used to create a particularly plausible "bait" message. These "targeted" techniques have gradually become more effective thanks to the widespread use of social networks, which allow the attacker to carry out an analytical study of the victim (habits, interests, knowledge, network of contacts, etc.) and therefore to package particularly credible and effective "baits".
Attack Vectors & Channels
Although the term phishing is conventionally used in reference to e-mail messages, e-mails are not the only channel through which this technique is conveyed. It is therefore appropriate to identify the main channels (or vectors) that can be exploited by Phishing techniques nowadays:
- E-Mail: phishing via e-mail is the best known and most common case: through a normal e-mail, in the form of a spam message that seems to come from companies, authoritative sites (e-commerce, online services, telephone operators or banks) or even by public bodies (eg the Italian Post Office, the Revenue Agency, etc.), the attacker tries to get hold of the user's sensitive data. This is the most popular technique today for carrying out a phishing and / or spear phishing attack.
- Instant Messaging: the term instant messaging (abbreviated to IM) is used to identify all software and apps for mobile devices that allow you to send private messages: we are therefore talking about WhatsApp, Skype, Telegram and so on. In most cases, phishing via IM is based on sending fake supermarket discount coupons, invitations to subscribe to scam services, requests for a purchase / renewal described as "necessary" to continue using a free or regularly paid service, and so on.
- Social Networks: phishing via social networks is in many ways similar to phishing via instant messaging, as it is also based on discount coupons, offers to subscribe to scam services, invitations to visit or register on dating sites that will then seek to acquire our data, and so on; the main difference with respect to the previous methodologies is that this technique exploits a psychologically very important component at the base of the transmission channel used, that is, the social network: the so-called trust level, or the level of trust that the average user attributes to the communications they receive from certain channels. A scam message shared by acquaintances, friends or other trusted people can exploit this unconscious mechanism to obtain a higher level of credibility in the eyes of the user.
- SMS: even the SMS service made available by telephone operators is in fact instant messaging, and therefore also belongs to the category of possible transmission channels for a phishing attack: in recent years a specific term, smishing, has even been coined to identify phishing attacks conducted via SMS. Smishing can have characteristics similar to phishing via IM, but it can also take advantage of a series of provider protocols to execute commands (opening links, downloading apps, unlocking certain functions, etc.) directly on the victim's smartphone, usually triggered by opening a link contained in the message.
- Phone: in recent years one of the oldest phishing techniques has come back into vogue, used all over the world to carry out various types of scams (especially against elderly people) since before the arrival of the Internet and e-mail. This is phishing by telephone, or rather a scam carried out by a telephone operator, who with modern technology can possibly be replaced by a suitably programmed bot, capable of making automatic calls and "talking" with a recorded voice or with a speech synthesizer. This type of technique has characteristics in all respects similar to the previous ones: the attacker identifies himself as an operator authorized by a company and begins to request information, giving a plausible reason. This type of scam also lends itself very well to spear phishing techniques: in some cases, especially when scams of this type are aimed at elderly people or at those who have difficulty orienting themselves in the world of technology and / or digital services, the operator can even pretend to be a relative, simulating their voice and / or exploiting the presence of background noise.
How to prevent such threats
Phishing attacks take place in an increasingly sophisticated and credible way: in other words, the "baits" are packaged in an increasingly plausible way, making it difficult to distinguish the fake from the real. The risk of falling victim to these "baits" is particularly high for those who live or work in a context characterized by a large number of digital services, where receiving invoices, payment notices, satisfaction questionnaires or requests to send documentation is routine.
For this reason it is now essential to develop adequate defense mechanisms, such as those listed below.
The first and most important thing to do is to equip yourself with antivirus or anti-malware software that is capable of performing (at least) the following tasks:
- Spam and Malware Protection, to immediately understand if an incoming email (e.g. phishing or spam mail) constitutes a threat.
- Forensic Analysis, possibly using artificial intelligence and machine learning algorithms to detect and avert threats, fraud attempts and digital identity theft at an early stage.
- URL Malware Control, to check and secure all Internet addresses, including analysis of downloads.
If you only need to protect your personal device, these features are nowadays included in any good antivirus on the market: however, if you're within an organization, you might want to opt for a centralized Data Security Management Suite that can offer comprehensive protection for all on-premise and cloud services.
In cruder phishing cases, messages may contain misspellings, inaccuracies and / or small misprints: incorrectly conjugated verbs, incorrectly spelled names and surnames, reversed uppercase or lowercase, incorrect or missing articles, excessive spacing, incorrect punctuation, imprecise or poor quality logos, etc.; errors of this type are particularly frequent when messages are created with the aid of automated tools: translated with automatic translators, or compiled by putting together information from printouts, etc.
To protect yourself from these cases, it is essential to pay close attention to the form, spelling and structure of any message.
Since almost all phishing attacks are conducted ignoring much of the information concerning the victim, the sender is forced to guess most of the details: he could therefore pass himself off as an operator of a famous bank, Poste Italiane, Agenzia delle Entrate, Telecom Italy, or any other service used by a large number of people, hoping to "guess" a provider with whom the victim actually has a relationship; or he could adopt an opposite psychological technique, pretending to be an employee of a small company (Studio of Avv. Bianchi, Accountant Astori, Pharmacy Pirri, etc.), in the hope of "catching" a victim accustomed to dealing with a large number of interlocutors of that type and / or to take those types of senders for granted. To protect yourself from these attempts it is essential:
- Always check the authenticity of the sender's name and e-mail address. Most phishing attacks are conducted using names and / or e-mails that can be easily identified as suspicious.
- Always check the real existence of a relationship with us and / or our organization. To carry out this check, it may be essential to involve colleagues and collaborators in the analysis, so as to gradually acquire the necessary know-how to become independent.
When there are file attachments with unusual file extensions - that is, unexpected attachments - you must be extremely careful: most of today's phishing techniques involve installing malware on the user's computer, an operation that almost always occurs by executing attachments that are not what they seem. To protect yourself from these attempts, it is essential to always check the file extension, avoiding opening files with an extension other than those we are used to working with. In most cases, since the phishing risk is now known to all, a legitimate sending of attachments is almost always announced by previously sent e-mails and / or accompanied by a series of plausible and verifiable details on the name and type of file.
In almost all cases, users who do not perform specialized technical or IT tasks can expect to receive only the following types of files: texts (TXT, PDF), images (JPG, GIF or PNG) or archives (ZIP, RAR, 7Z). A particular case is given by MS Office application files such as Word (DOC, DOCX), Excel (XLS, XLSX) and PowerPoint (PPT, PPTX): these files may contain macros, or scripts programmed to perform automatic operations on the system under certain conditions: these scripts can be configured to be launched when the file is opened, making them similar to executables.
Since this is a feature that is often used to carry out cyber attacks, it is advisable to use the utmost caution: to defend against this possibility, configure your MS Office applications to disable the automatic execution of macros when opening files, so as to have time to identify the threat before it can be "inoculated" into our system.
Hyperlinks carry risks similar to file attachments, especially if they are links pointing to unknown sites or files, with an important addition: when links are contained in an e-mail message, it is almost always possible to check the correspondence between the text displayed by the link (the word or phrase to click on, almost always colored blue or with another distinctive color) and the actual address of the link itself: if you are on a desktop PC, this check can be done by hovering the mouse pointer over the link, without clicking. In almost all cases where the address does not coincide with the colored text, the link in question is fraudulent.
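As an added example (not code from the original post), here is a small Python triage script that applies the sender, attachment and hyperlink checks described above to a constructed sample message; the message, the extension lists and the name-versus-domain heuristic are all assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): mismatched sender, deceptive link, double extension.
SAMPLE_EML = """\
From: "Banca Esempio Sicurezza" <alerts@mail-notice.example.net>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Click <a href="http://login-verify.example.net/x">https://www.bancaesempio.example</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

--b1--
"""
EXPECTED_EXT = {"txt", "pdf", "jpg", "gif", "png", "zip", "rar", "7z"}
MACRO_EXT = {"doc", "docx", "xls", "xlsx", "ppt", "pptx"}
# Adequate for the simple HTML of a mail body; not a general HTML parser.
A_TAG = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    # Hostname of a full URL or of a bare domain such as the text shown for a link.
    return urlparse(url if "://" in url else "http://" + url).hostname

def triage(raw):
    # Sender, attachment and link checks from the post; returns a list of findings.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    # Heuristic: some word of the claimed sender name should appear in the domain.
    words = re.findall(r"[a-z]{4,}", name.lower())
    if words and not any(w in domain for w in words):
        findings.append(f"sender: '{name}' does not match domain '{domain}'")
    for part in msg.iter_attachments():
        pieces = (part.get_filename() or "").lower().split(".")
        fname, ext = ".".join(pieces), (pieces[-1] if len(pieces) > 1 else "")
        if ext in MACRO_EXT:
            findings.append(f"attachment: '{fname}' may carry macros")
        elif ext not in EXPECTED_EXT:
            findings.append(f"attachment: unexpected extension '.{ext}' in '{fname}'")
        if len(pieces) > 2 and pieces[-2] in EXPECTED_EXT:
            findings.append(f"attachment: double extension in '{fname}'")
    body = msg.get_body(preferencelist=("html",))
    for href, text in A_TAG.findall(body.get_content() if body else ""):
        shown, real = host(re.sub(r"<[^>]+>", "", text).strip()), host(href)
        if shown and real and shown != real:
            findings.append(f"link: text shows '{shown}' but opens '{real}'")
    return findings
```

Running `triage(SAMPLE_EML)` reports the sender mismatch, the unexpected `.exe` and its double extension, and the link whose visible host differs from the one it opens.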
Urgencies and deadlines
An emergency scenario is one of the factors that every scam leverages the most, and phishing is certainly no exception: a pending payment to be settled immediately, a prize to be claimed shortly, the risk of losing an account, and any other emergency situation artfully created to push the victim into a state of anxiety that "forces their hand", preventing them from analyzing the situation clearly and pushing them outside the ordinary safety procedures. When an e-mail urges you to hurry, the risk of it being a scam is very high, especially in a business environment like today's, where expiration or renewal communications are made well in advance and repeatedly through multiple channels. The best way to defend against this technique is to react in the opposite way to that requested and desired by the sender: analyze the message calmly and with great attention, carefully verifying the information it contains in order to determine with certainty whether it really is an emergency or an attempted fraud.
Prizes, winnings, discount coupons and competitions
Another widely used psychological technique, in many ways similar to that of urgency, is the one based on the opportunity not to be missed. In this case too it is advisable to analyze the message very carefully: statistically speaking, the risk that a "special offer" received by e-mail is a fraud is extremely high.
The checks listed in this paragraph nowadays constitute fundamental know-how for anyone who works with e-mail, and must therefore become automatic for every e-mail received, regardless of its content: obviously, they become particularly important in the presence of attachments or particularly "sensitive" requests (data, payment information, credentials, links, etc.).
Attention threshold, awareness level and best practices
It is clear that, in order to carry out the checks described in the previous paragraph, it is necessary to maintain a rather high level of attention and concentration: a commitment that can be easily underestimated by an operator who needs to process a large number of e-mails in an often unnaturally limited period of time.
Underestimating the time needed to handle the e-mails received is a characteristic of most contemporary companies and organizations, especially in those sectors where the level of computerization has not grown in step with the IT awareness of operators and / or the awareness of IT risks by management. These are errors of assessment entirely similar to those made not many decades ago in factories, when the work of workers was organized in the absence of adequate safety protocols and / or ignoring the impact that certain activities or materials could have on health.
To reduce the impact of such errors before it is too late, it is appropriate to act directly on the organization, in order to make management aware of the need to review the times, methods and procedures underlying such activities: a review that cannot disregard a risk analysis conducted with the constant involvement of professionals in the sector, with the aid of observation tools, techniques for collecting feedback, and the study of the best practices identified and suggested by the experts.
Specifically, it is essential to recognize the importance of the role played by those who deal with the reception of communications from outside - which, as we have seen, cannot ignore a certain level of verification and control - and to provide adequate timing to allow carrying out this activity.
What to do when we fall for a phishing attack?
If you suspect or are certain that you have fallen victim to a phishing attack, it is very important to remain calm and immediately take the appropriate countermeasures:
- If access credentials have been communicated (username, password, etc.), it is necessary to change the password urgently, taking care to notify those in charge in the event that it is a corporate or shared account.
- If a "suspicious" or fraudulent file has been opened (false or fictitious documents, files that do not open or have strange contents or errors, etc.) it is imperative to carry out an immediate and thorough scan with antivirus / antimalware systems on the device involved, possibly isolating it from the network so as to avoid the spread of any contagion by ransomware or worms.
- If payment data have been entered (credit cards, PayPal, etc.), it is necessary to contact your bank and block the credit card (or other payment instrument) whose data have been entered.
It is important to keep in mind that phishing is not simply a deceptive e-mail: it is a real crime, and should be considered as such. Although not yet explicitly provided for in criminal law, phishing is now treated as computer fraud and digital identity theft.
That's it for now: in the next post(s) we will devote ourselves to the study of other types of attacks, with a specific focus on malware (trojans, viruses, rootkits, ransomware, etc.) and on hacking techniques aimed at neutralizing or taking control of computer systems and / or their data (DDoS, MitM, SQL injection, XSS, etc.).