Real Big Phish

Tales from the Past

Since the invention of trade, unscrupulous people have been thinking up nifty ways to convince others to part with what they already have.  Going back to insurance fraud in 300 B.C., these individuals come up with schemes designed to convince people to buy into something that never pans out.  A more modern example was the Nigerian Prince letters of the 1990s, and more recently everyone sees attempts to steal credentials or other information using an email technique termed phishing.

Modern phishing is simply sending out lots of misleading email messages (sometimes millions upon millions) in the hope that a few people fall for the deception.  Those victims are pounced on quickly by the individuals running the scams and taken for as much as possible, as quickly as possible.  The speed is necessary because people soon catch on that something is happening that doesn’t mesh with what they expected.

Sharpening Their Skills

Over the past several years, phishing scams have evolved into a very targeted activity.  These new attempts, termed spear phishing because of their specific content and targets, are not sent in the bulk millions upon millions of messages.  Instead, they are aimed at specific groups of people known to follow a specific site, organization, or activity.  Using specifics such as your real name, the company you work for, or perhaps a site you visit regularly, the attacker creates a sense of recognition: because the sender knows these things about you, it must be someone you trust.

For example, a spear phishing attack against us could be an email that states something along the lines of “Dear <Employee Name>.  Support has requested everyone to sign up for our new self-service password reset portal.  Please go here to set up your security questions…”  It would look exactly as if it had been sent from an official team or person you are familiar with, but it would actually be coming from someone external, most likely attempting to collect your information for further attacks against you.

The Big Boys in the Ocean

As the scams continued, information about the new techniques started reducing their effectiveness, and the scammers responded.  If a targeted attack against a lower-level employee at a company is successful, it may only result in a minimal reward for the attacker: the employee may not be authorized to access sensitive data or to provide money or other information the attacker wants.  However, there are employees who generally have a great deal of power and access, and who are very difficult to keep hidden.  These are the executives of a company.

In attacks known as whaling, high-level executives within a company are targeted specifically in an attempt to gain access to large amounts of data or funds.  These attacks are carefully planned, well crafted, and designed to look as deceptively honest as possible.  They speak to the specific role of the target within the company, attach company-wide urgency, and may even include legal jargon and concerns.  An example would be something that looks like an FBI subpoena email sent to the CEO, where the subpoena is only viewable on the website linked from the whaling email.

Who’s the Captain?

Most phishing attacks fall under one of the categories above.  In the last year or so, a new method has been growing in popularity and has proven devastatingly effective across all organizations, even ones where security awareness is part of the culture and commonplace.  This new attack is similar to whaling in that it contains very explicitly designed messages that fit the role of a single recipient within an organization.  However, instead of aiming at the top levels, who have started recognizing these attacks for what they are, it is aimed at the employees just below them.

For example, a message may go out to an accounts payable clerk describing a new vendor that has been approved and needs a payment of $XYZ sent over.  In general, this would be ignored, as it most likely is not the way the company normally requests and approves payments to vendors.  However, the email came from what looks to be the CFO’s email address, and he states that he is onsite with the vendor and needs this processed immediately to get the contracted services moving.  This urgency, and the way the message was crafted to look as if it came from someone authorized to escalate such a request, often keeps people from second-guessing it.  Money is sent, scammers are happy, and the CFO, who was on vacation, comes back wondering where a bunch of money went.

Keeping Afloat in Dangerous Waters

As with most other methods of scams, almost all types of phishing attacks can be thwarted through simple awareness.  The basic rule that can be followed for most attacks is this:  If you didn’t know someone would be requesting information or money, don’t send anything.  If your bank is asking you to verify your account information, or your support team needs your login information, verify with them through known channels.  Never call a number or click on a link in a message requesting information or money.  Instead, go to your bank’s known website, get their support number, and call that to determine if they actually need you to do something.  Similarly, call your support team’s extension, not any number provided in the email for the support team.  Oftentimes, an included phone number or website link will redirect you to the scammers, who will, of course, confirm that the request was valid.

Look for inconsistencies as well.  For example, everyone sees PayPal emails requesting you to re-verify your account.  If you HOVER OVER (not click on) the links in the email, you may see that the link actually goes to www.paypal.somethingelse.com or similar.  These are designed to make you think they’re legitimate, but they aren’t.  The page at the link may even look EXACTLY like the legitimate page, including links to the correct support sites, home pages, and others.  The only difference is that the login information goes to the scammer, and you get an error page once you submit it.
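The hover-over check above, written as code (an added example, not part of the original article): given a link's visible text and the href it really points to, decide whether it lands on the trusted domain.  The sample links are constructed, and the "last two labels" rule for the registered domain is a simplification noted in the comments.

```python
from urllib.parse import urlsplit

# Constructed sample links, as a mail client would show them: (visible text, href).
SAMPLE_LINKS = [
    ("Log in to PayPal", "https://www.paypal.com/signin"),
    ("Re-verify your account", "https://www.paypal.somethingelse.com/verify"),
    ("https://www.paypal.com/account", "https://login.evil.example/pp"),
    ("Secure login", "https://www.paypal.com@evil.example/login"),
    ("Click here", "http://203.0.113.9/update"),
]

def link_host(url):
    """Return the lowercase host a browser would actually connect to.
    urlsplit().hostname drops userinfo and the port, so a link such as
    https://www.paypal.com@evil.example/ resolves to evil.example."""
    return (urlsplit(url.strip()).hostname or "").rstrip(".")

def registrable_domain(host):
    """Approximate the domain someone actually registered: the last two labels.
    Simplification for this example; real tooling consults the Public Suffix
    List so that e.g. co.uk is not treated as a registrable domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def check_link(visible_text, href, trusted_domain):
    """The 'hover over the link' check as code: where does it really go?
    Verdicts: ok, lookalike (brand in URL but another domain registered),
    mismatch (shown domain differs from real one), foreign (unrelated host)."""
    trusted = trusted_domain.lower()
    actual = registrable_domain(link_host(href))
    if actual == trusted:
        return "ok"
    if trusted.split(".")[0] in href.lower():
        return "lookalike"
    shown = visible_text.strip()
    if "." in shown and " " not in shown:  # the visible text itself is a URL or host
        shown_url = shown if "//" in shown else "//" + shown
        if registrable_domain(link_host(shown_url)) != actual:
            return "mismatch"
    return "foreign"

def scan_links(links, trusted_domain):
    """Apply check_link to every (text, href) pair; anything but 'ok' deserves a phone call."""
    return [(href, check_link(text, href, trusted_domain)) for text, href in links]

if __name__ == "__main__":
    for href, verdict in scan_links(SAMPLE_LINKS, "paypal.com"):
        print(f"{verdict:10} {href}")
```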

Finally, to minimize these attacks, keep the amount of actual information about you online as minimal as possible.  On Facebook, for example, only make posts visible to your friends.  Don’t post anything personal on Twitter, as that’s more of an open forum with minimal privacy.  Also, on something like LinkedIn, ensure that your contact information is visible only to connections.  This will reduce the likelihood of being targeted, as there is less information available to craft these very specific and effective attacks.

More Information

For more information on phishing, please feel free to visit the following sites for suggestions on preventing or preparing for an attack, as well as other standard internet security practices that help keep your daily activities online safe.