Closed – Gone Phishing

Article Summary

Phishing is where an attacker sends a fraudulent message designed to trick the recipient into revealing sensitive information or performing an action that benefits the attacker. Spear phishing is a targeted email attack against specific people. Whaling is a phishing attack aimed at senior executives.

One common style of phishing email contains links whose real destination differs from the one the link text suggests. The destination can be checked before clicking by inspecting where the link actually points, for example by hovering the mouse over it.

Attachments are another way of getting the user to perform an action that gives the attacker access to the user’s information or computer. Opening an attachment may run a program in the background without the user’s knowledge. That program may then open a connection from the user’s computer to the attacker’s computer.

The best defense against these attacks is user knowledge and training. Many companies specialize in this type of training and in testing what users have learned.

I’m sure every reader of this site has heard of phishing (pronounced “fishing”). It may seem obvious, but somewhere between 80 and 90 percent of all malware attacks start with a malicious email. The most effective way to keep this type of attack from succeeding is training in what to look for in an email.

What is Phishing?

According to Wikipedia, “Phishing is a type of social engineering where an attacker sends a fraudulent message designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software on the victim’s infrastructure like ransomware.” Where “normal” phishing is sent to whatever email addresses the attacker has collected, spear phishing is directed at specific individuals within an organization, and a whaling attack is targeted at senior executives.

A phishing email can take many forms. It could be an email from someone or some company you don’t know or do business with. It could be an email pretending to be from someone you know or someone you do business with. It could be an email purporting to come from your own IT department. In general, if you receive an email you did not expect, you should be suspicious of it.

The following is part of an email I received recently:

When I first received this email I deleted it without reading it, because it came from “Adobe for Students” and I’m not a student. But suppose I were a student and interested in the deal. There is a link button I could click, but how would I know whether it is a valid link? Hovering the mouse over a link makes most email clients display the actual destination URL, which can be entirely different from the text shown on the link.

In this case the link goes to an HTTPS website at t-info.mail.adobe.com (highlighted). This looks legitimate: the product is an Adobe product and the hostname ends in adobe.com, so it is a subdomain under Adobe’s control. Note that the https: prefix only means the connection is encrypted; it says nothing about who runs the site, and phishing pages use HTTPS routinely, so the domain is what matters. If the link had been something like https://offer.abobe.com (adobe misspelled), or had pointed at any domain other than adobe.com, I would be very suspicious.

The following is an example of an email that many people receive:

Looking at this email, why would someone at Cypgrp get an email from someone at purdue.edu saying that the Cypgrp person’s email password is about to expire? Even though I have blanked out the full From address, the blanked-out portion was random characters, and when I hovered over the Keep Password link it pointed to www.emailing.nespresso.com. Neither the sender’s domain nor the link’s domain has anything to do with the organization whose password is supposedly expiring.
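The checks applied by hand in the two emails above (does the link’s domain really belong to the brand on the button, is the brand name misspelled, does the link’s domain match the organization the email claims to represent) can be automated. The following is an added example written for this article; it is not code from the original post or from any vendor. The trusted-domain list (cypgrp.com is assumed from the Cypgrp name in the email; adobe.com is the real Adobe domain), the tiny public-suffix table, the URL schemes and paths, and the three extra tricks it handles beyond what the emails show (a brand name used as a subdomain of an attacker’s host, a user@ prefix in the URL, and a homoglyph domain) are constructed for illustration.

```python
"""Triage where the links in an email really point.

Added example for this article; not code from the original post. The trusted
domain list, suffix table and sample URLs are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the reader actually does business with.
TRUSTED_DOMAINS = {"adobe.com", "cypgrp.com"}

# Tiny stand-in for the Public Suffix List so "mail.example.co.uk" is not split as "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname somebody had to register (t-info.mail.adobe.com -> adobe.com)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter misspellings such as abobe.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class LinkVerdict:
    url: str
    hostname: str
    domain: str
    trusted: bool
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return not self.trusted or bool(self.findings)


def check_link(url: str, claimed_domain: str | None = None) -> LinkVerdict:
    """Decide whether a link points at the organization the email claims to be from.

    claimed_domain is the registrable domain the message claims to represent
    (the brand on the button, or the recipient's own organization).
    """
    parts = urlsplit(url)
    # .hostname drops any user:pass@ prefix and port, so "https://adobe.com@evil.example/"
    # correctly yields "evil.example" rather than "adobe.com".
    host = parts.hostname or ""
    domain = registrable_domain(host) if host else ""
    findings: list[str] = []

    if not host:
        findings.append("no hostname in link")
    # The padlock only means the connection is encrypted; it never proves who runs the site.
    if parts.scheme != "https":
        findings.append("not HTTPS (though HTTPS alone proves nothing about the owner)")
    if claimed_domain and domain != claimed_domain.lower():
        findings.append(f"link goes to {domain}, not to the claimed {claimed_domain}")
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain != trusted and trusted in host:
            findings.append(f"brand {trusted} appears only as a subdomain of {domain}")
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            findings.append(f"{domain} looks like a misspelling or lookalike of {trusted}")
    try:
        if "xn--" in host.encode("idna").decode("ascii"):
            findings.append("internationalized hostname; may contain homoglyphs")
    except UnicodeError:
        findings.append("hostname could not be IDNA-encoded")

    return LinkVerdict(url, host, domain, domain in TRUSTED_DOMAINS, findings)


if __name__ == "__main__":
    # Constructed sample links: the two hosts from the emails above plus three common tricks.
    samples = [
        ("https://t-info.mail.adobe.com/", "adobe.com"),
        ("https://offer.abobe.com/deal", "adobe.com"),
        ("https://www.emailing.nespresso.com/", "cypgrp.com"),
        ("https://adobe.com.account-verify.example/login", "adobe.com"),
        ("https://adobe.com@evil.example/", "adobe.com"),
        ("https://\u0430dobe.com/login", "adobe.com"),  # Cyrillic 'а' in place of Latin 'a'
    ]
    for url, claimed in samples:
        v = check_link(url, claimed)
        label = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{label:10} {url} -> {v.domain}: {'; '.join(v.findings) or 'no findings'}")
```

Only the registrable domain is compared against the allowlist; subdomains, paths, an https: prefix and a familiar brand name anywhere else in the URL carry no weight. A real deployment would replace the three-entry suffix table with the Public Suffix List and feed the function the href of every link in the message rather than the text the user sees.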

Many emails carry attachments that can be harmful. A document attached in nearly any Microsoft Office format can contain macros that run a hidden program when the document is opened, without you knowing it happened. Attachments in PDF or ZIP format are just as dangerous, and a file posing as a voice mail may run malware while you listen to the message. The initial program hidden in such an attachment is typically very small and does little more than set up communication with the attacker’s computer on the Internet. Once that channel is open, the remote computer downloads further software in the background that keeps the channel alive and carries out the actual malicious actions.
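A mail gateway or a cautious administrator can apply a few cheap checks to an attachment before anyone opens it: is the file name a double extension (voicemail.wav.exe), does the content start with a Windows executable header regardless of its name, is an Office document macro-enabled (modern Office files are ZIP archives, and a VBA project appears inside as word/vbaProject.bin or the equivalent), and does a ZIP attachment contain scripts or executables. The following is an added example written for this article, not code from the original post or from any product; the sample attachments are constructed in memory from placeholder bytes so the script runs offline.

```python
"""Triage an email attachment before anyone opens it.

Added example for this article; not code from the original post. The sample
files are constructed in memory from placeholder bytes.
"""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".js", ".jse", ".vbs", ".wsf",
                   ".hta", ".lnk", ".bat", ".cmd", ".ps1", ".jar", ".msi"}
# Extensions people expect to be harmless; an executable extension after one
# of these (voicemail.wav.exe) is a disguise.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".wav", ".mp3"}
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".ppam"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                        # .zip and every OOXML file (.docx, .xlsm, ...)


@dataclass
class AttachmentReport:
    filename: str
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage_attachment(filename: str, data: bytes) -> AttachmentReport:
    """Static checks on name and content; a clean result is not proof of safety."""
    report = AttachmentReport(filename)
    f = report.findings
    exts = ["." + p for p in filename.lower().split(".")[1:]]

    if exts and exts[-1] in EXECUTABLE_EXTS:
        f.append(f"executable extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            f.append(f"double extension: disguised as {exts[-2]}")
    if exts and exts[-1] in MACRO_ENABLED_EXTS:
        f.append(f"macro-enabled Office extension {exts[-1]}")
    if data.startswith(b"MZ") and not (exts and exts[-1] in EXECUTABLE_EXTS):
        f.append("Windows executable header (MZ) behind a non-executable name")
    if data.startswith(OLE_MAGIC):
        f.append("legacy OLE Office file; may carry VBA macros, inspect before opening")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            names = []
            f.append("ZIP header but archive is unreadable")
        if any(n.endswith("vbaproject.bin") for n in names):
            f.append("Office document contains a VBA project (macros)")
        nested = [n for n in names if any(n.endswith(e) for e in EXECUTABLE_EXTS)]
        if nested:
            f.append(f"archive contains executable(s): {', '.join(nested)}")
    return report


def _zip_bytes(entries: dict) -> bytes:
    """Build a small ZIP/OOXML-shaped archive in memory for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples standing in for real attachments (contents are placeholders).
SAMPLES = {
    "Quote.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "Invoice.docm": _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                                "word/vbaProject.bin": b"\x00\x01"}),
    "voicemail.wav.exe": b"MZ" + b"\x00" * 62,
    "Statement.pdf": b"MZ" + b"\x00" * 62,
    "payment.zip": _zip_bytes({"payment_details.pdf.js": b"eval(1)"}),
    "Report.doc": OLE_MAGIC + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage_attachment(name, data)
        print(f"{'SUSPICIOUS' if r.suspicious else 'ok':10} {name}: {'; '.join(r.findings) or 'no findings'}")
```

These are first-pass static checks, the kind a gateway runs before anything heavier. They catch the disguises the text describes but not, for example, a PDF with embedded JavaScript or a clean-looking document whose only payload is a link, so "no findings" means only that nothing obvious was found.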

How can I protect myself from Phishing?

Spam filters block email from Internet addresses already known to send spam or malware. They may also recognize the text and formatting of a known malicious campaign, but a newly crafted email sent from a new IP address will probably get through.

Anti-malware programs may detect some malicious attachments, but not reliably. Attackers can make minor changes to a malware program so that it no longer matches the signatures derived from previously discovered samples.

The best protection against phishing is knowledge and training. It is important to keep reminding ourselves of the danger and of the methods attackers use. Many companies provide this training, along with periodic tests of whether it has taken hold, for a relatively minor cost. Your network consultant may offer a service that does this for you on a regular schedule.