In our previous article, we explained the general idea behind phishing. We also stated that there are different types of phishing attacks which we all need to know about in order to identify and protect ourselves from them.
Over the years, some of these computer phishing attacks have become more sophisticated, making it more difficult to recognize them; It is true that many phishing attempts that reach us by email are quite crude and obvious, but others are much more subtle and if we do not pay special attention to some details, we can fall victim to them.
In the following sections, we will explain some of the most used phishing techniques.
While traditional phishing uses a “lay down and wait” approach, meaning that mass emails are sent to as many people as possible, spear phishing is a much more selective attack where the hacker knows what specific person or organization they are after. They investigate the target to make the attack more personalized and increase the chance that the target will fall into their trap.
The use of social engineering techniques here is key, especially since the hacker will try to know all the information he can about his target, so that the content of the email is as convincing as possible.
Email / Spam
It is the most common technique to carry out computer phishing attacks; the same email is sent to millions of users with a request to fill in their personal data. These details will be used by phishers for their illegal activities. Most messages have an urgent note that requires the user to enter their credentials to update account information, change details, or verify accounts. Sometimes they may be asked to fill out a form to access a new service via a link provided in the email.
Web-based delivery is one of the most sophisticated phishing techniques. Also known as a “man in the middle,” the hacker stands between the original website and the phishing system. The phisher tracks details during a transaction between the legitimate website and the user. As the user continues to pass information, the phishers collect it without the user knowing.
Link manipulation or URL phishing is a technique by which the phisher sends a link to a malicious website. When the user clicks on the misleading link, they open the phisher’s website instead of the website mentioned in the link. Usually, the appearance of the fraudulent website is identical to the real one that the user expects, so that they do not suspect anything and thus fall into the manipulation of the link.
Keyloggers refer to malware used to identify input from the keyboard. The information is sent to hackers who will use it to crack passwords and obtain other types of information. To prevent keyloggers from accessing personal information, secure websites offer options for using mouse clicks to make input via a virtual keyboard.
A Trojan horse or Trojans is a type of malware designed to trick the user with an action that appears legitimate (for example, downloading free software), but actually allows unauthorized access to the user’s account to collect credentials from his local machine. The acquired information is passed on to the cybercriminals.
The malvertising or malicious advertising is one that contains active scripts designed to download malware or force unwanted content on your computer. Exploits in Adobe PDF and Flash are the most common methods used in malicious ads.
In session hijacking, the phisher exploits the web session control mechanism to steal user information. In a simple session hacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant information and gain access to the web server illegally.
Content injection is the technique in which the phisher changes a part of the content on the page of a trusted website. This is done to trick the user into going to a page outside of the legitimate website where the user is asked to enter personal information.
Phishing through search engines
Some phishing scams involve search engines where the user is directed to product sites that may offer low-cost products or services. When the user tries to buy the product by entering the credit card details, the phishing site collects it. There are many fake bank websites that offer credit cards or loans to users at a low rate, but they are actually phishing sites.
Vishing (Phone Phishing)
Vishing, also known as Phone Phishing or Voice Phishing, is a technique in which the phisher makes a phone call impersonating a company or entity. The techniques used are similar to those that we can find in phishing (communicating a problem with a service, the payment method or that style). The goal is for the victim to provide personal bank account information.
Although in the past it was common for vishing attacks to be carried out through private numbers or numbers with many more digits than usual, over time they have changed and now telephone numbers are used that in principle do not make us suspect that it is a scam call.
Smishing (SMS phishing)
Phishing carried out via Short Message Service (SMS) is called Smishing. A smishing text, for example, attempts to entice a victim to reveal personal information via a link that leads to a phishing website.
Phishing scams that involve malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once you click on the link, the malware will start working. Sometimes malware can also be attached to downloadable files.
Malware refers to any type of virus, so if we click on these types of links, we will be opening the door to different types of viruses with different types of objectives.
Date Hijacking or Ransomware denies access to a device or files until a ransom has been paid. It can be applied to the entire device, preventing its use, or limiting access to certain files.
Although individuals are also often victims of this type of phishing attack, it is more common for companies or public bodies to be the favourite target of these cyberattacks, since the damage that a specific computer or file lock can cause is high.
The way to do this, as in most of these attacks, is to get the victim to click on a link that will download the malware onto the computer; it can be a link in an email, a malicious ad, or an attachment.
419 / Nigerian scams
The Nigerian scam is one of the oldest email scams. They got this name because Nigeria was, in the beginning, the country of origin of this scam and 419 because it is the article of the Nigerian penal code on fraud.
This form of phishing consists, generally, although there are variants, in convincing the victim to provide their bank account number or advance an amount of money, in exchange for which, they will be rewarded with a larger amount in the future. The basic idea is that an alleged Nigerian official needs to take money out of the country, but for this he needs the help of the victim, who must advance certain amounts of money to carry out the payment of alleged bribes, taxes, etc. In return, the alleged official will share with the victim that money that he wants to take out of the country.
Whaling is a much more targeted and precise type of phishing attack that targets senior managers in a company, such as CEOs and other high-level positions. In this case, more sophisticated and refined techniques are used so that victims, who are better trained to recognize phishing, fall into the trap.
The objective, as always in this type of attack, is to get the victim to access a link on a fake website, to get access credentials, or to download attachments that install malware on their computer and on the company network.
In cloning phishing, the phisher copies or clones a legitimate email from a company or organization that has been sent previously and that contained either a link or an attachment. The phisher manipulates these links or attachments to lead to malicious content and resends the emails. Since the email is exactly the same as the last ones received, the victim usually falls into the trap and clicks on the link or downloads the file, allowing the computer to be infected.
How to identify a phishing attack?
Now that you know the most common phishing attacks, let’s see how you can identify them to avoid being victims of them.
All phishing attacks are based on identity theft, either through email, through a fake website or, as we have seen, even through phone calls. So the way to identify them is to pay attention to detail.
It is true that some phishers falsify emails or websites to the smallest detail, but there is always something that they cannot completely falsify and that is the address the email comes from or the URL of the website. This is where we must look closely.
Normally, the emails that come from companies, organizations or banks, include your domain name, for example, email@example.com . When it comes to a phishing attempt, the address will look like this: firstname.lastname@example.org or similar. That is, the domain name will not appear after the @, but will be some strange mail platform or domain.
So check the sender’s address and if you find it suspicious, do not click on the links it may contain or download attachments.
As for web pages, the first thing you have to look at is if the address begins with “ https: // ”, that “s” is the key and tells us that we are on a secure website, just like the padlock that appears to the left of the steering bar.
It is true that there are legitimate pages that do not have the lock, so in this case, you must make sure that you are in the correct place, especially if you have entered it via a link, instead of having entered the address manually. And if you are not sure, do not carry out any action there and close the web.
When phishing attempts are less sophisticated, it is easier to recognize them, because the wording of the text has grammatical errors, since translators are often used to compose them. So pay attention to the language of the text as well.
And if what you receive is a phone call, it is most likely that the criminal is trying to impersonate a technical service. Normally, on the other end of the line you will have foreign people, so that is already a clue to hang up the call. But in case they are speacking English or Arabic, remember that the technical services will only contact you if you request it. And if they tell you that they are banks or telephone companies that supply energy or water, remember that they call to sell you services, not to ask for your information at the first exchange rate.
Now that we know what Phishing is and the types of Phishing Attacks, in our next article we will explain how to avoid being a victim of such attacks.