Phishing attacks have been a way for malicious actors to compromise organizations at alarming rates over the years. In fact, a recent survey found that 83% of respondents experienced a phishing attack in 2018, and that a successful attack costs a mid-size enterprise organization $1.6 million. Unfortunately, most industry experts agree that phishing will also be one of the top attack vectors for 2019, so it’s important to have a phishing prevention plan in place.
Why phishing attacks are one of the top cybersecurity crimes
- These attacks have solid success rates in the cybercrime industry
- They can be performed with minimal hardware or technological knowledge
- They are very low cost and provide an easy return on investment (ROI)
This blog is the first in a three-part series about phishing attacks. It provides an overview of phishing, while parts two and three will provide more technical details on phishing prevention. Before getting into the nitty-gritty of phishing attacks and phishing prevention, let’s take a step back and look at just what phishing is.
One phish, two phish – the types of phishing attacks
Phishing attacks can be split into two categories: email phishing and voice/phone phishing (also known as “vishing”). Vishing is a relatively old form of phishing that dates from the phone phreak era, in which a malicious actor uses the phone network to attack organizations; email phishing (you guessed it) uses email protocols and the internet to attack organizations. We will focus on email phishing in this post, as it is the more modern form of phishing attack and the one preferred by cyber criminals.
Email phishing is when a malicious actor sends a fraudulent email in an attempt to entice a user to perform some behavior. In cases LMG has investigated, email phishing attacks frequently attempt to steal a user’s credentials by setting up a fraudulent site, in addition to the email, for the user to navigate to and log in; the site then runs a script to capture those credentials. A malicious actor can then use the user’s credentials to further attack the organization, for example by deploying ransomware. Email phishing attacks can also be used to facilitate other attacks, or to spread malware via malicious file attachments.
In a phishing campaign, malicious actors have multiple options as to who they can target. The choice of targets can be split up into three types of phishing attacks:
- Generic Phishing – A malicious actor throws a wide net to try to target as many users as they can; as they target more and more users, the likelihood that someone will fall for the attack increases. A single victim can be enough to consider a phishing campaign a success. With that in mind, generic phishing campaigns are almost always successful. Although the most likely to succeed, a generic campaign may not yield the level of privilege a malicious actor is looking for, since most users in an organization (should) have limited privileges.
- Whaling – A malicious actor targets one specific user in an organization (usually a target who is suspected to have increased privileges or access to sensitive data) and tries to tailor their attack to that one target. This form of phishing generally has a lower success rate, as it is much more limited than a generic phishing attack, but could lead to the compromise of a high-level user if successful.
- Spear Phishing – A malicious actor targets a subset or group of higher-level users (IT administrators or executive management). This attack combines the advantages of a generic phishing attack (more targets increases success rate) and whaling (compromise of a high-level user).
Why are phishing attacks so successful?
Phishing attacks continue to be successful because they exploit the way users are trained to trust emails, especially when they appear to be coming from inside the organization. This, coupled with the fact that people (in general) are predisposed to being helpful and responsive through email, makes phishing a highly popular attack vector. Phishers use many techniques to exploit this trust even further. One very common technique is the use of doppelgänger domains (website names), which look almost identical to the domains that targets are used to seeing. Unless users are critically analyzing the domain names on emails they receive, they are unlikely to catch the subtle differences in domain names. In addition, malicious actors frequently make use of hyphenated domains and subdomains, such as outlook.lmg-security.com, in an effort to hide and legitimize their doppelgänger domain.
Trust can also be impacted by the way emails are displayed to users. Malicious actors can set whatever display name they want as the sender, which can aid in adding authenticity to phishing attack emails. Many mail applications, such as Outlook, can include an employee’s picture when emails are received from a known sender’s address. As sender addresses can be forged, this can be exploited to lend credibility to the phishing email.
Forged emails and websites are extremely easy to clone and make indistinguishable from their legitimate counterparts. For example, a malicious actor could clone a legitimate password reset email that a user has been conditioned to believe is real. A link in this email could actually lead to a malicious clone of the legitimate login page used for password resets. Familiarity can create trust, which allows malicious actors to instill more legitimacy in their attacks.
Users are trained to trust sites that have a valid SSL certificate (as demonstrated by https:// in the URL or a green lock icon) associated with them. Malicious actors can generate valid (and free) SSL certificates for their phishing sites, which immediately creates legitimacy. According to data from PhishLabs, 49% of all phishing sites in the third quarter of 2018 used valid SSL certificates.
Malicious actors have the luxury of being able to perform copious amounts of research (reconnaissance) on their targets before launching an attack. This reconnaissance can be leveraged to add legitimacy and is often paired with other factors, such as dates, locations, known services, etc. For example, if it is tax season, a malicious actor could perform a phishing campaign related to an employee’s W-2 form. If an organization is known to use a certain service, like Slack for internal communication, a malicious actor could craft a phishing campaign that impersonates or references that service.
The anatomy of a successful phishing attack
Here at LMG, we have also seen an uptick in organizations being compromised by phishing attack campaigns originating from legitimate email accounts within the organization. If a user’s account is compromised (through whatever means) a malicious actor may be able to start sending phishing emails posing as the compromised user, which is very difficult to distinguish as a phishing email since they are originating from a legitimate internal account.
Here is an example of a phishing email and a web page that shows some of the techniques mentioned in this blog:
This email uses the doppelgänger domain lmg-security.com, whereas lmgsecurity.com is our real domain. The sender address looks like it belongs to a user within LMG Security named “Fish Eye”. The message is marked as high importance, which is stated in the email body and also shown by the “High Importance” exclamation point visible before the email is opened. The phishing URL is hidden behind a hyperlink on the word “here”.
After clicking on the phishing link, the user is brought to a page that looks exactly like LMG’s legitimate homepage. As shown in the URL, the site is using the same doppelgänger domain as the phishing email. The site is also using a valid SSL certificate demonstrated by the use of the green lock icon.
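The indicators walked through above (a hyphenated doppelgänger domain in the sender address, a display name borrowed from a real employee, a high-importance flag, and a phishing URL hidden behind generic link text) can all be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original post or from LMG Security. It assumes lmgsecurity.com is the organization's real domain (as the post states), uses a constructed staff directory (`KNOWN_STAFF`) and a constructed sample message modelled on the email described above, and treats hyphen/dot variants, the real name reused as a label (such as outlook.lmg-security.com), and one-character typosquats as lookalikes; real subdomains of the legitimate domain are not flagged.

```python
"""Triage checks for the phishing indicators described in the post."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the organization's real domain (the post
# names lmgsecurity.com) and a constructed directory of known display names.
LEGIT_DOMAIN = "lmgsecurity.com"
KNOWN_STAFF = {"fish eye": "fisheye@lmgsecurity.com"}  # constructed


def _squash(s):
    """Drop hyphens and dots so lmg-security.com and lmgsecurity.com compare equal."""
    return re.sub(r"[-.]", "", s.lower())


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, legit=LEGIT_DOMAIN):
    """True if host imitates legit: hyphen/dot variants, the legit name reused
    anywhere in the host (outlook.lmg-security.com, lmgsecurity.com.evil.net),
    or a registrable domain one edit away. Real subdomains are not flagged."""
    host = host.lower().rstrip(".")
    if host == legit or host.endswith("." + legit):
        return False
    registrable = ".".join(host.split(".")[-2:])
    base = legit.split(".")[0]
    return base in _squash(host) or _edit_distance(registrable, legit) == 1


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of (indicator, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if is_lookalike(domain):
        findings.append(("doppelganger-from-domain", domain))
    known = KNOWN_STAFF.get(name.lower())
    if known and known.lower() != addr.lower():
        findings.append(("display-name-impersonation", f"{name!r} -> {addr}"))
    if msg.get("Importance", "").lower() == "high" or msg.get("X-Priority") == "1":
        findings.append(("urgency-flag", "message marked high importance"))
    body = msg.get_payload(decode=True)
    body = body.decode(msg.get_content_charset() or "utf-8", "replace") if body else ""
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if is_lookalike(host):
            findings.append(("doppelganger-link", f"{text!r} -> {href}"))
        # Only compare visible text to the href when the text itself looks like a URL.
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if host and shown.lower() != host.lower():
                findings.append(("link-text-mismatch", f"{text} -> {host}"))
    return findings


# Constructed sample modelled on the email described in the post (not a real message).
SAMPLE = """From: "Fish Eye" <fisheye@lmg-security.com>
To: user@lmgsecurity.com
Subject: Password reset required
Importance: High
Content-Type: text/html

<html><body><p>Your password expires today. Reset it
<a href="https://lmg-security.com/login">here</a>.</p></body></html>
"""

if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE):
        print(f"{indicator}: {detail}")
```

Run against the constructed sample, the script reports all four indicators from the example email. The lookalike test is deliberately heuristic: it will also flag unrelated domains that happen to contain the organization's name, which for a triage queue is the preferable direction of error.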
As you can imagine, a sophisticated malicious actor can use variations of these techniques to exploit the permissive nature and trust of email, which could result in the compromise of credentials, or to spread malware, such as ransomware.
Thank you for reading part one of our three-part series on phishing. In subsequent blog posts we will explore how to best protect against phishing attacks through both technical controls and one of the most important factors, general cybersecurity awareness training for your entire team.