Research Study on Advanced Phishing Attacks

Advanced Phishing Attacks

By Kartikay Bansal, PGDRM Jan’21-22

Kartikay Bansal, who recently finished the Global Risk Management Institute’s (GRMI) post-graduate diploma in risk management (PGDRM) course, conducted a research study on “Advanced phishing attacks.” Before pursuing a career in risk management in India, Kartikay completed his B.Tech (CSE) at JECRC University. He worked as a security and test engineer before taking up the risk management course and is currently placed in EY Business Consulting Risk. According to Shubham, PGDRM is one of India’s best job-oriented courses.

Read the full research study below:

What is Phishing?

Phishing is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution or person in order to induce individuals into providing sensitive data such as personal information, banking and credit card details, and passwords.

Hackers commonly rely on phishing because it is harder to spot than most people expect. They use email, social media, or phone calls, and the scams hide behind voices you know and trust, such as your co-workers, friends, or your bank, to steal personal information.

 

How does Phishing work?

Phishing works with anyone who uses the internet or phones. Phishing scams try to:

  • Infect devices with malware
  • Steal private credentials to get money or identity
  • Obtain control of online accounts

 

Types of Phishing

 

1. Email Phishing

The most common phishing scenario takes the shape of malicious emails sent to individuals mimicking an authentic organization. Also known as spam phishing, this kind of attack lets the cybercriminal get access to a large number of customers registered on a site.

2. Clone Phishing

In a clone phishing scenario, the attacker takes advantage of actual email messages that an individual may have received. By creating a virtual replica or a clone, the phisher replaces any links or attachments with malicious ones.

3. Domain Spoofing

A second kind of email phishing comes in the form of domain spoofing, where the perpetrator spoofs a notable organization’s domain name. This technique makes it appear as if you are receiving an email from a legitimate company. Example: they do so using character substitution, such as ‘r’ and ‘n’ placed together (‘rn’) in place of ‘m’.
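As an added example (not part of the original study), the following defensive check covers both the clone-phishing case above, where links in a copied email are swapped for malicious ones, and the ‘rn’-for-‘m’ substitution just described. It scans an HTML email body for anchors whose visible text names one domain while the actual link goes elsewhere, and for link hosts that collapse to a trusted brand once confusable characters are folded. The trusted-domain list and the confusable table are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand domains the organisation trusts (constructed sample list, not from the study).
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "example-bank.com"}
# Confusable substitutions: the 'rn' for 'm' trick from the text plus a few common ones.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]
def registrable_domain(host):
    # Last two labels; assumption: no public-suffix list, so co.uk-style suffixes are not handled.
    return ".".join(host.lower().strip(".").split(".")[-2:])
def skeleton(domain):
    # Fold confusables so 'rnicrosoft.com' and 'microsoft.com' become the same string.
    out = domain.lower()
    for fake, real in CONFUSABLES:
        out = out.replace(fake, real)
    return out
def lookalike_of(domain):
    # Trusted domain this one imitates; None when it is trusted itself or unrelated.
    hit = next((t for t in TRUSTED_DOMAINS if skeleton(domain) == skeleton(t)), None)
    return None if domain in TRUSTED_DOMAINS else hit
class _Links(HTMLParser):
    # Collects (href, visible text) pairs from <a> tags in an email body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    # Flag anchors whose shown domain differs from the real host, or whose host imitates a trusted brand.
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registrable_domain(host)
        shown = text.lower().split("/")[0]  # visible text treated as a bare domain if it looks like one
        if "." in shown and " " not in shown and registrable_domain(shown) != dom:
            findings.append((href, "text %r does not match link host %r" % (text, host)))
        if target := lookalike_of(dom):
            findings.append((href, "host %r imitates trusted %r" % (host, target)))
    return findings
```

Running `suspicious_links` over a quarantined message body gives a mail gateway or analyst two independent signals per link; a clone of a genuine email will usually trip the first, and a spoofed domain the second.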

4. Whaling

This is a type of spear-phishing where the target is the highest authority in the organization, the CEO. The fraudster tricks the executive with bogus emails to get access to their login credentials.

5. Evil Twin

In this scenario the hacker replicates a legitimate Wi-Fi hotspot with a fake one. When users connect to it, the attacker can eavesdrop on their network traffic and steal account names and passwords. Vulnerable Wi-Fi access points include those at coffee shops, airports, shopping malls, hospitals, and other public hotspot locations.

6. SMS Phishing (Smishing)

Cybercriminals lure victims through text messaging to:

  • Visit rogue websites
  • Download malicious apps
  • Contact tech support

7. Voice Phishing (Vishing)

Rather than hide behind a virtual screen, the attacker convinces the victim to disclose personal information while speaking to them through the phone.

8. Pharming

With pharming, the perpetrator doesn’t attack individuals. Rather, the attack is directed at the DNS (Domain Name System), where the fraudster causes DNS cache poisoning. This changes the IP address associated with a website name, so even when individuals type the correct site name, the scammer can still redirect them to the malicious website.

9. Watering Hole Phishing

This describes the phishing scenario where one employee falling prey to an attack compromises other members of the organization. On opening the malicious website, link, or attachment, the employee’s computer is automatically loaded with malware that spreads to other systems within the company.

 

Some Phishing scams

 

1. Facebook and Google

 

Facebook and Google were tricked out of $100 million in 2013-2015 by an extended phishing campaign. The phisher sent both companies a series of fake invoices impersonating Quanta, a Taiwan-based company, because the attackers knew both companies used Quanta as a vendor. Eventually the scam was discovered, and as a result of the legal proceedings Facebook and Google were able to recover $49.7 million of the $100 million stolen from them.

 

2. Sony Pictures hack causes leak of over 30,000 documents

 

This is one of the most famous examples of how phishing attacks can take more than just money. A group attacked Sony after it refused to withdraw a film mocking North Korean leader Kim Jong Un. This targeted attack used more than just fake emails. Hackers actually gained access to Sony’s building by tricking employees. They impersonated IT staff, then used the employees’ credentials to plant malware on Sony’s systems. This led to the leak of tens of thousands of employees’ personal details, film scripts, and highly confidential personal emails.

 

How can Phishing affect a business?

1. Reputational damage

2. Loss of customers

3. Loss of company value

4. Regulatory fines

5. Business disruption

 

How can you keep yourself safe from Phishing?

1. Keep Up to Date on Phishing Techniques: Keep an eye on phishing scams, as new ones are being developed all the time.

2. Think Before You Click!: Clicking on links in random emails or instant messages isn’t a smart move!

3. Install an Anti-Phishing Toolbar: An anti-phishing toolbar quickly checks the sites you visit against lists of known phishing sites.

4. Verify a Site’s Security: Before submitting any information, make sure the site’s URL begins with “HTTPS” and not “HTTP”.

5. Check Your Online Accounts Regularly: Check out your online accounts regularly and make a habit of changing the passwords regularly too.

6. Keep Your Browser Up to Date: Security patches are released for popular browsers in response to the security loopholes that phishers inevitably discover and exploit.

7. Use Firewalls: There are two types of firewall, a desktop firewall and a network firewall. Try using both, as they act as buffers between you, your computer, and outside intruders.

8. Beware of Pop-Ups: Many popular browsers allow you to block pop-ups. If one does get through, don’t click its “cancel” button; such buttons often lead to phishing sites.

9. Never Give Out Personal Information: You should never share personal or financial information over the Internet.

10. Use Antivirus Software: Anti-spyware and firewall settings should be used to prevent phishing attacks.

 



Disclaimer

This report has been produced by students of Global Risk Management Institute for their own research, classroom discussions and general information purposes only. While care has been taken in gathering the data and preparing the report, the student’s or GRMI does not make any representations or warranties as to its accuracy or completeness and expressly excludes to the maximum extent permitted by law all those that might otherwise be implied. References to the information collected have been given where necessary.

GRMI or its students accepts no responsibility or liability for any loss or damage of any nature occasioned to any person as a result of acting or refraining from acting as a result of, or in reliance on, any statement, fact, figure or expression of opinion or belief contained in this report. This report does not constitute advice of any kind.
