Easily one of the oldest attack vectors in the history of cybercrime, phishing attacks remain one of the most commonly used techniques for spreading malware, stealing credentials, infiltrating a network, or carrying out a range of nefarious acts on an organization. At the peak of the pandemic last year, phishing attacks went up by 220% against the yearly average. That’s probably something you shouldn’t be taking lightly.

Let this sink in: For every 10 cyber security incidents that are reported, 8 of them are phishing attacks. What’s more, phishing attacks target what’s often the weakest link in an organization’s security infrastructure; namely, its end users. So if you haven’t been paying attention to the messages that arrive at your end users’ inboxes and, more importantly, how your users treat them, it’s time you did.

What is a Phishing Attack?

A phishing attack is a deviously-crafted message that’s meant to trick the recipient into performing the sending threat actor’s desired call-to-action — usually, to download a file or click a link. In most cases, the file ends up to be malware and the link leads to a malicious website.

The malware can be a system-locking ransomware, a credential-stealing keylogger, a network-crippling worm, or just about any havoc-wreaking miscreant. The website, on the other hand, usually contains additional content and a form urging the victim to submit confidential information (e.g. login credentials, personal data, etc).

While phishing attacks can also be carried out via social media/instant messaging channels, it’s still often associated with email. So, throughout this post, we’ll be using email as the main subject.

How are phishing attacks carried out?

Phishing attacks involve several parts. Here’s an overview of what this type of attack entails.

Crafting the email

The success of a phishing attack highly depends on its ability to dupe the recipient into: 1) believing the email is legit and then 2) performing the call-to-action. Therefore, it’s crucial for the attacker to make both the look of the email and the message itself appear totally convincing. So, as you can imagine, a lot of creativity and attention to detail goes into creating a phishing email. This requires top-notch graphics design and copywriting skills.

Sending the phishing email en masse

Once a phishing email has been crafted, the next thing the attacker does is send it. There are a couple of ways of doing this but most of them involve some form of email blast, which is the process of sending a single email to a mailing list. Some cybercrooks use mail servers, while others use botnets. Botnets are a collection of zombified computers ensnared to perform a single (usually nefarious) task — like sending out spam emails.

Obtaining the mailing list

Since the email list should contain valid email addresses of potential victims, these lists are typically sourced from marketplaces in the Dark Web. In most cases, the lists themselves were stolen in previous hacking incidents. When a data breach involves email addresses, there’s always a good chance those addresses end up in these shady marketplaces and then sold to interested buyers such as those who launch phishing attacks.

Phishing kits and Phishing-as-a-Service

Not all criminal-minded individuals have the technical skill or know-how to perform the steps outlined above. That limitation doesn’t prevent them from carrying out phishing attacks, though. There are now phishing kits and Phishing-as-a-Service offerings in the Dark Web. These products and services already have everything that’s needed to launch a phishing attack.

Using HTTPS

Many phishing sites now use HTTPS as a way of winning the trust and confidence of end users, many of whom sweepingly associate HTTPS with ‘safety’. It’s also a way of circumventing the ‘insecure’ labels popular browsers now tag HTTP sites with.

The real danger in a phishing attack

The phishing email itself isn’t what you need to be worried about. Rather, it’s the attachment or the target of the link that comes with that email. If the attachment is a ransomware, your end user’s computer could get encrypted and locked up. And if that computer contains business-critical applications or data, your business could suffer significant downtime.

f the attachment is a keylogger or spyware, login credentials or other confidential information could be compromised. If it’s a worm, your entire network (and sometimes, even other networks connected to your network) could be brought to a halt.

Lastly, if the email contains a link, that link will likely take the victim to a malicious website that collects personal data, payment card data, or other sensitive information. This information can then be used to carry out fraudulent transactions.

The rise of COVID-flavored phishing emails

Earlier, we said phishing attacks spiked at the height of the pandemic. Many of these were not your usual phishing campaigns. Most of these attacks were actually COVID-themed, playing on the overarching sentiment of the general public these days. Here are some examples of the type of messages conveyed in these spam phishing emails:

• COVID-19 cases are surging in [insert recipient’s home city]. Download the latest updates here.
• View real-time COVID-19 statistics on this WHO-endorsed online map and dashboard.
• 3 out of 10 kids are critically at risk with this newly discovered coronavirus strain. See if your child falls into this category by visiting this site.
• [From: name of HR manager] URGENT! HIGHLY CONFIDENTIAL. [names of two (2) of your office mates] have been found to have tested positive for COVID-19. Follow the instructions found in this document ASAP.

Ordinary phishing vs spear phishing

If you noticed, that last example of a typical message in a phishing email we shared in the previous article was more customized than the previous three. The previous three were examples of phishing attacks of the ‘spray and pray’ variety. These are basically general, less-targeted or non-targeted attacks aimed at a very broad range of potential victims.

A highly targeted phishing email, on the other hand, which typically includes information that closely relates to the recipient, is called a spear phishing email. Spear phishing attacks are normally sent to high-value targets who, if caught off guard, may inadvertently leak out valuable information or credentials to valuable assets. For example, a spear phishing attack might be targeted at a senior system administrator, whose credentials could open the gates to the entire network.

For a more detailed discussion on spear phishing attacks and how to address them click that link.

What can you do to protect users?

The sense of urgency invoked by these phishing emails forces many users to follow the instructions on the email without thinking. If you ask us, that’s a recipe for disaster. However, there are ways to counter a phishing attack. We’ll talk about them in our next post, so stay tuned for that.