We’ve all heard about phishing by now. It’s the attack vector of choice for many hackers – in which the weapon used is a simple email. Hackers love phishing because it’s usually easier to trick a single employee into clicking a toxic link in a phishing email than it is to craft a technical exploit for a company system.
If we all know about phishing, why do we take the bait?
Many people associate phishing with common spam and/or obviously phony emails that often end up in our personal inboxes. Such obvious phishing emails might contain blatant spelling mistakes or request financial information for banks we don’t have accounts with.
But the real threat of phishing comes from a higher caliber attack. Many adversaries are actually quite adept at crafting believable messages. They use proper grammar and accurate logos. Their emails seem to be appropriate – in a context that doesn’t readily indicate a phishing attempt.
These advanced phishing techniques, as well as common spam attempts, are why phishing continues to be a leading cause of data breaches.
Phishing and pretexting account for 93% of social breaches in 2018 Verizon study.
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), phishing and pretexting account for 93% of social breaches in the study. (Pretexting is influencing a person, in order to affect their behavior or gain information by creating a false sense of security. Pretexting occurs in a variety of ways, including through email.)
Well publicized breaches such as the Democratic National Committee, Target, and Anthem Health Insurance reportedly all began with compromise via phishing email.
Common phishing techniques and how you can spot them.
Schneider Downs calls the two overarching categories of phishing: Phishing for Credentials and Phishing for Compromise. Other documented techniques, such as Spear-Phishing, may utilize either technique depending on the situation.
Phishing for Credentials
As you might have guessed, Phishing for Credentials is about trying to compromise a valid username and password combination for a specific application. The targeted application would likely be a high-value target; it could be a VPN, Office365, Outlook Web App, or a custom portal used to store sensitive information. The email could be a request from an adversary impersonating someone you know and might include a link to a fake login portal. For example, if your company uses Dropbox to share documents, valid Dropbox credentials could prove useful to an attacker. A phish for credentials specifically targeting Dropbox could look like this:
The body of the email looks legitimate, as if it’s a real notification from Dropbox. If you click the link to view the documents, you’re brought here to a (fake) login screen:
Again, this looks very real. It’s almost an exact clone of the real Dropbox login page. Setting up these kinds of fake pages is trivial for attackers. Any usernames and passwords entered on this page are sent back in cleartext to the attacker, who then might redirect you to the real Dropbox login to avoid causing suspicion.
What to Look for:
- Always watch out for the domain name. Something will generally be slightly off in the from address field or in the URL. You would expect this email to be from dropbox.com. In the example, we’ve blurred the domain since we actively use it in our ethical hacking engagements, but, it’s coming from a domain that is not similar to dropbox.com. In a more careful attack, the domain could easily be something as close to the real name as mydrobox.com or dropdox.com.
- Before even clicking the View Documents button in the email, you can hover the mouse over it to see where the hyperlink goes. If it doesn’t go where you expect, don’t click.
- Many of these types of phishes have generic greetings instead of your name. Attackers won’t always take the time to get your personal details or place them in the email. Introductions similar to “Dear Customer” are signs that the email might by a phish.
Also, in the browser screenshot you might have noticed that the site uses HTTPS and that Chrome identified the website as secure using the green lock symbol. Many people are aware that you shouldn’t enter credentials over HTTP, where the browser does not show the secure symbol. That is true, however, it does not mean that any site using encryption is safe to enter your credentials in. Setting up the certificates for encryption takes a few minutes, but it’s a step many adversaries will take in order to help gain your trust.
Phishing for Compromise
Phishing for Compromise is different from Phishing for Credentials in that it likely includes a file. The file could be attached directly to the email or could be downloaded from a link in the email. It could be formatted as a Microsoft Office document, a PDF, an executable, or almost anything except a text document. If the file is run it will attempt to introduce some form of malware to your system. This could be something like ransomware, as we saw with many attacks in 2017, or an outbound connection, known as a reverse shell, giving the attacker remote control of your system.
The example below is a sneaky trick – it’s a phishing email claiming to contain the results of an internal phishing campaign conducted by the recipient’s own company. Who doesn’t want to know if your work neighbor clicked the bad links during training exercises, right?
In a ploy to gain your trust, the email contains some general info about phishing and even some tips on how to avoid getting phished.
Clicking the Review Report link downloads a file hosted on the internet, in this case called Results.xls. The file contains some phony phishing statistics, listed by department, with some pretty formatting to make it look legitimate.
This excel file contains a macro, which in this case, is actually a malicious payload – you’ll see the yellow SECURITY WARNING bar asking if you wish to enable macros. If the Enable Content button is clicked, the macro automatically runs, attempting to run a command on the victim’s computer that allows the sender to remotely access the computer. If successful, the attacker could run shell commands, browse/edit/delete files, and much more.
What to Look for:
- Phishing emails that contain payloads want you to open the file – oftentimes playing off human emotion by using wording to make the situation seem urgent or, in this case, make you curious about what the file contains.
- Older versions of Microsoft Office Documents like .xls and .doc allow macros to be saved in the document. Newer versions of Office documents (.xlsx and .docx) don’t, instead requiring a special extension (.xlsm and .docm) most people aren’t used to seeing. If you don’t normally see older versions of these file types, this should be a red flag.
- Security warnings caused by the presence of macros. Be extremely careful clicking through security warnings! Do so only if you know the sender and the purpose of the macro or program. This is not specific to Office documents. Other file formats might require or even prompt you for administrative privileges.
The two umbrellas that phishing defenses fall under are user training and technical controls. Schneider Downs believes the most effective defense is a healthy combination of both.
User training can be in a variety of formats: seminars, computer trainings or phishing simulations, to name a few. Phishing simulations are legitimate attempts by your company or a third party to phish your employees. This can be done to establish a baseline, track progress, or directly alert users to missteps by redirecting users who click to a training page. The goal of simulations, and all user trainings, is to raise awareness and foster a healthy relationship between your employees and your security personnel.
The end user is often the first line of defense. It’s important that employees know that they should report (and are comfortable doing so) any suspicious emails to security, whether it’s a real phish, a simulation, or a legitimate email.
Technical controls are software put in place that help prevent phishing emails from ever reaching the end user. This can be through inspection of the domain it’s coming from, examination of where links take you, and sandboxing attached files. If something gets flagged, the email isn’t delivered to users, or at least prompts the user to release the email to their inbox.
Technical tools such as Mimecast have capabilities to help with incident response if phishing emails get through. Post-delivery options include abilities such as viewing other recipients of an email (for password resets, etc.) and killing hyperlinks in an email. These options are great – since you can get a bigger picture and take action quickly if just one user reports suspicious activity to you.
If you have any questions, please contact Schneider Downs’ cybersecurity advisory team.