‘Phishing’ is a common word in the world of Internet Security. An attacker sends a victim an email or communication pretending to be a bank, or some other popular organization that the user potentially has a relationship with. The user clicks on a link, which opens up the attacker’s fake page (posing as the bank) and the user enters his/her username and password to authenticate, after which the attacker has the user’s credentials (and access to his account) to compromise the user’s account. This is a traditional phishing model, where attackers send millions of emails to users all over the world pretending to be from a bank, financial institution, government department, etc. and unassuming users have been cheated out of their money or their personal data, etc. The model here is one of volume and economies of scale. The attacker targets end-users and the more number of users the attacker hooks, the better it is. This model is also aimed at regular internet users using publicly available email like Gmail, Yahoo, etc.
Subsequently, attackers started to target corporations and enterprises with ‘Spear phishing’. This is a phishing attack that is aimed at a specific organization or an enterprise. The attacker looking to penetrate into a particular organization sends an email/communication to employees of the organization posing as an official email relating to the organization/from the organization and then stealing their credentials to access their accounts and subsequently use that information to compromise the enterprise.
Today, however, Spear phishing has evolved. It has become far more focused and deadly. For example, Savitha is an employee working on XYZ Bank. She receives an email from the Company’s Human Resources Department (fake) asking her to fill out a survey on the Employee Welfare practices. The mail looks genuine and has logos and wording very similar to the bank. Savitha clicks on the email and she is taken to a site with forms and a questionnaire. She fills it out, clicks submit and continues with her work. Little does she know, that as soon she clicked on the email and was taken to the site, the attacker had linked the page with a browser exploitation application and her browser was now compromised. The attacker’s browser exploit application had installed a keylogger that logs all of Savitha’s keystrokes, recording all her passwords to multiple applications including the company’s banking application, their email systems, etc. Additionally, the attacker’s application also exploits certain common vulnerabilities on her Windows system, providing complete access to the attacker on her machine, which the attacker can use to launch more specific attacks against the organization.
Modern Phishing attacks focus more on capturing the user’s browser and subsequently using that as a pivot to attack the machine and the enterprise. These attacks are made even more effective because organizations usually pay little attention to browser security. Browsers aren’t usually patched with the latest security updates, aren’t hardened to prevent attacks.
One of the ways that I have found effective is to conduct a Social Engineering Test or a Phishing tests against employees in the organization and share the results of that test in a Security Awareness Training Program. People are usually glued to the edge of their seat when they discover that they could be victims to such attacks. It is a far cry from the bland Security Awareness Training Program that organizations conduct for their employees.
Phishing attacks like many other attacks are evolving to become more dangerous and powerful. Only a proactive organization can prevent and curtail the effects of this kind of an attack against their people and infrastructure.