I sat down for a chat with George Skouroupathis, our phishing expert at Resonance Security.
Phishing is often the first step taken by hackers in a larger scam.
There are lots of different kinds of phishing attacks, but one of the most prevalent is spear phishing, in which the hacker produces spoof emails that look like official company correspondence, for example from someone in the HR department, or from a client or partner of the company.
The aim is to get company employees to click on malicious links that encourage them to enter confidential information or open email attachments that contain malware as a way past the company's defenses.
Phishing is a cat-and-mouse game in which new techniques are developed by hackers all the time, and the security systems and our security education have to evolve to deal with them.
There are two main aspects to a successful phishing attack: the technical, and the psychological.
The technical
The main technical problem phishers face is getting past modern-day spam filters.
Get a domain
And so, phishers start by buying an old domain with a decent-looking history - a domain that was previously registered and subsequently allowed to lapse.
Ideally, the domain should be relevant to the content of the phishing email.
Each website on the web is categorized by search engines, with categories such as health, management consultancy, technical services, media, and so on, and the aim is for the malicious website to fall squarely into one of the desirable categories that match the nature of the phishing campaign.
On the day that the phishing email is sent, the phisher will swap out the innocuous site for the malicious one.
Use marketing techniques
When the phishing email is sent, phishers will often use tracking pixels to determine if and when the email is opened, which allows them to subsequently fine-tune further phishing email templates.
Whether the phishing link is clicked is logged, as is the conversion rate for a malicious login page, and other metrics are tracked as well.
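On the defensive side, the same open-tracking beacons can be spotted in an incoming message. The following is an added example (not code from the article or from Resonance Security) that scans an HTML e-mail body for remote images that are 1x1 or hidden, which is how tracking pixels are usually embedded; the sample message and the hostnames in it are constructed.

```python
"""Flag likely tracking pixels in an HTML e-mail body (added defensive example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _dim(value):
    """Parse a width/height attribute; treat missing or unparseable as large."""
    if value is None:
        return 10**6
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else 10**6


class PixelFinder(HTMLParser):
    """Collect <img> tags that look like open-tracking beacons."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # Only remote images can report an open back to the sender.
        if urlparse(src).scheme not in ("http", "https"):
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = _dim(a.get("width")) <= 1 and _dim(a.get("height")) <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.hits.append(src)


def find_tracking_pixels(html):
    """Return the src URLs of images that look like tracking pixels."""
    finder = PixelFinder()
    finder.feed(html)
    return finder.hits


# Constructed sample: a real logo, a 1x1 hidden beacon with a per-recipient token, and an inline image.
SAMPLE = """<html><body>
<img src="https://example.invalid/logo.png" width="200" height="60">
<p>Please review the attached survey.</p>
<img src="https://track.example.invalid/open?rid=abc123" width="1" height="1" style="display:none">
<img src="cid:inline001" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE):
        print("tracking pixel:", url)
```

A mail gateway or client can use the same check to strip or block remote images before the message is displayed, which stops the open from being reported at all.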
The psychological
I previously mentioned that technical marketing techniques are extremely useful for the phisher.
That extends to building a target email list: the phisher will be checking social media, bulletin boards, and even the target company website for email addresses.
If a senior director was recently arrested for insider trading, a phisher might send a link to what looks like a financial ethics survey.
Conclusion
Sometimes companies conduct internal phishing campaigns to train their employees in the risks, or if they are feeling particularly harsh, to identify individual weak links in the company.
Not all such training exercises are handled with tact and an appreciation of the embarrassment falling for a phishing scam might cause the unwitting participants.
Hopefully, with the insights into the minds of phishers that I've provided above, your chances of being fooled are now much lower.
Let me know in the comments if you feel this has helped, and if you want to run an ethical and compassionate phishing training exercise for your organization.
This Cyber News was published on hackread.com. Publication date: Thu, 30 May 2024 23:13:07 +0000