make a good business better

Blog Information Security

Print Divider Print Divider Branding
 

The Anatomy of a Phish

10/11/2017  |  By: Derek Rush, Manager

Share

Social Logo Social Logo Social Logo Social Logo

Phishing attacks are cybercrimes conducted through email, telephone, or text messages, typically performed by a cyber-criminal posing as an institution or a trusted person to trick individuals into offering personal information, banking or credit card details, and other types of sensitive data. Cyber-criminals use this sensitive data to access bank accounts and steal identities.

LBMC Information Security’s Derek Rush recently gave a presentation discussing the anatomy of a phishing attack and what IT can do to help prevent, detect, and respond to phishing campaigns. Here’s a brief overview of what you’ll find in the presentation:

Types of Phishing

Phish can appear in different forms from generic to highly targeted. It’s important to understand the differences in order to properly respond to a phishing attack. Here are the four main types of phishing attacks and a brief description of each attack’s goals.

  • Phishing—Generic attempts via email to acquire sensitive information by tricking users.
  • Vishing—Cold calls to an entity, attempting to trick the recipient of the phone call into performing some action.
  • Spear phishing—Targeted phishing attempts aimed at specific individuals or groups within an organization, where the attempts are personalized to increase credibility.
  • Whaling—Highly targeted attempts, using email as the communication medium to gather sensitive information from high-value individuals within an organization.

The Anatomy of a Phish

Taking into consideration a high-level overview, it’s good to focus on how a threat actor may achieve the initial foothold on a corporation’s systems before pivoting mercilessly to harvest sensitive data. When considering this initial foothold, the following approach outlines some steps that can demonstrate how the process works. The presentation (download in the right column of this page) highlights specific details involved with each step.

  • Research the Company— Initial research is done on the fake company to understand organizational structure, business drivers, vendors, employee’s social media content, and other information repositories.
  • Obtain a List of Emails—When the company information is known, along with some good phishing approaches, it’s time to harvest publicly available emails, in addition to “mangling” (see below) known employee names.
  • Decide Where the Email Should Originate—With the knowledge of the company, internal personnel, and a list of emails, the next step involves figuring out where the email should originate. This could involve purchasing a domain name similar to the fake company’s or another business the company is associated.
    • How to Mangle a Domain— Mangling a domain is a common technique for phishermen to use when they want their message to appear as if it’s from someone at a given company. Mangling a domain can be performed with multiple tools and consists of taking a list of known ways to mistype a domain, while still having it resemble the original domain.
  • Strategize What You Want Phishing Targets to Do—A common approach is to clone a familiar website that resembles the fake company’s login portal users would authenticate to, or develop a document with malware that someone inside the company would likely open.

Why Site Cloning?

Site cloning is a popular tactic used by phishermen where a login portal is cloned, hosted on a threat actor’s server, and modified slightly, so that whatever a user types in for the username and password is sent back to the attacker. Alternatively, the threat actor could include an exploit on the cloned site that they believe would be effective. Email portals, remote access portals, social media login portals, and anything else a user may login to are good choices.

Why Documents with Malware?

Malware within electronic office documents is another popular tactic used by phishermen, where a purportedly legitimate document contains malicious code that will either trigger when the user opens the document or when the user opens the document to enable macros. Macros and recent exploits for Microsoft, Java, Adobe, and other common third party products are used to conduct successful phishing campaigns.

How IT Can Help

The role of an organization’s IT department involves education, technology, and policies in limiting the damage of phishing attempts, if successful. In addition, IT should work to prevent phishing attempts from the start. Here are some of the methods and tactics an IT department should have in place.

  • Multi-Factor Authentication—All remotely accessible services that are facing the Internet should be secured with multi-factor authentication.
  • Employee Awareness—All employees should be regularly educated to raise their awareness of phishing attacks and what they look like.
  • Assessment of Training Effectiveness—Employees’ level of awareness can be assessed by conducting regular phishing campaigns internally or through a third party.
  • Keeping Systems Patched— In the event of a successful phishing campaign, having systems patched is critical to preventing the initial foothold of a threat actor.
  • Spam Detection—While not a cure-all, an email gateway with spam detection capabilities will have an impact on the amount of spam and phishing attempts that reach each end user.
  • Limit Access/Least Privilege—Users need access to do their jobs, but many companies suffer from access creep or allotting more permissions than needed for an employee to do their job effectively.
  • Visual Indicators for Employees—Additional visual cues should be in place to assist employees in identifying phishing attempts.

LBMC Information Security’s team of experts stand ready to help organizations armor up with a wide range of security services, including the execution of phishing attacks. Contact us today to learn more about our phishing services that are intended to assess the effectiveness of internal corporate security training and the effectiveness of security controls in place if a threat actor were to gain access.