Phishing, Spear Phishing, Whaling and more: The attacks are becoming more sophisticated
28-09-2020, Author: Jan Tissler

The days when it was easy to spot fake login pages and e-mails are long gone. "Phishing" attacks are becoming more and more sophisticated. Some even target one person only. In this article we explain how they work and what we can do to prevent them.
With phishing, criminals “fish” for valuable data such as passwords or credit card information. This can be the first gateway for a major attack.
For example, the victims are sent an e-mail that appears to come from a well-known organization such as their mobile operator. A link then takes them to a website, because certain information allegedly needs to be urgently confirmed. In reality, however, the site is operated by criminals who use this technique to gradually collect their virtual loot.
Another objective may be to smuggle in malware that then extracts the desired information itself. Such malware can be disguised as a harmless e-mail attachment or as a download from cloud storage.
How phishing attacks trick their victims
In the early days, such e-mails and websites were still quite easy to recognize, at least to the trained eye. In the meantime, however, they have become more and more sophisticated and even come with details that inspire confidence, such as the padlock in the address bar. The padlock only shows that the connection is encrypted (TLS); attackers obtain certificates for their own domains as easily as anyone else, so it says nothing about who operates the site.
Some methods are difficult to identify even for experts. A page can use JavaScript to draw a fake browser address bar that shows a different URL from the one actually loaded. Or a vulnerability on the genuine site can be exploited, for instance a cross-site scripting flaw: in this case the victims really do end up on the legitimate site, but their input is forwarded to the attacker.
What’s more, the problem is no longer limited to e-mail and websites. Attacks can also be attempted via text messages or via phone calls with a forged caller ID (“caller ID spoofing”). With the right tools, voices can even be imitated deceptively well.
In general, phishing attacks tend to use several psychological tricks:
- Awaken trust through known senders (people, organizations). The sender address of an e-mail can easily be forged, and as researchers demonstrated at the “Black Hat” security conference, this still holds in some cases even where modern sender-authentication checks are in place. Sometimes details from other sources are woven in as well, for example from social networks or from earlier hacks and data leaks.
- Apply pressure by threatening supposedly serious consequences if there is no swift response. If an e-mail apparently comes from the recipient’s superior, stress quickly overrides common sense.
- Arouse curiosity by promising sensitive information in an attachment.
- Take advantage of helpfulness when a customer or colleague supposedly needs support.
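The two technical tricks described above, a forged sender address and a link whose visible text points somewhere other than its target, can both be checked mechanically before anyone has to rely on their gut feeling. The following triage script is an added example and not code from the original article or its author; it uses only Python's standard library, and the two e-mails it inspects are constructed samples with made-up domains, not real messages. It compares the From: domain against the envelope sender (Return-Path), reads the SPF/DKIM/DMARC verdicts from an Authentication-Results header that a receiving mail server is assumed to have added, and flags HTML links whose visible URL does not match their href or whose host is a Punycode (xn--) lookalike.

```python
"""Triage checks for a suspicious e-mail: sender forgery and deceptive links.

Added example, not part of the original article. Domains, addresses and the
Authentication-Results header are constructed; no real mail server produced them.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: From: domain differs from the envelope sender,
# no authentication check passed, and the link text shows the operator's real
# domain while the href leads to a Punycode lookalike.
SUSPICIOUS = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-example.net; dkim=none; dmarc=fail header.from=mobile-operator.example
From: "Customer Service" <service@mobile-operator.example>
To: victim@example.com
Subject: Urgent: confirm your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm your details at
<a href="http://login.xn--mobile-operatr-9nb.example/confirm">https://mobile-operator.example/confirm</a>
or your contract will be suspended.</p>
</body></html>
"""

# Constructed legitimate sample: consistent domains, all checks pass, honest link.
LEGITIMATE = """\
Return-Path: <service@mobile-operator.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mobile-operator.example; dkim=pass header.d=mobile-operator.example; dmarc=pass header.from=mobile-operator.example
From: "Customer Service" <service@mobile-operator.example>
To: victim@example.com
Subject: Your monthly invoice
Content-Type: text/html; charset=utf-8

<html><body><p>Your invoice is ready at
<a href="https://mobile-operator.example/invoice">https://mobile-operator.example/invoice</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Return the lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(str(address))[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Parse 'method=result ...' clauses of an Authentication-Results header."""
    results = {}
    for clause in str(msg.get("Authentication-Results", "")).split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        method, _, rest = clause.partition("=")
        results[method.strip()] = rest.split()[0].lower() if rest else ""
    return results


def triage(raw_message):
    """Return a list of finding strings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Visible sender vs. envelope sender: a mismatch is common in forged mail.
    from_dom = domain_of(msg.get("From", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    if envelope_dom and from_dom != envelope_dom:
        findings.append(f"sender-mismatch:{from_dom}!={envelope_dom}")

    # 2. Sender authentication as recorded by the receiving server.
    auth = auth_results(msg)
    if auth.get("dmarc") != "pass":
        findings.append(f"dmarc:{auth.get('dmarc', 'missing')}")
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.append("no-spf-or-dkim-pass")

    # 3. Links: Punycode hosts and visible-URL/href mismatches.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = (urlparse(href).hostname or "").lower()
            if "xn--" in host:
                findings.append(f"punycode-host:{host}")
            shown = urlparse(text).hostname if "://" in text else None
            if shown and shown.lower() != host:
                findings.append(f"link-mismatch:{shown.lower()}->{host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, triage(sample) or "no findings")
```

None of these checks is proof on its own: mailing-list and marketing services legitimately use a different envelope sender, and a DMARC failure only means the domain owner's policy was not satisfied. In practice, though, a message that fails all three at once while urging immediate action is exactly the pattern described above.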
«Spear Phishing»: personalized attacks
Last but not least, phishing has become more specialized. In spear phishing, the attack targets a specific company or even an individual. “Whaling” is the term used when a high-ranking manager is the target, and experiments suggest that such people can even be more susceptible to these attacks. At the same time, these attacks are difficult to detect because they are often prepared in detail over a long period.
Meanwhile, there are also services that carry out spear phishing at scale: information is collected automatically or semi-automatically from the web in order to personalize the messages for each recipient.
The consequences of successful attacks can be very different, as these three examples show:
- In July 2020, phone calls from supposed Twitter colleagues led employees to hand over credentials for internal tools. Several high-profile accounts were subsequently taken over and used for a Bitcoin scam.
- The hacker group “Evilnum” abuses the strict know-your-customer (KYC) checks that fintechs must perform on new customers: because staff have to open the documents submitted during onboarding, these documents serve as the vehicle for the malware. Each submitted document contains only part of the malware so that security tools do not detect it. Once installed, the malware can, among other things, harvest login credentials.
- In 2016, employees of Leoni AG in Nuremberg were induced, by means of forged documents, false identities and “electronic communication channels”, to transfer funds to another account. The damage: 40 million euros.
Countermeasures
One of the most important protective measures against such attacks is awareness: as studies have shown, these maneuvers are significantly less successful when the target knows the tricks.
Knowledge alone is not enough, though; everyone in the organization should practise recognizing such attack patterns, e.g. through a phishing simulation.
Clear processes are also important: who may give what information to whom, and when? Naturally you want to help a customer or colleague in need, but it must be established that the person making the request is actually entitled to it. Certain actions may require a second person, or confirmation obtained via another channel, such as a call back on a number you already know.
And of course the organization needs solid basic security. This includes two-factor authentication: in addition to a password, logging in also requires something the attacker does not have, such as the user’s smartphone or a hardware security key. One caveat: a one-time code typed into a phishing site can be relayed to the real site by the attacker in real time, whereas FIDO2/WebAuthn security keys are bound to the genuine site’s origin and do not work on a lookalike domain. Small things also help, such as clearly marking external e-mails as such.