Phishing attacks are nowadays more prevalent throughout the world. Learn what phishing is, the types of phishing, the tactics phishers use and how to protect yourself from phishing.
Introduction:
Cybercrime is surging in India amid the Covid-19 crisis. Cyber criminals are using their most favored method of hacking, i.e. phishing. Hackers based in China attempted over 40,000 cyber attacks on India's information technology infrastructure and banking sector between 18th June and 22nd June, a top police official in Maharashtra said. According to the government advisory, the Chinese cybercrime perpetrators have gotten hold of over 2 million email addresses. The Government of India has issued an advisory through the national cyber crime portal, warning users of large-scale phishing attacks planned by Chinese state-backed hackers. In this critical situation we all must know what phishing is, the types of phishing, the tactics phishers use and how to protect ourselves from phishing.
What is Phishing?
"Phish" is pronounced just like it's spelled, which is to say like the word "fish"; the analogy is of an angler throwing a baited hook out there (the phishing email) and hoping you bite. The term arose in the mid-1990s among hackers aiming to trick AOL users into giving up their login information.
In phishing, cybercriminals contact one or many targets by email, telephone or SMS, posing as a legitimate institution, to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
Attackers also use phishing emails to distribute malicious links or attachments that can perform a variety of functions, including the extraction of login credentials or account information from victims.
Other than email and website phishing, there’s also 'vishing' (voice phishing), 'smishing' (SMS Phishing) and several other phishing techniques cybercriminals are constantly coming up with.
The first phishing lawsuit was filed in 2004 against a Californian teenager who created an imitation of the "America Online" website. With this fake website, he was able to gain sensitive information from users and access their credit card details to withdraw money from their accounts.
Types of Phishing:
1. Email Phishing:
Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam. There are several techniques attackers use to increase their success rates; the common ones are covered in the tactics section below.
2. Spear Phishing:
Spear phishing targets a specific person or enterprise, as opposed to random application users. It's a more in-depth version of phishing that requires special knowledge about an organization, including its power structure. Spear-phishing attempts are not typically initiated by random hackers, but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information. Many times, government-sponsored hackers and hacktivists are behind these attacks.
3. Whaling Phishing:
Whaling, or whale phishing, is a kind of phishing attack where hackers target executives and high profile end users, using social-engineering tactics to trick them into initiating financial transactions or divulging sensitive information. By targeting these “big fish”, whale phishing attacks take advantage of employees who have access to highly valuable or competitive information.
It basically targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company, as those that hold higher positions within the organization typically have complete access to sensitive data.
Those preparing a whaling campaign research their victims in detail to create a more genuine-looking message, as using information relevant or specific to a target increases the chances of the attack being successful.
A typical whaling attack targets an employee with the ability to authorize payments, with the phishing message appearing to be a command from an executive to authorize a large payment to a vendor when, in fact, the payment would be made to the attackers.
4. Pharming:
Pharming is a type of phishing that depends on DNS cache poisoning to redirect users from a legitimate site to a fraudulent one, tricking users into entering their login credentials when they attempt to log in to the fraudulent site.
5. Clone Phishing:
Clone phishing attacks use previously delivered, but legitimate emails that contain either a link or an attachment. Attackers make a copy -- or clone -- of the legitimate email, replacing one or more links or attached files with malicious links or malware attachments. Because the message appears to be a duplicate of the original, legitimate email, victims can often be tricked into clicking the malicious link or opening the malicious attachment.
6. Voice Phishing:
Voice phishing, also known as vishing, is a form of phishing that occurs over voice communications media, including voice over IP (VoIP) or POTS (plain old telephone service). A typical vishing scam uses speech synthesis software to leave voicemails purporting to notify the victim of suspicious activity in a bank or credit account, and solicits the victim to call back a malicious phone number to verify their identity, thus compromising the victim's account credentials.
How Phishers Hook the fish in Cyber World?
Step 1: Phishers may use social engineering and other public sources of information, including social networks like LinkedIn, Facebook and Twitter, to gather background information about the victim's personal and work history, their interests and their activities. Pre-phishing attack reconnaissance can uncover names, job titles and email addresses of potential victims, as well as information about their colleagues and the names of key employees in their organizations. This information can then be used to craft a believable email.
Step 2: Typically, a victim receives a message that appears to have been sent by a known contact or organization. The attack is carried out either through a malicious file attachment that contains phishing software, or through links connecting to malicious websites. In either case, the objective is to install malware on the user's device or direct the victim to a malicious website set up to trick them into divulging personal and financial information, such as passwords, account IDs or credit card details.
Note: Successful phishing messages, usually represented as being from a well-known company, are difficult to distinguish from authentic messages: a phishing email can include corporate logos and other identifying graphics and data collected from the company being misrepresented. Malicious links within phishing messages are usually also designed to make it appear as though they go to the authorized organization.
Common Tactics of Phishing Emails:
1. Suspicious Email:
Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Just don't click on any suspicious emails.
2. Sense of Urgency:
A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it's best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately.
Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email.
3. Hyperlinks:
A link may not be all it appears to be. Hovering over a link shows you the actual URL you will be directed to upon clicking it. It could be completely different, or it could be a popular website with a misspelling, for instance www.bankofarnerica.com, where the 'm' is actually an 'r' and an 'n', so look carefully.
4. Attachments:
If you see an attachment in an email you weren't expecting or that doesn't make sense, don't open it! Attachments often carry payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.
5. Unusual Sender:
Whether it looks like it's from someone you don't know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general don't click on it!
Sample Phishing Example:
The following illustrates a common phishing scam attempt:
A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible.
The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.
Several things can occur by clicking the link. For example:
The user is redirected to myuniversity.edurenewal.com, a bogus page appearing exactly like the real renewal page, where both new and existing passwords are requested. The attacker, monitoring the page, hijacks the original password to gain access to secured areas on the university network.
The user is sent to the actual password renewal page. However, while being redirected, a malicious script activates in the background to hijack the user's session cookie. This results in a reflected XSS attack, giving the perpetrator privileged access to the university network.
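The two link tricks described above, the look-alike spelling in www.bankofarnerica.com and the myuniversity.edurenewal.com host that merely contains the real domain name, can both be caught by comparing the hostname a link actually points at with the domain it claims to be. The following Python check is an added example, not code from the original article; the look-alike character table and the evil.example host are constructed for illustration.

```python
from urllib.parse import urlparse

# Character sequences that look alike in many fonts (constructed table for this example).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def normalize(host: str) -> str:
    """Lowercase a hostname and collapse look-alike sequences so that
    'bankofarnerica.com' and 'bankofamerica.com' compare equal."""
    host = host.lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def hostname_of(url: str) -> str:
    """Return the hostname a link really points at (empty string if none).
    urlparse handles the 'user@host' trick: in https://myuniversity.edu@evil.example/
    the hostname is evil.example, not myuniversity.edu."""
    if "://" not in url:
        url = "http://" + url  # bare 'www.example.com/path' links in mail bodies
    return (urlparse(url).hostname or "").lower()


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain or a proper subdomain of it.
    'myuniversity.edurenewal.com' is NOT under 'myuniversity.edu'."""
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def classify_link(url: str, expected_domain: str) -> str:
    """Return 'ok', 'lookalike' or 'foreign' for a link that claims to go to expected_domain."""
    host = hostname_of(url)
    if belongs_to(host, expected_domain):
        return "ok"
    if belongs_to(normalize(host), normalize(expected_domain)):
        return "lookalike"
    return "foreign"


if __name__ == "__main__":
    # Constructed links modelled on the examples in the article.
    for link, claimed in [
        ("https://myuniversity.edu/renewal", "myuniversity.edu"),
        ("https://myuniversity.edurenewal.com/renewal", "myuniversity.edu"),
        ("www.bankofarnerica.com", "bankofamerica.com"),
        ("https://myuniversity.edu@evil.example/renewal", "myuniversity.edu"),
    ]:
        print(f"{link:50} -> {classify_link(link, claimed)}")
```

A 'foreign' or 'lookalike' verdict is the cue to type the organization's address into the browser yourself instead of following the link.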
How to avoid phishing attack?
1. Keep Informed About Phishing Techniques:
New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at much lower risk of getting snared by one. For IT administrators, ongoing security awareness training and simulated phishing for all users is highly recommended in keeping security top of mind throughout the organization.
2. Think Before You Click! :
It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, isn’t such a smart move. Hover over links that you are unsure of before clicking on them.
A phishing email may claim to be from a legitimate company, and when you click the link to the website, it may look exactly like the real website. The email may ask you to fill in information but may not address you by name. Most phishing emails start with "Dear Customer", so you should be alert when you come across these emails. When in doubt, go directly to the source rather than clicking a potentially dangerous link.
3. Install an Anti-Phishing Toolbar:
Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free.
4. Verify a Site’s Security:
It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar. Check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open the website.
5. Never Download Files From Suspicious Email or Website:
Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products. If the user makes purchases at such a website, the credit card details will be accessed by cybercriminals.
6. Check Your Online Accounts Regularly:
If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.
7. Keep Your Browser Up to Date:
Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.
8. Use Firewalls:
High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.
9. Be Wary of Pop-Ups:
Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.
10. Never Give Out Personal Information:
As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of America Online, when users had to be warned constantly due to the success of early phishing scams. When in doubt, go visit the main website of the company in question, get their number and give them a call.
Most of the phishing emails will direct you to pages where entries for financial or personal information are required. An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https”.
Special Note: The India Government Advisory warns users against a specific email address, ‘ncov2019@gov.in’, which is reportedly being used by the Chinese attackers to send phishing emails to offer “free Covid-19 testing for all residents of Delhi, Mumbai, Hyderabad, Chennai and Ahmedabad.”
Conclusion:
Nowadays wars between countries are not limited to conventional warfare. In the cyber world, a new kind of war is taking place, i.e. "cyber warfare" or "cyberwar". In this data century, information and data are the real wealth of a country. If hackers from an enemy country steal our country's data, within a fraction of time all our wealth will be transferred to them. Similarly, if all our country's sensitive information, such as defence and weapon information, is stolen, the opponent country will easily gain control over us. That's why, in the cyber age, the country that has robust "cyber security" with proper "cyber awareness" among all its citizens can protect itself from "cyber warfare". So in the present situation India needs to be proactive in cyber security and must spread cyber awareness among its netizens; otherwise we might fall prey to Chinese hackers.
Please share this so that as many people as possible are aware.