Phishing attempts remain at a constant increase year after year.
According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of breaches in 2019 involved phishing; Proofpoint’s 2019 State of the Phish Report shows that in 2018, 83% of data security professionals reported attacks – a 7% increase from the previous year.
One route through which phishing risks may reach your organisation is via malicious websites disguised as legitimate ones. There are several types of such malicious sites. Some of these include:
1. Pharming or DNS cache poisoning
Pharming attacks involve redirecting a website’s traffic to another malicious site that impersonates it, by exploiting security vulnerabilities in the legit system then matching the domain names. In simpler English: hackers, after identifying security vulnerabilities on a bank’s website, can install malicious scripts so when you enter the URL, you are redirected to another link which is used to steal your information.
2. Typosquatting or URL hijacking
These are spoofed website URLs that look authentic and genuine but are different from the original websites they impersonate. They depend on users’ typing errors of website URLs. For example, they might:
- Deliberately misspell the URL copied from authentic websites;
- Use similar letters on the keyboard, (e.g. ‘n’ instead of ‘m’);
- Swap two letters; or
- Add another letter or alphabet.
3. Clickjacking/User Interface redressing or iframe overlay
Cybercriminals are also using multiple transparent layers to embed malicious clickable content over legitimate buttons. For instance, an online buyer may be tricked into thinking they are clicking on a button to make a purchase, whereas they would be triggering a link to download malware.
4. Tabnabbing & reverse tabnabbing
In these kinds of attacks, unattended browser tabs are rewritten and linked to malicious websites. Unsuspecting users often click on the tab thinking it is a legitimate link on their browser.
5. Targeted phishing attacks
Most emails containing phishing links are sent to thousands of people at random. The hackers rely on the sheer number of mails to be successful. The more emails sent, the higher the chance of someone falling victim to clicking their malicious links. In some cases, hackers may intentionally target individuals or organisations.
Types of such targeted phishing attacks include:
i) Clone phishing: In this type of attack, a copy of a legitimate email already delivered is used by hackers, often with the subject starting with something like “RE: MY RESUME”. These kinds of emails are sent from spoof addresses resembling that of the original sender. Such emails usually have different attachments or links that have been modified. Most people would open such emails as they recognize a familiarity in the subject line and the contents of their emails.
ii) Whaling (CEO fraud): This kind of spear phishing is targeted at high-profile individuals. They could be board members or financial managers. It’s a much tougher process, but the rewards are greater. CEOs and highly placed executives have more critical data than junior staff. In addition, access to a senior employee can pave the way for carrying out business email compromise (BEC) attacks.
iii) BEC (business email compromise): These phishing emails are supposedly for “urgent” requests sent to junior workers from the top-level people, such as CEO or CFO. Attackers use social engineering tactics to convince junior staff members into sending money or disclosing business information.
Keeping oneself informed on latest phishing techniques, and training the workforce on these risks is the first, biggest step to anticipating and bracing your organization for any impending digital impact. To summarize, in the words of Sun Tzu: If you know the enemy and know yourself, you need not fear the result of a hundred battles.
