
PHISHING: SOCIAL ENGINEERING

Security: Phishing attacks.

Site secured: a randomly generated login password, a firewall in place and even a Web Application Firewall installed. Security all taken care of, except for one other factor: phishing.

Phishing

The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

https://en.oxforddictionaries.com/definition/phishing

Social Engineering

(in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

https://en.oxforddictionaries.com/definition/social_engineering

We have all heard about phishing scams, from fake emails from banks to the Nigerian prince in need of your help. Since those early days the type and complexity of phishing scams have developed well beyond the scattergun emails sent out in bulk and generally of poor construction.

Other forms of phishing are:

Spear phishing

The most common targeted form of phishing. Attackers first gather personal information on an individual, group or company, then use it to engender trust, increasing the chances of fraudulently acquiring data.

Clone phishing

Clone phishing, as the name suggests, is where a previously delivered legitimate email is cloned and resent with its attachment or link swapped for a malicious attachment or fake URL. The sender address will also be made to resemble the original one used.

Whaling

This term is given specifically to attempts targeting those in more senior business roles, for example the Chief Executive Officer (CEO) or General Managers. These emails are written to replicate the types of correspondence such positions would expect to receive: in both layout and language they appear to come from a legitimate authority, for example a customer complaint or a letter from Her Majesty's Revenue and Customs (HMRC). A widely reported whaling scam occurred in 2008, when an email purporting to be from the United States District Court in San Diego was sent to over 2,000 senior executives. These fake subpoenas included the recipient's name, telephone number and business address, all in an attempt to make the email look legitimate.

[Image: phishing subpoena]

All phishing emails rely on the recipient clicking on something: a URL link, an image or an attachment, and there are various methods used to trick the recipient into doing so. The most common is probably a URL made to look genuine, either through a simple spelling change (Dxwebs.com in place of Dx3webs.com) or through the use of subdomains (Dx3webs.example.com, which belongs to example.com, not to Dx3webs). The attacker can even type out what would be a genuine URL as the link text but embed a different address behind it: in the original HTML version of this post the visible text https://dx3webs.com/ looked as though it would take you to the Dx3webs home page, but the embedded link took you to the Dx3webs blog page instead. Hovering over a link to see its real destination before clicking exposes this trick.

Malicious links can also be embedded in genuine logos or other images associated with the company being impersonated, in an effort to convey trust in the content of the email. Phishing links and malicious files are not always masquerading as your bank while blatantly asking for usernames and passwords. They can simply be a fake link to Google or Facebook, or a fake news story designed to annoy or upset people enough to click on it. You may inadvertently open an attachment that installs malware on your machine, allowing data to be scraped or a keylogger to steal usernames and passwords. You may click on a URL that takes you to a familiar screen with known branding (Google, Facebook, Microsoft) which asks you to confirm your login details or, more likely, tells you your login has been compromised and asks you to enter new ones. Those details may be what the phishing scheme is after, or they may simply be the beginning, as the attackers gather information before targeting something more specific such as bank account details.
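The link tricks in the paragraph above (a lookalike spelling of the domain, a trusted name used as a subdomain of someone else's domain, visible link text that differs from the real href, and a link hidden behind a logo) can all be checked mechanically on the HTML of a message before anyone clicks. The following is an added example and is not code from the original post or from Dx3webs. The trusted-domain list, the sample email body and the simplified registrable-domain logic (last two labels, which ignores suffixes such as .co.uk; a real tool would use the Public Suffix List) are assumptions made for illustration.

```python
"""Flag deceptive links in an HTML email body.

Added example, not Dx3webs code. TRUSTED_DOMAINS, SAMPLE_EMAIL and the
crude registrable_domain() logic are assumptions made for illustration.
"""
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient legitimately deals with (assumption for the example).
TRUSTED_DOMAINS = {"dx3webs.com", "google.com", "facebook.com", "microsoft.com"}

# Constructed sample email body: each anchor shows one trick, the last one is clean.
SAMPLE_EMAIL = """
<p>Your login has been compromised. Confirm your details here:</p>
<a href="https://dx3webs.example.com/login">Dx3webs login</a>
<a href="http://dxwebs.com/">Dx3webs home page</a>
<a href="https://dx3webs.com/blog/">https://dx3webs.com/</a>
<a href="http://dxwebs.com/offer"><img src="https://dx3webs.com/logo.png" alt="Dx3webs"></a>
<a href="https://dx3webs.com/">https://dx3webs.com/</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text, wraps_image) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
        self._img = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text, self._img = [], False
        elif tag == "img" and self._href is not None:
            self._img = True  # the clickable thing is a logo/image, not text

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip(), self._img))
            self._href = None


def host_of(url):
    """Lower-cased hostname; tolerates link text such as 'www.example.com' without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels, e.g. dx3webs.example.com -> example.com (assumption: no Public Suffix List)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(url):
    """Host plus path with case and trailing slash removed, for comparing visible vs real URL."""
    p = urlparse(url if "://" in url else "http://" + url)
    path = p.path.rstrip("/") or "/"
    return (p.hostname or "").lower() + path + ("?" + p.query if p.query else "")


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """A trusted domain that `domain` closely resembles (typosquat), or None if exact or unrelated."""
    if domain in trusted:
        return None
    best = max(trusted, key=lambda t: difflib.SequenceMatcher(None, domain, t).ratio())
    return best if difflib.SequenceMatcher(None, domain, best).ratio() >= 0.8 else None


def analyse_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, [reasons])] in document order for every anchor showing a deceptive pattern."""
    collector = _AnchorCollector()
    collector.feed(html)
    trusted_names = {t.split(".")[0]: t for t in trusted}  # "dx3webs" -> "dx3webs.com"
    findings = []
    for href, text, wraps_img in collector.links:
        reasons = []
        host = host_of(href)
        domain = registrable_domain(host)
        # 1. Visible text is itself a URL but the real destination is different.
        if re.match(r"^(https?://|www\.)", text, re.I) and normalise(text) != normalise(href):
            reasons.append(f"visible URL {text} differs from real destination {href}")
        # 2. Trusted name used as a subdomain of an unrelated domain (dx3webs.example.com).
        if domain not in trusted:
            for label in host.split(".")[:-2]:
                if label in trusted_names:
                    reasons.append(f"'{label}' is a subdomain of {domain}, not of {trusted_names[label]}")
        # 3. Typosquat: registrable domain nearly matches a trusted one (dxwebs.com vs dx3webs.com).
        similar = lookalike_of(domain, trusted)
        if similar:
            reasons.append(f"{domain} resembles trusted {similar}")
        # 4. Untrusted destination with no visible URL at all, hidden behind an image/logo.
        if wraps_img and domain not in trusted:
            reasons.append("link is hidden behind an image")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Running the block on the constructed sample reports four of the five anchors and leaves the genuine https://dx3webs.com/ link alone. The similarity threshold of 0.8 is a judgement call: lower it and short trusted names start matching unrelated domains, raise it and a two-character typosquat slips through, so in practice the check is a triage signal to be paired with mail filtering rather than a verdict.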

Although the Oxford Dictionary definition of phishing specifically refers to the use of emails, phishing for information is nothing new. Any office worker will more than likely have had a phone call from someone trying to sell printer toner. These companies often phone once to find out the name of the person who deals with supplies, then phone again, using that staff member's name, and ask how many cartridges you wish to order as though the purchase had already been agreed. Social engineering is nothing new, but the reliance on email, logins and passwords has moved the goal posts. There are ways to cut down on the number of phishing attacks that reach you, from phishing-blocking browser extensions to email filters. The absolute best way to avoid being deceived is to always be wary of any email that asks for information or requests you to follow a link, and to type the site's address yourself rather than clicking the link provided.