
Phishing is when attackers send malicious emails designed to trick people into falling for a scam. Generally, the goal is to get users to disclose financial information, system credentials, or other sensitive data.

Phishing is an example of social engineering, a collection of techniques that scammers use to manipulate human psychology. At a basic level, phishing emails use social engineering to push users into acting without thinking carefully.

According to recent research by IRONSCALES, 81% of organizations worldwide have experienced an increase in email phishing attacks since March 2020, and a recent APWG study observed a record number of phishing attacks in the third quarter of 2022.

What are Phishing Techniques/Types?

1. Email Phishing

Email is the most popular phishing tool. Scammers register fake domains that impersonate real organizations and send thousands of requests to their targets.

Fake domains often involve character substitutions, such as using “r” and “n” side by side to make “rn” instead of “m.”

Some extensions can be chosen freely according to the style of the organization or company, while others are available only on application. Commercial organizations should choose extensions that align with their business area. The most used domain extensions are:

  • “.gov” - used by government units.
  • “.aero” - used by the aerospace industry.
  • “.post” - used by post offices.
  • “.mil” - used by military websites.
  • “.museum” - used by museums.
  • “.name” - used by sites established around a person.
  • “.tv” - used in video projects and online television series.
  • “.io” - used by technology-related companies.
  • “.me” - used in projects involving personal brands.
  • “.expert” - used by people and institutions who are experts in certain fields.
  • “.org” - mostly used by non-governmental organizations.
  • “.com” - has many uses, but is used most by internet companies.
  • “.net” - used in many projects, from personal projects to internet companies.
  • “.edu” - mostly used by educational institutions.
  • “.biz” - used in company names.
  • “.co” - used by companies.

Attackers may also place the name of a real organization in the local part of an email address, since that is the sender name that appears in the inbox (for example, [email protected]).

There are multiple ways to detect phishing emails, but users should always check the sender's email address when prompted to download an attachment or click a link.

2. Spear Phishing

Spear Phishing works like common phishing attacks, using communications from a seemingly trustworthy source to trick victims. However, a spear phishing attack targets a specific individual or group of individuals rather than sending general messages to many users in the hope that someone will be tricked. Popular targets include HR staff and IT managers, as they have higher levels of access within the wider organization.

When the target is particularly senior, the attack is called whaling. While standard spear phishing targets IT or management team members, whaling targets high-value individuals such as the general manager (i.e., the CEO, CFO, or another senior executive). Attackers often impersonate other senior executives or representatives of partner companies to persuade the target to disclose sensitive, high-value information.

Successful whaling attacks require attackers to invest more effort than usual in luring the target. Once successful, attackers can use the target's authority to spear phish employees and other high-value targets without raising suspicion.

3. Vishing and Smishing

Smishing (SMS phishing) and vishing (voice phishing) replace email with the mobile phone. With smishing, attackers send text messages whose deceptive content is similar to that of a phishing email. Vishing involves phone calls in which the scammer speaks directly to the target.

In a popular vishing scam, the scammer poses as a fraud investigator representing a bank or credit card company. The scammer notifies victims of an account breach and asks them to verify their identity by providing their credit card information. Alternatively, the attacker may ask the victim to transfer money to a private account.

4. Clone Phishing

Although clone phishing attacks are not as sophisticated as spear phishing or whaling, they are still very effective. This method shares the basic elements of the other phishing types; the difference is that instead of impersonating a person or organization to make a fraudulent request, the attacker copies a legitimate email previously sent by a trusted organization.

The attacker then alters the link, replacing the real link in the original email with one that redirects victims to a fake website mimicking the legitimate site. Users who enter their credentials there hand them straight to the attacker.

5. Pharming

Pharming is a highly technical form of phishing, which makes it difficult to detect. It involves the attacker hijacking DNS (the Domain Name System), which translates human-readable domain names into IP addresses. When users enter the URL of the target website, the tampered DNS resolves it to the IP address of a malicious website that usually appears legitimate.

6. HTTPS Phishing

Hypertext Transfer Protocol Secure (HTTPS) uses encryption to increase security, and most users consider clicking HTTPS links to be safe. Most organizations today use HTTPS instead of standard HTTP to help ensure the legitimacy of connections. However, attackers can leverage HTTPS to make their connections appear legitimate and increase the success of their phishing campaigns.

7. Pop-up Phishing

Many users install pop-up blockers, but pop-up phishing is still dangerous. Malicious actors can insert malicious code into small notifications (pop-ups) that people see when they visit a website.

An example of a relatively new pop-up phishing technique is using the “notification” feature of the victim's web browser. When the user tries to visit a website, the browser displays a message stating that the website wants to display notifications. Clicking “Allow” triggers a pop-up to install malware.

8. Evil Twin Phishing

Evil Twin attacks often use spoofed WiFi hotspots that appear legitimate but can capture sensitive data in transit. Malicious actors can eavesdrop or conduct man-in-the-middle (MitM) attacks when someone uses a spoofed access point. Attackers can steal data sent over the connection, such as confidential information and login credentials.

What is the Purpose of Phishing Attacks?

The general goal of a phishing attack is to obtain sensitive data from its victims, such as logins and passwords, usually in order to gain access to the targeted network or company.

One of the main purposes is to gain a foothold on the device or network in order to find and collect the information they want. This is mainly for financial gain: credit card or personal information can be sold on the dark web. Sometimes they try to manipulate users directly into giving up their banking information, or they take the malware route.

Phishing attacks are one of the simpler social engineering tricks hackers use because they require less work. No complex hacking is needed; like many other social engineering tactics, phishing relies on manipulating human nature to gain access without the user being aware. This means your computer, device or network can have the strongest security software, from antivirus and anti-malware to end-to-end security, and still fall victim to a phishing attack, because phishing targets the weakest link in the chain: users.

How to Perform a Phishing Attack?

Phishing attacks rely on social engineering techniques, typically applied to email or other electronic communication methods, including direct messages and SMS text messages sent via social networks. Phishers may use publicly available sources, usually social networks such as LinkedIn, Facebook and Twitter, to gather background information about the victim's personal and business history, interests, and activities. These sources are normally used to uncover details such as the names, job titles and email addresses of potential victims, which can then be used to craft a convincing email.

Typically, a victim receives a message that appears to be sent by a known person or organization. The attack is then carried out via a malicious file attachment or via links to malicious websites. In both cases, the goal is to install malware on the user's device or redirect the victim to a fake website. Fake websites are set up to trick victims into revealing personal and financial information such as passwords, account IDs, or credit card information.

While many phishing emails are poorly written and obviously fake, cybercriminal groups are increasingly using the same techniques that professional marketers use to determine the most effective message types.

This Phishing email uses an unexpected trick to infect computers with keylogger malware

Cybercriminals are targeting a leading US financial services provider with malicious emails containing tools to install information-gathering keylogging software on infected systems.

Keylogging allows black hat hackers (malicious hackers who damage systems, steal information and gain unauthorized access) to see everything typed on the keyboard of an infected machine; this information can be exploited to steal personal information and login credentials.

As with many phishing threats, the email contains an attachment in the form of a Microsoft Word document designed to deliver a link. However, unlike most phishing emails containing malicious attachments that use macros to evade detection, this one uses an embedded object in the form of a Visual Basic Script that acts as a downloader for the malware.

In this example, the emails sent in this cyberattack contain a Microsoft Word attachment named “info.doc” containing an image that prompts the user to install Microsoft Silverlight to view the purported content of the document.

However, on closer inspection the researchers note that the image is not a link at all but an embedded Visual Basic Script file containing the keylogging malware's code, which runs when clicked.

Once installed on an infected system, the malware logs keystrokes and sends the information to two hard-coded Gmail addresses.

Although researchers have not been able to pinpoint the keylogger used in this attack, it is written in the AutoIt scripting language and uses tools such as the LaZagne password recovery tool to help collect credentials.

Researchers note that although the malware is simple compared to other exploits, the way the keylogger is delivered to end users is a departure from the tried-and-tested method of tricking them into enabling macros.

How can we protect ourselves from phishing attacks?

How to Identify Phishing?

You may receive an unexpected email or text message that appears to be from a company you know or trust, such as a bank, credit card, or utility company. Or maybe it's from an online payment website or app. The message may be from a scammer.

Here's a real-world example of a phishing email:

Imagine seeing this in your inbox. At first glance, this email looks real but it is not. Scammers who send emails like this hope you won't notice that they're fake.

Although it may appear to be from a company you know and even use the company's logo in the header, here are signs that this email is a scam:

  • The email contains a general greeting.
  • The email says your account is on hold due to a billing issue.
  • The email invites you to click on a link to update your payment details.

While real companies may contact you via email, legitimate companies will not email or text with a link to update your payment information. Phishing emails can often have real consequences for people who give their information to scammers, including identity theft. And they can damage the reputation of the companies they defraud.

4 Ways to Protect Yourself from Phishing

  1. Protect your computer using security software. Set the software to update automatically to deal with new security threats.
  2. Protect your mobile phone by setting its software to update automatically. These updates can provide critical protection against security threats.
  3. Protect your accounts using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in; this is called multi-factor authentication. The extra credentials you need to sign in fall into three categories:
     • Something you know, such as a password, PIN, or the answer to a security question.
     • Something you have, such as a code sent by text or email, a one-time password from an authentication app, or a security key.
     • Something you are, such as a scan of your fingerprint, retina or face.

     Multi-factor authentication makes it harder for fraudsters to log into your accounts even if they have your username and password.
  4. Protect your data by backing it up. Back up the data on your computer to an external hard drive or the cloud, and back up the data on your phone as well.

A Few Ways to Prevent Your Organization from Becoming a Victim of Phishing

  • Educate users to spot a phishing email: a sense of urgency, requests for personal data (including passwords), scrambled links and unexpected attachments are all warning signs. Users must be able to identify these warning signs to protect against phishing.
  • DNS security: DNSSEC (Domain Name System Security Extensions) checks whether the location a DNS request resolves to actually has an existing IP address, and ensures data integrity by digitally signing DNS data. Its effectiveness can be increased by combining it with other control layers such as site verification and SSL encryption. Products that perform DNS-based analysis and domain classification that you can use as a solution include DNSSense, Cisco Umbrella and Infoblox.
  • Avoid clicking on links: instead of clicking an embedded link and authenticating directly on the page it opens, type the official domain into a browser and authenticate on the manually typed site.
  • Use email security against phishing: AI scans incoming messages, detects suspicious ones, and quarantines phishing messages before they reach the recipient's inbox.
  • Change passwords regularly: users should be forced to change their passwords every 30-45 days to reduce an attacker's window of opportunity. Leaving passwords active for too long gives an attacker indefinite access to a compromised account.
  • Keep software and firmware up to date: software and firmware developers release updates to fix bugs and security issues. Always install these updates to ensure that known vulnerabilities no longer exist in your infrastructure.
  • Install firewalls: firewalls control incoming and outgoing traffic. Malware installed through phishing silently eavesdrops and sends private data to an attacker, but a firewall blocks malicious outgoing requests and logs them for further inspection.
  • Avoid clicking on pop-ups: attackers change the position of the X button in the pop-up window to trick users into opening a malicious site or downloading malware. Pop-up blockers stop many pop-ups, but false negatives are still possible.
  • Be careful when giving credit card information: never provide credit card information to an unfamiliar website unless you know that the site is completely reliable. Any site that promises gifts or refunds should be used with caution.
  • Penetration testing: routine security testing through “ethical hacking” helps your organization identify social engineering threats early in their lifecycle. Phishing-prone assets, such as email and web applications, should be tested frequently to minimize the impact of these threats.

Infinitum IT Pentest (Penetration Test) Service: a pentest, or penetration test, is a service that institutions and organizations that care about their customers' data receive from professionals who are experts in their field. The main purpose of pentesting is to detect security vulnerabilities. Penetration testing can also be used to test an organization's security policy, its adherence to compliance requirements, the security awareness of its employees, and the organization's ability to detect and respond to security incidents. Typically, information about vulnerabilities identified through penetration testing is aggregated, grouped and presented to the organization's IT and network system administrators to enable them to make strategic decisions and prioritize remediation efforts.

Examples of Phishing Attacks in Turkey

Fraud by imitating websites

Fraudsters who create a fake complaint about a person using the logo and design of the Şirketvar platform attempt to steal personal data by using the name of Mısırvar.

Scam with Million Dollar Message

Scammers send the message "You have a balance of 2,196,659 USD in your account" together with a username and password to access the money. Those who fall into the trap and enter the username and password at the linked address give the fraudsters access to their phones.

Instagram Scams

Fraudsters who share fake receipts on Instagram and say "I invested and won, you can win too" deceive people with promises of profit. People who see the large-sum receipts shared in stories and posts fall into the fraudsters' net hoping to multiply their money three- or fivefold.

Scammers who manage to steal citizens' Instagram accounts by sending an infected link collect thousands of lira and disappear.

Most Known Examples of Phishing Attacks in the World

#1: Belgian Crelan bank CEO scam

Type of phishing scam: Business email compromise (BEC), whaling

Affected parties: Crelan

Losses: $75.8 million

What happened: In 2016, Belgian Crelan Bank fell victim to a $75.8 million business email compromise (BEC) scheme.

BEC happens when attackers pose as senior executives to get what they want (Imagine receiving an email from your boss asking you to sign a document).

In Crelan's case, the attackers obtained the CEO's stamp and signature and had the $75.8 million transfer approved by the finance department.

#2: Power outage in Ukraine

Type of phishing scam: Spear Phishing

Affected parties: Ukrainian citizens

Effect: Approximately 225,000 citizens lost access to electricity

What happened: On December 23, 2015, approximately 225,000 Ukrainian citizens lost power in their homes in an unplanned mass outage. The outage was caused by spear-phishing emails carrying malware-laden Microsoft Office documents.

The interruption lasted only about an hour, so it's not that big a deal, right? Well, the electricity had to be restored manually, and automatic management mode had to be turned off for a while because the power grid's firmware was full of BlackEnergy (grid-sabotaging) malware.

What makes the situation worse is that security researchers later discovered the outage was just a test run. After investigation, the malware was found to be easily adaptable and not specific to Ukraine.

#3: Amazon Locky ransomware attack

Types of phishing scams: Spam Phishing

Affected parties: Amazon customers

Effect: $250 to $500 per victim (number of victims not disclosed)

What happened: In 2017, Amazon customers were the target of a massive Phishing attack. Depending on which expert you ask, the May 17 attack sent anywhere from 30 million to 100 million fake emails.

Disguised as genuine Amazon shipping updates, they served as a way to install ransomware on users' computers. To date, it remains one of the largest phishing attacks on a large scale.

It was also a noticeably sophisticated attack. Hackers manipulated the header to make the email appear genuine. The email came from [email protected] and the subject was “Your Amazon.com order has shipped (#code).” However, the email had no body, just a Microsoft Word file.

A curious user who downloads the file is asked to enable macros in order to open it. This allows the Locky ransomware to be downloaded and installed on the device. Once this is done, the user would have to pay between $250 and $500 to unlock their device. Amazon never disclosed how many users were affected by this attack.

  • Is it dangerous to click links in emails?
    If you never click any of them, you won't have any problems. But this is unrealistic; few people heed this advice. The good news is that you don't have to.

    Examples of when to click:

    You just ordered something from Amazon. Feel free to click the tracking link in the email they send you, but make sure it is exactly what you expect. If you receive a tracking link for a product you did not order or do not recognize, delete the email immediately. You just signed up for an account on a website. If they send you a link to verify your email address, it's okay to click it.

    Examples of when not to click:

    You receive an unexpected email from your bank, perhaps saying you need to log in and take care of something important. Do not click the link they give; there's no guarantee it's a legitimate email unless you were expecting it. If a friend sends you a link you didn't expect, don't click it either. Remember, the sender's address may be fake or their account may be compromised.

    What to do instead of clicking on links?

    In the case of your bank or other institution, go to the website yourself and log in: type the address manually in the browser or use your bookmark. This way, you can see if there's anything that needs to be taken care of without risking ending up on a phishing site. In the case of your friend's email, there's a good chance they copied and pasted the link into the message, which means you can see the exact address. You can copy and paste that address into the browser yourself without clicking anything. Of course, before doing this, make sure you are familiar with the website and that its name is not misspelled.
  • How to spot phishing websites?
    To identify phishing URLs, check the authenticity of the web address. Be careful if it starts with "http://" instead of "https://": the additional "S" means the connection is encrypted and protected with an SSL certificate, which provides extra security for online communication. Then check the spelling of the domain:
    • Fake websites often have an extra letter, such as 'S' or 'A', in their spelling. For example, www.walmarts.com or www.flipkaart.com.
    • The letter 'O' is replaced by '0' (zero). For example, "www.yah00.com".
    • The URL contains extra or missing characters or symbols. For example, the legitimate URL is www.coca-cola.com (with the hyphen), but a fake one might be www.cocacola.com (without the hyphen).
  • How to detect phishing e-mails?
    • The message uses subdomains, misspelled URLs (typosquatting), or otherwise suspicious URLs.
    • The sender uses a Gmail or other public email address rather than a corporate email address.
    • The message is written to evoke a sense of fear or urgency.
    • The message contains a request to verify personal information, such as financial details or a password.
    • The message is poorly written and contains spelling and grammatical errors.
  • What should you do if your computer is infected with a virus as a result of a phishing attack?
    To remove the virus, scan all disks with up-to-date antivirus software, remove the virus, and then install operating system updates to avoid a repeat infection.
  • How do we know whether the website is safe or not?
    First, click the padlock icon on the left side of the URL bar; this shows information about the site's security certificate and its cookies. A cookie is a file in which a user's data is stored and sent to the website owner. In most cases it provides a better user experience; however, phishers often misuse this information. The content of a genuine website will be clear, well written and free of grammatical, punctuation or spelling errors. Even if a fake site is a carbon copy of the original, its images may be lower resolution. Be careful if a website asks for a direct bank transfer rather than offering payment options such as debit cards, credit cards and PayPal; this may indicate that no bank will approve credit card facilities for the website's domain and that it may be involved in malicious activities.
