Common Phishing Techniques: Can You Unmask Them?
What is phishing vs. smishing vs. vishing? How do they relate to pharming, OTP and sextortion? These days phishing manifests in so many different forms, even cybersecurity nerds might not recognize them all.
The following blog post defines common phishing techniques and provides real-world examples of them in the wild. Which raises the question: how can we possibly stay on top of all this danger?
The most effective step is mandating security awareness training (SAT) for all employees. SAT uses phishing scenarios found in the real world, like those below, to mimic real-life phishing attacks.
Some employees only learn by “doing” – and many will do the wrong thing during phishing simulations. That’s a whole lot of learning going on.
Overview of the Most Common Phishing Techniques
Smishing is a type of phishing attack conducted via SMS or text message. It's very simple to run but profitable for the cybercriminals.
Imagine receiving an SMS from an unknown woman inviting you on a date, with a link to the photos in her social network profile. Of course, to see the profile you must first sign in on the phishing page the link leads to. Login credentials: compromised.
Another popular SMS lure is “there's a problem with your bank account or credit card”. In this case, the link goes to a bank phishing page.
While SMS attacks take various forms, the overall goal remains consistent: lure users into clicking the link and inputting their login credentials. But there are some additional attack options when it comes to Smishing:
- Premium SMS: with a reply to the message, a victim may subscribe to a paid service
- App installation: depending on the OS type and version, the user can be tricked into installing apps that take control of the phone
Real life example
In January 2022, Oversea-Chinese Banking Corporation (OCBC) in Singapore reported that 790 customers had lost S$13.7 million in a phishing scam in December 2021.
The bank said an investigation had “confirmed that victims who fell prey provided their online banking log-in credentials and one-time PINs to phishing websites, thereby enabling scammers to take over their bank accounts and make fraudulent transactions.”
A one-time password (OTP) is the second factor in the two-factor authentication many people use to secure their accounts: besides the login and password, you need a code that is usually sent to you via SMS or generated by an authenticator app. The process looks secure, but cybercriminals have found phishing tricks that get around it.
Imagine receiving an email with a link to an account that is protected by two-factor authentication and clicking on it. A login page that looks and behaves exactly like the real one opens, you enter your password, receive the OTP, type it in and land in your account. Nothing bad has happened, right? Don't jump to conclusions. The page was not a static fake: the link pointed at an attacker-controlled server that sits between you and the real website and relays every request in both directions (an adversary-in-the-middle, or reverse-proxy, phishing page). Because the real site received your password and OTP, the login succeeded, but the session cookie it issued passed through the attacker's server on its way back to you. With that cookie the attacker impersonates you without needing your password or another OTP at all. A note for defenders: SMS and app-generated codes offer no protection here because they can be relayed in real time; only phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys, which bind the authentication to the genuine site's origin, defeat this proxy trick.
Real life example:
According to Deepstrat’s June 2022 “Tackling Retail Financial Cyber Crime in India” report, OTP theft is one of India’s most prevalent and successful phishing attacks.
Phishing arrives at many inboxes in the guise of an attached file. Very often it's a .pdf containing nothing but a malicious link. If you click on it, you are redirected to a phishing webpage that tries to lure out your credentials.
Nowadays many people are aware that a .pdf can have poisonous contents. But what about other file types, for example an .eml attachment (an email message nested inside the email) that claims to contain a voice recording? Can they be dangerous?
Imagine getting a message like “New voicemail received” with a file attached. Curiosity wins out and you open the file. A page that looks like the Microsoft login page appears and prompts you for your credentials. Many people find that logical, since Microsoft cares about their security.
Bad news for them: their login credentials fall straight into the cybercriminals' hands. Sometimes the attachment is an HTML file disguised as a web form from your bank that must be filled in immediately. In reality it contains a script that builds the phishing form right inside your browser, so the fake page is rendered locally and never has to be fetched from a suspicious website. In every successful variant the impact is the same: the threat actors obtain your login credentials.
Real life example:
According to HP Wolf Security, a fake invoice that was actually a Word document embedded inside of a PDF was making the rounds in early summer 2022.
According to the analysis of the attack, victims received an email with the attachment “REMMITANCE INVOICE [dot] pdf.” Upon opening the file, they were asked to open an embedded Word document.
After clearing that hurdle, they were shown details making it seem like the file was safe. The name of the Word document, “has been verified. However PDF, Jpeg, xlsx, .docx”, is designed to add another false level of assurance. After a series of steps, the attack eventually installs the Snake Keylogger malware.
What if you opened your inbox to find an email from someone you know, on a topic you're interested in, with a .pdf attached? Because it's from someone you know, you might be tempted to click on it, right? After clicking, you're taken to a Google login page that asks you to enter your credentials. It looks legitimate, but the URL looks a bit off: “data:text/html,https://accounts.google.com”. That is a data: URI, so the browser is rendering a page embedded in the address itself; nothing is being loaded from Google, and the “https://accounts.google.com” part is just text the attacker put there to look reassuring.
In reality nothing is as it seems. The page is phishing, the .pdf is an image with an embedded link, and the sender name and subject were lifted from the compromised mailbox of one of your contacts. How? A script digs through the contacts and past conversations of already compromised accounts and automatically creates and sends new phishing emails with matching names and subjects. That is what automated spear-phishing looks like.
And that's not the only way phishers use ML and AI. It also lets them extract plenty of information about users from the Internet, especially social networks. Once upon a time, threat actors had to painstakingly gather information on would-be victims from their social media accounts. Now an algorithm gathers the information and drafts the spear-phishing email automatically. As you can imagine, the number of potential victims grows accordingly.
Real life example
Using the PhishTank database, a team at a Florida-based cybersecurity company built DeepPhish, machine-learning software that, allegedly, generates phishing URLs that beat defense mechanisms.
DeepLocker, a proof of concept presented by IBM Research in 2018, is another example of a new breed of highly targeted and evasive attack tools powered by AI.
Ever used a QR code? Most mobile users have scanned a quick response (QR) code at one point or another, and very few of them are security experts. In early 2022 the FBI issued a warning about QR codes, telling the public that cybercriminals were creating malicious QR codes and sticking them on menus, signs and other places the public has come to trust when scanning.
The simple truth is that literally anyone can create a QR code in seconds, and of course that includes cybercriminals. As with the lures above, the aim is to take you to a lookalike of a trusted website (a fake Wells Fargo site, a fake Amazon site, etc.) where you type in your credentials. In reality, you're giving your login credentials away. QR code attacks are harder to detect because the URL is often shortened, so you don't see the real destination until the page has loaded. The practical check is simple: look at the URL your phone shows before you confirm the scan, and distrust shortened links on physical signs.
Another cunning attack using a QR code steals sessions from instant messengers like WhatsApp. The attackers run a malicious application that acts as a server between the user and the WhatsApp web interface. The application shows the real WhatsApp login QR code and prompts the victim to scan it. If you do that, the app intercepts your login data on its server and saves it to a text file. And voila, the attacker can now log in to your account, read your messages and impersonate you in correspondence.
Real life example:
During the 2022 Super Bowl, a QR code bounced around the screen for 60 seconds in a Coinbase advertisement. It reportedly drew more than 20 million visits in one minute to Coinbase, a cryptocurrency exchange, where visitors could claim $15 in free cryptocurrency and “enter to win $3 million.” While the ad accomplished its goal, it also inspired copycat malicious QR codes.
As types of phishing go, vishing might be the oldest. Deceiving users over the phone to extract private data dates back to the 1990s. The idea is a simple one: scammers call you from “your bank” and try to elicit your account and card details with cunning questions. Vishing these days is next level, and according to the Quarterly Threat Trends & Intelligence Report from Agari and PhishLabs, vishing isn't going anywhere: between Q1 2021 and Q2 2022 it grew by 550%.
It even replaced business email compromise (BEC) as the second most reported response-based email threat from Q3 2021 onward. In addition to human scammers, bots have jumped into the fray, which allows the mining of potential vishing victims to happen 24/7 for pennies. Because of advances in AI and machine learning, today's bots can impersonate humans very credibly.
A Real life example
In 2019 the CEO of a U.K. energy company was called by someone who sounded exactly like his boss at the German parent company and was asked to urgently wire €220,000 (about $243,000) to a “Hungarian supplier.” The voice was reportedly AI-generated. Of course the caller was not his boss, but he didn't learn that until it was too late.
Launching phishing attacks does not require expertise. There are many phishing tools that even non-techies can run. On the Dark Web, scammers can buy a “multi-brand phishing kit”, software that lets them create a very plausible clone of a famous online retailer. The scammer then only needs to deploy the malicious website and get it to the top of search results.
This is really a combination with another kind of phishing, search engine phishing. To entice victims, the crooks announce a “big sale” with crazy prices on the most popular goods like smartphones and laptops (stealing pictures and descriptions from real online shops). To buy, users enter their credit card numbers and other personal data. By now we know how the sad story ends.
Real life example
In March 2022 the Atlas VPN Team issued data detailing the various types of phishing attacks available to users on the dark web. The most expensive offering was a “Ransomware with Sourcecode” kit going for $50. If that’s too costly, would-be hackers could opt for the “Avengers Whaling Phishing Kit” or the “Must-have DDOS Attack” kits going for $7 and $10, respectively.
One day you find an email in your inbox beginning with the stomach-churning phrase “Your password is…” followed by one of your real passwords. The sender claims to have hacked your PC and recorded a compromising video of you viewing an adult website. Your computer is now under his total control, he claims. If you don't immediately cough up a ransom, he will send “the video” to all of your address book contacts.
In reality he's bluffing, of course. No one hacked your machine. But how did the crook learn your password? It's no mystery: he took it from a stolen database traded on the Dark Web. The simple fix: change that password everywhere you reused it, turn on multi-factor authentication, and move on with your life. That applies to the “sextortion bluff” email; other variants require more complex responses.
Real life example
As it turns out, U.S. military personnel have been falling for this scam for years. In 2019 the Army's Criminal Investigation Division (CID) had received just 56 reports of sextortion; by the same point in 2020 that had skyrocketed to 147 cases, a 163% increase, peaking during the pandemic. The CID said that victims collectively lost an estimated $428,000 to sextortion between 2019 and 2022.
These phishing attacks take spoofing to an entirely new level. IDN stands for Internationalized Domain Name: a domain name containing characters outside the ASCII alphabet, so that it can be written in scripts other than Latin. The attack relies on the fact that some letters in non-Latin alphabets look identical to Latin ones: Cyrillic “р” (er) looks like Latin “p”, Cyrillic “а” looks like Latin “a”, and Cyrillic “ӏ” (palochka) looks like Latin “l”. Such letters are called homographs. By swapping letters in a domain name for look-alikes from another script, cybercriminals can easily spoof a website. For example, if an attacker replaces the Latin “p” in apple.com with the Cyrillic homograph “р”, he can register a domain that looks absolutely the same. Under the hood it is a different name: the browser sends it to DNS in punycode form (xn--…), and many browsers now display that punycode form instead of the Unicode one when a label mixes scripts or matches a known look-alike.
Even scarier, the attacker can usually obtain a perfectly legitimate TLS certificate for this site, since he really does own the domain. That means you'll see https://www.apple.com in your browser's address bar looking exactly like the real Apple URL, padlock included. If you think it's the same website, you are at much higher risk of handing your login credentials to criminals.
Fortunately, these attacks are uncommon and getting even rarer, largely because of the browser display rules mentioned above and registry policies that restrict mixed-script registrations.
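A small detector for the trick described above, added here as an example and not taken from the blog post: it decodes punycode labels, derives the script of each letter from its Unicode character name, and compares a confusable-mapped “skeleton” of the label against a brand list. The confusable table is a hand-picked subset (Unicode's confusables.txt is the full source), and the brand list, the function names and the sample domains are assumptions made for the demonstration.

```python
"""Detect IDN homograph domains: punycode decode, script mix, brand skeleton.

Added example for this article; not code from the post. CONFUSABLES is a
hand-picked subset of look-alikes (Unicode's confusables.txt is the full
source) and PROTECTED_BRANDS is an assumed list.
"""
import unicodedata

# Non-Latin letters and the Latin letter each one resembles (partial table).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

PROTECTED_BRANDS = {"apple", "paypal", "google", "microsoft"}  # assumed list

# Constructed samples: all-Cyrillic "apple" and "paypal" with one Cyrillic "a".
FAKE_APPLE = "\u0430\u0440\u0440\u04cf\u0435.com"
MIXED_PAYPAL = "p\u0430ypal.com"


def to_unicode(domain):
    """Decode xn-- labels with the raw punycode codec (no IDNA mapping
    tables involved, so any code point round-trips)."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def to_punycode(domain):
    """Inverse of to_unicode: the form the browser really sends to DNS."""
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def scripts_of(label):
    """Scripts of the letters in a label, taken from the first word of each
    character's Unicode name ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def skeleton(label):
    """Replace every confusable letter with the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(domain):
    """Judge the label left of the TLD (naive for ccSLDs such as co.uk)."""
    uni = to_unicode(domain)
    labels = uni.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    scripts = scripts_of(label)
    skel = skeleton(label)
    reasons = []
    if len(scripts) > 1:
        reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
    if skel != label and skel in PROTECTED_BRANDS:
        reasons.append(f"looks like protected brand '{skel}'")
    return {"input": domain, "unicode": uni, "punycode": to_punycode(uni),
            "label": label, "scripts": scripts, "skeleton": skel,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for d in ("apple.com", FAKE_APPLE, to_punycode(FAKE_APPLE), MIXED_PAYPAL):
        r = analyze(d)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['punycode']:26} {verdict:10} {'; '.join(r['reasons'])}")
```

The punycode form is what to log and alert on: the Unicode label is the thing designed to fool a human, the xn-- label is stable and easy to match in mail-gateway and proxy logs.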
Real life example
Certain exploit kits have used IDN spoofing techniques to distribute malware. One famous example is the “RIG exploit kit.”
Phishing also exploits security flaws in web applications. One of them is an open redirect vulnerability on a legitimate website: a page that takes a destination URL as a parameter (for example ?next=…) and sends the browser there without checking it. The attacker simply puts the phishing page's address in that parameter. Most users only notice the first, legitimate part of the URL and get a false sense that the link is safe; the link even passes reputation filters that look at the domain alone.
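An added example of the flaw, not code from the blog post: a naive `?next=` validator beside a hardened one, run over the kinds of values an attacker would try. The host name `login.example.com`, the allow-list, the function names and the sample inputs are assumptions made for the illustration.

```python
"""Open redirect: the vulnerable check beside a hardened resolver.

Added example for this article; not code from the post. The host name,
allow-list, function names and sample inputs are assumptions.
"""
from urllib.parse import urljoin, urlsplit

OUR_HOST = "login.example.com"          # assumed site being protected
ALLOWED_HOSTS = {OUR_HOST}


def naive_is_safe(target: str) -> bool:
    """The vulnerable check many apps ship: accept anything that starts with
    '/' or mentions our own host name somewhere. Every value in
    PHISHY_TARGETS below passes it."""
    return target.startswith("/") or OUR_HOST in target


def hardened_redirect_target(target: str, default: str = "/") -> str:
    """Resolve `target` against our own origin, accept it only if the
    resulting host is allow-listed, and hand back a path-only URL so the
    browser can never be sent to another origin."""
    if not target:
        return default
    # Browsers treat '/\evil' like '//evil'; normalise before parsing.
    target = target.replace("\\", "/")
    # Drop tabs/newlines/control characters that some URL parsers ignore.
    target = "".join(ch for ch in target if ch.isprintable()).strip()
    parts = urlsplit(urljoin(f"https://{OUR_HOST}/", target))
    if parts.scheme not in ("http", "https"):
        return default                  # javascript:, data:, ...
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return default                  # //evil, user@evil, evil subdomains
    # Collapse leading slashes: '////evil' resolves to our host in urljoin,
    # but a browser would read a returned path '//evil' as a new authority.
    path = "/" + parts.path.lstrip("/")
    if parts.query:
        path += "?" + parts.query
    return path


# Constructed values an attacker would put in ?next=
PHISHY_TARGETS = [
    "//evil.example/login",
    "/\\evil.example/login",
    f"https://{OUR_HOST}@evil.example/login",
    f"https://{OUR_HOST}.evil.example/login",
    "////evil.example/login",
    "/\t/evil.example/login",
]


def compare(targets=PHISHY_TARGETS):
    """What each check does with each lure: {target: (naive, hardened)}."""
    return {t: (naive_is_safe(t), hardened_redirect_target(t)) for t in targets}


if __name__ == "__main__":
    for t, (naive, hard) in compare().items():
        print(f"{t!r:48} naive={naive!s:5} hardened -> {hard}")
```

The two design choices that matter are resolving the value against your own origin before inspecting the host, and emitting a path-only URL rather than echoing the attacker's string back; either one alone still leaves a bypass.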
Pharming is similar to phishing in that it seeks user login data, ultimately resulting in credential theft. However, it is more advanced than phishing. Instead of luring one victim at a time with an email, it tampers with name resolution so that whole groups of users who type the correct address end up on a hacker-controlled website. This can be done by poisoning a DNS cache or, as described below, by modifying the hosts file on the victim's machine.
This variant redirects legitimate traffic to a phishing webpage right inside your PC. For example, you type “google.com” into a browser but arrive at a phishing website instead. How is this possible? By changing the “hosts” file on your computer, which the operating system consults before it asks DNS. Malware that has infected your workstation adds a wrong mapping between a domain name and an IP address to this file, thus redirecting the traffic.
In our example the malware has replaced the real IP address of google.com with the IP address of the attacker's website. Of course, cybercriminals can do this for any domain name, including your bank or social media site. Unsuspecting users are then redirected to a phishing webpage and, should they enter their login credentials, become victims of pharming. A quick check on your own machine: open the hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Linux and macOS) and look for entries for bank, mail or social media domains that you did not put there.
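A hosts-file audit that flags the pharming pattern described above, added here as an example (not code from the blog post). The sample hosts content is constructed, and the watch-list of sensitive domains is an assumption; in practice you would fill it with your own bank, identity provider and mail domains. Ad-blocker style sinkhole entries (a name mapped to 127.0.0.1 or 0.0.0.0) are deliberately ignored, because a pharming infection needs the name to resolve to a real attacker address.

```python
"""Audit a hosts file for pharming-style overrides of sensitive domains.

Added example for this article; not code from the post. The watch-list and
the sample file below are assumptions constructed for the demonstration.
"""
import ipaddress
import os

# Domains that should never be overridden locally (assumed list).
WATCH_LIST = {"google.com", "bank.example", "microsoftonline.com"}

# Names that legitimately appear in a stock hosts file.
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}

# Constructed sample: lines 6 and 7 are the pharming entries.
HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1    localhost
::1          localhost ip6-localhost
0.0.0.0      ads.tracker.example           # ad sinkhole: benign
127.0.0.1    dev.internal.example
203.0.113.45 www.bank.example bank.example # bank sent to attacker IP
203.0.113.45 www.google.com
"""


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each mapping line.
    Comments after '#' and blank lines are skipped."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            yield no, fields[0], [n.lower().rstrip(".") for n in fields[1:]]


def is_watched(name):
    """True if name is a watch-listed domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCH_LIST)


def audit_hosts(text):
    """Return findings: watched domains mapped to a non-sinkhole address,
    plus any line whose address does not parse (malware sometimes writes
    junk the resolver still accepts)."""
    findings = []
    for no, address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append({"line": no, "name": " ".join(names),
                             "address": address, "why": "unparseable address"})
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name in STOCK_NAMES or sinkhole:
                continue
            if is_watched(name):
                findings.append({"line": no, "name": name, "address": address,
                                 "why": "sensitive domain overridden"})
    return findings


def system_hosts_path():
    """Location of the live hosts file on this machine."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def audit_system_hosts():
    """Audit the real hosts file of the machine this runs on."""
    with open(system_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for f in audit_hosts(HOSTS_SAMPLE):
        print(f"line {f['line']}: {f['name']} -> {f['address']} ({f['why']})")
```

Run `audit_system_hosts()` from an endpoint management job to turn this into a fleet-wide check; a finding on the hosts file is cheap to verify and is almost never a false positive for the domains on a watch-list like this.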
Real life example
Though not recent, in 2007 a large-scale pharming attack targeting online customers of over 50 financial institutions in the U.S., Europe and Asia-Pacific was shut down, but not before it had infected at least 1,000 PCs per day over a three-day period. The targeted companies included Barclays Bank, the Bank of Scotland, PayPal, eBay, Discover Card and American Express.
Business Email Compromise, or BEC attacks are phishing emails without a payload like a malicious URL or attachment. Instead, they use impersonation and knowledge of the company structure or common transactions to convince employees to wire money or data, or to change bank account information for pending payments.
For example, threat actors might impersonate a CEO and ask other workers in the company to complete a task like paying an invoice or sending him/her (the “CEO”) current W2 forms for all employees. The evil genius of BEC attacks is that they exploit employees' innate desire to please the boss.
According to the FBI’s 2021 IC3 report, BEC attacks were the biggest contributor to cybercrime losses, with victims losing $2.4 billion from 19,954 complaints.
Real life example
There are countless examples of BEC scams in recent years. One of the more famous stories was Toyota losing $37 million in a single transaction when a bamboozled employee thought they were fulfilling a simple money transfer requested by a “business partner.”
At a smaller company such a request would likely trigger all kinds of alarm bells, but for Toyota it didn’t seem out of the ordinary. Three years later there is no indication Toyota ever recovered the funds.
Like smishing, these attacks (malicious links, impersonation and so on) arrive via the newer breed of social media and collaboration apps such as WhatsApp, LinkedIn, Slack, Skype, Teams and Facebook Messenger. While companies have done a good job training employees to be suspicious of email, they've been less successful with these tools.
Real life example
In 2022 security experts unveiled details of a massive new Facebook phishing attack affecting hundreds of millions of people. According to security firm Pixm, the campaign dates back to at least September 2021, although it grew dramatically in April and May 2022 resulting in the credential theft of over one million accounts.
As you can see, nowadays phishing comes in many guises and even a computer nerd can't recognize them all. So how do we fight back against this danger? The most effective way to achieve security is training employees under conditions as close to reality as possible. We need to train users beyond simple phishing simulations consisting of only an email and a link.
Employee awareness is the best way to fend off these common phishing techniques. For more information on ThriveDX’s Security Awareness Training, please visit here.