As part of our series on identity theft on the Internet, today’s post is about phishing, in which cybercriminals attempt to obtain information such as user IDs and passwords. We introduce the various methods they use to do this and the channels on which phishing is carried out. Last but not least, we also show you how to protect yourself against phishing, i.e., how to set up effective phishing protection for your private information.
What is phishing?
With phishing, cybercriminals try to “fish” for data, hence the term: the word “phishing” is derived from “fishing” and “password harvesting.” The intercepted data is then used for criminal acts, mainly to the detriment of the victim whose data was “fished.” The criminals often target online banking credentials, but user IDs and passwords for email accounts, social networks, and online shops are also the focus of phishing.
With stolen access data, criminals can commit identity theft, for example. This enables the phisher to damage the victim’s reputation, inflict financial damage, or order goods in the victim’s name. Stolen data can also be used to drive hacking attacks on companies or to set up fraudulent websites in a company’s name.
Phishing is versatile: the methods
There are numerous methods that criminal phishers use to trap their victims. Knowing them is the first step in setting up adequate phishing protection, as it stops you from being an easy victim.
Deceptive phishing is the most common phishing method: attackers try to gain access to sensitive information. They can do this, for example, by forging emails or websites that have a professional look and therefore do not arouse suspicion. In the email, the attacker pretends that the email or website comes from a trustworthy organization. An example illustrates this: you receive an email from your house bank. The layout is correct, and it even contains the logo of your house bank. The email tells you that, due to technical malfunctions, you must enter and confirm your bank details. When you click the link in the email, you land on what looks like the site of your house bank, and you can enter your details there.
Unfortunately, this is not your house bank; criminals have written to you, using the email address of your house bank as the sender. The data you entered on the website went directly to the cybercriminals and can now be used for criminal purposes.
Admittedly, cheap emails with poorly forged logos and atrocious spelling have sensitized people to this type of phishing attack. However, the criminals know this too: they are professionalizing, so that their emails are no longer as amateurish as they were a few years ago. And unfortunately, practice shows that the more professional the email or target page is, the greater the risk for the potential victim.
The prerequisite for this strategy is the unscrupulous pretense of an emergency, which the user can supposedly end by clicking a link or entering information. The purpose is to trigger a user action. To succeed, the phishers try to create a feeling of urgency and necessity in the victim.
Spear phishing is a particularly treacherous method that the makers of Emotet used. All information on spear phishing can be found in our article “Spear Phishing with Emotet.”
To stay in angler’s jargon: in whaling, cybercriminals hunt a “big fish.” In particular, the phishers focus on managing directors. The actual attack is divided into two phases: as already described for deceptive phishing, the first phase is about baiting the “big fish.” If this is successful, the second part follows: the CEO fraud. The term “Business E-mail Compromise” (BEC) is also used here.
In this second step, the attacker has gained access to the managing director’s email account. He assumes the identity of the managing director and can thus request information or initiate transactions via the hijacked email account. In this way, for example, the fraudsters manage to have transfers made to accounts of their choice. Since executives usually have many access and authorization rights, whaling is particularly lucrative for criminals.
In pharming, cybercriminals manipulate the Domain Name System (DNS), which relies on DNS servers to translate website names into IP addresses. The pharmer attacks a DNS server and changes the IP address assigned to a particular website. The criminal then uses the affected domain to redirect visitors of the actual website to a fake version. Even if visitors enter the correct website name, this redirection occurs because it has been set up in the background of the affected page, so the website visitor does not necessarily notice the redirect. However, from the moment the visitor is redirected, there is a risk of unwanted disclosure of data.
With clone phishing, the criminals create an almost identical fake based on an actual email, but the file attachments are replaced with malware: the attacker creates an email clone. Using an email address similar to that of the actual sender, he sends his cloned version of the real email to the same recipient.
The danger of these phishing campaigns is very high, since the criminals tailor them to the individual. As a rule, victims of such campaigns assume that the second email contains additional or updated information, an update of the first and actual email. So it happens that the attachment, replaced by malware in the second email, is opened faster and less carefully.
Link manipulation is also referred to as URL spoofing. This method is intended to present the website visitor with a false identity or to conceal the website’s actual address. With link spoofing, the fraudulent URL is visible in the browser, while the manipulation is not directly recognizable with frame spoofing. URL spoofing is used in phishing to fool users into thinking they are on a particular website. In truth, however, they were redirected to another website, presumably a fake created by the criminals.
URL spoofing is made possible by security loopholes in web browsers or web applications. Web applications that pass data submitted by users straight on to browsers allow trustworthy sites to be misused for phishing, which is particularly hazardous. Therefore: click on the lock symbol that appears in the address bar of your browser. Extended Validation Certificates (EV Certificates) let you see the website owner’s identity and thus convince yourself of the authenticity of a website. The tricky fact is that this method also works with HTTPS-secured websites without violating the SSL certificate.
Attackers can exploit these insecure web applications for their machinations: scripts can be sent indirectly to the victim’s browser to execute malicious code on the client side. This attack method can be used for cookie theft, keylogging, or even phishing: fake login forms ask for user names and passwords and then capture them.
Phishing isn’t just an email problem
As you can see from our selection of phishing methods, phishing is not purely an email problem. The attack channels are just as diverse as the attack methods. We present the most common channels below:
- Email phishing: Email phishing is still the most common method – email is used as bait here.
- Website phishing: Website phishing involves making copies of trusted websites. See URL spoofing above. Pop-up windows are also a popular source of phishing.
- Vishing: This word creation comes from “Voice Phishing” and means the voice version of phishing. Many automated calls are vishing attempts to obtain information: attackers try to convince their victims over the phone to hand over information.
- Smishing: This term means phishing via SMS. You can find more information about this dissemination channel in our article “The risk of smishing: This is how phishing via SMS works.”
- Social media phishing: With phishing on social networks, attackers hack accounts and use the stolen identity to send malicious links to the friends of these accounts. Another method is to create fake profiles for phishing purposes.
Phishing protection: How to protect yourself against phishing
The most effective protection against phishing is knowing about phishing. Would you like to test your knowledge? You can do just that in our phishing quiz. You can also protect yourself against phishing attacks by following these tips:
- Stay up to date: Find out about IT security in general and phishing in particular. We will keep you up to date in our blog but also in the newsletter.
- Beware of spelling: While the advice still circulates that poor spelling and grammar give a fraudulent email away, this has unfortunately changed. Phishers and other cybercriminals are becoming more professional, so poor grammar and spelling are no longer the definitive identifiers of fraudulent messages. Of course, various errors can still hide in fraudulent messages. But do not assume that a letter written in perfect German could not have come from a fraudster.
- Healthy skepticism: Always show a healthy level of skepticism regarding emails, calls, and messages via other channels. Do not click links too trustingly, and be just as cautious before downloading attachments.
- Check suspicious messages: As we showed above, it is easy for an attacker to make messages appear to come from someone you know. You should, therefore, always check the origin and sender of messages (you will find further information in the source text of the email). If in doubt, call the supposed sender and ask whether the message really came from them. Also, remember that reputable organizations like your house bank would never contact you to ask for personal information. Review links and attachments in messages carefully before opening them.
- Be careful when replying: If you find an email suspicious, you should not respond to the sender directly. Start a new conversation instead, and only via the official communication channels of your company.
- Security certificates: Check the security certificates or seals specified for web services and websites. Authentic seals and certificates can be clicked, and you will then be redirected to the certificate or seal provider.
- Passwords: Use strong passwords and create separate passwords for each service you use. In a data incident, only the access data used for the respective service are affected. We’ll tell you how to create secure passwords in the article “Secure passwords: Strong passwords increase security.”
- Safe browsing: Rely on a secure browser and use an ad-blocker. Ideally, also use a VPN to conceal your browsing traces.
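Two of the checks above, verifying the sender and spotting link manipulation, can be automated. The following is an added example, not code from the original post: it parses a constructed sample message (the house-bank scenario from the deceptive-phishing section), compares the From domain with the domain the real bank is assumed to use (examplebank.example, an assumption), and flags links whose visible URL points to a different host than the actual href.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real email): display name and visible link text
# claim to be the bank, while the address and the link target do not.
RAW_EMAIL = b"""From: "Example House Bank" <service@examplebank-login.example>
To: customer@example.org
Subject: Please confirm your account details
Content-Type: text/html; charset=utf-8

<p>Due to technical malfunctions you must confirm your details:</p>
<a href="http://examplebank.example.fake-login.example/confirm">https://www.examplebank.example/login</a>
"""

def host(url):  # hostname, lower-cased, without a leading "www."
    return (urlparse(url).hostname or "").lower().removeprefix("www.")

def sender_findings(msg, expected_domain):
    """Flag a From address whose domain is not the one the real sender uses."""
    _, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain != expected_domain:
        return [f"From domain {from_domain!r} is not {expected_domain!r}"]
    return []

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def link_findings(html):
    """Flag anchors whose visible text is a URL on one host but whose href goes elsewhere."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = text.strip()
        if not shown.lower().startswith(("http://", "https://")):
            continue  # visible text is not a URL, nothing to compare
        if host(shown) != host(href):
            findings.append(f"link shows {host(shown)!r} but goes to {host(href)!r}")
    return findings

def analyse(raw, expected_domain):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    return sender_findings(msg, expected_domain) + link_findings(html)

if __name__ == "__main__":  # assumption: the real bank mails from examplebank.example
    for finding in analyse(RAW_EMAIL, "examplebank.example"):
        print("suspicious:", finding)
```

Both checks are heuristics: a From address can be spoofed to match the expected domain exactly, so a clean result is not proof of authenticity, only a mismatch is a reliable warning sign.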