Phishing is like fishing, hence the name. The attacker lures their target with bait, often by sending out disingenuous emails to a group of people, and waits for a victim to get hooked. Once hooked, the attacker can trick the victim into divulging sensitive information or carrying out an unintended action by posing as a legitimate and trustworthy entity. Unlike fishing, however, it is anything but a harmless pastime.
Ever since the dawn of the Internet, attackers have been breaking into organizations and breaching defences by finding and exploiting vulnerabilities in network perimeters and applications. In response, organizations threw firewalls at the problem, locked things down and built a seemingly impenetrable fortress. The problem with this approach is that it still leaves users, systems and internal networks ripe for exploitation.
Smart attackers have long since realized that attacking users is far easier and more effective. This is because users are easier to target from the outside-in through legitimate methods of communication such as email.
A successful phishing attack involves a victim entering their credentials into a fake website, clicking on a malicious link, installing a trojan or ransomware, or divulging sensitive information to the attacker. This gives the attacker the foothold needed to breach an organization’s defences – often without the organization knowing it was breached at all.
As cyber-criminals become smarter and more efficient in how they conduct phishing attacks, the cost of a phishing attack could run into the hundreds of millions of dollars, especially for organizations subject to regulatory and compliance requirements such as PCI DSS and HIPAA.
What’s the worst that can happen?
Phishing is commonly used to obtain sensitive information such as credit card details, banking information and passwords, but it certainly doesn’t stop there. The attacker then uses the stolen information to impersonate the victim and access the compromised account as if they were the victim. Account impersonation can lead not only to identity theft, but also to an escalation of the attack, since the victim’s account is likely to have access to even more sensitive information than what the attacker initially obtained.
Let’s take a typical example of a phishing attack where an attacker tries to lure a victim into divulging their email account credentials. An attacker might pose as a system administrator asking a victim to reset their password. The attacker would encourage the victim to click on a link to a fake website, most likely one that looks the same as the genuine login page. Once the victim unknowingly enters their credentials, the malicious form captures the victim’s credentials and sends them to the attacker.
Once an attacker has access to a victim’s mailbox, they can read sensitive emails, send emails (possibly phishing other victims) in the victim’s name, and often escalate the attack to other systems by resetting the passwords of important accounts that the victim holds.
More advanced phishing attacks may carry documents (such as word processor documents, spreadsheets and presentation files) containing specially crafted malicious code. The attacker lures the victim into opening the document, which in turn runs the attacker’s malware on the victim’s system. Malware can be used to do all sorts of things, including spreading to other computers on the network, deploying ransomware, or stealing specific data from the victim’s system that enables the attacker to achieve their goal.
One does not simply solve phishing
Like any other problem in cyber-security, phishing is not a threat solved just by throwing dollars and firewalls at the problem.
Securing your organization against phishing threats starts and ends with the user – by protecting them from themselves. Educating users not to interact with “phishy” emails is an important line of defence but there is too much at stake to solely rely on end-users to spot phishing attacks. Instead, a defence-in-depth strategy should be adopted to make sure that when attackers strike, they won’t get far.
What was once an art wielded by skilled attackers has now become a widespread and easily accessible form of cyber-crime. With off-the-shelf phishing kits, exploits and malware rampant on underground markets, it has become trivial for criminals to cause a lot of damage with very little effort. Hardened network perimeters taught attackers to phish. Now it’s time to steer our users away from the lure.