[clist id=”1470325158334″ post=”35841″] In order to plan for and prevent phishing attacks, it is crucial to have some insight into the attacker’s world. It is vital to know more about what goes into such attacks, from the initial planning and preparation stages, to how phishing networks help make attacks happen, to the delivery of bait and collection of data. Not only will this information help businesses and organizations prepare for inevitable attacks, but it can shed valuable insight on key steps to take to defeat attacks, sometimes even before they start. While there is no way to guarantee that attackers won’t target you or your business, forewarned is forearmed.
Planning and Preparation
Like any military campaign, a phishing attack begins with a lot of legwork. It requires considerable research, planning and preparation well before the attack is launched. These are not one and done affairs in many instances. They’re carefully orchestrated attacks that would do any tactician proud.
Gathering Information – The First Step
The first step in planning a phishing attack is to gather information. The phishing group (in most instances, these are groups or networks, not lone hackers out for personal gain) must decide on a target and then gather crucial information that will allow the attack to penetrate any security protocols. Most hacking groups use IRC (internet relay chat) to conduct planning and strategy sessions, as well as discussions about targets, methods, and more. IRC is used because it is anonymous and secure. Phishing groups are organized into networks or gangs, usually with no central leader. Called “scale-free networks,” they operate on group consensus, rather than direction from a central source. A prime example of this is the Avalanche Gang, which was formed in Eastern Europe in 2008 and is thought to be responsible for most of the attacks and havoc in 2009. Interestingly, the Avalanche Group was a splinter from an older group, called Rock Phish. Both have disbanded by this point, but no members were ever apprehended, so you can bet they’re still out there, plotting and stealing data. Once the group has formed and begun talks through online chat, members begin to take on specific tasks. Some will design spoofed websites. Others will code emails and graphics. Still others will create the text for each email or notification the group will use. Others spread their nets across the Internet looking for information to use against their target. They’ll go so far as to obtain employee names, social media account information, and more. After the primary target has been identified, along with any specific individuals within the organization who will be the point of entry, the group baits the hook, so to speak. The bait can take any number of different forms, but the most common is to use an email message designed to evoke worry or concern, and a phishing site that completely mirrors the expected destination site. For instance, in 2008, a whaling attack (one targeting C-level execs) used a fake subpoena email. The email included accurate personal information about each executive, including names, phone numbers and addresses, and looked so authentic that 2,000 different executives fell for it. Take a moment to think about that. These weren’t low-level employees who didn’t know any better. They were high-level leaders with years of experience and business savvy. They all fell for the trick and clicked the link in the email. Rather than prompting them to enter an account name and login, though, the link led to a site that secretly downloaded malware to their computers, where it logged keystrokes to capture account information. This is just one example. Attackers have a wide range of weapons at their disposal, including:
Bank emails supposedly warning about low account balances or nefarious activity detected Free giveaways, from high-value prizes to free food Fake social network notifications, such as an alert from Facebook that a friend had added a picture of the account holder Warnings from cybersecurity companies that an account has been hacked, usually complete with contact information and legitimate company names and URLs
All it takes is a single click, and the rest is history, as they say. With access to a compromised host, attackers can do almost anything from installing vicious scripts to downloading viruses to harvesting data. In some instances, attacker groups have had access to vital company data for months, or even years.
Phishing Networks
As mentioned, phishing is not usually the work of a solitary attacker. Instead, it’s a group effort. These groups are called phishing networks. You can think of them like any other business network – a group made up of individuals with complementary skill sets who work together for a common cause or toward a shared goal. Once upon a time, attackers actually were sole individuals. Such was the case with the Trojan developed by Dr. Rapp and distributed via diskette back in the 1980s. However, it took very little time for attackers to realize that there was strength in numbers. About 2006, cyber-criminals began to band together into networks to exchange information, learn from one another, benefit from the skills of others and reach larger targets than an individual would be capable of doing. So, how do these groups operate? Cloudmark deconstructed the typical phishing network to highlight just how easily they can accommodate individuals with the ideal skills needed to successfully attack just about any organization, regardless of size or industry. They typically include individuals who specialize in mass emailing strategies, including good grammar skills. They also include template designers, server managers, cashers who buy financial information that can be utilized to generate fake debit cards and the like, and bots that run automated scripts. Of course, that’s not the end of it. Phishing networks are generally augmented by a lot of technology. For example, Avalanche Group used an army of bots (called a botnet, and created from compromised PCs) to host spoofed websites and trick people into giving up targeted information. Phishing packages and toolkits also play a role here, as does knowledge of ideal venues for their initial attacks. Chatrooms play a significant role in the success of phishing groups. Because chatroom members are actively looking for conversation and connection, they can be more susceptible to phishing. In fact, Symantec found a phishing group doing just that in 2013. The group used an Asian chat application that ostensibly let users speak with Indian and Pakistani women, but really just stole their account credentials. Phishing groups also have the knowhow and motivation to create entire armies of infected, compromised PCs. By combining these infected machines into a network, they’re able to achieve larger goals. The initial infection can come from any of a number of sources, including drive-by downloads, Trojans, emails containing links to infected sites or even infected files, and “fast flux,” which is a DNS technique used to hide infected sites behind proxies. In short, these groups are complex and sophisticated. They are large, widespread, and autonomous. Individual members are anonymous, motivated, and skilled. By bringing together individuals with skills ranging from website design to virus coding to impactful writing, security vulnerability identification and strategy, these networks can pose a threat to even the largest businesses, organizations, and even government agencies.
Delivering Bait and Collecting Data
Phishing attacks are all about the bait. The network could go through all the effort of obtaining information about specific employees or executives within a business, but if they are not capable of creating tantalizing bait, all that effort is for naught. As you can imagine, the bait is all-important. If it’s not compelling, then the target won’t take the desired action (clicking a link, for instance). That means the attackers are deprived of their goal, whether it be access to a PC, financial information, personal data, or something completely different. There are many forms of bait used by phishing networks, too. [cta id=”1470255850051″ post=”35841″] One of the most common is a forged email. In this situation, an email is forged to look as if it came from someone else within the organization. It looks absolutely authentic, all the way down to the domain from which the email is sent. That makes it incredibly difficult to detect. The purpose of the email could be almost anything. Among of the most common are attempts to get the recipient to:
Click a link that will take them to a spoofed site where their credentials might be stolen, or malicious software downloaded to their computer Directly provide some type of information requested by the sender, usually account credentials or other information that would allow attackers to achieve their goal Download an infected file, which could be a Word document, Excel sheet, or an infected PDF, among other things Click a link to a website where a worm will be downloaded to their PC, stealing their address book’s contact information and sending further fake emails
Of course, forged emails are just one trick in the attacker’s playbook. They may also engage in what’s called “clone phishing,” In this instance, the email’s recipient is tricked into thinking that the email is a reply to a previous message, or a forwarded message or document from someone they know. Brute force phishing is also used. The name really says it all. In this situation, an attacker would create random letter and number combinations of subdomains associated with a company’s primary email sending domain. This works because most companies have more than one email sending domain, and some of those are not DMARC-ready. Chatbots are another way that attackers send bait to would-be victims. Social networks are primed for this sort of attack. A chatbot sends an individual a friend request. When the recipient accepts the request, the chatbot almost immediately sends a message with a link to the targeted individual. The link would purport to be something of importance to the target (remember that the phishing group has done its research, and knows what makes the targeted individual “tick”).
Once the Bait Is Taken
The entire goal of any phishing attack is to get the target to “bite,” to take the bait. Once the bait has been delivered and the target has taken it, the real fun begins. This is where attackers gain access to the information they want. If the attackers have gained administrator credentials, they can do any number of things, including trapping other users. In a worst-case scenario, the attackers use DNS cache poisoning to take over an entire server and redirect all traffic to spoofed websites. They will also be able to intercept data and even scan hard drives and email inboxes and other folders. Once they’re in, phishing attackers will begin the process of data extraction. They will scrape databases to obtain personal and financial data and add it to a spreadsheet. They are particularly interested in some specific types of data, including:
Social Security numbers Full names Physical addresses Email addresses Credit card numbers Passwords
Once the information has been scraped and stored, the phishing group takes the final step in their plan. They sell that information on the black market, where others will make use of it to steal identities, set up new credit card accounts, or create brand-new identities with someone else’s personal data. The data is sold to the highest bidder, and the phishing group splits the profits. A single person’s cell phone number and email address can be worth as much as $1,200 to the right bidder in the right location. Phishing attacks are frightening both for the potential data that can be stolen and the ease with which many of these attacks are carried out. Moreover, any business, organization, or government agency can be victimized. The only defense is to be aware of the threat and prepared to take it on.
