Phishing is an example of a Social Engineering Attack used to deceive users and to exploit weaknesses in current Website security.
Phishing typically directs users to enter personal data at a fake website, the look and feel of which are almost identical to the legitimate one. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may contain links to websites that are infected with malware.
Phishing may involve the use of an HTML link to a Malicious Website, which then deploys Malicious Software.
Phishing may use Punycode so that HTML links appear to belong to a reputable Organizational Entity.
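The Punycode trick above can be checked mechanically on the receiving side. The following is an added example (not code from the original page): it takes the href of an HTML link, decodes any xn-- labels in the hostname back to Unicode, and flags labels that mix scripts (e.g. a Cyrillic letter inside an otherwise Latin name). The sample hostnames are constructed for the demonstration.

```python
import codecs
import unicodedata
from urllib.parse import urlparse


def script_of(ch: str) -> str:
    """Rough script classifier: first word of the Unicode character name."""
    if ch in "-0123456789":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]  # LATIN, CYRILLIC, ...


def decode_label(label: str) -> str:
    """Turn an ACE label such as xn--pple-43d back into its Unicode form."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def ace_label(label: str) -> str:
    """Encode a Unicode label to its xn-- form (used here to build sample input)."""
    return "xn--" + codecs.encode(label, "punycode").decode("ascii")


def analyze_link(href: str) -> dict:
    """Decode the hostname of a link and report Punycode and mixed-script labels."""
    host = urlparse(href).hostname or ""
    labels = host.split(".")
    decoded = [decode_label(label) for label in labels]
    scripts = {script_of(ch) for label in decoded for ch in label} - {"COMMON"}
    return {
        "host": host,
        "decoded": ".".join(decoded),
        "punycode": any(label.lower().startswith("xn--") for label in labels),
        "mixed_script": len(scripts) > 1,
        "scripts": sorted(scripts),
    }


if __name__ == "__main__":
    # Constructed samples: a genuine Latin name and a look-alike with Cyrillic "а".
    samples = [
        "https://apple.com/login",
        "https://" + ace_label("\u0430pple") + ".com/login",
    ]
    for href in samples:
        print(analyze_link(href))
```

A mail gateway or link-rewriting proxy would typically quarantine or visibly annotate links where "punycode" or "mixed_script" is true, since a human reading the rendered link cannot tell the two apart.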
One-Time Passwords and other Multi-Factor Authentication help prevent your account from being used to perform Phishing, but they do not prevent you from being the subject of Phishing.
Where general email attacks use spam-like tactics to blast thousands of messages at a time, spear phishing attacks target specific individuals within an organization. In this type of scam, attackers customize their emails with the target’s name, title, work phone number, and other information in order to trick the recipient into believing that the sender knows them personally or professionally. Spear phishing is used by organizations with the resources to research and carry out this more sophisticated form of attack.
Whaling is a variant of spear phishing that targets "CXOs" and other executives ("whales"). Because such individuals typically have unfettered access to sensitive corporate data, the risk-reward for the attacker is dramatically higher. Whaling is used by advanced criminal organizations that have the resources to execute this form of attack.
BEC (Business Email Compromise) attacks are designed to impersonate senior executives and trick employees, customers, or vendors into wiring payments for goods or services to alternate bank accounts. According to the FBI's 2019 Internet Crime Report, BEC scams were the most damaging and effective type of cyber crime in 2019.
In this type of attack, the scammer creates an almost-identical replica of an authentic email, such as an alert one might receive from one's bank, in order to trick a victim into sharing valuable information. The attacker swaps out what appears to be an authentic link or attachment in the original email with a malicious one. The email is often sent from an address that resembles that of the original sender, making it harder to spot.
Vishing, also known as voice phishing, is an attack in which the scammer fraudulently displays the real telephone number of a well-known, trusted organization, such as a bank or the IRS, on the victim’s caller ID in order to entice the recipient to answer the call. The scammer then impersonates an executive or official and uses social engineering or intimidation tactics to demand payment of money purportedly owed to that organization. Vishing can also include sending out voicemail messages that ask the victim to call back a number; when the victim does so, they are tricked into entering their personal information or account details.
In a snowshoeing scheme, attackers attempt to circumvent traditional email spam filters. They do this by pushing out messages via multiple DNS Domains and IP Addresses, sending such a low volume of messages from each that reputation- or volume-based spam filtering technologies cannot recognize and block the malicious messages right away. Some of the messages reach email inboxes before the filters learn to block them.