How smart criminals are fooling you into their (email) phishing trap

If you think that ‘I would never click that’ phishing email holds true for you, read here why you are
probably wrong and might be at risk!

Smart criminals are fooling you into believing you are clicking a honest email or text link, while in fact you are falling victim of their refined tactics.

Ask yourself, would you click this link? This is a clear example of a phishing email.

This is a clear example of a phishing email. Do the test below if you think you are immune to social engineering attacks.

Test your performance and create awareness

There are in almost infinitive amount of possible ways phishing can trick you. In fact, around 27% of people fail social engineering (the word used describe the general subject of tricking another human being into believing something that is actually false) tests according to a report by positive technologies.https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Social-engineering-2018-eng.pdf

Do you think you are so IT savvy you would never fall for these tricks? or do you want to simulate how you would perform under a various of different attack vectors? Test you knowledge and enter the challenge below:

• Cognitive biasses
• Time limit
• No good answers
• What to do? → call/reply/etc
• How to mitigate? → 2FA?
• Firefox IDN Homograph
• SMS vs app 2fA

How did it go? Did you think the test was easy and found out it was actually quite hard? Did you score 100%? If you want to jump right to a smart little wizard that gives you excellent advise on when to trust and when not to. Use the model below:

• how to tackle (already build)
• 1 do i have an account? → NO. do not proceed https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

Want to learn more about phishing and how it works? Read more below!

We want you to take action, exploit your device or your credentials!

Phishing is a way of convincing you that a real company or person you know asks for something that is not actually true. This can happen with a variety of results in mind. Generally speaking these are the three types of results an attacker is trying to pursue:

1. Ask you to perform an action. Example: Wire money to a Nigerian prince because he is in need of a ‘middle person’ and will reward you ‘generously’.
2. Exploit your device by installing malicious software or gaining access to your device, information or a location. Example: Take your private photo’s, Copy your sensitive files, Install a keylogger, take over your computer.
3. Exploit your credentials. Example: Login to your bank and wire money, use your credit card credentials to order products, steal your identity, login to on and offline services to get to other valuables or sensitive information that you may have.

The results are any of the following:

• Stealing from you. The intended result is usually stealing from you or extortion. This can be for money, information or other types of property.
• Stealing from others through you. In this case you are the ‘middle man’. This can be with you knowing about it or in complete secretly. For example by using your credentials to gain access to a website, computer or physical location to steal from others. Ea. Copy the ID of a bank employee to gain access to the bank’s systems, use the administrator passport of the IT manager to gain access to the companies files, etc…

Why is phishing working so well?

Data shows that the average click rate on email phishing is 3,4%. If you consider the amount of phishing emails that are send every day this is a massive amount of people. As it may appear you will want to understand what you can do to counteract any form of phishing to avoid becoming the victim of such an attack.

The reason why it’s so hard to spot an attack is because attackers try to exploit various shortcomings in the human brain called ‘cognitive biases’. This is a complex word to describe that our human brain has a few blind spot’s. We are prone to hundreds of such (small and big) quirks. The ones that are most exploited and some phishing text examples are listed below:

Can you see how the attackers skilfully crafted their wording to get a grip on one of the principles of human behaviour?

Want to read and see more examples or find out more about this subject? Find out more in this study by the Technical university of Eindhoven, NL.https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwir5Mzjg7HsAhUxMewKHRBhA_gQFjADegQIAhAC&url=https%3A%2F%2Fwww.usenix.org%2Fsystem%2Ffiles%2Fsec19-van_der_heijden.pdf&usg=AOvVaw1ZrLdA43pb69_35pasF673

How does the plumbing of a phishing attack work?

Phishing is basically tricking you into an action that you do not want to take. Attacks come in all sorts of size and shapes. More about that below. First we explain how a typical attack works: See figure below for illustration from Cloudflare (https://www.cloudflare.com/learning/access-management/phishing-attack/)

How it works:

1. The hacker carefully prepares his attack and set’s up a ‘trap’ and pushes ‘send’ to thousands of email addresses.
2. You receive an email that looks like ‘the real deal’ and you trust it’s content. You click the link.
3. The website you expect to be shown is duplicated by the attacker in such a way that you believe it to be genuine. You enter personal credentials.
4. The attacker now has your personal information and uses this data to access the legitimate website to exploit

Take note that the attacker usually sends out the email to hundreds, thousands or even millions of email addresses. These are found by buying hacked email addresses or researching or hacking into email databases of the company that they are trying to mimmic. The more specific the contact details, the better the attack will work.

In other words, if the attacker knows you are a client of company x but not of company y and might even be able to find out who is in charge of (for example) the IT department of company x. The attacker will have much higher chances of succeeding when he will targets his attack exactly towards this combination of information. He will send out a email targeting only clients of company x with the email signature of the person that manages the IT department there. The more specific a attack becomes, the better it will work.

What kind of information is at risk?

Are you willing to loose money? Access to your personal files? No? We also think so…

Typical types of information that criminals are after are the ones below. These should really concern you as it is common that they give access to a much broader base of information.

• Usernames
• Passwords
• Credit card numbers
• Bank account information
• Other important data

For example: If you use the same credentials for multiple websites or companies these can be used to reset passwords for payment agents like paypal.com, help on execution Identity theft, etc…

What types of phishing emails are there?

Phishing emails and texts come in different forms and types. Each with it’s own intent and setup.

Advanced-fee scam or Quid Pro Quo scam

“If you allow us to move a large sum of money through your bank account we will grant you 35% of the money for your service.”

The email asks for a ‘fee’ to process a transaction. An example of this is the ‘Nigerian Prince’ email. This is actually a very old technique that tries to ‘reward’ a person for doing something for the requestor.

This attack should be mitigated by using the principle: If it’s too good to be true, don’t trust it!

Account deactivation scam

“You need to do this now if you don’t want to loose’, your account with (insert big tech name here)!”

The attacker tries to create urgency by threatening that your account is going to be deactivated if you’re not loggin in. This type of email requests you to click a malicious link and/or give your login and password directly.

Sometimes this attack is so well constructed that it actually takes you to the legitimate version of the website you are asked to insert the details for. By doing so it’s very hard to recognise that you have been scammed.

This attack should be mitigated by never clicking a link in a email but instead surfing directly to the companies website through your internet browser and logging in via that route. This way you single out a possibly compromised link.

This email type takes advantage of the ‘Scarcity’ principle.

On a side note: this advice is hard to do when you get a ‘password reset’ email that you have requested yourself. It is typical for these emails to usually contain a link to reset passwords.

Whaling scam

“Hi x, Please wire 22M to the following account below before noon. I need it for the deal with y, Your truly, Jeff Bezos, CEO Amazon”

With whaling the attacker tries to use the authority of the email sender’s to demand something from you. For example a fake email is created that is supposedly send by the CEO of the organisation to the CFO or a an accountant to wire money to a certain account, give credit card details or similar.

For this attack the social media accounts from the people involved are ‘scrapped’ and this information is entered in the email to create trust with the recipient.

This attack should be countered by verifiing in person that the request is legit. The best way to do this is try to reach this person by a way that you know is safe and involves direct communication such as a personal or telephone conversation. Ask the requestor if the message is valid directly.

Countermeasures

Prevention, defense and awareness

Defense

How to check for validity of a potential phishing message?

As you most probably don’t want to get scammed it’s important to check for validity. There is potential risk in anything you do with a computer, or other device connected to the internet so always beware. You’re first reaction to anything you have not requested yourself or is unexpected behaviour: dont’ trust it. Once you go into this mental state you are a much harder target.

General writing and plausibility

When you think any of the following things. Be extra cautious:

• Too good to be true? → don’t trust. Googling the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap.

Social engineering is the craft of manipulating human feelings like curiosity and fear to lure you into their traps. Therefore, be wary whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across stray digital media lying about. Being alert can help you protect yourself against most social engineering attacks taking place in the digital world.

• I dont have an account or don’t know the sender or company personally? → don’t trust. Try verifiing that this person or company is legit by reaching out to them via another way. For example search for the person’s or companies phone number through an internet search on another device and call to check the legitimacy of the message.

There are many ways that the attacker might impersonate anyone or any company you know. Your first check should be: Do I know this person? If not, consider not interacting with the message at all.

Another good way of minimizing the change of receiving malicious email is using an email service that is ‘approve only’. It allows you to personally screen new incoming senders and reject them if you do not know them. You can only interact with emails after you have confirmed that this is what you want. Currently only ‘HEY’ offers this concept/feature. See screenshot below:

Fake hyperlinks and URL's

The hacker needs to take you somewhere to be able to convince you to enter data or perform a action. They will in almost all cases try to make you click a link that is malicious. So you should always be asking yourself:

• Is the senders email or phone number valid or fake? → Many attacks use so called ‘domains’ that are almost identical to the real company or person they are trying to imitate but are not the real deal.

The easiest way to check the actual link the click is going to take you is by looking at the bottom left part of the screen of your internet browser. Can you spot where it is?

The reason this is so important is because there is a possibility that a link is masqueraded as another link by using programming language. See below examples of links to Google.

<a href='https://www.w3schools.com'>https://google.com</a>

https://google.com

The two look identical, but the actual destination link in the first example is
https://www.w3schools.com

To navigate safely around the internet, you need to understand that a URL consists of the following 4 parts:

If you know how to check where the link will take you. It’s our strong advice to check the following points before clicking:

Another, more advanced trick hackers use is to mimic a letter with another (unicode) character that looks just like it. See following example:

https://www.аррӏе.com/

Visiting this page on Firefox web browser leads to the following website:

The reason this domain looks 100% identical to the real domain is that the attacker (in this case the poster of the blog post about the vulnerability) is that the browser translates the ‘Cyrillic "а"’ used in the domain into the regular ‘a’ when it displays in your browsers address bar

Masking hyperlinks and URL’s

Another trick that hackers use is the masking of URL’s through url shortening services. Some examples of these are Bit.ly, Cutt.ly and TinyUrl. There are many more but they have one thing in common. The Urls that they produce don’t match the original domain of the company that sends you the email. Look at the examples below:

Find the link address by hovering your mouse over the hyperlink. All internet browsers show you the ‘destination’ url. If it does not contain the companies domain name, don’t click it!

Bad URL:

https://bit.ly/3dapvd5#297552383a2716822a10377

Good URL:

https://trade.aliexpress.com/order_detail.htm?orderId="1231212212"

Behind the first URL might be any destination. There is no way to check. So best you avoid URL’s like those altogether.

• Does the email contain an image, link or attachment that I did not request? → Don’t trust. Phising email links or images that can be clicked often lead to fake websites. Attachements can potentially harm your computer by infecting them with spyware, mallware, keyloggers or randsomeware. It’s highly recommended you never click, open or install attachments that you did not personally request with the sender of the email.

Don’t get fooled by the file type. Any file type can be malicious. Even .PDF files or cute cat or dog photo’s.

Desperate to open a .pdf or image file? Use your browser or an online cloud like Google drive or Dropbox instead of opening the document on your computer. This way the document ‘runs’ in a different environment than your physical device (phone, computer)

Fake websites

The website you visit looks exactly like the ‘real’ one. The attacker created a duplicate website to steal any information you enter. You may be brought to this site by clicking an email hyperlink, forum post, messenger app link or even a search engine result.

To mitigate this type of attack, you can do the following two actions:

1. Check the domain name. The only reliable way of checking any website is through checking the exact URL link. This hyperlink should be exactly same as the one you know for this site. If you are in doubt, call the company and ask for their website link.

2. Check the SSL certificate. A basic check before visiting any site should be that the site has a SSL certificate. You can quickly check if this is the case if the website has a logo with a lock in the corner before the url of your browser. See examples below. This logo displays the fact that the website has a valid ‘SSL certificate’. This means that the information between your computer and the website that is exchanged is encrypted. If a website does not have this lock or flag, do not enter any personal information regardless of the situation.

You can also go as far as checking if the domain name SSL certificate is registered to the actual company. There are many guides out there that will tell you how to do this for your particular browser.

3. Double check.Once you are on the website and you have checked the domain name there is usually only one more thing you can do to keep yourself safe: ‘use your common sense’. As you read previously in this article, criminals use deceptive language to trigger you to take a certain action. If you read the website and find the layout, or maybe the wording a bit strange and feel the ‘urge’ to do anything, stop and reconsider. Better to do a double check first. Search for ‘reviews’ of the website with the words: ‘scam’, ‘phishing’ or ‘phishing attack’. Often you are not the only one being targeted and somebody else already reported about it.

Attachments and other software.

If you really think that the attachment of a email is real and not a form of malware, spyware, ransomware or a keylogger? These are the steps you can take to decrease risk:

1. Make sure you have an anti-virus software installed and that it’s updated. This is a bare minimum. If you don’t have this, proceeding with downloading files is just too big of a risk. If something happens you have no way of defending yourself. Are you willing to loose all your photo’s and files?
2. Software: Go to the website of the software vendor and see if you can download from that location instead. It’s almost never the case that software send over email is legit.
3. If you do trust the source, check if the software vendor has a ‘integrity’ or ‘hash’ page. This is a number that comes out of a calculation that you can perform on the file before opening it. The number should match the software vendor’s published number. There are different ‘hashing methods’, each will give a different number. Use one of the following software to do the hashing for you: Visualhash, Rehash or MD5Sums . See the Keepass integrity page for examples of this method.

4. Other easy measures you can take to minimize the threat-model is by checking the so called PGP key signature of a download. This is excellent practice but too complicated for most people.

Account security

User credentials are often the target of phishing. You should protect yourself by enabling ’2 step authentication’, also known as ’2 Factor Authentication’ or ’2FA’ on all accounts that allow it. This setup is basically an extra layer of security. The usual setup:

1. Your user name and password
2. A ’2 factor authentication’ app on your phone

The app on your phone generates time specific codes that you need to enter when loggin in to a service that has been setup with 2 factor authentication. This setup allows you to defend yourself even if some of your personal information like your user name and password are compromised. Without access to your phone the attacker cannot enter the account.

Popular apps to setup 2FA on your Android or iOS phone are:

• Authy (https://authy.com/)
• Microsoft (https://www.microsoft.com/nl-nl/account/authenticator)
• Google (https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=nl)
• Lastpass (https://lastpass.com/auth/)

It’s also possible to use dedicated devices for 2 factor authentication. Some of the more popular are:

• Yubikey (https://www.yubico.com/)
• Google Titan security key (https://cloud.google.com/titan-security-key?hl=nl)

It’s important to note that you should avoid ‘SMS 2 factor authentication’ if possible. This is because SMS and the protocol behing it is not build to handle sensitive information and can be hacked relatively easy. If your account or service has a 2FA option. Use an app on your phone or hardware device if possible. Only settle for SMS if no other option is available.

Prevention

There is nothing more effective as incident prevention. To do phishing prevention you essentially minimize the effect vectors that a malicious entity has on you. These are relatively straightforward to do but hard to maintain the discipline for:

• Never give out personal information to anyone via email, phone or text messages.
• Never befriend people that you don’t know in real life.
• Never trust someone or something that you have not double checked.

Other ways to work on prevention are tests and trainings. Unfortunately these are hard to come by for free. So we made one. Scroll up to the top of this page to take the test!

Or take the one from Google here (https://phishingquiz.withgoogle.com/)

The data

32% of data breaches involved phishing according to the Verizon Data breach investigations report (DBIR). Out of which most attaches (96%) involve email phishing. Only 3% of attackers used a website and a mere 1% uses text messages. The average click rate on email phishing is 3,4% but the level of sophistication is rising sharply!

37.9% of Untrained Users Fail Phishing Tests

The most worry some fact is that 37.9% of Untrained Users Fail Phishing Tests KnowBe4, one of the industry’s leading cyber awareness training organizations, states in their 2020 Phishing By Industry Benchmarking Report that nearly 38% of users who don’t undergo cyber awareness training fail phishing tests. Knowing that only 1 in 5 organisations perform these tests monthly, there is a lot of ground to cover still.

What are these other terms that I see floating around?

Spear phishing

With term the general activity of the attacker gathering specific data about you or your company and aiming to utilize that specifically for your case. 90% of all phishing attacks work this way. The more specific the targeting, the higher the succes rate of the phishing attempt.

This is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous.

They obtain these pieces of information off stolen or publicly available locations. Check for yourself by googling your own name:

Clone phishing

With clone phishing the attacker creates an identical copy of an email that they know or suspect to come from a legitimate source and change the links or attached files to trick the victim. Opening these links the will infect your computer or take you to a malicious website. See ‘Website forgery scam’.

Social engineering

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information.Wikipedia

Social engineering happens because of our human instinct of trust. Cybercriminals have learned that a carefully worded email, voicemail, or text message can convince people to transfer money, provide confidential information, or download a file that installs malware on the company network. They do so by utilising any or a combination of the following human behaviours:

• Fear
• Greed
• Curiosity
• Helpfullness
• Urgency

There are 4 main attack vectors:

• Vishing - Social engineering techniques over a phone or voice messaging system (audio notes or phone) to gain access to your personal or financial information.
• Phishing - Social engineering techniques over email to gain access to your personal or financial information.
• Smishing - Social engineering techniques over a text messaging system (texts or whatsapp) to gain access to your personal or financial information.
• Impersonation - Pretending or impersonating somebody to physically gain access to a system or building.

Baiting

Baiting is a ‘false promise’. It involves offering something in exchange for login information or private data. The ‘Bait’ can be anything. A free download, a discount code, a free sample or sensitive or valuable information. If you download the bait malicious software in the form of spyware, malware, randsomeware is installed on your computer. This will allow the hacker to get to their target.

The bait can also be something physical. For example a ‘left or forgotten’ USB thumb drive. Attackers will make it look as authentic as possible so the chances of you recognizing it are slim. Instead, focus on the rules for phishing: ‘Did you request this?’ If the answer is ‘No’. Then it’s probably wise not to trust the device.

Pretexting

Also known as impersonation. Essentially the physical form of phishing. Pretexting is when a hacker tries to create a relationship with the target by impersonating somebody else. The intent of this attack is to gain access to sensitive information or funds.

This form of attack is highly effective as the trust bond between the target and the person being impersonated is already there. For this reason your guard is already very low and you do not expect the attack.

Scareware

As the name already gives away, this attack is focussed around scarring its victims to motivate them to perform a specific action. We all know the pop-ups that appear on some websites or in emails with messages like ‘Your computer may be infected with harmful spyware’. These messages are always fake so don’t bother interacting with them

Examples

Google has a nice repository of scams that are associated with them on this page:https://support.google.com/faqs/answer/2952493?hl=en

The university of Berkely has an excellent repository of phishing examples. Feel free to look through them below and check if you would have spotted that it’s malicious.https://security.berkeley.edu/resources/phish-tank