I have published 135 episodes of the Friday Phish Fry, and in the nearly three years of analyzing phishing exploits I have come to understand most of the techniques, tactics, and procedures (TTPs) used by the attackers. This article is going to explain the different approaches used in phishing.
The Email
Everything starts with the email. There are several types:
SPAM – This was the first email scourge, but compared to what follows it is pretty innocuous. SPAM (S**t presented as advertising message) uses mass emailing techniques. The goal is to get people to click through to an offer on a web page. The rewards are pay-per-click (PPC) payments and purchase commissions through marketing affiliate programs. This is still a problem, but most spam and phishing filters will successfully block these emails.
Phishing – Early on, phishing emails were sent out using the same mass mailing techniques that spammers were using, but the goals were different. The goal was to get people to supply personal information such as user IDs and passwords for different accounts, or to present a fraudulent offer. The money is made by selling the personal information, or by hijacking financial, email, and shopping accounts and purchasing high-end gear to be resold online on services such as eBay. The problem with the mass mail approach is that only a small percentage (3-4%) of recipients responded to these early phishing emails. Mass mailing still happens in phishing exploits, but it has largely been replaced by more targeted methods.
Spear-phishing – Spear-phishing is a more focused and targeted approach. Usually, an attacker will do quite a bit of research and open source intelligence gathering (OSINT). Some will even engage in social-engineering phone calls using pretexting and other techniques to extract useful information about the company and its structure, network security, and key personnel.
With that information in hand, a limited number of phishing emails are sent to specific employees, usually to get their user credentials. One of the best outcomes for an attacker is to get email account credentials that can be used in business email compromise (BEC) or email account hijacking exploits. These can involve follow-up emails asking for financial transactions, wire transfers, and payment of bogus invoices. The rewards can be considerable, with BEC and wire transfer transactions running into the millions.
Whaling – Whaling is going after the biggest phish, like the CEO or CFO, or small business owners. (I know whales are mammals, not fish, but nevertheless…) The goal here is basically the same as spear-phishing, but the attacker is going after a bigger target. Perhaps the spear-phishing gathered information that will be useful in a whaling attack. The bigger the target, the better the payout can be. Senior executives generally know the least about computers, skip the cybersecurity training that their IT/IS departments offer, and can be much easier to trick.
Destinations
A phishing email will usually contain a convincing story of some sort, a call to action, and often a stated or implied penalty for failing to respond or participate. The calls to action are typically:
Click on a link or button – This will usually direct you to some sort of web-based landing page.
Open a document attachment – Sometimes the document is a fake invoice that you are asked to pay, or it is the fake replica login screen of a familiar web service such as Microsoft 365, your email account, or social network account. Document attachments are a great way to deliver malware, open a back door on your system, and eventually become part of a botnet.
Call a telephone support or customer service number – Often, especially with fake invoicing schemes, there is a telephone number provided to dispute the sale. Of course, once you call them, they will need your credit card information to “refund” the purchase.
Landing Pages
One of the common destinations if you respond to a phishing email will be some sort of web page, what is called a “landing page” in marketing. These are HTML landing pages, and they can be hosted in a number of different ways. You can sort out the method by looking at the URL or web address in the address bar of your web browser.
Hijacked web sites – Sometimes landing pages will be hosted on the website of another victim, the owner of the website. Unless your website is monitored regularly, you will not even know it happened. The URL will be appropriate for the hijacked domain and website. WordFence Security has a whitepaper that explains the economics behind hijacked websites entitled How Much is Your Hacked Site Worth?
Publicly available resources – Sometimes the links will take you to someplace familiar such as Google Docs, Dropbox, or other publicly available hosting services. Often your link will redirect you to the final destination. Again, the pages presented will typically be a login page or a fraudulent invoice. The URL will be that of a familiar web services provider.
Self-hosted on your own computer – Many of the exploits I receive contain an HTML file attachment that, when opened, creates a web page hosted on your own computer. The web page is usually a login screen used to get you to enter your credentials, which are promptly sent to the attacker. The URL in the address bar will refer to a file on the C drive of your computer, usually in a temporary folder.
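The three hosting methods above can be told apart from the URL in the address bar. The following triage helper is an added example (not code from the article or the author) that sorts a landing-page URL into those categories for an analyst; the hostnames, redirect parameter names and sample URLs are assumptions, and `brand` is the service the page claims to be.

```python
from urllib.parse import urlparse, parse_qs
import re

# Hosting services the article names (Google Docs, Dropbox); assumed hostnames.
PUBLIC_HOSTS = {"docs.google.com", "drive.google.com", "dropbox.com"}

# Query-string keys that often carry a redirect target (assumed, not exhaustive).
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "target", "u"}


def _host_in(host, known):
    return any(host == k or host.endswith("." + k) for k in known)


def classify_landing_page(url, brand=None):
    """Sort a landing-page URL into the hosting methods the article describes.

    Returns (category, details). `brand` is the service the page impersonates
    (e.g. "microsoft"); an unrelated host is the hijacked-website pattern.
    """
    p = urlparse(url.strip())
    scheme = p.scheme.lower()
    if scheme == "file":
        # HTML attachment opened locally, e.g. file:///C:/Users/x/AppData/Local/Temp/a.html
        local = p.path.lstrip("/")
        drive = local[0].upper() if re.match(r"[A-Za-z]:", local) else None
        in_temp = re.search(r"(?i)[\\/]temp[\\/]", local) is not None
        return ("self-hosted-attachment",
                {"drive": drive, "in_temp_folder": in_temp})
    host = (p.hostname or "").lower()
    if scheme not in ("http", "https") or not host:
        return ("unknown", {"scheme": scheme})
    # Pull out a redirect target if the link bounces through another site.
    redirect = None
    for key, vals in parse_qs(p.query).items():
        if key.lower() in REDIRECT_PARAMS and vals:
            redirect = vals[0]
            break
    if _host_in(host, PUBLIC_HOSTS):
        return ("public-hosting", {"host": host, "redirect_to": redirect})
    # Neither local nor a known hosting service: some other domain. If it has
    # nothing to do with the impersonated brand, treat it as a hijacked site.
    if brand is None:
        category = "other-domain"
    elif brand.lower() in host:
        category = "brand-domain"
    else:
        category = "likely-hijacked-site"
    return (category, {"host": host, "redirect_to": redirect})
```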
If you are looking for representative samples of these sorts of exploits, many can be found on this website. Search “Friday Phish Fry” or some of the keyword terms used in this article. Many exploits use two or more of these methods together, and some take a while to put together and execute. Phishing simulation testing is perhaps the best way to train your employees to be more resistant to these types of approaches.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com