Phishing

What is phishing?

Phishing is a type of social engineering attack that aims to exploit the naivety and/or gullibility of legitimate system users.

This type of attack earned its name because, like its homophone "fishing," it uses bait. In a phishing attack, bait often appears as a compelling email. Attackers go to great lengths to ensure that phishing emails appear as legitimate as possible. These emails most commonly direct target recipients to an attacker-controlled website that delivers malware or intercepts user credentials.

Are there different types of phishing attacks?

There are two primary types of phishing attacks.

Standard phishing attacks. This method targets a large number of individuals and counts on one or more victims. The attacker understands that this approach is scattershot. However, that isn’t of much consequence since the attacker only needs one successful victim to gain a foothold.

These phishing scams target a wide audience with general bait.

Example of a standard phishing attack

  1. An attacker sends a mass email to employees posing as a member of the IT department.
  2. The email is a notification for recipients to take the mandatory annual online IT security training module—however, the training module is attacker controlled.
  3. During the course, the victim user is directed to enter their employee credentials which are then delivered directly to the attacker.

A mass distribution is also a double-edged sword. The potential for luring in at least one victim is higher with a larger distribution. At the same time, the likelihood of gaining the attention of the organization’s real IT or security teams is also higher.

Spear phishing. A more targeted phishing attack is known as spear phishing. It requires more time and effort on behalf of the attacker since it targets fewer individuals through a carefully manipulated email. It’s also common for the attacker to spend time building trust with the target before directing them to take malicious actions. This type of attack is more commonly used to place malware on an internal network.

Example of a spear phishing attack

  1. An attacker becomes aware of a sensitive internal project at a target organization.
  2. The attacker spoofs the original sender's email address.
  3. The attacker sends out an otherwise innocuous email to the limited recipient list with the subject line, "Minutes from the last meeting" or "Action Items."
  4. The recipients see what looks to be a legitimate email about a recent meeting regarding the project. Because there is there's an implicit trust, they are much more likely to open the attachment.

Such spear phishing campaigns have been used to gain access to internal networks used by high-level executives in an organization who are authorized to access more sensitive information. The result is the same as a general phishing operation, except the compromise occurs much deeper within the organization. Spear phishing aims to extract specific information or gain specific access to an internal network.

What damage can phishing attacks cause to an organization?

Phishing bypasses technical security factors by exploiting the human component. This attack method has the potential to render technical security controls useless. Spear phishing attacks may allow attackers to gain a foothold into the organization’s systems—all while the organization remains unaware.

Phishing attacks deliver malware that allows attackers to control a victim’s machine. This allows an otherwise external adversary remote access to the internal network.

Phishing attacks also often provide attackers with users’ credentials. These credentials can provide access to restricted systems or data. Privileged access from compromised computers, or credentials to an organization’s systems, allow attackers to bypass many technical security controls. This may also allow attackers to pivot and escalate their access to other systems and data. Ultimately, phishing can result in the complete compromise of an organization. This could include customer and employee data theft, source code leaks, website defacing, etc.

How can organizations prevent phishing attacks?

The degree to which an organization holds up against phishing attacks is a measure of the firm’s security posture. Ideally, spam filters (or another form of intrusion detection system (IDS) block illegitimate emails; anti-virus software blocks malware; or, at the very least, the outbound firewall blocks communication with the attacker.

In the event that these measures fail (or are non-existent), properly configured domains and user accounts greatly reduce the extent to which an attacker can penetrate an organization. Since phishing targets the human component, social engineering awareness training should be a company-wide requirement.

There is no one-size-fits-all solution for phishing attacks. An organization must tailor their defense mechanisms for their unique business needs. To identify the areas requiring improvement, many firms start with a red team security assessment. A red team assessment mimics a realistic attack scenario leveraging social engineering techniques such as phishing. Upon completion, assessors can prescribe tailored mitigation techniques to strengthen the organization’s security posture.

Are you sure your network, physical, and social attack surfaces are secure?