Spear phishing: analyzing attack methods and ways to protect against them

Phishing is a type of online fraud that relies on social engineering. It is an email, call, SMS or message in a messenger or social network that tries to trick the user into handing over confidential data, downloading a malicious file or transferring money. To do this, the sender poses as someone else, from whom such a request raises less suspicion.

Spear phishing is a subset of phishing aimed at a narrower circle of people: an organization, a group of its employees or an individual, depending on the attacker's intentions. The message received in this case is crafted specifically for that limited circle. During such an attack, an attacker could try:

Differences between phishing and spear phishing

  1. Target selection. Phishing works on the principle of "spray and pray": a prepared message is sent to a large number of people in the hope that at least one of them can be fooled. Spear phishing is a targeted attack. Its target is a specific company, specific employees or a specific person, so the message is sent only to them.
  2. The skill level of the attacker. Phishing requires fewer skills and is designed from the outset for a large number of failures. Spear phishing, being a targeted attack, is more complex, uses more advanced techniques and requires more preliminary preparation.
  3. Ease of detection. It follows from the previous point that spear phishing is harder to detect than regular phishing.
  4. The purpose of the attack. In either attack the attacker may seek to obtain logins, passwords or other data, but phishing aims at a quick gain, for example money. An attacker in this case is unlikely to be interested in getting ten mailbox accounts of unknown people. With spear phishing, even if the goal is an email password, this is a meaningful step: perhaps the attacker knows that valuable information is stored in that mailbox, or perhaps this is only one stage of a multi-level attack.

How the attack unfolds

Consider the course of a spear phishing attack using an email message as an example.

First, the attacker does a lot of preliminary work to gather information about the target. This can be an email address, the names of contractors or colleagues, hobbies, recent purchases or other details that can be found on social networks: any information that can be used in the body of the letter to disarm the recipient and make them believe it is genuine.

Then, armed with all the data obtained from accessible sources, the attacker composes a phishing letter on behalf of someone the victim knows (a colleague, family member, friend, customer, etc.). The message should create a sense of urgency and convince the recipient to send personal information in a reply, enter it after clicking a link in the letter, or download malware from the letter's attachments.

In the ideal scenario for the attacker, after the letter has "worked", a backdoor is installed on the target's machine that allows the necessary information to be stolen: it is collected, encrypted and sent to the attacker.

Protection methods

Technical means of protection:

  1. Spam filter. It can be installed on the mail server. Some phishing emails can be identified by their content. However, if you try to filter out all unwanted emails this way, there is a high probability of false positives, since phishing emails (especially in spear phishing) mimic legitimate messages.
  2. Checking the sender addresses of the letter. The sender shown in the letter and the actual sender in the headers may not match. The filter can also check, for example, whether the sender's domain resembles the company's domain but is spelled slightly differently.
  3. Scanning attachments for viruses and in a sandbox. Before the recipient receives a letter with an executable attachment, it is checked by antivirus or run in a sandbox.
  4. Blocking letters that contain links or executable attachments. A harsher variant of the previous point, but one that is actually used in some places and protects against some attack vectors.

No matter what technical protection measures are taken, an unwanted letter can still end up in the mailbox. Therefore, it is worth paying attention to suspicious features of letters:

  1. Sender.
    • This is someone you do not usually communicate with.
    • You are not personally acquainted with the sender and none of the people you trust has vouched for them.
    • You have no business relationship with the sender and have never corresponded before.
    • The letter comes from someone outside the company and is unrelated to your job responsibilities.
    • You know the sender, but the letter is written in a manner very unusual for this person.
    • The sender's domain is misspelled (for example, sbrebank.ru).

  2. Recipients.
    • Besides you, the letter has other recipients, but none of them are familiar to you.

  3. Links.
    • When you hover the mouse over the link in the letter, it becomes clear that the address it actually leads to is completely different.
    • The letter contains nothing besides the link.
    • The link contains an address similar to that of a well-known site, but with a misspelling.

  4. Date received.
    • The email was received at an unusual time. For example, it concerns work but was sent late at night, outside working hours.

  5. Subject.
    • The subject of the letter does not match its text.
    • The subject is marked as a reply to a letter you never actually sent.

  6. Attachments.
    • The sender attached a file you did not expect (you do not usually receive this type of attachment from this person) or one that has nothing to do with the text of the message.
    • An attachment has a potentially dangerous extension. The only safe file type is .txt.

  7. Content of the letter.
    • The sender asks you to follow a link or open an attachment in order to avoid negative consequences or, on the contrary, to receive something valuable.
    • The text looks unusual or contains many errors.
    • The sender asks you to follow a link or open an attachment that seems strange or illogical.
    • The sender asks you to send confidential data by email or SMS.

Obviously, it is not enough to know and follow these rules yourself. This information must also be conveyed to other people in the company: it is much easier to resist an attack when you know it can happen. It is important to train employees and tell them about phishing attacks. It may also be useful to conduct social engineering testing from time to time to make sure the information has been absorbed.

Summary

Social engineering attacks are the hardest to resist, since a person becomes the last line of defense. An attacker may also be aware of all the technical protection methods and may find a way around them. However, awareness and following simple rules greatly reduce the risk of a successful attack.

Want to make sure your systems are well protected? Or interested in how to get this information across to employees? Contact us: we will be happy to carry out sociotechnical testing or help with training and talk about such attacks.
