Sunday, July 8, 2018

Phishing Attacks

Phishing is the most prevalent means of initial attack for malware campaigns. It combines technical and social engineering techniques to get victims to infect themselves: by interacting with a phishing e-mail they start the process that lets the malware run. Often this means enabling macros in Microsoft Office documents (Aleroud & Zhou, 2017). These documents then invoke code (JavaScript, VBA, PowerShell, etc.) to further infect the system and gain a foothold (Aleroud & Zhou, 2017).

Before looking at phishing messages, a brief look at the server and client sides involved in e-mail communication is necessary. An e-mail starts off being created in a computer's mail program (Outlook, Mail, G-mail, Hotmail, etc.) and is sent to the sender's mail server (Chiew, Yong, & Tan, 2018). That server then sends the message through the network (the internet) to the recipient's mail server. The receiver's e-mail server pushes the message to the client's endpoint for viewing in its e-mail program (see Figure 1) (James, 2005).


Figure 1: E-mail pathway

Phishing e-mails come in different types for similar but distinct purposes. The table below defines the most common types of phishing (James, 2005).

Some Types of Phishing:

Phishing/Spam
Traditional malicious e-mail for a campaign that uses the "spray and pray" methodology, which is to send the phish to as many people as possible.

Spear Phishing
Unlike the traditional phishing e-mail, spear phishing targets specific individuals. While this requires more research on the attacker's part, it comes across as more believable and increases the chance of success.

Vishing (Voice Phishing)
In vishing the attacker uses social engineering to get the victim to dial a number where the attacker tries to gather credit card information. This technique uses spoofed caller ID.

Smishing (SMS Phishing)
The smishing attack is conducted by sending a link through SMS to a spoofed website.

Phishing can be used to commit crimes against unaware victims; these crimes usually involve some type of credential theft to take over accounts or identities. Some examples of crimes committed by these malicious actors using e-mail are (James, 2005):

Identity Theft
All phishing attacks are a type of identity theft. However, some are specific, like the ones listed in this table, while other criminals use identity theft for other types of crimes. These attacks try to get the victim to hand over their personally identifiable information.

Credit Card Scams
These scams try to get the victim to input or give away their credit card account information. These attacks are similar to bank fraud.

Bank Fraud
Malicious actors use phishing to infect the victim with a Banking Trojan that steals account credentials, which gives them full access to the victim's account.

Account Takeover
It's not just financial institutions being affected. Other industries and types of accounts are also under attack. These include

Not every crime is confined to what happens when a phishing message reaches a victim. Some crimes use phishing as one step in a larger operation. Some examples of crimes committed by these malicious actors using e-mail are (Chiew, Yong, & Tan, 2018):

Espionage
Espionage is often conducted by getting a foothold into a network and then using other hacking techniques to move laterally, gaining more access. This is usually conducted by one nation state against another, but it could be corporate espionage, where one corporation spies on another for competitive advantage.

Stealing Intellectual Property
Like espionage, stealing intellectual property is conducted through numerous attack vectors, one of which is phishing. While espionage aims to gain information, stealing of intellectual property can also be outright theft. The perpetrators can be criminal organizations, corporations or nation state actors.

Use of phishing as a pivot point
Using phishing to gain a foothold or build trust with a victim as a jumping-off point to gain further access, either in the virtual or the physical world. Usually the goal is to steal something that can be sold for profit.

Cryptomining
Using phishing to gain a foothold into a network in order to access servers or other computing resources to mine cryptocurrencies.

Brief analysis of e-mail spoofing

Most phishing incorporates spoofing of e-mail addresses, websites or both (Chiew, Yong, & Tan, 2018). A recent campaign assessed as being perpetrated from Russia first sent the victim spoofed e-mails with a malicious PDF attachment (see Attempt 1 below). When that didn't work, the malicious actor sent a spoofed Microsoft Office 365 message (see Attempt 2 below) to try to get the victim to click on a malicious link. Since these were back to back, this campaign is assessed as targeted, especially since the indicators of compromise are associated with Russian state actors and the messages were targeting U.S. defense contractors.



Below are common tools and countermeasures used to investigate a cybercrime that involves e-mail communication or is committed by sending e-mails, and to determine whether an e-mail is malicious (Aleroud & Zhou, 2017).

User Training
Users are the first line of defense and sometimes the last. The best way to defend against phishing is educated users.

Honeypots
Security devices that capture information about attacker tactics, techniques and procedures. This allows researchers to analyze current attack methodologies.

Profile Matching
Countermeasures using profile matching take information such as URLs and domain names, together with their credentials and characteristics, to build a feature-based profile. This profile is then matched against known bad profiles.

Ontology
An ontology is a model of concepts and the semantic associations among those concepts. New terms, phrases or expressions found in phishing can be modeled as concepts, which allows better detection of sophisticated phishing that bypasses traditional anti-phishing techniques.

As previously stated, the best way to defend against phishing is user training (Jensen, Dinger, Wright, & Thatcher, 2017). Users are the weakest link and the first line of defense against phishing attacks. Training users to understand e-mail spoofing, which includes how to look up header information and decipher it, is a good first step (Jensen, Dinger, Wright, & Thatcher, 2017). There are plenty of resources to accomplish this.

Knowing how to read an e-mail header is also useful (see the table below for the parts of a header and their definitions) (Jensen, Dinger, Wright, & Thatcher, 2017). Knowing where to look may give the receiver the information needed to confirm that an e-mail is malicious.

Derived from:  https://mediatemple.net/community/products/dv/204643950/understanding-an-email-header 
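Reading a header in practice, as an added example that is not part of the original post: the script below parses a constructed raw message (every address, host and IP in it is made up) and pulls out the fields a trained user checks, namely whether the Return-Path and Reply-To domains match the visible From domain, what the SPF/DKIM results say, and which relay first handled the message.

```python
# Added example, not from the original post. RAW_EMAIL is constructed; all
# addresses, hosts and IPs in it are made up for illustration.
from email import message_from_string
from email.utils import parseaddr

RAW_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.5])
  by mail.victim.example (Postfix) with ESMTPS id ABC123
  for <user@victim.example>; Mon, 2 Jul 2018 09:00:00 -0400
Received: from unknown (HELO bigbank.example) (198.51.100.7)
  by mx.example.org with SMTP; Mon, 2 Jul 2018 08:59:55 -0400
Authentication-Results: mail.victim.example;
  spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "BigBank Security" <alerts@bigbank.example>
Reply-To: <verify-account@mailer.example.net>
To: user@victim.example
Subject: Action required: verify your account

Please verify your account within 24 hours.
"""


def domain_of(header_value):
    """Lower-cased domain of an address header such as From or Reply-To ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def originating_hop(raw):
    """Each relay prepends a Received header, so the last one is the first hop."""
    hops = message_from_string(raw).get_all("Received") or []
    return " ".join(hops[-1].split()) if hops else ""


def spoofing_indicators(raw):
    """Mismatches between the visible From and the rest of the header, plus auth results."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg["From"])
    for field in ("Return-Path", "Reply-To"):
        domain = domain_of(msg.get(field))
        if domain and domain != from_domain:
            findings.append(f"{field} domain {domain} differs from From domain {from_domain}")
    auth = " ".join((msg.get("Authentication-Results") or "").split()).lower()
    if "spf=pass" not in auth:
        findings.append("SPF did not pass for the envelope sender")
    if "dkim=pass" not in auth:
        findings.append("no passing DKIM signature")
    return findings
```

On the sample above the function reports all four indicators, and the first hop is the host that claimed to be bigbank.example while connecting from an unrelated address.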

Training users to hover over links to see where a link actually points is also a good practice and an easy way to pick up on the deception (see example below).

There are numerous laws that outlaw phishing activity. Two of these, the Anti-Phishing Act of 2005 and 18 U.S.C. Section 1028, are used in the U.S. to deter this activity and fight cybercrime.

Anti-Phishing Act of 2005 (congress.gov)
On February 28, 2005, the Anti-Phishing Act of 2005 was introduced. As reported on the Congress.gov website, the act amends the federal criminal code to criminalize internet scams that fraudulently obtain personally identifiable information (PII). The summary on the congress.gov website states:
This act imposes a fine or imprisonment for up to five years, or both, on anyone who knowingly engages in any fraud activity or identity theft under Federal or State law. This is defined as someone who:
  1. Creates or procures the creation of a spoofed website or domain name.
  2. Uses that website or domain name to steal credentials from any person.
This Act also imposes a fine or imprisonment for up to five years, or both, on anyone who, knowingly engaging in fraud or identity theft under Federal or State law, sends a phishing message that:
  1. Falsely represents itself as a legitimate business.
  2. Includes an Internet location or link that directs users to an online location that falsely purports to be associated with a legitimate business.
  3. Solicits means of identification from victims.

18 U.S.C. Section 1028

Passed as part of the Identity Theft and Assumption Deterrence Act in 1998, it made identity theft a federal crime. However, this requires a predicate offense: there has to be another crime, and in committing that crime the offender also commits identity theft. Under this Act, a person is guilty if he/she knowingly transfers, possesses or uses, without authority (permission), any means of identification of another person with intent to commit unlawful acts.


Academic References

Aleroud, A., & Zhou, L. (2017). Phishing environments, techniques, and countermeasures: A survey. Computers & Security, 160-196.
Chiew, K. L., Yong, K. S., & Tan, C. L. (2018). A survey of phishing attacks: Their types, vectors and technical approaches. Expert Systems With Applications, 1-20.
James, L. (2005). Phishing Exposed. Rockland, MA: Syngress Publishing, Inc.
Jensen, M. L., Dinger, M., Wright, R. T., & Thatcher, J. B. (2017). Training to Mitigate Phishing Attacks Using Mindfulness Techniques. Journal of Management Information Systems, 597-626.