In this article, we are starting our new short course on Phishing. In our last articles, we explored the art of human hacking – social engineering. In Part 2, we touched briefly on the concept of Phishing. Phishing is one of the most used attack vectors out there. In this short post, we will discuss some of the concepts and types of Phishing, and in later lessons, we will go deep into phishing techniques, tools and procedures. So, let’s get started.
What is Phishing?
Phishing is the practice of sending an illegitimate email claiming to be from a legitimate site in an attempt to acquire a user’s personal or account information. Phishing emails and pop-ups redirect users to fake web pages that mimic trustworthy sites, which ask them to submit their personal information.
Types of Phishing
- Spear phishing – Spear Phishing is a targeted phishing attack aimed at specific individuals within an organization. Attackers use spear phishing to send a message with specialized social-engineering content directed at a specific person or group of people.
Ex – Attackers craft a specialized email attaching a malicious Word document, which is then sent to key people in the organization such as system administrators, engineers, accounts staff, etc. The target sees a seemingly legitimate email, apparently from HR, mentioning a salary bonus in the attached document. The user gets curious and clicks on the malicious document, triggering a PowerShell command that runs in the background and pulls an extra payload from a malicious website, resulting in full system compromise. We have seen a number of spear phishing attacks in the wild done by some nefarious state actors from Russia, China, and North Korea.
- Whaling – Whaling is a phishing attack in which the attackers target high-profile executives like CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly valuable information. It is much like a spear-phishing attack; however, in this case, the attackers go for the “Whale” in the organization, because if you compromise the top people of the company, you can manipulate the most important decisions and workflows of the company.
Ex – Crafting a specialized spoofed email that appears to come from one of the third-party clients, or that carries an anticipated important report which a CEO, CFO, or CTO is expecting from one of their employees, results in a definite click on that malicious document.
- Pharming – Pharming is also known as “Phishing without a lure”. This attack is a little more sophisticated: the attacker first gets hold of the system, either by using spear phishing techniques or some known exploits, and then redirects the victim’s web traffic to a fraudulent website using techniques like DNS cache poisoning or hosts file modification.
- Spimming – Spimming is a variant of spamming that exploits instant messaging platforms to flood spam across the networks. Attackers use bots to harvest instant message IDs and spread spam.
Ex – An attacker can write a Python script that scrapes user IDs from the source code of social media platforms and then sends a specialized spam message to every user ID he/she gets, resulting in malicious advertisements and more victims on the attacker’s hit list.
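As an added, defender-side example that is not part of this course's material: a small Python script that parses a hosts file and flags entries overriding domains on an assumed watchlist, the kind of local modification the pharming description above relies on. The sample hosts content and the watchlist are constructed for the demonstration.

```python
import ipaddress

# Constructed sample hosts file content (not taken from a real system).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.1   dev.internal.test          # developer override, unrelated to watchlist
0.0.0.0     update.example.com         # watched domain sinkholed locally
203.0.113.45   www.examplebank.com examplebank.com  # redirected to an outside address
bad line here
"""

# Assumed watchlist: domains whose resolution should never be overridden locally.
# Subdomains of a watched domain are also treated as watched.
WATCHLIST = {"examplebank.com", "example.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts file text, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, ignore it
        for host in fields[1:]:
            entries.append((ip, host.lower()))
    return entries


def is_watched(host, watchlist):
    """True if host equals a watched domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_pharming_overrides(text, watchlist=WATCHLIST):
    """Return (host, ip, kind) for every hosts entry touching a watched domain.
    kind is 'blocked' for loopback/unspecified targets (domain sinkholed)
    and 'redirected' for any other address (traffic sent elsewhere)."""
    findings = []
    for ip, host in parse_hosts(text):
        if is_watched(host, watchlist):
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((host, str(ip), kind))
    return findings
```

On a real machine you would feed it the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts and alert on any non-empty result.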
So, that’s it, a short introduction to Phishing. We saw what Phishing is, its types, and a few examples by way of explanation. In the later sections of this short course, we will see how attackers harvest user credentials using Phishing. Before continuing with this course, I would highly recommend the Social Engineering basics course – PART 1 & PART 2. Till then, “Happy Hacking”.