Who doesn’t love a good fishing trip? Go ahead, picture the scene: it’s just you, some cold ones and your boat, sailing along in the middle of a placid silver-blue lake. But wait! What’s that grabbing hold of your line, tugging as if it’s the master and you’re the one getting caught? Well, guess what? When it comes to phishing, you’re the one being reeled in.
A Brief History of Phishing
Phishing is any attempt to collect sensitive information via misleading and or malicious emails or websites and isn’t a new phenomenon – it’s a threat that’s been making rounds and evolving since the mid 1990’s. Starting out life back in the heyday of AOL, the technique was developed by a bunch of technically-inclined criminals who recognized the unique opportunities they were presented with by the emergence of this flashy new invention: The internet. (Disclaimer: The internet wasn’t actually all that “new” by 1995, but around that time frame is when it became popular among even non-techies.)
Crime and/or scamming people are hardly new concepts; But paired with the power of the internet, they create one heck of a powerful punch. A group of hackers known collectively as “warez” was exploring the idea of creating randomized credit card numbers to be used to open AOL accounts. Eventually, AOL caught on to the rouse and suspended all users with whom they could associate the fraudulent credit cards. Sensing it was time to go bold, the group created an AOL hacking tool called AOHell, which allowed hackers to pose as legitimate AOL representatives over Instant Message. The “representative” would then tell the potential victim that AOL needed to verify the account, in an attempt to coax password and credentials out of them.
As the internet has evolved, so have the tactics, and moreover so have the stakes. Today, when we talk about the current phishing epidemic, it’s true that we may be talking about the troves of badly spelled, almost funny emails that go straight to your Spam folder. Surely, you’re far too savvy to fall for emails from stores and/or people that clearly don’t exist. You’re on guard when it comes to clicking links (because we have told you Oh. So. Many. Times!). You hopefully even have some sort of understanding that phishing attempts can come via your favorite social media platforms, like those Facebook posts kindly requesting that you fill out surveys in exchange for free stuff.
In this model, many, maybe even millions, of emails are sent at a time to email addresses that hackers have scraped with specialized tools. The return is low, because most people know how to spot these baddies a mile away. The investment is equally low, but even if a just small proportion of potential victims fall for the rouse, the hacker turns a nice little profit.
But phishing can get much worse and way more personal. This is called spear phishing.
Think of phishing like a tuna fisher’s net; many fish may swim into the net, but more wriggle their slippery way out than those who meet their untimely end on a dinner plate, next to a main of mac n’ cheese. Spear phishing, on the other hand, is like a harpoon, one long and deadly instrument, zeroed-in on one unfortunate target.
When it comes to spear phishing, personalization is the name of the game. The less generic, more tailor-made the ploy, the higher the chances are that the attack will succeed. Spear phishing a much higher stakes game than regular ‘ol phishing.
Whereas phishing requires little more than someone who has an email address scraping tool and less than stellar writing skills to craft a few email scripts, a huge amount of effort goes into creating a convincing spear phishing attack. Attackers might spend months crafting their ploy; First, they’ll scope out corporate social media accounts, company websites and blogs, studying them to learn the intricate workings of the company hierarchy. They will learn who works in which department, who the influencers are, and the company values. They might even learn which third-party companies their target deals with and the type of vendors that would typically solicit them.
With this information, they craft highly convincing emails that appear as if they have come from a trusted source, like another company looking to do business with them, or the company bank or something along those lines. This was the method used by hackers who infiltrated famed security giant RSA in 2011, JPMorgan Chase in 2014 and perhaps most notably of all, the DNC in 2016.
The hacking of John Podesta’s DNC email account reads something like a comedy of errors. Naturally, the campaign was facing a constant barrage of phishing emails. They knew which ones to watch out for until an utterly-well crafted one came, throwing his poor aide for a loop. The email warned of the many attempts to access Podesta’s account and instructed him to change his password immediately using the link in the email. Spooked, his aide sent the email to the campaign IT staff to inquire about its validity. The IT personnel told her it was “legitimate” and to “change his password immediately”. What he meant was that it was IL-legitimate and he should reset his password directly with Google. That’s not what the aide heard though; The aide took thought he meant that she should reset the password with the link in the email, which directly lead to the exposure of over 60,000 emails.
This isn’t the first time nation-state entities have used spear phishing techniques and it’s far from the last — because, as we see so clearly, spear phishing is incredibly effective and efficient.
Phishing can get Pretty Savvy, too!
But before you assume that spear phishing = really cunning, really dangerous and phishing = not so intelligent, not so bad, think again.
Just last week, a new phishing campaign was spotted and this one has all the brains and brawn of a well-executed, sharp spear.
Like the Podesta debacle, the email hoax that is hitting inboxes as we write seems to come from none other than Google. It all starts when you get an email from a friend that has a file attached to it. The email’s subject and the name of the attached file are the same as the a subject and attachment you once sent, which makes it seem as if your friend is replying to your email (albeit most likely belatedly).
What you don’t yet know is that your friend also got a similar email, one that used the subject line and attachment name of an email that he or she had recently sent. Your friend took the bait and opened the attachment and that’s when the malware began its crooked job of collecting email addresses, email subjects and attachment names from his or her sent emails.
Back to you. You’re thinking this email is from your bud, so you open the attachment. This in turn, opens a new web page, a picture-perfect copy of the Gmail login page. The crafty hackers have even worked out the URL so that it perfectly mimics Gmail’s URL. They do this by inserting the real Gmail URL into a different URL and applying lots and lots of padding around the URL, so all that you see is the Gmail part of it which obscures the rest of the evilness.
When you click the link, it gives hackers access to your account and everything therein. Then it sends that same email with subject lines that have been lifted straight out of your “sent” folder to all your contacts. The impressive tactics are so well-designed and executed that even tech-savvy types have been falling for the ploy.
Protecting Yourself from Phishing
To steer clear of the smart variety of phishing/spear phishing attempts, there are a few things you can do:
- Employ multi-factor authentication: This will keep hackers from accessing your data even if they have bypassed the password.
- Think like a hacker: With every questionable email, think “is there a chance this can be malicious?” Any time you answer yes, hit “delete”.
- Learn their methods: Education is the number one way to keep safe from getting reeled in, so read as much as you can and learn what’s out there and what’s trending in phishing techniques.
- Silence social media: One of the best tools hackers have with which to collect data on you are your social media profiles. Once they know where you live, what you do for a living and other details, they have all they need to create a perfect attack email.
- Check out URLs and look for padlocks: True, this tip wouldn’t have kept you from getting hit with the Gmail tactic above, but in most cases, the URL and the HTTPS and padlock will indicate if a website is legitimate or not.
- Implement a reliable security program: A solid security program like RCS will keep nasty malware off your computer and out of your devices.
- Keep away from shady links: There you go, we said it again. Maybe this time people will listen.
The phishing/spear phishing epidemic isn’t going away anytime soon. The more you know about the tactics, the better prepared you’ll be to stand up to them.