Published : 5 September, 2018 | Last Modified : 9 July, 2021 | Phishing
Phishing has been one of the fastest-evolving techniques in hacking history. New types of phishing attacks spread across the internet in a flash. Here is how it evolved.
America Online (AOL) flagged the concept of phishing in the early 1990s.
Once matched, the phishers accessed this data to manipulate it.
By the time AOL caught up to the scam – after 1995 – phishers had already moved to newer technologies.
The next generation phishers were more advanced and tech-savvy.
Initially, the emails were poorly constructed – with a lot of grammatical errors – but in the year 2003, an idea changed the phishing world.
With those domains, they sent out sophisticated direct emails.
In the same year, PayPal users received phishing emails asking them to verify their credentials; those who complied had their accounts compromised.
Over time, scammers have devised new types of phishing for launching attacks. This article gives you a complete overview of the various types of phishing attacks.
Phishing is a cybercrime in which scammers send a malicious email to one person, or to large numbers of users in an organization, while impersonating a known individual, a business partner, or a service provider.
Phishing: “fishing” with the “f” replaced by “ph”, a nod to the term for an earlier generation of hackers, the “phreaks”.
These emails are carefully crafted so that you open them without suspicion.
These attacks open the door for attackers to get into your systems and access confidential data such as bank account details, credit card numbers, social security numbers, and passwords.
Once the information is obtained, the phishers quickly use it themselves or sell it to others who misuse it.
Sometimes phishing results not only in loss of information but also in malware being installed on the victim’s computer or phone.
Once a device is infected, the phishers can control it and use it to send emails and messages to the victim’s contacts, spreading the attack further.
Based on the phishing channel, the types of phishing attacks can be classified into the following categories:
Vishing refers to phishing done over phone calls. Since voice is used for this type of phishing, it is called vishing → voice + phishing = vishing.
Given how easy it is to gather large amounts of personal data from social networks, it is no surprise that phishers can speak confidently over a call in the name of friends, relatives, or a familiar brand without raising any suspicion.
SMS phishing, or SMiShing, is one of the easiest types of phishing attacks to carry out.
The user is targeted with SMS alerts.
In SMiShing, users may receive a fake direct message or fake order details with a cancellation link.
The link actually leads to a fake page designed to harvest personal details.
Search engine phishing refers to creating a fake web page optimized for specific keywords and waiting for searchers to land on it.
Once a searcher clicks the link in the results, they will not realise they have been hooked until it is too late.
Unlike traditional phishing, which involves sending emails to millions of unknown users, spear phishing is targeted: the emails are carefully designed for a particular user.
These attacks carry a greater risk because phishers research the user and their organization thoroughly beforehand, through social media profiles and the company website.
Whaling is not very different from spear phishing, but the targeted group is narrower and more specific.
This technique targets C-suite positions such as CEO, CFO, and COO, or other senior management roles: the people who hold the most valuable information in an organization, known as “whales” in phishing terms.
Technology, banking, and healthcare are the most targeted sectors for phishing attacks. This is because of two main factors: a huge number of users and higher dependency on data.
1. Create multiple levels of defense for your email network.
2. Most phishing attacks succeed only when a targeted victim clicks a link or opens an attachment. Hence, creating awareness and educating employees and other users about the types of phishing attacks they may face is the best way to prevent phishing attacks.
Isn’t it shocking?
We assume that the domains and websites we interact with are safe, but attackers trick us with different types of phishing attacks that rely on look-alike domains and cloned websites.
Scammers use social engineering to learn the online behavior and preferences of the potential victim.
This helps them craft a sophisticated, convincing attack.
Email spoofing, forging the sender information so that a message appears to come from a trusted source, is one of the easiest ways to get data from users without their knowledge.
It can be done in different ways:
Here is an example.
The call to action in the email is to click the link and log in to view the document.
Just by seeing the company’s name and the urgency of action, some users may click on the link.
Compared to other types of phishing attacks, email spoofing is focused and well structured; the attacker works out:
“Whom to target? What should the content be? And which action has the highest probability of conversion?”
An email crafted around these answers has a much higher chance of being opened and acted on.
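The spoofing indicators a mail gateway or analyst looks for can be checked directly in the headers. The following is an added example, not code from the original article: it parses a constructed spoofed message and a constructed clean one and flags a display name that names a brand or embeds another address, and Reply-To or Return-Path domains that differ from the visible sender. The domains (secure-login.example, wf-verify.example), the messages, and the BRAND_DOMAINS watch list are all assumptions made for illustration.

```python
"""Flag common email-spoofing indicators in a message's headers.

Added example, not code from the original article. The two sample messages
and the brand list are constructed for illustration.
"""
import email
from email.utils import getaddresses, parseaddr

# Constructed spoofed message: the display name names a bank and even embeds a
# bank address, but the real sending domain and Reply-To are something else.
SPOOFED_RAW = """\
Return-Path: <bounce@mail-delivery.example>
From: "Wells Fargo Online <alerts@wellsfargo.com>" <no-reply@secure-login.example>
Reply-To: support@wf-verify.example
To: victim@corp.example
Subject: Action required: view the new document
Content-Type: text/plain

Please log in to view the document.
"""

# Constructed legitimate message for comparison.
CLEAN_RAW = """\
From: "Wells Fargo Online" <alerts@wellsfargo.com>
Reply-To: alerts@wellsfargo.com
To: customer@corp.example
Subject: Your statement is ready
Content-Type: text/plain

Your statement is available in online banking.
"""

# Hypothetical watch list: brand names and the domains they legitimately send from.
BRAND_DOMAINS = {
    "wells fargo": {"wellsfargo.com"},
    "paypal": {"paypal.com"},
}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoofing_indicators(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message (empty = clean)."""
    msg = email.message_from_string(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. An address smuggled into the display name whose domain differs from the real one.
    _, embedded = parseaddr(display_name)
    embedded_domain = domain_of(embedded)
    if embedded_domain and embedded_domain != from_domain:
        findings.append(f"display name embeds {embedded} but sender domain is {from_domain}")

    # 2. A brand named in the display name that does not match the sending domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {from_domain}")

    # 3. Replies or bounces steered to a different domain than the visible sender.
    for header in ("Reply-To", "Return-Path"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr and domain_of(addr) != from_domain:
                findings.append(f"{header} goes to {domain_of(addr)}, not {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("clean", CLEAN_RAW)):
        print(label, spoofing_indicators(raw) or ["no indicators"])
```

None of these checks proves forgery on its own (mailing lists legitimately rewrite Return-Path, for instance), which is why they are reported as indicators for a reviewer rather than used as a hard block; SPF, DKIM and DMARC results on the receiving gateway are the authoritative signal and complement this header review.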
Mass phishing attacks are emails sent to a group of people with some common interest based on their brand preferences, demographics, and choices.
In mass phishing attacks, the emails sent to potential victims are clones of transactional emails like receipts, payment reminders, or gift cards.
Phishers use brands as a weapon for mass attacks because the brands have a lot of credibility among targeted victims.
In URL phishing attacks, scammers rely on the link itself, the URL of the phishing page, to lure the target onto that page.
This has a higher opening rate because:
One way to hook a person with a phishing bait is by using a hidden link. We have all received emails with the action phrase “CLICK HERE” or “DOWNLOAD NOW” or “SUBSCRIBE.”
These are hidden links: the visible text gives no hint of the destination, which makes it easier for scammers to launch phishing attacks.
In the example mentioned above, the phisher sent an email in the name of “Wells Fargo” and asked customers to check the service offers by clicking the hidden call-to-action link “Click here”, which led directly to the attacker’s page.
Another way to hide phishing links is to run them through a link-shortening service such as TinyURL, so that the shortened URL gives no clue to the real destination. Hovering over a link reveals the first trick, but not the second, since only the shortener’s domain is shown.
Instead of shortened URLs, phishers also use misspelled URLs.
They buy domains that look or sound similar to popular websites.
Then they build an identical-looking website on that domain and ask targets to log in, submitting their personal information.
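The three tricks above (a vague call to action, a shortener, a misspelled look-alike domain) are all visible in the HTML of the message. The following is an added example, not code from the original article: it extracts every anchor from a constructed email body and flags links whose anchor text shows a different domain than the href, links to a shortener, call-to-action links pointing at unknown domains, and hostnames within two edits of a brand on a watch list. The sample HTML, the SHORTENERS set and the BRANDS watch list are assumptions made for illustration.

```python
"""Flag hidden, shortened and look-alike links in an HTML email body.

Added example, not code from the original article. The HTML body, the
shortener list and the brand watch list are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "Click here" CTA, a shortened link and a misspelled
# brand domain behind genuine-looking text, next to one real link.
SAMPLE_HTML = """
<p>Dear customer, new service offers are waiting for you.</p>
<a href="http://wellsfargo-offers.example/login">Click here</a>
<a href="https://tinyurl.com/abc123">View statement</a>
<a href="https://www.wellsfarg0.com/verify">https://www.wellsfargo.com/verify</a>
<a href="https://www.wellsfargo.com/">wellsfargo.com</a>
"""

SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl"}   # hypothetical list
BRANDS = {"wellsfargo.com", "paypal.com"}                   # hypothetical watch list
CTA_WORDS = re.compile(r"\b(click here|download now|subscribe|log ?in|verify)\b", re.I)
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname without a leading www., for a URL or bare domain."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host.lower().removeprefix("www.")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_links(html: str) -> list[tuple[str, str]]:
    """Return (href, reason) pairs for links a reviewer should look at."""
    parser = LinkExtractor()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        host = host_of(href)
        if host in SHORTENERS:
            out.append((href, "link shortener hides the destination"))
        elif DOMAIN_LIKE.match(text) and host_of(text) != host:
            out.append((href, f"anchor text shows {host_of(text)} but link goes to {host}"))
        elif CTA_WORDS.search(text) and host not in BRANDS:
            out.append((href, f"call-to-action text points to unknown domain {host}"))
        if host not in BRANDS and any(0 < edit_distance(host, b) <= 2 for b in BRANDS):
            out.append((href, f"{host} is a near-miss of a brand domain"))
    return out


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_HTML):
        print(f"{href}: {reason}")
```

The near-miss check deliberately ignores exact brand matches, so a genuine link never trips it, and the anchor-text check only fires when the visible text itself looks like a URL or domain, which is exactly the case where the reader is being shown a destination that is not the real one.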
Homograph attacks use characters or character combinations that look alike and are easily misread, for example a Cyrillic letter in place of the Latin letter it resembles.
Here’s an example.
Once you land on the attacker’s site, the fake page will prompt you to enter login credentials or financial data like credit card information or other personally identifiable information.
These types of phishing scams are aimed at non-technical people.
Scammers exploit the lack of understanding about the difference between a domain and a subdomain to launch phishing attacks.
Suppose you receive a link whose address begins with the name of a site you trust. What will you do?
Most people will click on the link and end up compromising their credentials!
Here is an example.
This works because anyone who controls a domain can create a subdomain carrying any well-known brand name.
Most people are not aware that it is the registered domain at the right-hand end of the hostname, not the familiar name at the left, that decides who owns the site.
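Both the homograph trick and the subdomain trick come down to reading the hostname the way the resolver does rather than the way the eye does. The following is an added example, not code from the original article, that serves both passages: it converts the hostname to its punycode form (which is what mixed-script look-alikes become on the wire), notes whether more than one script is mixed in, and cuts off the registered domain so that a brand name appearing only as a subdomain is exposed. PUBLIC_SUFFIXES is a tiny hypothetical subset of the real public suffix list (https://publicsuffix.org), BRANDS is a hypothetical watch list, and the sample URLs are constructed.

```python
"""Show what the hostname in a link really is: its punycode form, any mixing of
scripts (the homograph trick) and its registered domain (the subdomain trick).

Added example, not code from the original article. PUBLIC_SUFFIXES is a tiny
hypothetical subset of the real public suffix list (https://publicsuffix.org),
BRANDS a hypothetical watch list, and the sample URLs are constructed.
"""
import unicodedata
from urllib.parse import urlparse

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}   # hypothetical subset
BRANDS = {"paypal.com", "apple.com", "wellsfargo.com"}          # hypothetical watch list

SAMPLE_URLS = [
    "https://www.paypal.com/signin",                       # genuine
    "http://paypal.com.account-verify.example/login",      # brand used as a subdomain
    "https://\u0430pple.com/login",                        # Cyrillic 'а' instead of Latin 'a'
]


def script_of(ch: str) -> str:
    """Script name taken from the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def registered_domain(host: str) -> str:
    """The part a registrar actually sold: the public suffix plus one more label."""
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def analyze(url: str) -> dict:
    """Classify one URL's hostname; 'trusted' is True only for a clean brand domain."""
    host = urlparse(url).hostname or ""
    punycode = host.encode("idna").decode("ascii")        # what the resolver sees
    scripts = {script_of(c) for c in host if c.isalpha()}
    reg = registered_domain(punycode)
    return {
        "host": host,
        "punycode": punycode,
        "homograph": punycode != host or len(scripts) > 1,
        "registered_domain": reg,
        "brand_as_subdomain": sorted(b for b in BRANDS if b in host.lower() and reg != b),
        "trusted": reg in BRANDS and punycode == host,
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(analyze(url))
```

For the Cyrillic sample the punycode form is xn--pple-43d.com, which is how modern browsers display a mixed-script label in the address bar; comparing that form, together with the registered domain, against the watch list is the check worth automating, since the rendered string is exactly what the attack is designed to fool.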
Pop-up messages are an easy way to run a successful phishing campaign.
Through a pop-up, attackers steal login credentials by redirecting users to a fake page, or by collecting the credentials in the pop-up itself.
This technique is also known as “in-session phishing”, because the pop-up appears while the victim has a legitimate session open.
Look at the pop-up window given below.
In this example, doesn’t the foreground pop-up seem legitimate enough to mislead customers?
The only prevention available at present is the pop-up blocker built into browsers and browser extensions, and the equivalent settings on the various app stores. If your data is especially sensitive, opt for security software that blocks all of these threats in one place, to prevent any kind of data breach.
Phishers run a paid campaign optimized for certain keywords to launch a phishing scam.
This is a well-crafted attack that looks completely legitimate.
Phishers create fake websites with “Exclusive offers” as bait – which look too good to be true!
When users stumble upon these fake sites, they are fooled into sharing their information to claim the offer.
Website spoofing is similar to email spoofing, though it requires the attacker to put in a lot more effort.
Phishers publish a website by copying the design, content, and user interface of a legitimate website.
Some scammers also use URL shortening tools to create a similar URL for the fake site.
Here is an example of a website spoofing attack that mimics the Bank of America website:
It is always a best practice to type the entire link by yourself, instead of copying and pasting the link from somewhere else.
Cross-site scripting (XSS) phishing abuses a flaw in a legitimate website: a page that reflects user-supplied input into its HTML without escaping it. The attacker embeds a script in a link to that page, typically delivered by email.
When the victim’s browser loads the page, it executes the script in the context of the trusted site, and the attack takes place without the victim’s knowledge.
Here is how a normal search works when you search for ‘colors’ on Google.
It means the value of the search parameter ‘q’ is inserted into the page returned by the search engine.
Now suppose, purely for illustration (a properly built search page escapes this value), that a scammer appends a script to the ‘q’ parameter so that the URL behaves differently when it is loaded in the browser.
The browser still loads what looks like the search result page.
But the fragment displaying the search results for ‘colors’ now carries the script, as below:
Loading this page causes the browser to execute XSSphish_script().
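The difference between the reflecting page and a safe one is a single escaping step. The following is an added example, not code from the original article and not Google’s code: render_search_unsafe() stands in for a hypothetical page at search.example that pastes the ‘q’ parameter straight into its HTML, render_search_safe() is the same page with the value HTML-escaped, and the attacker link is constructed, reusing the article’s placeholder name XSSphish_script.

```python
"""A reflected-XSS search page, vulnerable and hardened.

Added example, not code from the original article and not Google's code.
search.example and the attacker link are constructed; XSSphish_script is
the placeholder name used in the article.
"""
from html import escape
from urllib.parse import parse_qs, urlparse

NORMAL_URL = "https://search.example/search?q=colors"
# Constructed attacker link: the script tag is URL-encoded inside the q parameter.
PHISH_URL = "https://search.example/search?q=colors%3Cscript%3EXSSphish_script()%3C/script%3E"


def query_param(url: str) -> str:
    """Value of the q parameter, URL-decoded ('' if absent)."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_search_unsafe(url: str) -> str:
    """Vulnerable: whatever was in q becomes markup in the result page."""
    return f"<h2>Search results for '{query_param(url)}'</h2>"


def render_search_safe(url: str) -> str:
    """Hardened: the same value, HTML-escaped so the browser treats it as text."""
    return f"<h2>Search results for '{escape(query_param(url), quote=True)}'</h2>"


def contains_script_tag(html: str) -> bool:
    """True if the rendered HTML would start a <script> element."""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(render_search_unsafe(PHISH_URL))   # the script tag survives into the page
    print(render_search_safe(PHISH_URL))     # it is rendered as literal text
```

For the ordinary query both renderers produce identical HTML, which is the point: output encoding changes nothing for legitimate input and only neutralises input that was never meant to be markup. A Content-Security-Policy that disallows inline scripts is the second layer, for the cases where a page forgets to escape.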
In a man-in-the-middle (MITM) attack, the attacker sits between two parties and impersonates each to the other, relaying and reading the traffic to access confidential information such as transactions, conversations, or other data.
Major targets of MITM:
MITM attacks commonly rely on two spoofing techniques: ARP spoofing and DNS spoofing.
1. ARP spoofing: ARP spoofing is an attack in which a malicious actor sends forged ARP (Address Resolution Protocol) replies over a local area network. This links the attacker’s MAC (Media Access Control) address to the IP address of a legitimate computer, server, or gateway on the network, so that traffic meant for that host is delivered to the attacker instead.
2. DNS spoofing: Domain Name System (DNS) spoofing, or DNS cache poisoning, is an attack that corrupts the data in a resolver’s cache, causing the name server to return incorrect records, for example the attacker’s IP address for a bank’s hostname.
A possible MITM attack scenario is given below:
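ARP spoofing leaves a characteristic trace on the wire: an IP address whose MAC suddenly changes, and one MAC answering for several IP addresses, the gateway among them. The following is an added example, not code from the original article: it runs that check over a constructed list of ARP replies in which a host at 192.168.1.66 starts claiming the gateway’s and a workstation’s addresses. The addresses and MACs are assumptions made for illustration.

```python
"""Detect ARP spoofing from a stream of ARP replies seen on the LAN.

Added example, not code from the original article. The replies below are a
constructed capture: a gateway at 192.168.1.1 and a workstation, followed by
an attacker host claiming both of their IP addresses with its own MAC.
"""
from collections import defaultdict

# Constructed ARP reply records: (sender IP, sender MAC) as seen on the wire.
ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway
    ("192.168.1.20", "aa:bb:cc:00:00:20"),   # a normal workstation
    ("192.168.1.66", "de:ad:be:ef:00:66"),   # attacker's own address
    ("192.168.1.1", "DE:AD:BE:EF:00:66"),    # attacker claims the gateway IP
    ("192.168.1.20", "de:ad:be:ef:00:66"),   # ...and the workstation IP
]


def detect_arp_spoofing(replies, gateway_ip="192.168.1.1"):
    """Return alerts: any IP that changes MAC, and any MAC that claims several IPs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()                       # MACs are case-insensitive
        mac_to_ips[mac].add(ip)
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            kind = "gateway" if ip == gateway_ip else "host"
            alerts.append(f"{kind} {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES):
        print("ALERT:", alert)
```

A MAC moving once can be a legitimate hardware replacement, so the gateway case is worth treating as the high-severity alert. The corresponding mitigations are static ARP entries for the gateway on sensitive hosts and Dynamic ARP Inspection on the switch; for the DNS side of the same attack, validating answers with DNSSEC plays the same role.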
In a clone phishing attack, a legitimate, previously delivered email containing a link or attachment is copied to create an almost identical email.
Scammers replace the link or attachment with a malicious one.
The cloned email is then sent to the original recipients, either from an address spoofed to resemble the original sender or from a compromised inbox, so that it looks like a re-send or an update.
The recipients assume it is a legitimate email and click on the malicious link.
If you are receiving emails containing images matched to your interests, then BEWARE!
It could be a phishing attack.
Attackers use images and other media formats to deliver batch files and viruses.
There are two ways of embedding a phishing image in an email:
1. Linking the image to a phishing URL, so that clicking the picture opens the attacker’s page, and sending it out as a mass email.
2. Hiding a payload inside an encoded image (.jpeg) or another media file, such as a song (.mp3), a video (.mp4) or a GIF (.gif). In this type of attack, the attacker bundles a batch file (.bat) or other malware with the image and sends it as an attachment.
When the victim downloads and opens the attachment, the batch file or malware comes with it and infects the computer or phone. Note that an image viewer will not run bytes appended to a picture; the trick depends on the victim running the file as a program, typically through a double extension such as photo.jpg.bat, or on a vulnerable viewer.
The attack prompted the user to download a malicious Java ARchive (JAR) that also downloaded a virus.
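Two cheap checks catch most of the image tricks above before anything is opened: does the content start with the signature the extension promises, and is there anything after the image’s end-of-image marker? The following is an added example, not code from the original article: both byte strings are constructed, a minimal JPEG-shaped file and the same bytes with a batch script appended, and the executable-extension list is an assumption made for illustration.

```python
"""Check whether an "image" attachment really is just an image.

Added example, not code from the original article. Both byte strings are
constructed: a minimal JPEG-shaped file, and the same bytes with a batch
script appended after the end-of-image marker.
"""
JPEG_SOI = b"\xff\xd8\xff"            # start of image
JPEG_EOI = b"\xff\xd9"                # end of image: nothing should follow it
IMAGE_MAGIC = {
    "jpg": JPEG_SOI, "jpeg": JPEG_SOI,
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
EXECUTABLE_EXTS = {"bat", "cmd", "exe", "jar", "scr", "vbs"}   # hypothetical list

CLEAN_JPEG = JPEG_SOI + b"\xe0" + bytes(20) + JPEG_EOI
# Constructed: the same image with a .bat payload glued onto the end.
TROJANED_JPEG = CLEAN_JPEG + b"@echo off\r\nstart http://attacker.example\r\n"


def inspect_attachment(name: str, data: bytes) -> dict:
    """Return findings for one attachment; an empty list means it looks like a plain image."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    findings = []
    if ext in EXECUTABLE_EXTS:
        # photo.jpg.bat is a program, whatever the icon or the middle extension suggests
        findings.append(f".{ext} is an executable extension, not an image")
    elif ext not in IMAGE_MAGIC:
        findings.append(f".{ext} is not an allowed image type")
    elif not data.startswith(IMAGE_MAGIC[ext]):
        findings.append(f"content does not start with the {ext} signature")
    if data.startswith(JPEG_SOI):
        # A payload appended to a JPEG sits after the last end-of-image marker.
        eoi = data.rfind(JPEG_EOI)
        if eoi == -1:
            findings.append("no end-of-image marker found")
        elif data[eoi + 2:]:
            findings.append(f"{len(data) - eoi - 2} bytes appended after the end-of-image marker")
    return {"extension": ext, "findings": findings, "safe": not findings}


if __name__ == "__main__":
    for name, data in (("photo.jpg", CLEAN_JPEG), ("photo.jpg", TROJANED_JPEG),
                       ("photo.jpg.bat", CLEAN_JPEG), ("photo.png", CLEAN_JPEG)):
        print(name, inspect_attachment(name, data))
```

The trailing-data check is a heuristic: some legitimate tools append metadata after the EOI marker, so treat a hit as a reason to quarantine and look, not as proof. The signature and extension checks are what a mail gateway should enforce unconditionally.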
1. Do not download images from unknown sources.
2. Do not open the images in an incognito window.
3. Use an antivirus or anti-malware in your email service.
4. Use a backup solution to avoid losing data.
In a voice phishing or vishing attack, the message is delivered orally to the potential victim.
Though it uses little technology, this is one of the trickiest types of phishing: you have nothing to confirm or verify what is said over the phone!
Emma Watson got a call from her bank stating that some unusual transaction activities were identified on her account.
To safeguard her money, she was asked to transfer all of it into a newly created account.
She mentioned, “They were very professional, and because they knew my name and were addressing me with my name, I didn’t suspect them.”
“They called me on the landline number given to the bank for communication purposes. Also, they used all the banking language,” she added.
Emma transferred £100,000 into the account she was given; only a fraction of it was traced and returned to her.
CEO fraud, a form of business email compromise (BEC), is a whaling attack in which criminals impersonate an executive to fool employees into executing unauthorized wire transfers or disclosing confidential information.
According to one security advisory report, more than 70 percent of these scammers pretend to be the CEO, the rest using CFO and COO signatures, and more than 35 percent of the emails target financial executives.
CEO fraud or BEC attacks pose a higher risk and damage the organization at a higher level.
A few of these damages are listed below:
Injecting malware into a system or network through emails is a common form of phishing.
The usual objectives of a malware attack are:
1. Hijacking a user’s computer or an online session,
2. Stealing a user’s confidential data,
3. Conducting fraudulent activities, and
4. Launching a DDoS attack.
A Trojan is a kind of malware that creates digital backdoors for attackers to hack into your computer without your knowledge.
They are capable of stealing your personal information, such as your SSN or your private files, and business details, or of rendering your computer permanently unusable.
Attackers can use the hacked device as a proxy to conceal their identity or send out spam for a mass phishing attack.
“Zeus” was a trojan that helped attackers to steal about $3 million from dozens of US corporate accounts!
A virus is malicious code that, once run on a device, can corrupt it or harvest confidential data.
Opening a malicious .exe file is enough to infect the machine.
Like viruses, worms damage computers by replicating themselves.
Worms are among the most dangerous payloads delivered by phishing, as they need no human intervention to make their copies!
They exploit vulnerabilities in systems to spread from one device to another, which makes them more dangerous than a typical virus.
Ransomware encrypts your computer files to lock them and keep them hostage until you pay a fee for its decryption code.
The estimated loss by this attack was $4 billion USD.
Spyware is malware that monitors the victim’s actions over a period of time.
Its objective is to generate long-term profit for the attackers.
Types of spyware used for various types of phishing:
As we all know, the best way to learn is by doing.
So, to understand phishing methods better, run some simulated phishing campaigns, with permission, on your teams, friends, colleagues, and family members.