
[Translation of the article] 7 basic rules for protection against phishing


Phishing has been known for a long time: the first phishing attacks were recorded shortly after the World Wide Web appeared. But even though security specialists keep devising more sophisticated means of protection against phishing, new phishing sites continue to appear every day.


According to some studies, in 2016 about 5,000 phishing sites were created every day, and the figure for 2017 is expected to be even higher. The secret of this kind of fraud's longevity is that it exploits not "holes" in software but a weakness in human nature, namely in the people who have access to important data. So it is worth recalling once again what phishing is, which kinds of phishing attacks are most common, and how to counter them.



Phishing in 2017: the main examples of phishing attacks


Phishing is a form of Internet fraud built on social-engineering principles. Its main goal is to obtain critical data (for example, identity-document details), account credentials, bank details or confidential corporate information, in order to use them later to steal money. Phishing works by redirecting users to fake web resources that are a complete imitation of the real ones.


1. Classic phishing (site substitution)


Most phishing attacks fall into this category. Attackers send emails on behalf of a real company in order to capture user credentials and gain control over personal or business accounts. A phishing email may claim to come from a payment system or bank, a delivery service, an online store, a social network, the tax office, and so on.


Phishing emails are crafted with great care and are practically indistinguishable from the mailings the user regularly receives from the real company. The one thing that should alert the recipient is the request to follow a link in order to perform some action. That link, however, leads to the fraudsters' website, a "twin" of the login page of the bank, social network or other legitimate resource.


The incentive to follow the link can be either a carrot ("Register within 24 hours and get a 70% discount on our services") or a stick ("Your account has been blocked due to suspicious activity. To confirm that you are the account owner, follow the link").




[Image in the original: a list of the most popular scammer tricks.]


2. Targeted phishing attack


Phishing does not always strike at random; attacks are often personalized and targeted. The goal is the same: to make the user open the phishing site and enter their credentials there.


Naturally, a potential victim will place more trust in an email that addresses them by name and mentions their employer, their position in the company or other personal details. And the information for targeted phishing attacks is most often supplied by the targets themselves. Resources such as the well-known LinkedIn are especially "fruitful" for criminals: when writing a resume for potential employers, everyone tries to provide as much information about themselves as possible.


To prevent such situations, organizations should regularly remind employees that personal and business information should not be placed in the public domain.


3. Phishing against top management


Management credentials are of particular interest to fraudsters.


As a rule, a company's security specialists implement a clear system of access permissions and levels of responsibility that depends on the employee's position. So a sales manager has access to the product database, while the list of company employees is off limits to him. The HR specialist, in turn, knows exactly which vacancies are filled and by whom, which have just opened and who deserves a promotion, but has no idea of the numbers or balances of the company's bank accounts. The head of the company usually concentrates in his hands access to all the critical nodes of the enterprise or organization.


Having gained access to the account of the head of the company, the phishers go further and use it to communicate with other departments, for example to approve fraudulent bank transfers to accounts at financial institutions of their choosing.


Despite their high level of access, top managers do not always take part in staff training programs on information-security basics. That is why a phishing attack aimed at them can have especially serious consequences for the company.



4. Phishing emails impersonating Google and Dropbox


Relatively recently, a new direction appeared in phishing: the hunt for logins and passwords to cloud storage services.


In Dropbox and Google Drive, both private and corporate users store a great deal of confidential information: work presentations, spreadsheets and documents, backup copies of data from local computers, personal photos and passwords to other services.


It is not surprising that access to accounts on these resources is a tempting prospect for intruders. The standard approach is used to achieve this goal: a phishing site is created that completely imitates the login page of the particular service, and in most cases potential victims are redirected to it by a phishing link in an email.


5. Phishing emails with attachments


A link to a suspicious site that steals user data is not the worst thing phishing can do. In that case the criminals gain access only to a certain part of the victim's confidential information: a login and password, that is, one account on one service. It is far worse when a phishing attack ends with the victim's entire computer compromised by malware: ransomware, spyware or a trojan.


Such malware can be contained in email attachments. Assuming the email came from a trusted source, users willingly open such files and infect their computers, tablets and laptops.




What is Pharming


Classic phishing with links to questionable resources is gradually becoming less effective. Experienced users of web services are usually already aware of the danger a link to a suspicious site can carry, and are cautious when they receive a strange email or notification. Luring the victim into the net is becoming harder and harder.


In response to the declining effectiveness of traditional attacks, hackers came up with pharming: a hidden redirect to fraudulent sites.


The essence of pharming is that, in the first stage, a trojan is planted on the victim's computer by one means or another. It is often not recognized by antivirus software, does not reveal itself in any way, and waits for its moment. The malware activates only when the user, on their own and without any outside prompting, decides to visit a page the criminals are interested in; most often these are online-banking services, payment systems and other resources that carry out monetary transactions.


This is where the substitution takes place: instead of the familiar, frequently visited site, the owner of the infected computer lands on a phishing site and, suspecting nothing, enters the data the hackers need. The redirect is achieved by tampering with name resolution on the local computer (the hosts file or the DNS cache) or on network equipment such as a home router's DNS settings. What makes this kind of fraud especially dangerous is how hard it is to detect: the address the user typed or bookmarked is the correct one, only the server it resolves to is not. One check still works, though: the fraudsters cannot present a valid HTTPS certificate for the real domain, so a browser certificate warning on a banking site is a symptom of exactly this attack and should never be clicked through.
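As an added example (not part of the original article), the following Python script audits the local hosts file for the kind of redirect a pharming trojan installs. The sample hosts content, the watched domain example-bank.com and the address 203.0.113.45 are constructed for illustration. It covers only the local-computer side of pharming; a poisoned router or resolver cache has to be checked by comparing answers against an independent resolver, which this offline script does not do.

```python
"""Audit a hosts file for the local-redirect trick pharming trojans use."""
import ipaddress

# Constructed sample (not taken from a real machine). The first entries are what a
# normal hosts file contains; the last line is the kind of entry a pharming
# trojan adds so that the bank's real name resolves to the attacker's server.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.10    printer.lan
127.0.0.1       dev.myapp.test
203.0.113.45    online.example-bank.com www.example-bank.com   # injected
"""

# Names that legitimately live in a hosts file (assumption: typical OS defaults).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                  "ip6-loopback", "broadcasthost"}
# Suffixes for names meant to stay local and never resolve on the Internet
# (assumption: a short list, extend for your own environment).
LOCAL_SUFFIXES = (".lan", ".local", ".localdomain", ".home", ".internal", ".test")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments, incl. trailing ones
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def audit_hosts(text, watched_domains):
    """Report hosts-file entries that override Internet names.

    Any entry for a watched domain (the user's banks and payment services) is a
    high-severity finding: a legitimate hosts file never pins those. Any other
    Internet-looking name is reported at medium severity. Local names such as
    printer.lan or dev.myapp.test are left alone."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if ip.is_loopback and name in LOOPBACK_NAMES:
            continue                              # the normal contents of the file
        if any(name == d or name.endswith("." + d) for d in watched_domains):
            severity, why = "high", "watched domain pinned in hosts file (pharming pattern)"
        elif "." in name and not name.endswith(LOCAL_SUFFIXES):
            severity, why = "medium", "Internet-looking name pinned in hosts file"
        else:
            continue
        findings.append({"line": line_no, "host": name, "ip": str(ip),
                         "severity": severity, "why": why})
    return findings


if __name__ == "__main__":
    # On a real machine read /etc/hosts or
    # C:\Windows\System32\drivers\etc\hosts instead of the constructed sample.
    for finding in audit_hosts(SAMPLE_HOSTS, ["example-bank.com"]):
        print(finding)
```

Run against the sample, the script reports both names on the injected line as high-severity findings and stays silent about the loopback and `.lan`/`.test` entries; with an empty watch list the same line is still reported, at medium severity, simply because an Internet name has no business in a hosts file.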




Phishing Protection - Basic Rules


  1. Always check the URL you are asked to visit for minor spelling errors.
  2. Use only secure https connections. The absence of a single letter "s" in the site address should alert you. The converse does not hold, however: a phishing site can also obtain a valid certificate, so https on its own says nothing about who runs the site.
  3. Be suspicious of any email with attachments or links. Even if it came from a familiar address, that guarantees nothing: the sender's account could have been hacked.
  4. If you receive an unexpected, suspicious message, contact the sender through some other channel and clarify whether they really sent it.
  5. If you do need to visit the resource, it is better to type its address by hand or use a bookmark you saved earlier (alas, this will not save you from pharming).
  6. Do not use open Wi-Fi networks for online banking and other financial services: they are often set up by attackers, and even when they are not, eavesdropping on an unencrypted network is not difficult for hackers.
  7. Enable two-factor authentication on every account that supports it. This measure can save the day if the main password has become known to hackers.
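Rules 1, 2 and 5 can be automated for links arriving in mail. The Python checker below is an added example, not code from the original article or from Protectimus: it extracts the real host from a URL, flags a missing https scheme and the `user@host` trick, and compares the registrable domain against a short trust list after decoding punycode and folding look-alike characters. The trust list, the confusable table and all sample links are constructed for illustration; a production version would use a public-suffix list and the full Unicode confusables data.

```python
"""Automating rules 1, 2 and 5: inspect the host in a link before trusting it."""
from urllib.parse import urlsplit

# Constructed trust list (assumption): registrable domains the user actually has
# accounts with. In practice this is the user's own list of banks and services.
TRUSTED_DOMAINS = ["paypal.com", "dropbox.com", "google.com", "example-bank.com"]

# Small look-alike table (assumption; a real deployment would use the full
# Unicode confusables data): digits and symbols that resemble letters, plus
# Cyrillic letters that render identically to Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})
MULTI_CONFUSABLES = (("vv", "w"), ("rn", "m"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (rule 1: catch minor spelling errors)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(host: str) -> str:
    """Decode punycode (xn--) labels, then collapse look-alike characters."""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII, or not valid punycode: keep as is
    host = host.lower().translate(CONFUSABLES)
    for pair, single in MULTI_CONFUSABLES:
        host = host.replace(pair, single)
    return host


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so hosts
    under suffixes like co.uk would need a real suffix list in production."""
    return ".".join(host.strip(".").split(".")[-2:])


def check_url(url: str) -> dict:
    """Classify a link as trusted, lookalike or unknown, with the reasons."""
    parts = urlsplit(url)
    host = parts.hostname or ""           # lowercased; port and user@ removed
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")       # rule 2
    if "@" in parts.netloc:
        reasons.append("credentials in URL hide the real host")

    if registrable_domain(host) in TRUSTED_DOMAINS:
        return {"host": host, "verdict": "trusted", "reasons": reasons}

    folded_host = fold(host)
    domain = registrable_domain(folded_host)
    verdict = "unknown"
    for trusted in TRUSTED_DOMAINS:
        ft = fold(trusted)
        if domain == ft:
            reasons.append(f"look-alike characters imitate {trusted}")
        elif levenshtein(domain, ft) <= 2:
            reasons.append(f"misspelling of {trusted}")
        elif ft in folded_host:
            reasons.append(f"{trusted} appears inside another domain ({domain})")
        else:
            continue
        verdict = "lookalike"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links, not from any real campaign.
    for link in ["https://www.paypal.com/signin",
                 "http://paypa1.com/signin",
                 "https://xn--pypal-4ve.com/",
                 "https://paypal.com.secure-login.example/",
                 "https://paypal.com@evil.example/login",
                 "https://dropbox.co/"]:
        print(check_url(link))
```

The interesting cases are the ones a human eye misses: `paypa1.com` (digit one for lowercase L), `xn--pypal-4ve.com` (the punycode form of paypal with a Cyrillic "а", which a browser may display as the real name), `paypal.com.secure-login.example` (brand name used as a subdomain, so the registrable domain is the attacker's) and `paypal.com@evil.example` (everything before the `@` is ignored by the browser as user info). Only `www.paypal.com` comes back as trusted.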

Conclusions


It is unlikely that phishing can be eradicated completely in the foreseeable future: human laziness, gullibility and greed are to blame.


Thousands of phishing attacks occur every day, and they can take a wide variety of forms.



Only timely and complete information about the methods hackers use, together with a healthy suspicion of unusual, unexpected messages and offers, will significantly reduce the damage from this kind of Internet fraud.


So be sure to read the rules of protection against phishing. Above all, do not give your passwords to anyone, make it a habit to type the addresses of the sites you need by hand or to use browser bookmarks, and be especially attentive to links in emails.


Source - Protectimus Solutions LLP

Source: https://habr.com/ru/post/344066/

