Mobile Critters: Part 2. Phishing.
Phishing is undoubtedly the most ubiquitous attack of the last 10 years, if not longer. It has been used successfully against companies large and small, sometimes with devastating results.
Is opening emails from a smartphone safe?
Email-based threats are nothing new and have been around for almost as long as email itself. Initially just a nuisance, the harmless chain-letter emails of yesteryear morphed into the so-called “419” scams, before eventually stepping up to the modern style of phishing we know today. This move towards criminal intent evolved in parallel with the Internet itself. In the early days, there was little e-commerce and few corporate resources were hosted on the Internet. However, as the Internet was monetized and company portals and systems moved online, the value of access to those systems became clear.
What social engineering is and how it works.
And so bad actors started trying to get their hands on credentials for online platforms. Phishing is ultimately a form of social engineering: tricking the victim into handing over credentials for a website, platform, or corporate system. Depending on what access the attacker gains, further malicious activity can follow.
In the corporate world, the attack commonly plays out like this. First, the attacker sends an email spoofing a commonly seen company or service. This could be a file shared via Dropbox or Office365, a parcel-tracking notification from a service such as UPS, or, more deviously, a message tied to a current news event such as Covid-19 or the Hurricane Katrina disaster.
These emails often invoke a sense of urgency by suggesting that action must be taken quickly, or create intrigue, for example by appearing as if someone has shared the entire company’s bonuses list with you. This encourages the target to click the embedded link or open the attached document to view the information.
Fake website alert!
For the second stage, the attacker has set up a website that looks like a familiar login page, such as Office365. Entering your username and password into this page, however, sends a copy of those credentials to the attacker.
Often this is where the attack ends. Multi-factor or two-factor authentication, which adds a randomly generated code to your login process, is a strong protection against phishing: a basic phishing page captures only the username and password, and those alone are not enough to log in. More sophisticated phishing infrastructure, however, also asks you to enter the MFA code, and everything you type is captured and replayed into the real system.
Finally, once an attacker has a username, password, and potentially a valid MFA code, they can access the system. This could be anything from a corporate email, HR, or CRM platform through to a personal gaming account, online banking, or shopping site. From there, money can be accessed, goods can be bought fraudulently, and deeper attacks against a company can be staged.
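The three tell-tale signs described in the stages above (a sender impersonating a familiar brand, urgency language, and a link whose visible text does not match where it really points) can be checked mechanically before anyone types a credential. The following is an added example written for this article, not code from the original post or from any mail product; the sample email is constructed, and the small brand-to-domain table is an assumption that a real deployment would replace with its own allow-list.

```python
"""Heuristic phishing-indicator checks over a raw RFC 822 email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name impersonates a file-sharing service, the
# subject and body push urgency, and the visible link text differs from the href.
SAMPLE_EMAIL = """\
From: "Office365 SharePoint" <notify@sharepoint-docs-login.example>
To: employee@example-corp.example
Subject: URGENT: Company bonuses list shared with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A document has been shared with you. You must review it within 24 hours.</p>
<p><a href="https://sharepoint-docs-login.example/signin">https://login.microsoftonline.com/</a></p>
</body></html>
"""

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "action required", "suspended")

# Assumption for this example: brand words that appear in display names, mapped to
# the domains that legitimately send mail on that brand's behalf.
BRAND_DOMAINS = {
    "office365": ("microsoft.com", "microsoftonline.com", "office.com"),
    "sharepoint": ("microsoft.com", "microsoftonline.com", "sharepoint.com"),
    "dropbox": ("dropbox.com", "dropboxmail.com"),
    "ups": ("ups.com",),
}


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_email):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_email)
    indicators = []

    # 1. Display name claims a brand that the sender's domain does not belong to.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""
    name_words = re.findall(r"[a-z0-9]+", display_name.lower())
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name_words and sender_domain not in domains:
            indicators.append(f"display-name brand '{brand}' sent from unrelated domain {sender_domain}")

    # 2. Urgency language in the subject or body.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            indicators.append(f"urgency phrase '{phrase}'")

    # 3. Visible link text that looks like a URL but points at a different domain.
    collector = LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        href_host = urlparse(href).hostname or ""
        if visible.startswith("http"):
            visible_host = urlparse(visible).hostname or ""
            if registered_domain(href_host) != registered_domain(visible_host):
                indicators.append(f"link text shows {visible_host} but target is {href_host}")

    return indicators


if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE_EMAIL):
        print("indicator:", hit)
```

The checks are deliberately simple and will produce false positives (a genuine Microsoft notification relayed through a third-party mailer, or a legitimately urgent message), so they are best used to route a message for closer inspection rather than to block it outright; the display-name and link-mismatch checks are the ones that most directly mirror the spoofed sender and fake login page described above.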
Kinds of phishing attacks you should be aware of.
Several variations on phishing work in a similar way, including vishing (voice phishing), smishing (SMS-based phishing), whaling (targeted phishing against the company’s “big fish”), and spear-phishing (highly targeted phishing). While MFA provides good security against phishing and many modern email systems detect phishing quite easily, the best protection is well-trained staff who can spot a phishing attack before any credentials are entered.