ZTH-CH4: Hook & Sling - Phishing For Gold
There are hundreds if not thousands of blog posts, awareness articles, and documentation on phishing, user awareness, and breaking down specifics. This blog post has been sitting in my drafts for about three years but I decided to finish it and get it out ahead of hacktober/cyber awareness month.
To this date, phishing is one of the most prevalent first stages of entry into an organisation. A lot of threat actors (threat actors: persons or entities with the capability to cause disruption, also known as malicious actors) will leverage multiple campaigns to get into an organisation or to gain access to certain information.
What?
In our daily lives we probably see phishing a lot and don't even realise it: think of a Nigerian prince offering you vast amounts of wealth, or a company sending you a text saying you've won something or other.
So one could argue that a lot of us have been conditioned to see phishing and spam and ignore it. Unfortunately, that's just not the case. As attack and entry methods expand, they encompass many different scenarios that attempt to coerce users into doing things that harm their companies without their knowledge.
More common techniques nowadays are focused on SMS-based phishing pretending to be from a bank or a delivery company. They usually have the primary aim of harvesting your personal details so that the attackers can use them elsewhere, or sell them on along with your number for committing identity theft.
How?
What makes up a good phish then? The genetic makeup of a good phish really varies, but usually these three properties are present:
- A hook - something that interests you in the email, instructions, or something enticing
- Urgency - More often than not, phishing emails contain some form of action that is time limited and has a sense of urgency/threat.
- Consistency - Older advice when it comes to phishing has always said to look for spelling errors and poor English. However, phisherfolk have wised up in most cases and now use tools like Google Translate and Grammarly to tighten up their pretext (email content) to try and hook you in more.
When these three are combined along with the source being from an entity you supposedly trust, an attacker stands to convince you to hand over your details or download a malicious document and execute their malware.
Why?
The motivation for phishing is often one of several reasons, which broadly fall into the three categories below. Arguably they are all forms of power and each fosters the others, but alas:
- Access / Credentials
- Financial Gain
- Power
A typical scenario may be that we want to gain credentials for initial access into a company. So a phishing campaign is crafted to mimic certain scenarios relevant to the individual. These can be anything from company changes and password policy changes through to fear-based alerts and everything in between.
In other instances, phishing can be leveraged to coerce folks into handing over their hard-earned cash in a variety of different ways, often starting out as an unpaid invoice, an unclaimed order, or postal charges. Social engineering in the form of phishing can get very complex, though: initially someone may just contact you to start a conversation, and once you are hooked on the conversation they'll start to ask for money or a favour. This is often very similar to the Nigerian prince scenarios, just with a different initial outset.
Stay aware of these types of attacks. People are the weakest link in the security chain, so if you ever receive an email, just have a think before you click that link or before you hand over your details to someone you don't know.