To Phish or not to Phish?
Ahh, ok, if you are considering that title with anything other than piqued amusement, you are on the wrong site.
Most of us in the security community are well enough aware of what Phishing and Spear Phishing are, but for you newbies out there who are wondering if this is related to your PADI scuba diving certifications – we can assure you that it's not.
Wikipedia defines Phishing in the following manner.
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim.
And defines the even more insidious Spear Phishing like this.
Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is by far the most successful on the Internet today, accounting for 91% of attacks.
Threat Group-4127 used spear phishing tactics to target email accounts linked to Hillary Clinton's 2016 presidential campaign. They attacked more than 1,800 Google accounts and implemented accounts-google.com domain to threaten targeted users.
So, we are some 10 years into the era of Phishing and apparently it's still alive and kicking.
Today, some service pretending to be LinkedIn sent me the email below. Don't worry, it's just an image of the email.
So, how does this work?
These types of emails are set up to get users to click and go somewhere.
That somewhere might be a fake site, set up to get the user to log in as if they were logging into the real service. It takes all of 180 seconds or less to use specific Linux tools to grab an entire site from wherever. No, no help from me; if you don't already know what the tools are, we aren't telling here.
This fake site might not only try to entice the user to give up their username and password, but if it finds that the user is running a browser that is susceptible to certain kinds of attacks, that user may find that they have inadvertently downloaded something they should not have.
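The clue that gives most of these mails away is the link itself: the visible text says one thing and the href points at a lookalike host (the accounts-google.com domain quoted above is the textbook case). The script below is an added example, not code from the original post, that pulls every link out of an HTML email and flags three indicators: a brand name inside a hostname whose registrable domain is not one of that brand's real domains, link text that shows a different site than the href actually goes to, and a bare IP address in place of a hostname. The brand list, the sample email and the hostname linkedin-notifications.example are constructed for the demonstration; a real deployment would maintain its own brand list and use the Public Suffix List instead of the naive two-label domain split used here.

```python
"""Flag phishing indicators in the links of an HTML email (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands this mailbox expects to hear from, mapped to their genuine
# registrable domains. Constructed for the example; maintain your own list.
KNOWN_BRANDS = {
    "linkedin": {"linkedin.com"},
    "google": {"google.com"},
}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Naive: keep the last two labels. Fine for .com-style hosts; a real
    # deployment should use the Public Suffix List (co.uk etc.).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text):
    """Return a list of indicator strings for one link (empty list = clean)."""
    findings = []
    host = urlparse(href).hostname or ""
    if not host:
        return findings
    reg = registrable_domain(host)
    # 1. Brand name in the hostname, but the registrable domain is not the
    #    brand's own (e.g. accounts-google.com instead of accounts.google.com).
    for brand, legit in KNOWN_BRANDS.items():
        if brand in host and reg not in legit:
            findings.append(f"lookalike host {host!r} for brand {brand}")
    # 2. Visible text looks like a URL whose site differs from the real target.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != reg:
        findings.append(f"link text shows {shown.group(1)!r} but href goes to {host!r}")
    # 3. Bare IP address instead of a hostname.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append(f"href uses bare IP {host}")
    return findings


def scan_email(html):
    """Map each suspicious href to its list of indicators."""
    report = {}
    for href, text in extract_links(html):
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample, modelled on the fake-LinkedIn mail the post describes.
SAMPLE_EMAIL = """
<p>You have 3 new connection requests.</p>
<a href="http://linkedin-notifications.example/login">View invitations</a>
<a href="https://accounts-google.com/signin">https://accounts.google.com</a>
<a href="https://www.linkedin.com/help">Help Center</a>
"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for finding in findings:
            print("  -", finding)
```

Only the two fake links are reported; the genuine www.linkedin.com link passes because its registrable domain is on the brand's list. Expect some noise from legitimate third-party mail senders and link-tracking redirectors, which is why this belongs in a triage queue rather than a hard block.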
Further, the hacker may also decide to passively monetize the visit, either by running Google AdSense on the site or by running a browser-based Monero mining script, which won't directly hurt the user but will steal CPU cycles in order to mine Monero.
The primary reason that this attempt is so successful is that it uses multiple attack vectors.
If you click over to the site and figure out that you don't want to log in, the browser-based Monero program is already stealing your CPU cycles and enriching the hackers. If 100,000 people visit in a week and 95,000 click away almost immediately, this still leaves 5,000 computers working on the blockchain problem. Of those 5,000, most will click away within an hour, but 500 users may have 10 or more browser tabs open, and if they leave to look at something else, it's quite possible that their computer may end up working on blockchain problems for several weeks or more.
The blockchain work was not the primary reason the hackers set up this system, but it sure is handy for making some money in the background.
The real reason is that the hackers are primarily looking either directly for credit card information or indirectly trying to piece together a profile on you that might let them figure out what other sites you use and eventually crack your login to a site that can, directly or indirectly, help them profit.
If you don't quite understand this last paragraph, don't hold your breath, because we are not going to go into any more detail that might give amateur script kiddies more information than they really need to know.
Another example of Phishing – this one also from our friends at Wikipedia