The popular cab aggregator Uber became a victim of a massive data breach in Sep of 2022. And how did the attacker get access to the sensitive internal systems? It turns out that the supposedly eighteen year old attacker who was eager to take responsibility for the successful attack said “I was spamming [an] employee with push auth for over an hour. I then contacted him on WhatsApp and claimed to be from Uber IT. Told him if he wants it to stop he must accept it. And well, he accepted and I added my device [sic].”
This sort of attack is called a MFA fatigue attack or MFA bombing or MFA spamming, where a user is bombarded with authentication requests until they relent. In this example the user finally fell for a simple phish on WhatsApp, where he was under the impression that the person contacting him was a legit IT technician. Many had thought push notifications were the answer to all problems with OTP which used to easily get phished by the ‘man in the middle’. However, with every new authentication method, the bad actors creatively come up with a whole bag of tricks to extract or intercept it.
ALSO READ: The Less Talked About Immigration Scam
However, this example shows phishing modus operandi at its best. In general phishing is a type of social engineering. It is a cyber crime where the perpetrator deceives the victim via phone, email, website links, WhatsApp or other channels to harvest their credentials typically using imposter website links and emails. The victim gets fooled into sharing sensitive information such as credit card numbers, login, password, banking information, PII etc. believing the communication to be from a legit source. Such credentials are then used to set off a chain of attacks including any of account takeover and financial fraud, data exfiltration, ransomware, or even cyber espionage. Hence the damage may be to the individual themselves who got phished themselves through identity theft or financial loss, or the organization that they own or work for, and in some cases, it could even be the country or government. Either way there could be huge financial, reputational or other damage at stake.
So, from this it is clear that phishing is not in itself an end goal. I’ve heard people use phishing synonymously with account takeover. That is not accurate. Phishing is a gateway to other cybercrimes. For an individual the phished information could lead to account, profile or device takeover, or even identity theft and fraudulent applications for loans, doxxing, blackmail or even as simple as a CNP transaction on the credit card data phished. For an organization phishing could lead to more disastrous consequences like data stealing, espionage of confidential information, Business email compromise or even Ransomware.
As per the State of Phishing Report of 2022 by SlashNext, the phishing has increased from 50,000 malicious URLs a day in 2021 to 80,000 malicious URLs average daily in 2022. This is a 61% year on year increase. As per Egress software, 90% of all ransomware is delivered through a phishing scam. While The As per CISCO 2021 Cybersecurity Threat Trends phishing accounts for 90% of data breaches. So phishing is a gateway to these more sophisticated cybercrimes. Moreover, as per Verizon Mobile Security Index 2022 83% organizations have reported that mobile phishing attacks are growing more rapidly than other device threats. So why is phishing such a big problem and why does it continue to grow rapidly. The reason for that is simple. Phishing is a kind of attack that relies on human vulnerability as opposed to software or hardware vulnerabilities. This is usually much harder to solve for. As one can’t ensure that employees or otherwise humans can’t be programmatically made to behave a certain way. Human beings can’t be engineered mechanically, but unfortunately, we can be socially engineered. Most phishing tricks therefore touch a basic human instinct such as judgment error, oversight, greed, fear, anxiety, frustration, panic, urgency, lust etc. through a wide array of manipulative tools. And many cybercrimes from what I’ve seen start with a human weakness.
There are various types of phishing as enlisted below –
- Email Phishing – This is the most traditional type of phishing and has been around for years, if not decades. In this type, the perpetrator sends an email from an address that resembles that of a legitimate organization via email spoofing. Here the email is fake but belongs to the legitimate domain. But, they might more easily instead use the company name as the username as opposed to the domain like email@example.com to appear legitimate.
- Vishing – Vishing is shorthand for Voice phishing. In this typology the attacker voice calls the victim and tries to phish out the credentials. A friend recently ordered alcohol by looking up a number online. Strangely he wasn’t aware that home delivery of alcohol is not legal in India. However, while on the call the other party requested for an OTP that would be sent to my friend’s phone. He immediately smelt a phish and hung up. Such tricks are getting increasingly common to intercept authentication credentials.
- Smishing – Similar to Vishing, Smishing is short hand for SMS phishing. This again is gaining in popularity given the scale at which such an attack can be perpetrated. As an example, in late 2022, there was a SMShing attack across all Indian banks where people were receiving a text purportedly from their bank with URLs resembling banking portals. The links would contain the bank name in the sub domain such as ngrok.io/xxxxbank sent via SMS asking for KYC updates or some other pretext to steal the target’s credentials.
- Angler Phishing – Named after the eponymous fish, this is one of the newer forms of phishing attacks. Here the scammer targets victims on social media platforms, by creating imposter social media accounts of respectable companies. A typical example would be of a malicious actor posing as the customer support staff of the respective company or bank whose name is mentioned by the victim in a public complaint, and luring such disgruntled customers, into revealing sensitive information.
- Pop-up Phishing – When malicious code is placed by bad actors in the pop ups that may appear on a website. For example, when the customer says allow notification it may pop up a message that the computer has malware (Scareware) appearing to come from reputed IT companies, as was the recent scam in the US perpetrated from Indian soil, although masterminded by an American national from Glendale, California. A fake toll-free number would be provided, which the victim would call to be only received by the scammer in India.
- Evil Twin Attack – In this form of phishing the attacker creates a fake Wi-fi hotspot (typically free public Wifis with multiple access points with the same name), that looks like a legit one, hoping the victim would hook up to the evil one. This connection is then leveraged to steal a user’s login credentials in a classic man-in-the-middle or MITM modus operandi (MO).
- Pharming and website redirects – In this MO the attacker hacks into a DNS (Domain name server), that translates domain names to IP addresses via a look up. This way, when someone types in the genuine URL they get redirected to the malicious IP address of an imposter phishing website that resembles the original to harvest their credentials, password, card numbers etc. Pharming can also be done to specific users through malicious code hijacking their computer or browser settings. However not all redirects are bad. For example, if you type https://www.phish-bowl.com it gets redirected to https://www.phish-bowl.in and that is fine. Many times, owners of domains buy the same domain name across different TLDs (top level domains).
- Clone Phishing – Here a legitimate original email sent by a business is copied but the attachments or documents is replaced by malicious code that steal the user’s data. Typically, this could happen in a reply on that email to that sender or on an email saying something innocuous like “Resending this.”
- Spear Phishing – In what is a very targeted attack cyber criminals research their victim via open-source intelligence such company websites, LinkedIn etc. to gather company and individual names and positions for instance. Once they have this background information they approach the target, posing as an internal co-worker or familiar name to the target to extract sensitive information.
- Whaling – With much higher stakes whaling is the type of spear phishing that particularly targets high ranking officials in the governments or corporate hierarchy to draw out confidential information, that such persons would usually have access to. Whaling is sometimes referred to as CEO fraud.
- Domain spoofing – In this sort of MO, the threat actor will create a domain that looks like a legitimate one with a misleading URL. For example, instead of https://www.amazon.com it could be http://xyz.amazon-com.io. The content, style, images, layout and branding may look deceptively similar in these web fakes. Sometimes they may mimic sites by making small, hard-to-see changes to the URL using for example Cyrillic characters instead of ASCII characters that look extremely similar, in what is called homograph attacks. While this issue has long been fixed in Chrome 59, however might still be an issue with some browsers. Sometimes the URL could be a shortened URL, so that the real URL can hide behind the shortening. Take a look at this phishing link I received yesterday, for example https://tinyurl.com/SBI-0NLINE-KYC-PANCARD. It’s a short URL but also the ‘O’ of Online is actually the numeral ‘0’. And when I expand it using the + sign, this link points to the very dodgy website called https://sfe3-af.web.app/ which is a confirmed phishing site.
- Search Engine Phishing – With this one, the threat actor makes fake products, offers or messages that pop up at the top of the search results that lure the target to visit the source website. While the search engine is legit the result thrown up is a phish. The hapless visitor that lands on the page is asked for sensitive information before getting access to the product or offer, which gets delivered to the bad actors. The version of this sort of phishing that is currently happening a lot in India is where scammers are adding their own phone numbers to legit organizations on their Google business page. When the victim contacts that number the scammer asks them to reveal an OTP or other information.
- In-person phishing – This is again a new trend I am noticing where a Food delivery agent dressed in a genuine branded uniform polo shirt with the right logos of a food deliver app pretends to do a fake drop. And when the recipient refuses to accept the package which they obviously didn’t order, the delivery agent asks for an OTP to apparently ‘cancel’ the non-existent order.
- WhatsApp phishing – Another common trend in India was WhatsApp phish where the scammers would ask for the 6 digit code under the pretext that it was accidentally sent to the target. Once they have the 6 digit verification code they could connect their own device to the target’s WhatsApp, which is a legit facility provided by the texting service. However, once the account is taken over the next level contact list of the now victim, become the target, and get exposed to the scammer.
As always, let me end this section with a little anecdote that happened first hand. True story. This happened when I was managing the Scam Fraud Loss line for a leading bank. One fine day I got hit with this very obvious phishing email on my internal email. That part was obvious to me. But the mail had been forwarded by someone internal, another employee. This was shocking. I looked up this individual. He was a legit employee, his email address was accurate, it was not a spoofed email, and all the details looked picture perfect. I also looked him up on our corporate directory. And then suddenly, the penny dropped for me. As owner of the Scam prevention function, I had created a distribution list of more than 60 people including CXOs and this individual had forwarded this phishing email to the entire distro. He had unfortunately mistook the only other scam prevention sounding email list in the corporate directory to be the phishing reporting inbox. It requires some eye for detail to spot the difference between a corporate mailbox and a distribution list, I can understand. But this was the sort of oversight that folks could lose their jobs over. And our friend here had marked the email to a bunch of CXOs, no less. Anyhow, as owner of the list I had to quickly get into damage control mode and sent my distro list an email alerting them to not click any of the links.
I shared that story just to drive home the point that anyone can fall prey to a phishing scheme, and that too despite spotting it. And this is the sort of dangerous global pandemic that can get the best of us, despite all the metaphorical sanitisers and masks. Except that this virus is not just global but also keeps mutating. What’s worse is after every few years or so there are only multiple new variants that combat the tools that we developed to control the last variant.
Here are some imperative hygiene Do’s and Don’ts you can follow as part of your ‘How to beat the bad guys 101’ anti-phishing lesson.
- Always report a phish, to protect yourself and others from it. It takes a while to bring down phishing websites, and it is much harder to track down and arrest the scammers behind the phish. So, what you can do to mitigate the impact and run time of a phishing attack is by reporting it early.
- Always tread cautiously if you receive an unsolicited email, text or other communication from someone you don’t recognize, or not on your contact list.
- Always check the phone number of someone familiar in your own records. The display image in social media does not mean anything and could be stolen easily from your friend/colleague or other contact.
- Stop to think before you click on a link. Preferably check it on an app or website that checks a URL for phishing.
- To confirm the sender is indeed who they say they are, before you reveal any sensitive information contact the sender directly via another channel.
- Beware of abnormal requests from unexpected sources such as a senior management official or an IT official asking for your password.
- Ignore emails that contain very little text or are image only. They may hide malicious code.
- Regard emails that contain an HTML document as an attachment with suspicion, even if it appears as a payment advice or something important. Even as recently as early 2022, HTML attachments were being used as the most common attachment in phishing emails, as a successful strategy for escaping detection. Some time ago, there was the attack on Office 365 users, where the bad guys sent phishing emails with an HTML attachment. When the victim opens and downloads the attachment it opens in the browser and quickly redirects to the phishing page.
- Always hover the mouse over a suspicious or unknown person’s email to check if the domain name matches the organization the email has been supposedly sent from.
- For suspicious emails, always scan the email header to see if display name of the email sender matches the return path or Reply/Bounces to fields. If they differ the email name is spoofed and could indicate phishing.
- Always treat with suspicion emails or websites containing spelling and grammar errors, irregular fonts or punctuations, generic greetings, mismatched content or unprofessional sounding communication. I used to have a boss when I was an analyst. He always wrote his emails in a hurry without punctuations. He wrote in hurriedly written sentences with poor grammar and never did a spell check. We had a joke in the team that some day we would report him to the phishing inbox, accidentally.
- Always inspect a link first. Hover the mouse over a suspicious link before you click, and browsers show you at the bottom panel the intended destination, which may be different than what appears in the link you click on. You can even get this by copying link address with a right click and pasting to browser. Do not ‘paste and go’. Or you can check in the clipboard before you paste it into an app that verifies/checks suspicious links.
- Make sure to take down any sensitive information from public domains preferably at source, including phone number, address, job function details, organizational relationships, date of birth and other personal details. If you are unable to contact the website source directly you can even resort to getting your information removed from search results. Google has kindly offered to do this starting last year by filling out this online form https://support.google.com/websearch/troubleshooter/9685456.
- Search yourself online, and take stock of what information out there is public. Phishing always starts with little information that is out there (a phone number or email for instance).
- Always keep all of your social media profiles private or locked.
- Always have MFA authentication set up on all social media profiles, so even if you get accidentally phished, this adds a big stumbling block for scammers to actually break into your profile with just the compromised credentials.
- Never click on a link or open an attachment in an email you were not expecting. Even if it may sound urgent and exciting like a delivery or gift you were not expecting.
- Never ever share your password with a colleague, even in good faith. Passwords are meant to grant accesses and privileges meant only for you.
- Never click on shortened links provided by services like bit.ly or tinyurl.com without checking the full version. These can be used to trick unsuspecting clickers. Not all shortened links are bad, there are legitimate reasons for shorter format links like extremely long and tedious URLs. However, if there is obvious misdirection for ex. “https://www.flipkart.com” going to “http://trickphish.com/flipkart” (deliberately exaggerating that name for effect), or the true destination is obfuscated by an IP address without a name, these could be phishy signals. Turns out bad guys have figured a counter trick to hover by fudging the hover by small addition to the html command, but you should always look at the bottom of the screen to review the true destination.
- Never use a ready link provided in an email to visit the website, always go directly to the intended website by typing the URL into your browser, or from your bookmarks.
- Most importantly never be embarrassed. It can happen to the best of us. Even if you did fall for it, quickly alert your cyber security team about the incident who will follow the appropriate escalation and damage control protocols.
- Never forward messages/emails/texts, that sound phishy.
Shweta Patel is a Fraud & Financial Crime Strategy professional from Mumbai, with an MS in Applied Statistics from the Royal Melbourne Institute of Technology. A career spanning across India, Australia and N. America, banking & finance sectors she has served across financial products: asset, liability, brokerage/trading & prepaid accounts, while managing fraud losses to budgets and owning end-to-end strategy teams across Fraud Risk and AML & CTF.