Recently, a ransomware attack, triggered by phishing emails carrying the WannaCry virus, has infected thousands of systems globally and may escalate further. The virus, dubbed WannaCry, a so-called ransomware, has locked up more than 100,000 computers and sent cybersecurity experts scrambling to patch computers and restore infected ones.
The aim of this blog is to spread awareness of what these phishing emails are and how we can identify them. Let's understand phishing.
One of the major security issues facing internet users these days is "phishing". Phishing is a fraudulent attempt to acquire financial and personal information such as usernames, passwords, credit card numbers, social security numbers, dates of birth, etc. It is a form of email spoofing in which a legitimate-looking email is sent to targeted users. These emails appear to come from familiar and authentic websites. They usually include exciting or alarming statements and suspicious hyperlinks that redirect unsuspecting internet users to a fake website.
TYPES OF PHISHING ATTACKS
1) Deceptive Phishing:
This type of phishing attack broadcasts phishing emails to a wide group of recipients with the intention of acquiring their confidential information. Typical messages ask users to verify account information, claim that a system failure requires users to re-enter their information, report fictitious account charges or undesirable account changes, or offer new free services requiring quick action, among many other such scams.
2) Malware-Based Phishing:
These attacks try to install malicious software on users' PCs. Malware can be introduced as an email attachment, as a downloadable file from a website, or by exploiting known security vulnerabilities, such as unpatched software applications.
3) Keyloggers And Screenloggers:
In this attack, keyboard input is captured and the relevant information is sent to the attacker over the Internet. Keyloggers embed themselves as small utility programs, device drivers or screen monitors that run automatically inside the system.
4) Session Hijacking:
Users' activity is observed until they sign in to their account or perform a transaction, thereby establishing their authentic credentials. At that point the malicious software commits unauthorized actions, such as transferring funds, without the user's knowledge.
5) Web Trojans:
Web Trojans pop up invisibly when users attempt to log in. They capture the legitimate login information locally and pass it on to the attacker.
6) Hosts File Poisoning:
Most users' PCs running a Microsoft Windows operating system first look up "host names" in their "hosts" file before performing a Domain Name System (DNS) lookup. By "poisoning" the hosts file, hackers have a bogus address returned, taking the user unknowingly to a fake, similar-looking website where their information can be stolen.
7) System Reconfiguration:
These attacks alter settings on a user's PC for malicious purposes. For example, URLs in a favorites file might be modified to direct users to look-alike websites: a bank website URL may be changed from "citibank.com" to "citybank.com".
8) Data Theft:
Data theft is a widely used approach to business espionage. By stealing confidential communications, design documents, legal opinions, employee records, etc., thieves profit by selling them to competitors or to those who want to embarrass the victim or cause it economic damage.
9) DNS-Based Phishing ("Pharming"):
Pharming is Domain Name System (DNS)-based phishing. In this scheme, hackers manipulate a company's hosts files or domain name system so that requests for URLs or name service return a forged address and further communications are directed to a fake website. The result: users unwittingly enter confidential information and are defrauded by hackers.
10) Content-Injection Phishing:
This describes the situation where hackers replace part of the content of a legitimate site with false content designed to mislead or misdirect the user into giving up their confidential information to the hacker. For example, hackers may insert malicious code that logs users' credentials, or an overlay that secretly collects information and delivers it to the hacker's phishing server.
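Hosts file poisoning (type 6 above) is one of the few items in this list that a defender can audit with a few lines of code, because the hosts file is plain text. The following is an added example, not code from the original post: it parses hosts-file content and flags any entry that pins a public-looking domain name to an address outside the loopback, link-local and private (RFC 1918 / ULA) ranges, which is exactly what a poisoned entry looks like. The sample hosts content is constructed for the demo, the address 203.0.113.45 is from a documentation range standing in for an attacker-controlled host, and the list of "local" name suffixes is an assumption you may need to extend for your environment.

```python
import ipaddress

# Constructed hosts-file content (not taken from a real machine). The last line
# is the kind of entry hosts-file poisoning leaves behind: a bank's real domain
# pinned to an address the attacker controls (203.0.113.0/24 is a documentation
# range, used here as a stand-in for that address).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan        # internal device, fine
203.0.113.45    www.citibank.com citibank.com
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Suffixes treated as internal names (assumption; extend for your own site).
LOCAL_SUFFIXES = (".lan", ".local", ".localdomain", ".home", ".internal")


def parse_hosts(text):
    """Yield (address, [hostnames]) for each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if line:
            fields = line.split()
            yield fields[0], fields[1:]


def is_local_address(addr):
    """Loopback, link-local and RFC 1918 / ULA addresses are expected in a hosts file."""
    return (addr.is_loopback or addr.is_link_local
            or any(addr in net for net in PRIVATE_NETS))


def suspicious_entries(text):
    """Return (address, hostname, reason) for entries that map a public-looking
    name to a non-local address, i.e. what a poisoned hosts file looks like."""
    flagged = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, " ".join(names), "unparseable address"))
            continue
        if is_local_address(addr):
            continue
        for name in names:
            # A dotted name that is not an internal suffix is a public domain;
            # pinning it to an external address overrides DNS for that site.
            if "." in name and not name.lower().endswith(LOCAL_SUFFIXES):
                flagged.append((ip, name, "public domain pinned to external address"))
    return flagged


def audit_file(path):
    """Audit a real hosts file (e.g. /etc/hosts, or
    C:\\Windows\\System32\\drivers\\etc\\hosts on Windows)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HOSTS):
        print(*entry)
```

Run periodically (or from an endpoint agent) with audit_file() pointed at the real hosts file; any hit for a domain you do not manage deserves a look, since legitimate software rarely needs to override public names there.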
TESTING & IDENTIFYING A PHISHING EMAIL
Below are various attributes that capture the characteristics of phishing emails and help to test whether an email is a phishing email:
1. Attribute : URL
URL containing an IP address
Example : http://184.108.40.206/signin.ebay.com
2. Attribute : Domain Name
Number of dots or periods in the domain name
Example : More than 3 dots cast doubt on the legitimacy of the site
3. Attribute : Hyperlinks
Hyperlinks in the email do not route to the location they appear to.
Unusually long hyperlinks
Example : http://payment2.works.com/wpm/validatecode=2139877...nvuhufyeru993fu
Disparity between the "href" attribute and the link text
Example : <a href="http://www.bogus.com">Paypal.com</a> instead of <a href="http://www.paypal.com">Paypal.com</a>
4. Attribute : Keywords
Words that frequently appear in phishing emails.
Example : Win!; Jackpot; Update; Confirm; Click; Here; Login; User; Customer; Client;
5. Attribute : Input Fields
Phishing sites usually require users to input their personal information and hence embed input fields.
Example : Enter Password, User ID, Security No., Account No., Credit Card No., etc.
6. Attribute : HTML Content
Phishing emails use the content-type "text/html" in order to include HTML links.
Example : Content-type "text/html" instead of "text/plain"
Example : Use of
8. Absence of personalized information
Phishing emails do not contain personalized content about the user.
Example : Address without the name of the recipient; lack of the last 4 digits of the recipient's account no.
9. Disparity between domain names in email and sender’s domain name
Phishing emails have a mismatch between domain names present inside the email and the sender's domain (the domain name referred to by the "From" field of the same email).
Phishing emails use different ruses to create a sense of urgency to trap the recipient:
(a) The customer's account may be frozen if account details are not provided within a specified time.
(b) Fraudulent activity involving the user's account has been detected and the user must therefore provide information urgently, etc.
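The attributes above are all mechanically checkable, and putting them in one place shows how a mail filter or triage script scores a message. The following is an added example, not code from the original post: it parses a raw email with Python's standard library, extracts hyperlinks from an HTML body (or bare URLs from a plain one), and reports which of the listed attributes are present: an IP-address URL, too many dots in a host, an unusually long URL, a mismatch between the href and the visible link text, a mismatch between link domains and the From domain, HTML content-type, embedded input fields, suspicious keywords (the list above plus the urgency words from the last item) and a generic, non-personalized greeting. Both sample messages are constructed for the demo, the thresholds (3 dots, 75 characters) and the "last two labels" notion of a registered domain are assumptions, and the flag names are this example's own.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real emails). The first shows several of
# the attributes listed above; the second is a benign message for comparison.
PHISHING_EMAIL = """\
From: "PayPal Support" <support@paypal-secure-login.com>
To: customer@example.com
Subject: Urgent: Confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Your account may be frozen. Click
<a href="http://184.108.40.206/signin.ebay.com">Paypal.com</a>
to confirm and login now.</p>
<form><input name="password"></form>
</body></html>
"""

BENIGN_EMAIL = """\
From: "Example Bank" <notices@example.com>
To: alice@example.net
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Hi Alice, the statement for your account ending 1234 is available at
https://www.example.com/statements
"""

# Keyword list from the article plus the urgency words it describes.
SUSPICIOUS_KEYWORDS = {"win", "jackpot", "update", "confirm", "click", "here",
                       "login", "user", "customer", "client", "urgent", "frozen"}
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
GENERIC_GREETING_RE = re.compile(r"\bdear\s+(customer|user|client|member)\b", re.I)
MAX_DOTS, MAX_URL_LEN = 3, 75   # thresholds are assumptions for this demo


class _BodyParser(HTMLParser):
    """Collect (href, link text) pairs, count <input> fields, gather visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self.inputs = [], [], 0
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)
        elif tag == "input":
            self.inputs += 1

    def handle_data(self, data):
        self.text.append(data)
        if self._current is not None:          # text inside the current <a>
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def registrable(host):
    """Crude 'registered domain': the last two labels of the host (assumption)."""
    return ".".join(host.lower().strip().split(".")[-2:])


def analyze(raw):
    """Return a list of (flag, detail) pairs for the attributes found in the email."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    findings = []

    if part is not None and part.get_content_type() == "text/html":
        findings.append(("html_content", "Content-Type is text/html"))
        parser = _BodyParser()
        parser.feed(body)
        links, text, inputs = parser.links, " ".join(parser.text), parser.inputs
    else:  # plain text: each bare URL is its own link text
        links = [[u, u] for u in re.findall(r"https?://\S+", body)]
        text, inputs = body, 0

    for href, link_text in links:
        host = urlparse(href).hostname or ""
        if IPV4_RE.match(host):
            findings.append(("ip_url", href))
        if host.count(".") > MAX_DOTS:
            findings.append(("many_dots", host))
        if len(href) > MAX_URL_LEN:
            findings.append(("long_url", href))
        shown = link_text.strip().lower()
        if "://" in shown:                      # link text is itself a URL
            shown = urlparse(shown).hostname or ""
        if "." in shown and " " not in shown and registrable(shown) != registrable(host):
            findings.append(("href_text_mismatch", f"{shown} -> {host}"))
        if host and registrable(host) != registrable(sender_domain):
            findings.append(("sender_domain_mismatch", f"{host} vs {sender_domain}"))

    if inputs:
        findings.append(("input_fields", f"{inputs} <input> element(s)"))
    hits = sorted(set(re.findall(r"[a-z]+", text.lower())) & SUSPICIOUS_KEYWORDS)
    if hits:
        findings.append(("keywords", ", ".join(hits)))
    if GENERIC_GREETING_RE.search(text):
        findings.append(("not_personalized", "generic greeting"))
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyze(sample))
```

No single flag is conclusive (plenty of legitimate newsletters are HTML with generic greetings), which is why the function returns every finding rather than a verdict; a filter would weight them, and a single sender-domain mismatch on a message that also asks for a password is the combination worth escalating.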
The financial loss incurred by internet users and organizations due to phishing is growing rapidly day by day. I hope this blog will help spread awareness of malicious cyber attacks.
Find my research papers on phishing at the links below: