As brought up in the social engineering post in this series, while attacks can rely on sophisticated payloads to accomplish malicious goals, oftentimes the point of entry is an action taken by an unsuspecting human. In that social engineering post, I also highlighted that humans are the last line of defense for an organization in terms of information security. Threat actors will attempt to exploit vulnerabilities in human behavior using tactics such as familiarity/liking, authority, intimidation, consensus/social proof, scarcity, and urgency. Messaging platforms are a common attack vector for threat actors, with phishing campaigns as the tactic. Phishing is a type of social engineering attack in which a threat actor sends a message, for instance an email, to a target with the purpose of getting the target to do something that triggers a malicious act. One example is a link in the email to a legitimate-looking website that asks the target to log in, which allows the attacker to obtain the target's credentials. Another example is a malicious file attached to the email that injects a malicious payload into the target system when opened. Phishing can take multiple forms and leverage multiple vectors. In the rest of this post, we will go over some of the different types of phishing attacks.
A spear phishing attack is a targeted phishing attack. Rather than a broad phishing campaign sent to a large number of people, spear phishing attacks are aimed at specific individuals or specific groups of individuals. Attackers may perform reconnaissance to gather specific information about the targets and tailor the campaign to make it more believable to them. Individuals are more likely to click a link or download and execute a file if they feel that the email was sent specifically to them for a reason, and if it calls out facts about them that cause them to trust the message.
Whaling attacks bank on the prospect of low effort and high reward. Whaling attacks are similar to spear phishing attacks in that they are targeted at specific individuals. However, whaling attacks are further targeted at executives or wealthy people. The idea behind whaling attacks is twofold: these individuals are high-value, high-reward targets, and the threat actors hope that these targets are not as aware of cybersecurity threats as they should be.
Vishing is a variant of the traditional phishing attack in that the vector is voice communications rather than email. Threat actors will try to get targets on the phone in hopes that they can trick them into doing something they should not do.
SMiShing is another variant of the traditional email phishing attack that leverages SMS texting as the vector. These attacks seem to be very popular these days, and I can see how they can be effective for a few reasons. First, it seems to be an accepted practice that text messages are short and succinct, and may even skip common words in order to keep messages short. Because of this, targets may not be as alert to spelling and grammar issues in text messages as they would be in emails. Secondly, these messages will typically contain links, but the links will be shortened, and you cannot exactly hover over a link in a text message on a mobile device (at least that I am aware of) with a cursor to see where it is actually going before you click it, like you can with an email. Finally, so many legitimate services leverage text messaging to communicate updates to customers and ask for feedback. Threat actors know this and try to exploit that practice by posing as legitimate companies to lure targets into clicking and following malicious links.
Although technical controls are great assets to organizations in terms of cyber threat defense, the human element is still the last line of defense when it comes to cybersecurity. Threat actors continue to try to leverage the actions and reactions of people to get initial footholds into systems and networks. Phishing and its variants are very popular methods for threat actors to gain that initial access. Cybersecurity awareness training is vital for all employees in an organization, regardless of role.