Part II: Phishing and Malicious Web Pages – Attack Vectors
According to the SANS institute2: “phishing is a trick to get users to do something they otherwise would not do—click a malicious link, answer a question to provide personal details or provide their username and password to a suspicious person.” Phishing, in recent years, has become almost synonymous with suspicious emails. Still, numerous other phishes are delivered through text messaging or via a phone call: SMS Phishing (smishing) or Vocal Phishing (Vishing), respectively. Phishing generally takes advantage of a user’s sense of urgency to complete something for fear of losing access or privilege. Still, it can also take advantage of a user’s curiosity in the case of interesting-looking QR codes that lead to malicious sites or cleverly titled web links left on web pages or social media posts.
Successful phishes rely on a few key factors: authenticity, urgency, and trust.
i. Authenticity: Attackers use these common tactics to trick users into thinking the email is from an authentic source.
Attackers will craft email templates that mirror authentic templates to trick users into believing the email came from an authentic source. Attackers will purchase domains that have a slight typo from the true domain in an attempt to trick recipients into trusting the domain when read at a glance, e.g., itauditlabs.com and itauditIabs.com – the difference in the domain is that the second has an uppercase “i” rather than a lowercase “L” in the word “labs.”
These domains are used as the sender address and the landing page address. The redirect link is made to look authentic like Office 365 or a company portal to alleviate suspicions about the email being illegitimate. Frequently, attackers will copy an entire web page line-for-line to make the page appear as authentic as possible.
ii. Urgency: Attackers instill a sense of urgency with their victims in an attempt to force a higher response rate. Often, this will take the form of impersonating a supervisor to gain the user's trust and requiring a response for some project by a specific time or date. Likewise, using current events like COVID-191, threatening account lockouts if a password isn’t “changed,” or political unrest are all subjects that attackers will leverage as a catalyst to encourage a higher response rate. Finally, attackers will also schedule their emails to arrive when the employees are likely rushed. Sending an email early on a Monday morning when users are getting their week started and replying to mail from later the week prior can encourage users to read less carefully and simply instinctually follow instructions. Finally, they can also utilize a sense of urgency of losing out on a good deal to take advantage of a user. Some phishers place links to malicious websites that provide amazing deals on clothing, accessories, shoes, etc., where the primary intent of the webpage is to collect user data. Users will feel the need to purchase and submit payment cards or personal information to take advantage of a short-term deal.
iii. Trust: Attackers will research organizations and the employees to impersonate users in the organization that the phish targets regularly hear from. Likewise, attackers will utilize spoofed domains or spoofed email headers to make their emails appear as legitimate as possible to the recipients.
B. PHISHING GOALS.
Depending on the infrastructure being attacked and the level of phish attempted, an attacker may try to attain numerous objectives during a phishing attack.
i. User Credentials and Legitimate Sessions: The most common phish is one that replicates a sign-in page from the company website or other commonly utilized technology in an attempt to trick users into submitting their username and password combination. These cloned websites will always send the credentials submitted to the attacker’s server rather than the legitimate service, but in more sophisticated attacks, these pages will also ask for Multi-Factor authentication and send the user's credentials as well as a legitimate session token to the attacker allowing the attacker to piggy-back off a truly authentic session and bypass MFA.
ii. Bait for Response: Sometimes attackers will use their phish in an attempt to start a conversation with a user to gain additional trust, build a relationship, and gain additional information about the company or organization.
iii. Malicious Sites: Attackers may include a link that redirects the user to a malicious site that contains malicious web-code that executes on page-load, web-scrapers that grab details about the user's session like IP address or other machine details, cookie-hijackers intent on stealing legitimate session cookies to different websites, or pages that host malware for download that is disguised as legitimate software—also known as a Trojan. Malicious sites may also use an attack method called “Drive-by Downloads3” which automatically downloads malicious code onto the machine without user consent.3
iv: Malicious Attachments: These attacks are becoming less common as more robust endpoint detection systems and email malware detection has become more prevalent. But attackers may also include malicious documents like PDF, .doc, .xlsm, or malicious executables disguised as legitimate software for users to download and execute on their local system. Often, this malicious software will scrape useful information and send it to the attacker’s server or create a remote session for the attacker to connect to, giving them remote access.
By: Kyle Rozendaal