In the first part of this two-part post, we detailed some of the most common phishing techniques currently used by hackers, including email phishing, smishing and content spoofing. Here are some additional schemes you should be aware of.
Traditional email phishing uses a “spray and pray” approach: send as many emails to as many people as possible. Spear phishing, on the other hand, is a targeted attack in which the attacker goes after a narrower audience, an individual or a specific organization. With a little research on the person or company (names, titles, vendors and current projects are often available from public sources such as LinkedIn or the company website), the message can be tailored so that it is far more likely to manipulate the recipient into divulging private information or approving a payment. The email may appear to come from a supervisor, such as the CEO of the firm, or someone else in authority; the sender's display name is set to the executive's name while the actual address is a lookalike domain or a free webmail account.
Keystroke logging is the recording of the keys struck on a keyboard; the captured data is then sent to the attacker, who extracts passwords and other sensitive information from it. Keystrokes can be captured in many ways. Researchers have shown that typing can be recovered from the sound of the keys, some hardware devices capture data as it is exchanged between wireless keyboards and their receivers, and inline hardware keyloggers can be plugged in between a keyboard and the computer. There is also malware that infects the system and transmits keystroke data directly to the attacker. Smartphones are not immune: keystroke-logging apps, often marketed as “monitoring” software, are relatively common and easy to purchase online.
Some websites offer an on-screen (virtual) keyboard operated by mouse clicks as a way to combat keyloggers. This defeats hardware keyloggers and simple key-hook malware, but not malware that captures screenshots or mouse positions, so it is a partial measure at best. Multi-factor authentication limits the damage regardless of how a password was captured.
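The CEO-impersonation pattern described above has a few header-level tells that a mail filter or a SOC triage script can check mechanically: an executive's display name paired with an address that is not theirs, a Reply-To that quietly redirects answers to a third mailbox, and pressure language in the subject. The following is an added example written for this page, not code from the original post or from Single Path; the organization domain, the executive list, the urgency cue list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for the example (not from the original post):
# the organisation's mail domain and the executives attackers like to imitate.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # normalised display name -> real address
URGENCY_CUES = ("urgent", "wire", "confidential", "immediately", "gift card")


def normalize_name(name: str) -> str:
    """Collapse case and whitespace so 'JANE  Doe' and 'Jane Doe' compare equal."""
    return " ".join(name.lower().split())


def address_domain(addr: str) -> str:
    """Return the domain part of an address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spear_phish_indicators(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    name = normalize_name(from_name)
    from_dom = address_domain(from_addr)

    # 1. Display-name spoofing: the name is an executive's, the address is not.
    if name in EXECUTIVES and from_addr.lower() != EXECUTIVES[name]:
        where = "an external domain" if from_dom != ORG_DOMAIN else "the wrong mailbox"
        findings.append(f"'{from_name}' impersonated from {where}: {from_addr}")

    # 2. A Reply-To outside the sender's domain diverts the victim's answers.
    if reply_addr and address_domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} diverges from From domain {from_dom}")

    # 3. Pressure language typical of CEO-fraud lures.
    subject = msg.get("Subject", "").lower()
    hits = [cue for cue in URGENCY_CUES if cue in subject]
    if hits:
        findings.append("urgency cues in subject: " + ", ".join(hits))

    return findings


# Constructed sample messages: a CEO-fraud lure and a genuine internal note.
LURE = """\
From: Jane Doe <jane.doe@gmail.example>
Reply-To: ceo.janedoe@mail.example
To: accounts@example.com
Subject: Urgent wire transfer - confidential

Please process the attached invoice today. I am in a meeting, do not call.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers

Thanks for the report.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, spear_phish_indicators(raw))
```

Run against the lure, the function reports all three indicators; the genuine note produces none. In production the executive list would come from the directory, and the display-name check is usually combined with an "external sender" banner so that a spoofed name is visibly contradicted by the mail client itself.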
Malvertising is advertising that looks legitimate but contains active scripts that download malware or unwanted content onto your computer, or that redirect the browser to a page which attempts to exploit it. Generally, the advertising network or website is unaware it is delivering malicious content, and any visitor to the site risks infection. Sites that have carried malvertising include the New York Times, the NFL and AOL.
How is that possible? The Center for Internet Security explains: “Many websites, especially large ones with several hundred thousand users per day, rely on third party vendors and software in order to display its ads, which in turn reduces the direct oversight and the amount of vetting that takes place. This automation makes online ads vulnerable to malvertising.” Since the ads on a page change constantly, one visitor can be infected while the next ten people who visit the exact same page are not, which makes the source difficult to track.
Many malvertising campaigns exploit vulnerabilities in Adobe Flash. There is no foolproof way to avoid infection, but disabling or removing Flash limits the risk considerably, as does keeping the browser and its plugins patched. (Flash reached end of life in December 2020 and current browsers no longer run it; the same advice applies to any other plugin or extension you do not need.)
Search Engine Phishing
Just because a site appears in your Google or Bing search results doesn’t mean it is safe. Malicious sites can take advantage of search engine optimization, and of paid search ads, just as legitimate sites do. Some sites are designed to entice users with low-cost products or services but exist only to collect credit card details; others imitate bank websites offering low-rate credit cards or loans. Check the domain in the address bar against the one you expect before entering anything.
Man In The Middle
This is one of the more sophisticated phishing techniques. An attacker positions themselves between two systems, usually between a consumer and an authentic website (for example by running a rogue Wi-Fi hotspot or a proxy the victim has been lured through), and relays the traffic. The attacker can observe the details of a transaction, read messages and gather financial or personal information without either party being aware of the interception, and can modify messages in transit to extract confidential information while it still appears that the two parties are communicating normally.
There are ways to thwart such attacks, or at least make them more difficult, including email encryption (S/MIME or PGP), using TLS-protected sites and never clicking past a browser certificate warning, and implementing certificate-based (mutual TLS) authentication on your, or your organization’s, computers. The common thread is that the client must actually verify the certificate it is presented with; a client that skips that check will happily talk to the attacker.
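The weakest link in "certificate-based" protection is usually a client that has been told to skip verification. The following is an added example for this page, not code from the original post or from Single Path: it builds the insecure client configuration that makes a man-in-the-middle trivial (the Python equivalent of `verify=False`) next to a hardened one, and a small audit function that reports the settings an interceptor relies on. It uses only the standard `ssl` module and makes no network connection.

```python
import ssl


def insecure_context() -> ssl.SSLContext:
    """The configuration that makes a man-in-the-middle trivial.

    With verify_mode CERT_NONE the client accepts any certificate, including one
    an interceptor generated a second ago for the site being visited. This is what
    ssl._create_unverified_context() and requests' verify=False amount to.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """A client context that actually authenticates the server.

    create_default_context() loads the system CA store, requires a chain that
    validates to it, and checks the certificate's name against the host being
    contacted; the explicit floor keeps legacy protocol versions out.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the settings in a client context that an interceptor could exploit."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate, "
                        "including an attacker's, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any "
                        "other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2 allows downgrade to "
                        "legacy protocol versions")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_context()),
                       ("hardened", hardened_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

The same three properties are worth grepping for in code review: any `verify=False`, `CERT_NONE` or `check_hostname = False` in a production client is a standing invitation to the interception described above, and mutual TLS on top of it is only as good as the server verification it is paired with.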
Social Media Phishing
With the popularity of social media, it should be no surprise that a number of phishing schemes have been developed to take advantage of these sites. One example is “angler phishing,” named after the anglerfish, which uses a glowing lure to attract prey (you may remember this fish from a scene in Finding Nemo). In this attack the scammer sets up a fake customer-service account impersonating a bank or retailer, typically with a handle that differs from the real one by an added word or a swapped character, and replies to customers who have publicly complained to the genuine brand. Those customers share personal data, convinced they are communicating with staff from a trusted company.
In fact, according to Internet security company Fraud Watch International, social media phishing increased by 150% between 2015 and 2016, and “In 2015, a study showed that of all the social media accounts supposedly owned by renowned brands across various industries (such as Amazon, Starbucks, Chanel, Nike, BMW, Shell, Samsung and Sony), 19% were fake.”
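Both the search-engine phishing above and angler phishing rely on the same trick: a domain or account handle that reads as the brand but is not the brand. The check below is an added example for this page, not code from the original post or from Single Path, and serves both sections: it canonicalises a handle or domain (case, separators, digit and Cyrillic look-alikes, "rn" for "m"), then flags anything that embeds the brand string or sits within one edit of it without being on the verified list. The brand "AcmeBank", its verified handles and domains, the confusables table and the suffix list are all constructed assumptions.

```python
import unicodedata

# Constructed assumptions (not from the original post): a fictional brand and
# the handles and domains it actually controls.
BRAND = "acmebank"
VERIFIED_HANDLES = {"@AcmeBank", "@AcmeBankHelp"}
VERIFIED_DOMAINS = {"acmebank.com"}

# Characters attackers substitute for Latin letters. Cyrillic letters are written
# as escapes because they are visually identical to the Latin ones they mimic.
CYRILLIC = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                          "\u0441": "c", "\u0445": "x", "\u0443": "y"})
DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
                        "|": "l", "!": "i"})
MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))
# Words commonly appended to a brand name by impostor accounts and domains.
SUFFIXES = ("support", "help", "care", "official", "team", "login", "secure")


def canonical(text: str) -> str:
    """Reduce a handle or domain label to the string a reader 'sees'."""
    t = text.lstrip("@").lower().translate(CYRILLIC)
    t = unicodedata.normalize("NFKD", t).encode("ascii", "ignore").decode()  # strip accents
    t = t.translate(DIGITS)
    for seq, rep in MULTI:
        t = t.replace(seq, rep)
    return "".join(c for c in t if c.isalnum())  # drop _ . - and other separators


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single dropped or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, brand: str = BRAND) -> bool:
    c, b = canonical(candidate), canonical(brand)
    if b in c:                       # brand embedded: acmebank_support, secure-acmebank
        return True
    cores = [c] + [c[:-len(s)] for s in SUFFIXES if c.endswith(s) and len(c) > len(s)]
    return any(levenshtein(core, b) <= 1 for core in cores)


def classify_handle(handle: str, verified=VERIFIED_HANDLES, brand: str = BRAND) -> str:
    """'verified', 'lookalike' or 'unrelated' for a social-media handle."""
    if handle.lower() in {v.lower() for v in verified}:   # handles are case-insensitive
        return "verified"
    return "lookalike" if is_lookalike(handle, brand) else "unrelated"


def classify_domain(domain: str, verified=VERIFIED_DOMAINS, brand: str = BRAND) -> str:
    """'verified', 'lookalike' or 'unrelated' for a hostname from a search result."""
    d = domain.lower().rstrip(".")
    if any(d == v or d.endswith("." + v) for v in verified):  # real subdomains pass
        return "verified"
    labels = d.split(".")
    registrable = ".".join(labels[:-1]) if len(labels) > 1 else d  # everything but the TLD
    return "lookalike" if is_lookalike(registrable, brand) else "unrelated"


if __name__ == "__main__":
    for h in ("@AcmeBank", "@AcmeBank_Support", "@AcrneBank", "@Acm\u0435Bank", "@RiverBank"):
        print(h, classify_handle(h))
    for d in ("login.acmebank.com", "acme-bank-login.com", "secure-acrnebank.net", "riverbank.com"):
        print(d, classify_domain(d))
```

The "embedded brand" rule is deliberately aggressive: for a bank, any account or domain that contains its name and is not on the verified list deserves a second look, and the cost of a false positive here is one extra check rather than a leaked card number.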
We Stand With You
No one can be vigilant all the time, and attackers continue to develop new strategies and tools to slip past even the most observant users. A partner like Single Path can help. We can train employees, establish procedures and protocols, and both install and maintain the software and hardware you need to guard against the majority of attacks. We can also provide guidance if or when your security is breached. With Single Path Security offerings you get a security leader and extensive, customized services.