Post date: 24/11/23

Phishing Basics

Understanding Phishing

I checked Wikipedia first, as one does, and one of the earliest recorded phishing attacks was financially motivated. Most cyberattacks today are still financially motivated, but threat actors, whether individuals, groups or nation states, engage in phishing for a range of reasons.

Threat actors trick credulous victims into exposing themselves to exploitation. Most phishing attacks arrive as spam emails carrying a malicious link or attachment, or through social media platforms; phishing has become the go-to social engineering technique.

Attackers weaponise emails in two main ways: malicious attachments whose executable payloads install backdoors, credential stealers or keyloggers, and malicious links that lure users to fake sites which look legitimate but present forms or pop-ups asking for login credentials.

The countless techniques and technologies threat actors use, all aimed at getting hold of a victim's credentials and other private data, make an attack hard to see coming. Sophisticated social engineering (people hacking) can leave you unaware that the mail you received, the website you are on, or the person you are exchanging information with is not genuine.

  • Whaling → phishing aimed at executives and other high-profile targets
  • Spear phishing → tailored to a specific person or organisation, often using details researched about the target beforehand
  • Smishing → fraudulent text messages; phones run malware payloads too
  • Vishing → fraudulent voice calls
KEY WORDS: Tricking, baiting, malware, redirecting links, credentials, payload.

Motivation

Many victims of phishing and cyberattacks in general are intelligent and skilled in their own fields, yet naive or uninformed about cybersecurity. Breaches often start small but can escalate to cause significant damage to an organisation's or individual's reputation, finances or data.

For this reason, this diary collects tips to help internet users spot-check their online activity for potential phishing threats.

Credit to CompTIA, as this is also inspired by their Security+ certification, in the hope that candidates pick up a thing or two to broaden their knowledge of this module (phishing) in preparation for the Sec+ exam.

You have probably heard of cyberattacks on nations, businesses and organisations. There seems to be no lucky keystroke to end this. Some of these victims are capable of at least putting some security measures in place, so why don't they, I ask. Well, after reading the post Cybersecurity breaches survey 2023 - GOV.UK (www.gov.uk) I could say there is hope, but still a long way to go according to the stats provided. Under the “cyber accreditations and following guidance” section, what caught my eye was that larger organisations are mostly unaware of cybersecurity policies and guidance. Whoops!

Back to phishing. My bit as a learner in this field is to share. I thought to myself: what if we could put threat awareness in the hands of employees and the average internet user? At some level this could make a difference, since the weakest link in almost every cyberattack is … the human.

In my opinion, threat awareness should be general knowledge for all internet users.

What Could Go Wrong

So, what could go wrong? I can block my credit card or reset my password. However, things may not be as they seem, and there may be too little or no time for a rescue.

  • Credential and identity thefts

    Thinking "I've got nothing to hide" is a mistake: threat actors getting hold of my credentials and identity is a big win for them, as that information can and will be used to impersonate me, trick a relative out of money, or post on my social accounts to damage my reputation. Oops.

    An attacker who manages to drop a backdoor or keylogger payload can in some cases reach my financial details, such as card numbers and other private information, while I have no idea my own computer is leaking my secrets. Oops.

  • Data Breach

    Work for an organisation? I sure hope the leak of customer data won't be because I unknowingly clicked a link that installed a data-stealing payload. Falling victim to a phishing attack can expose your own and the organisation's data, or lock access to the data and resources needed for the daily operation of the business.

  • Ransomware

    How deep is the pocket? If there is no backup I might well pay to get precious family memories decrypted, or pay to keep serving the customers relying on me. If I am fortunate the decryption keys will even work. This is not a situation to be in. Organisations should invest in measures to prevent ransomware, as a successful attack can cost far more than the prevention would have.

Threat Aware

Files

  • Double extensions
    • The real file type is the last extension, and Windows hides known extensions by default, so a file named payslip.xlsm.exe is displayed as payslip.xlsm yet runs as an executable. The reverse, payslip.exe.xlsm, is still a macro-enabled workbook. Treat any name with two extensions as suspicious.
    • A related trick is double URL encoding: a filter or script that decodes a URL once can miss a payload that was encoded twice, because the next component decodes it again and the hidden value comes out.
  • Double-check links before clicking on them, because google.com and googIe.com (with a capital i) are not the same domain.
  • Be cautious when opening macro-enabled files (the extension usually ends in 'm', e.g. .docm or .xlsm); open them in a VM or with macros disabled.
  • File names that don't seem right, usually exaggerated to provoke an urgent reaction (URGENT, FINAL NOTICE, OVERDUE).
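The three file checks above (true extension, macro-enabled suffix, and the macro project inside a modern Office document) as an added Python example; this is not code from the original post. It assumes a short list of executable and document extensions, and builds two constructed zip archives that stand in for an .xlsx and an .xlsm, since modern Office files are zip containers and VBA macros live in a vbaProject.bin part. Legacy binary formats (.doc, .xls) are OLE files, not zips, and need a different parser such as oletools.

```python
import io
import re
import zipfile

# Assumption: practical shortlists for the demo, not exhaustive lists.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs",
                   "js", "jse", "wsf", "hta", "msi", "lnk"}
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
KNOWN_EXTS = EXECUTABLE_EXTS | MACRO_EXTS | DOCUMENT_EXTS
URGENCY = re.compile(r"urgent|final|overdue|immediate|action required|suspended", re.I)


def analyze_filename(name: str) -> dict:
    """Judge a file by its real (last) extension, not the one an attacker wants seen."""
    exts = name.lower().split(".")[1:]
    true_ext = exts[-1] if exts else ""
    return {
        "true_extension": true_ext,
        # What Windows shows with "hide extensions for known file types" switched on.
        "displayed_name": name.rsplit(".", 1)[0] if exts else name,
        "executable": true_ext in EXECUTABLE_EXTS,
        "macro_enabled": true_ext in MACRO_EXTS,
        # Two recognised extensions back to back, e.g. payslip.xlsm.exe
        "double_extension": len(exts) >= 2 and exts[-2] in KNOWN_EXTS,
        "urgency_wording": bool(URGENCY.search(name)),
    }


def contains_vba_project(data: bytes) -> bool:
    """Modern Office files are zip archives; VBA macros live in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        # Legacy OLE formats (.doc/.xls) are not zips; use oletools for those.
        return False


def _office_zip(with_macro: bool) -> bytes:
    """Constructed stand-in for an OOXML workbook; only the part names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


SAMPLE_XLSX = _office_zip(with_macro=False)   # constructed, no macros
SAMPLE_XLSM = _office_zip(with_macro=True)    # constructed, carries a VBA project

if __name__ == "__main__":
    for n in ("payslip.xlsm.exe", "payslip.exe.xlsm", "Q3 report.xlsx", "URGENT invoice.pdf.js"):
        print(f"{n:25} -> {analyze_filename(n)}")
    print("xlsx has macros:", contains_vba_project(SAMPLE_XLSX))
    print("xlsm has macros:", contains_vba_project(SAMPLE_XLSM))
```

The zip check is deliberately cheap: it answers "does this document carry any macro at all" without executing or even parsing the VBA, which is the question to settle before opening an unexpected attachment.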

URLs and Emails

  • Hovering over a link makes the browser display the full URL, usually in the bottom left corner of the window.
  • Right-click to copy a link, then check the domain with a third-party service such as VirusTotal.
  • Link-expander services can reverse shortened URLs, and some shorteners offer a preview themselves (for example, appending '+' to a bit.ly link shows where it points).
  • Most legitimate websites use HTTPS (SSL/TLS). A URL using http:// instead of https:// is a warning sign, but the reverse is no guarantee: phishing sites obtain certificates too, and the padlock only means the connection is encrypted, not that the site is genuine.
  • Watch out for pop-ups
    • Do not click your way through pop-ups; take five seconds to read them.
  • Re-check the sender's address whenever an email carries attachments or links; the display name is chosen by the sender and proves nothing.
  • Most organisations use their own domain for departmental email addresses rather than Gmail, Yahoo, Outlook and the like (customersupport@amazon.com vs customersupport@gmail.com).
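The URL and sender checks above, plus the double-encoding point from the Files section, as an added Python example; this is not code from the original post. The brand list, freemail list and the confusable-character map are assumptions for the demo, and registrable_domain keeps only the last two labels, which is a simplification that mishandles suffixes such as co.uk.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumptions for the demo: a handful of brands and freemail providers, not a real feed.
BRANDS = {"google.com", "amazon.com", "microsoft.com", "paypal.com"}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def skeleton(host: str) -> str:
    """Collapse visually confusable characters so look-alike hostnames compare equal."""
    # Map before lowercasing: a capital I imitates a lowercase l in sans-serif fonts.
    s = host.translate(str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"}))
    s = s.lower()
    for pair, single in (("rn", "m"), ("vv", "w")):
        s = s.replace(pair, single)
    return s


def registrable_domain(host: str) -> str:
    """Last two labels only (assumption); ignores multi-part suffixes like co.uk."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike(domain: str) -> Optional[str]:
    """Return the brand this domain imitates, or None if it is the brand itself or unrelated."""
    reg = registrable_domain(domain)
    for brand in BRANDS:
        if reg.lower() != brand and skeleton(reg) == skeleton(brand):
            return brand
    return None


def decode_rounds(s: str, limit: int = 5) -> tuple:
    """Percent-decode until stable; more than one round means the value was encoded twice."""
    rounds = 0
    while rounds < limit:
        decoded = unquote(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    return s, rounds


def check_url(url: str) -> dict:
    parts = urlsplit(url)
    # Keep the original case: urlsplit().hostname lowercases, which would hide 'googIe'.
    host = parts.netloc.rsplit("@", 1)[-1].split(":")[0]
    target = parts.path + ("?" + parts.query if parts.query else "")
    decoded, rounds = decode_rounds(target)
    return {
        "host": host,
        "insecure_scheme": parts.scheme.lower() != "https",
        "punycode": any(lbl.lower().startswith("xn--") for lbl in host.split(".")),
        "lookalike_of": lookalike(host),
        "double_encoded": rounds > 1,
        "decoded_path": decoded,
    }


def check_sender(address: str) -> dict:
    domain = address.rpartition("@")[2]
    return {
        "domain": domain,
        "freemail": domain.lower() in FREEMAIL,
        "lookalike_of": lookalike(domain),
    }


if __name__ == "__main__":
    for u in ("http://googIe.com/login", "https://www.google.com/",
              "https://example.com/download?file=%252e%252e%252fetc%252fpasswd"):
        print(u, "->", check_url(u))
    for a in ("customersupport@amazon.com", "customersuppport@gmail.com", "support@arnazon.com"):
        print(a, "->", check_sender(a))
```

The skeleton comparison is a heuristic, so it should raise a flag for a human to look at rather than block on its own; the double-encoding check is the mirror image of the bypass, decoding repeatedly until nothing changes so that a second layer of %25 encoding cannot hide the real path.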

Prevention & Detection

  • Apply updates and patches: most phishing payloads exploit known, already-patched vulnerabilities. True zero-days by definition have no patch yet, so patching reduces exposure rather than eliminating it.
  • Multi-factor authentication as a second layer in case credentials leak, and a password manager, which also refuses to autofill on a look-alike domain, a useful phishing tell in itself.
  • Up-to-date antivirus, and macros disabled (or blocked for files that came from the internet).
  • oletools (olevba in particular) for analysing a suspicious Office file that lands in the inbox; it extracts the macros and flags auto-execution triggers and suspicious keywords.

Knowledge Sources

  • TryHackMe Phishing Rooms
  • CompTIA Sec+ Study Guide
  • Wikipedia