Source: http://o365info.com/what-is-the-meaning-of-mail-phishing-attack-simple-words-part-4-of-9/ | Eyal Doron | o365info.com
Page 1 of 20 | What is the meaning of mail Phishing attack in simple words? | Part 4#9
Written by Eyal Doron | o365info.com | Copyright © 2012-2016
What is the meaning of mail Phishing attack in simple words? | Part 4#9
In the current article, we will continue our journey into the land of “mail threats and dangers,” and this time our main focus will be on one of the most dangerous and deadly types of mail attack – the Phishing mail attack!
Dealing with Spoof and Phishing mail attacks | Article Series – Table of contents
The main points that I would like to emphasize regarding the Phishing mail attack are:
• The lack of knowledge, or the partial knowledge, that we have about the characteristics of a Phishing mail attack.
• The high degree of vulnerability of our mail infrastructure to a Phishing mail attack.
• The high degree of vulnerability of our users to a Phishing mail attack.
Phishing Mail Attack? Who, What, Where And When
Let’s start with the formal definition of a Phishing mail attack as described by Wikipedia:
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and
credit card details (and sometimes, indirectly, money), often for malicious reasons, by
masquerading as a trustworthy entity in an electronic communication.
The word is a neologism created as a homophone of fishing due to the similarity of using a bait
in an attempt to catch a victim.
Communications purporting to be from popular social websites, auction sites, banks, online
payment processors or IT administrators are commonly used to lure unsuspecting victims.
Phishing emails may contain links to websites that are infected with malware.
Phishing is typically carried out by email spoofing or instant messaging, and it often directs
users to enter details at a fake website whose look and feel are almost identical to the legitimate
one.
Phishing is an example of social engineering techniques used to deceive users and exploits the
poor usability of current web security technologies.
[Source of information – Wikipedia]
Why Should I Spend My Time Getting To Know The Characteristics Of Phishing Mail Attacks Better?
The answer is that if we want to know how to protect our organization from a Phishing mail attack, we need to know our “enemy”: the way he thinks, the way he attacks, the characteristics of the attack, and so on.
The need to recognize the characteristics of a Phishing mail attack is “our need,” and also “our users’ need.”
We need to be familiar with the characteristics of a Phishing mail attack so that we will be able to create and configure the required defense mechanisms, and so that we can instruct our users.
Our users should be familiar with Phishing mail attacks so that, in the scenario in which a Phishing mail attack evades our defense systems (a false-negative scenario), they will have the knowledge required to identify a Phishing mail attack.
What is the reason for the strange term Phishing?
As a child, I loved to fish.
I have a picture in mind of an endless blue sea.
You throw the bait into the deep blue water and patiently wait for the “strong pull,” which tells you that the fish bit the bait.
The same concept is implemented in a Phishing attack.
The fisherman prepares the bait (the attacker creates the Phishing mail) and “throws” his bait into the big blue sea. In our scenario, the sea is the list of destination recipients who could become his potential victims.
The fisherman (the attacker) doesn’t know if there are any fish in the “sea,” or if a specific fish will decide to bite the bait.
All he can do is wait patiently for the “strong pull,” which tells him that the fish bit the bait.
The different flavor of Phishing attack
It’s important to be aware of the fact that the term “Phishing attack” does not translate automatically to Phishing mail attack only.
The opposite is true: a Phishing mail attack is only one specific flavor of “Phishing attack.”
The mechanism of a “Phishing attack” can be implemented via different channels, such as:
• Phone channel – addressing the victim by sending him an SMS message or by calling him directly.
• IM (instant messaging) – addressing the victim via instant messaging applications such as Skype.
• Social network channel – addressing the victim via well-known social networks such as Facebook, etc.
In this specific article, we relate only to the “mail Phishing attack” flavor, but most of the information about the characteristics and the logic of a “Phishing attack” is identical across all the different flavors.
The different building blocks of Phishing mail attack
Later, we will go into more specific details of the “Phishing mail attack,” but for now it’s important for me to emphasize that the term “Phishing mail attack” translates to an “array of attack methods” that are combined and gathered into a specific channel that we describe as a Phishing mail attack.
The Phishing mail attack is based on a very simple concept: finding the weakest link in the chain, and via the “weakest link” gaining access to additional territory.
For example, the Phishing mail attack is designed to use social engineering to address a specific human weakness. The attacker tempts the victim “to do something,” such as opening a specific file.
The “specific file” is actually malware that tries to exploit an existing weakness on the user’s desktop (now the user desktop becomes the “weakest link”).
For this reason, the Phishing mail attack belongs to the notorious family of “new types of attacks” that are described as advanced threats.
Additional reading
Advanced persistent threat
Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention
Finding Advanced Threats Before They Strike: A Review of Damballa Failsafe Advanced Threat Protection and Containment
Advanced Threat Analytics for Incident Response
Microsoft Advanced Threat Analytics
Announcing Windows Defender Advanced Threat Protection
Advanced Threat Protection
3 Advanced Threat Protection Essentials
The Sophistication Level Of Phishing Mail Attack
In the same way that the term “car” can relate to many different types of cars, beginning with an old or simple car versus a luxury car, the term “Phishing mail attack” can relate to a very simple Phishing mail attack or to a very sophisticated Phishing mail attack.
Simple Phishing mail attack
The characteristics of a “simple Phishing mail attack” translate into a simple, very easy to identify attack, because the attacker made very little effort to execute a “professional attack.”
For example, the characteristics of a “nonprofessional Phishing mail attack” will include the following:
1. Sender’s identity
The attacker will not make the required effort to use an appealing identity or a well-known E-mail address, and instead will use a general E-mail address from a public mail provider such as Gmail and so on.
2. The destination recipient
The Phishing mail will not be targeted at a specific recipient, and the E-mail content will not address the specific recipient by his name. Instead, the Phishing mail content will address the recipient using a general description such as “dear organization user.”
3. Phishing mail content
The style of the Phishing mail will be very simple and will not mimic the “look and feel” of the mail style that the “original organization” uses.
The Phishing mail content will not include a sophisticated social engineering method that should convince the victim to do something; instead, it will include a very simple request such as “please open the following file” (the malware file).
Professional Phishing mail attack
Versus the simple Phishing mail attack, the other type of Phishing mail attack can be considered a well-crafted, professional Phishing mail attack that can easily bypass our mail security infrastructure and successfully attack our users.
For example:
1. Sender’s identity
The sender identity – the attacker can use a method in which the information about the sender looks identical (or almost identical) to the sender information that appears in a legitimate mail.
The attacker can invest resources in research to find information about you and your manager, and use not just a “simple identity” of a user from your organization but a very specific identity, such as your manager’s identity.
2. The destination recipient
The “destination victim” that the attacker tries to attack is not a random list of potential victims but a very specific destination recipient. The attacker invests the required time to learn about the company structure and the specific persons who hold key positions (CFO, CEO, etc.).
3. Phishing mail content
The attacker will invest the required resources in:
• Getting a sample E-mail message from the organization whose identity he uses.
• Creating an E-mail message template that looks identical to the original E-mail message style of the person whose identity he spoofs. The E-mail message style can include a specific font, the size of the font, the signature style and so on.
The level of sophistication can also be expressed in the specific social engineering method or narrative that the attacker uses as the Phishing mail content.
A professional attacker will craft “good content” that includes a relevant incentive to do the specific “thing,” one that is appealing to you or relevant to you as a person.
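The three characteristics above (sender identity, destination recipient, content) are exactly the signals a mail gateway or a triage script can check on the receiving side. The following Python script is an added example, not code from the article or from o365info.com: it parses two constructed sample messages and scores each against those characteristics. The organization domain, the keyword lists and the weights are assumptions chosen for the demonstration. What it adds to the text is a concrete illustration of the claim that a well-crafted “professional” mail scores almost like legitimate internal mail on content alone; only the gateway’s knowledge that the message arrived from outside while claiming our own domain separates it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example (not taken from the article):
OUR_DOMAIN = "example-corp.test"              # the defended organization's mail domain
PUBLIC_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
GENERIC_GREETINGS = ("dear organization user", "dear user", "dear customer", "dear employee")
CALLS_TO_ACTION = ("open the following file", "open the attached", "click on the link",
                   "click the link", "provide the following details", "verify your account")
URGENCY = ("within the next", "hours", "immediately", "urgent")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".doc", ".docm", ".xls", ".xlsm")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def _text_and_attachments(msg):
    """Collect the lower-cased plain-text body and the attachment file names."""
    texts, names = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name.lower())
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts).lower(), names


def score_message(raw, arrived_externally):
    """Weighted indicator score for one raw RFC 822 message.

    arrived_externally is what the receiving gateway knows and the message
    body cannot fake: True when the connection came from outside our network.
    """
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body, attachments = _text_and_attachments(msg)
    findings = []  # (weight, reason)

    # 1. Sender's identity
    if sender_domain in PUBLIC_PROVIDERS:
        findings.append((2, "sender address is on a public mail provider"))
    if arrived_externally and sender_domain == OUR_DOMAIN:
        findings.append((3, "From claims our own domain but the message arrived from outside"))
    # 2. Destination recipient: generic greeting instead of the person's name
    if any(g in body for g in GENERIC_GREETINGS):
        findings.append((2, "generic greeting instead of the recipient's name"))
    # 3. Content: the "call to action" part, time pressure, bait attachment or link
    if any(c in body for c in CALLS_TO_ACTION):
        findings.append((1, "explicit call to action"))
    if any(u in body for u in URGENCY):
        findings.append((1, "time pressure"))
    if any(a.endswith(RISKY_EXTENSIONS) for a in attachments):
        findings.append((2, "attachment type commonly used to carry malware"))
    external_hosts = [h for h in URL_RE.findall(body) if not h.lower().endswith(OUR_DOMAIN)]
    if external_hosts:
        findings.append((1, "link to external host " + external_hosts[0]))

    score = sum(w for w, _ in findings)
    verdict = "likely phishing" if score >= 5 else "suspicious" if score >= 3 else "clean"
    return {"score": score, "verdict": verdict, "reasons": [r for _, r in findings]}


# Constructed sample messages (not real mail).
SIMPLE = """\
From: IT Department <it.support.helpdesk@gmail.com>
To: alice@example-corp.test
Subject: Password update required

Dear organization user,
Please open the following file to update your password,
or click on the link http://example-corp-login.test/reset
"""

SPEAR = """\
From: "Bob Chen (CFO)" <bob.chen@example-corp.test>
To: alice@example-corp.test
Subject: Q3 invoice approval
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Alice,
As discussed, please open the attached invoice and approve the transfer
before the call in 2 hours.
Bob
--b1
Content-Type: application/msword; name="invoice_Q3.doc"
Content-Disposition: attachment; filename="invoice_Q3.doc"

ZmFrZSBjb250ZW50
--b1--
"""

if __name__ == "__main__":
    for label, raw, external in (("simple", SIMPLE, True),
                                 ("spear, from outside", SPEAR, True),
                                 ("same text, sent internally", SPEAR, False)):
        print(label, score_message(raw, external))
```

The “simple” mail trips four independent indicators and is an easy catch. The spear-phishing mail carries only the content indicators that a real CFO request would also carry (attachment, call to action, deadline), so it lands in the grey zone; the decisive weight comes from the origin check, which is why the later parts of this series spend so much time on the mail infrastructure rather than on content filtering.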
The Basic Logic Of Phishing Mail Attack And The Phishing Mail Structure
Regarding the logic of a Phishing mail attack, the logic is quite simple:
The attacker tries to present an identity that can be trusted by the victim, and then asks him to “do something” (bite the bait) that will “activate” the attack.
The basic structure of a Phishing mail includes the following parts:
Part A – The “trust” part
This is the part in which the attacker tries to “establish a relationship” with the victim.
It is very similar to the logic of a “Business Card.”
The message is: I am a reliable and trusted person. You can trust me, and trust the “thing” that I will ask you to do below.
Part B – The “Call to Action” part
This section includes two parts:
1. The “logic” for doing the specific action
Before I ask you to do something, I want to explain and convince you by giving you the reason for doing the specific action.
2. The “Action” part
This is the part in which the attacker explicitly states what “action” he asks the victim to do.
Most of the time, the “action” will be:
1. Open a specific file (malware)
2. Click on a specific link (URL) that leads the victim to a specific Phishing website, and then “do something” when he gets to the website, such as provide personal details, deposit money into a bank account, download a specific file and so on.
What Are The “Things” That The Attacker Asks The Victim To Do?
Theoretically, there are endless options for the “things” that the hostile element can ask a victim to do. In reality, there are two major “requests” that the hostile element makes most of the time:
1. Access a specific website
The Phishing mail attack includes a link (URL address) to a specific website.
The website serves as the “trap” that the attacker has already prepared.
There could be a couple of variations of the Phishing website to which the attacker redirects his victims:
• A legitimate website that was compromised by the hostile element.
• A non-legitimate website that was created to mimic a legitimate website.
• A non-legitimate website that includes a form in which the victim fills in his details.
• A non-legitimate website that includes a malware file that the victim is asked to download and open.
• A non-legitimate website that exploits an existing vulnerability in the victim’s browser to inject hostile code into the user desktop.
2. Click on a malware file that is attached to the Phishing mail
The other type of Phishing mail attack is more straightforward.
The attacker doesn’t convince the victim to access a particular website and then download and “activate” a specific file (malware); instead, he attaches the malware directly to the E-mail message.
In case you think “hahaha, my mail infrastructure will block any type of executable file, and for this reason my mail security infrastructure will prevent this scenario (a scenario in which the E-mail message includes an executable file),” the bad news is that nowadays most malware appears as a legitimate, innocent file such as a Microsoft Office document (Word document, Excel document and so on).
One of the most famous and deadliest Phishing mail attacks is the attack that includes Ransomware malware that appears as a legitimate attachment.
When the victim opens the “innocent attachment,” the malware encrypts the victim’s hard disk and demands a ransom!
Additional reading
Ransomware
Locker: Cryptolocker Progeny Awakens
Plan Your Phishing Mail Attack | Step By Step Instructions
The header is a little dramatic.
Our main purpose is not to teach you how to plan and execute a successful Phishing mail attack, but instead to enable you to get into the mind of the attacker who sits in his room “cooking” his Phishing mail attack.
Note – In case the “title” makes you feel slightly angry because the article includes instructions that can be used by the “dark side” to become better at planning a Phishing mail attack, don’t worry.
The “bad guys” don’t need my help or my guidelines. They are professionals who master this field.
The life cycle of Phishing mail attack includes three major phases:
1#3 | Preparation phase
In this phase, the attacker makes all the necessary preparations that will serve as the building blocks for the Phishing mail attack.
Decide who the target victims are
The attacker needs to decide who the “destination victims” are.
For example, a Phishing mail attack that targets a specific organization or a specific destination recipient in the organization (Spear phishing).
Another option is to send the Phishing mail attack to a harvested E-mail address list.
In a scenario of Spear phishing, the attacker will conduct research about the role of the specific recipient whom he wants to attack, his relationships with other organization users, etc.
Decide which spoofed identity to use
The attacker can choose from a wide range of “spoofed identities,” beginning with a very general sender identity, and ending with a spoofed identity that uses the domain name of the target victim, and even the identity of a very specific user.
For example, a Phishing mail attack in which the Phishing mail is sent to the company CEO, and the spoofed identity that the attacker uses is the spoofed identity of the company CFO.
Plan and design the style of the E-mail message.
In a “sophisticated” Phishing mail attack, the attacker will spend effort crafting an E-mail message that mimics the exact style of the “original E-mail message” used by the specific organization. For example, mimicking the exact signature of the user whose identity he spoofs.
Choosing the specific human weakness that will be exploited using social engineering.
The attacker will need to decide which specific “human weakness” he is going to target.
For example:
• Greed – inform the victim that he is the winner of some lottery; if you click on this link you will win a big prize, get a free trial and so on.
• Curiosity – learn the secret of losing 10 kilos in 10 days.
• Humanity – if you click this link, you will help hungry children.
• Fear of authority – this is your manager, please provide the following details within the next 2 hours!
In the following diagram, we can see the initial phase of the Phishing mail attack.
Additional reading
Social engineering (security)
5 Social Engineering Attacks to Watch Out For
The Threat of Social Engineering and Your Defense Against It
Social Engineering: Concepts and Solutions
The additional parts of the preparation phase could be:
• Find a website that can be attacked, attack the website and “inject” malware code into the website that will infect users who access that specific website.
• Copy the source code of a legitimate website, such as a bank website, and build an identical website that looks exactly the same as the original website.
• Purchase a sibling domain name, which will be used as a subtle variation of the legitimate domain name of the website that is being mimicked.
• Design and create the malware file that will be attached to the Phishing mail.
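The “sibling domain name” step above, together with the spoofed identity that uses the target’s own domain name, is something a defender can check for on the receiving side: every domain found in a link or in a sender address is compared with the domains the organization owns or trusts. The following Python code is an added example, not code from the article or from o365info.com; the protected domain list, the homoglyph table and the edit-distance threshold are assumptions for the demonstration. It goes a little beyond the text by distinguishing the kinds of variation (different TLD, look-alike characters, typo, brand embedded in a longer name), since each kind tends to be handled by a different control.

```python
# Constructed assumptions for this example (not from the article):
PROTECTED_DOMAINS = ["example-corp.test", "example-bank.test"]   # domains we own or trust

# Character swaps commonly used to make one label look like another.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_label(label):
    """Undo look-alike substitutions so 'exarnple' and 'examp1e' both compare as 'example'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def levenshtein(a, b):
    """Edit distance: insertions, deletions and substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(candidate, protected=PROTECTED_DOMAINS, max_edits=2):
    """Classify a domain seen in a link or sender address against the protected list.

    Returns (label, matched_protected_domain); the match is None for 'unrelated'.
    """
    cand = candidate.lower().strip().rstrip(".")
    for p in protected:
        if cand == p or cand.endswith("." + p):
            return "legitimate", p           # the domain itself or a real subdomain of it
    cand_name, _, cand_tld = cand.rpartition(".")
    norm = normalize_label(cand_name)
    for p in protected:
        p_name, _, p_tld = p.rpartition(".")
        if norm == p_name:
            if cand_tld != p_tld:
                return "lookalike: same name, different TLD", p
            return "lookalike: homoglyph substitution", p
        if levenshtein(norm, p_name) <= max_edits:
            return "lookalike: typo variant", p
        if p_name in cand_name:
            return "lookalike: brand embedded in a longer name", p
    return "unrelated", None


if __name__ == "__main__":
    # Constructed hosts, as they might be extracted from links in incoming mail.
    for host in ("mail.example-corp.test", "examp1e-corp.test", "example-corp.com",
                 "exampel-corp.test", "example-corp-login.test", "unrelated.test"):
        print(host, "->", classify_domain(host))
```

A gateway rule built on this would let “legitimate” through, block or quarantine the “lookalike” classes, and leave “unrelated” to the ordinary reputation checks. Registering the obvious sibling domains yourself, so that they can never be purchased for the step described above, is the complementary preventive control.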
2#3 | Sending the Phishing mail phase
This is the phase in which the attacker needs to find a mail server that will be used to distribute the Phishing E-mail message.
3#3 | Executing the attack phase
The Phishing mail is just a “bridge” or a “gateway” to the main course of the meal: the specific attack that the hostile element wants to execute.
Theoretically, there is no limit to the types of “attacks” that can be executed.
The most common types of attack are:
Malware files | Virus
A very well-known and deadly attack is the “Ransomware virus,” which will encrypt the local hard drive.
Malware files | Trojan
There are many types of “goals” that the attacker wants to achieve using a Trojan.
For example, some Trojans will enable the attacker to remotely control a specific user desktop; some Trojans will enable the attacker to steal the user’s password (keylogger); some Trojans will enable the attacker to convert the user desktop into a zombie machine, and so on.
Another popular Phishing mail attack is one in which the victim is asked to click on a link that will lead him to a website that was created or is controlled by the attacker.
Assuming that you have managed to successfully complete all the above steps, you are entitled to be described as a “proud Phishing mail attacker”!
Additional reading
How to recognize phishing email messages, links, or phone calls
The next article in the current article series is:
Why our mail system is exposed to Spoof and Phishing mail attacks | Part 5#9