Phishing attacks become more sophisticated


Forbes reports that cyber attacks are becoming more sophisticated, citing an example of an Iranian hacker using a fake Facebook profile to target a technical consultant at consulting house Deloitte via a phishing attack.

According to the report, the hacker created a fake profile under the name of ‘Mia Ash’ – creating multiple social media accounts and backing the profile up with photographs.

Under the Mia Ash persona, the hacker gained the trust of the consultant, eventually convincing him to download an Excel file which was infected with malware.

Fortunately, Deloitte’s security systems picked up the malware, but Forbes makes the point that this attack ‘breaks new ground’ and raises questions about the lengths that attackers will go to in phishing attacks.

The article, written by Jason Bloomberg, president of Intellyx, an industry analysis firm, raises awareness of the different types of phishing attacks.

Spear-phishing, angler-phishing and cat-phishing

Spearphishing refers to an attack in which large numbers of spam emails are sent with the ultimate goal of encouraging a few people to download a malicious link. It is specifically targeted at particular people or a group of individuals.

Bloomberg says: “The key to spearphishing is that the hacker needs to know something about its target, so that the emails appear to be specific to them. For example, a common spearphishing attack purports to come from the target’s boss, and contains sufficient information to fool the recipient into taking an action, like clicking a link, downloading a file, or in the most shocking case, sending a wire

Anglerphishing uses social media to create an online persona.

“Criminals create a fake brand support page on these social media websites, in order to redirect customers to phishing websites,” according to FraudWatch International. “They impersonate the social media teams of various businesses (banks, retailers, etc.) to gain the trust of clients, who then feel safe and willing to share sensitive personal data.”

The ultimate aim is similar to that of spearphishing – downloading malware via an online or email link.

New in the business arena is catphishing, most commonly used on Internet dating sites. The purpose of this type of engagement is to create an online ‘relationship’ in order to extract money or some other benefit.

The most important thing to remember is that the profiles look real and that attackers spend a lot of time and effort building their personas.

Phishing could be targeting your company

Your company may not be safe from these types of attacks. Catphishing is expanding to include targets who may be viewed as having privileged access to company information. A common approach is the upstream attack: when the company itself is hard to attack, the attacker looks for someone with access to company information who may be an easier target.

Bloomberg says that the ‘Mia Ash’ scenario represents both a spearphishing and a catphishing attack. He cautions that the targeting of employees at large organisations is often done initially through social media such as LinkedIn. He cites a similar attack which was initially perpetrated utilising LinkedIn.

LinkedIn profiles are created with a full education background, current and previous job descriptions and even group memberships or qualifications. Some profiles are so well established that they include ‘supporter personas’ which supply endorsements, adding legitimacy to the profile.

According to Bloomberg, the attack on Deloitte was perpetrated by Iranian state-sponsored hackers. These types of attacks require patience and “a modicum of common sense”, but do not require the extensive resources of zero-day attacks.

The goals behind these types of attacks vary. They can include introducing malware on to a corporate network with the intention of utilising ransomware on the system. Or the purpose can be to establish a relationship in order to undertake industrial espionage. As Bloomberg asks, “Who among us might not share confidential intellectual property with a trusted business contact, even though we only know them through LinkedIn and email?”

As attacks become more sophisticated, perhaps the most important question to consider is – How do you recognise such an attack?