Phishing existed long before the arrival of our dearest pal, the Nigerian prince. Surprisingly, his royal highness is still wreaking havoc today, reportedly costing victims around $700,000 every year.
Have you ever asked yourself why people still fall for a trap that has been around since the 90s? The most likely answer is that phishing has kept evolving ever since his royal highness first appeared on the internet.
People may be well aware of the infamous Nigerian prince scam, but not of the many other types of phishing that use the same basic approach with a different technique.
We covered what phishing is and how to avoid it in our previous post, so here we skip straight to the techniques and some real examples of phishing attacks.
13 Types of Phishing Attacks
Symantec's Internet Security Threat Report found that around 65% of targeted attack groups rely primarily on spear phishing, followed by watering-hole websites (23%) and trojanized software updates (5%).
You cannot defend against attacks you do not recognize, so let's go through the 13 phishing types that cybercriminals rely on most.
1. Spear Phishing
A single spear-phishing attack causes $1.6 million in damages on average. What makes spear phishing so effective is its targeted approach: unlike bulk phishing, it aims at specific individuals.
Courtesy of Proofpoint
Cybercriminals learn everything they can about the victims to make a social engineering attack successful, such as their:
- Email address
- Social media accounts
- Place of employment
These details let them craft a targeted message with a personal touch, so the email seems completely genuine.
Spear Phishing Example
Proofpoint, an enterprise security company, reported a COVID-19-themed spear-phishing campaign in 2020.
The emails targeted European government entities and non-profit organizations. The attacker posed as a representative of the World Health Organization (WHO) and sent emails titled “Critical preparedness, readiness and response actions for COVID-19, Interim guidance.”
The attachment delivered a variant of the Sepulcher malware, an information stealer. As the name suggests, an info stealer is malware built to harvest data such as credentials and documents from the infected machine.
2. Pharming
When you farm, you cultivate land, sow seed, and wait for the crop. Pharming works similarly: a cybercriminal plants malicious code on a victim's machine or on a server it relies on, and that code quietly redirects requests for a legitimate site to a fraudulent copy that harvests personal information, credentials, or other sensitive data. On the victim's own machine this is typically done by rewriting the local hosts file or the DNS settings, so the redirect happens even when the correct address is typed.
Courtesy of Securelist
Another pharming technique is DNS cache poisoning. DNS, the Domain Name System, is the internet's directory: when you visit a website, your resolver looks up the domain name and returns the IP address to connect to.
If that resolver's cache has been poisoned with forged records, or the resolver itself has been hijacked, it hands back the address of an attacker-controlled site instead, and your browser connects there to have its data stolen.
Pharming Example
Back in 2015, Securelist reported a series of pharming attacks by Brazilian threat actors targeting home routers. The phishing email carried a link to a page that attempted to change the DNS settings of the victim's router, so that every device behind it was redirected to fake websites.
The report noted that the fake email drew 3,300 clicks in three days.
3. Clone Phishing
As the name says, in a clone phishing attack a cybercriminal copies a legitimate email and sends you a revised version with the attachments or links swapped for malicious ones. The clone is usually sent from a fake address that closely resembles the genuine sender's.
Courtesy of Kratikal
The message body may stay the same or be tweaked to add urgency; for instance, it may contain a virus alert urging you to download a tool or change your password via a link.
In a clone phishing attack, the attacker already has a copy of a genuine email you received from a legitimate source, and the clone is often framed as a follow-up or correction to it, which makes it all the more convincing.
Clone Phishing Example
In 2018, CERT NZ warned of a growing number of invoice scams affecting New Zealand businesses. Having gained access to a business mailbox, the criminals read through its email to pick out conversations about larger transactions.
They then sent a cloned email that appeared to come from the business, with the payment details on the invoice the customer was expecting altered.
One such invoice scam left a New Zealand couple $53,000 out of pocket and without their new home.
4. Smishing
Fake emails aren't the only phishing vector cybercriminals are adept at. You can just as easily be phished through a text message if you take the bait. Smishing is a form of phishing in which threat actors send deceitful SMS messages.
BREAKING!! New SMS phishing campaign pretending to be from the United States Post Office being pushed out to cell phones today. So far the link in the SMS being used is this domain m9sxv[.]info. Here are a couple of sample texts we have collected. #infosec #malware #smish #osint pic.twitter.com/90xSWYCUbZ
— Eric JN Ellason (@SlickRockWeb) September 15, 2020
The fake messages often carry malicious links that lead to spam adverts or to malicious websites that steal, among other things, your contacts' phone numbers and your banking credentials.
Sometimes the message gives a phone number instead and urges you to call back about, say, your tax filing.
Smishing Example
In September 2020, a company CEO reported receiving a smishing text that impersonated the United States Postal Service (USPS). Recipients were told a USPS delivery was pending and asked to click the provided link to track it or see further details.
5. Whaling
If spear phishing targets individual employees, whaling harpoons the C-suite. Compared with ordinary phishing, whaling emails are more formal, sophisticated, and subtle. The goal is usually to take over, or convincingly impersonate, an executive's email account, the classic setup for Business Email Compromise, because a CEO's mailbox opens doors to far more valuable and high-paying targets.
It is one of the most sophisticated forms of phishing because the fake email requires extensive research on the target and a carefully chosen pretext that gives them a believable reason to hand over sensitive data or approve a payment.
Whaling Example
In 2019, Lithuanian Evaldas Rimasauskas was jailed for defrauding two large US technology companies of about $122 million. He sent the victims fake emails that appeared to come from Quanta Computer Inc., a legitimate Taiwanese hardware supplier both companies dealt with.
The scheme worked not because any executive's mailbox was broken into, but because the forged emails, invoices and contracts were convincing enough that the staff handling large vendor payments wired the money to accounts he controlled.
6. Search Engine Phishing
SEO poisoning and search engine trojans are common synonyms for search engine phishing. Here, the attacker sets up a fake website and works to get it ranked on search engines such as Google or Yahoo for the keywords victims are likely to search.
Courtesy of Microsoft
Once the fake URL ranks, it baits unsuspecting visitors into handing over information such as email addresses, Social Security numbers, and passwords. There are various ways to run these attacks, such as fraudulent giveaways or discounts.
Search Engine Phishing Example
In 2019, Microsoft described a campaign in which some of the top results for a particular set of search keywords had been poisoned; the pages redirected visitors to phishing websites.
7. Link Manipulation
Link manipulation is the technique that underpins most of the other phishing types. Phishers send links by email, text, or social media that appear to lead to a legitimate site but actually resolve to the phisher's own: a misspelled or look-alike domain, a trusted brand name buried in a subdomain of an attacker-owned domain, or link text that shows one address while the underlying URL points to another. The links are spread through social engineering attacks such as spear phishing.
The aim is to steal sensitive information, install malware, or redirect users to spam adverts.
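The checks a mail filter or a careful reader applies to such links can be written down. The following is an added example, not code from the original article: it pulls every anchor out of an HTML email body and flags the tricks described above (a brand name inside an attacker's domain, userinfo before an `@` that hides the real host, punycode hosts, and link text that names a different site than the href). SAMPLE_EMAIL and every domain in it are constructed, and TRUSTED_DOMAINS is an assumed allow-list of brands the recipient actually deals with.

```python
"""Spot manipulated links in an HTML email body.

Added example, not from the original article. SAMPLE_EMAIL and every domain
in it are constructed; TRUSTED_DOMAINS is an assumed allow-list.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("example-bank.com", "ebay.com")   # assumption, see lead-in

# Link text that itself looks like a URL or hostname (e.g. www.example-bank.com/help)
URL_LIKE_TEXT = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

SAMPLE_EMAIL = """<html><body>
<p>Dear customer,</p>
<p>Your account will be suspended. <a href="https://www.example-bank.com.account-verify.net/login">Sign in</a>
to confirm your details, or visit <a href="http://example-bank.com@203.0.113.9/">www.example-bank.com</a>.</p>
<p>Questions? See <a href="https://www.example-bank.com/help">www.example-bank.com/help</a>.</p>
</body></html>"""


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the demo; real tooling should
    consult the Public Suffix List so that co.uk-style suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_link(href: str, text: str) -> list:
    """Reasons this anchor looks deceptive; an empty list means it passed."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:
        # http://example-bank.com@203.0.113.9/ : everything before '@' is userinfo,
        # not the host, but it is the part a hurried reader notices.
        reasons.append("userinfo before '@' hides the real host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host, possible homoglyph domain")
    for brand in TRUSTED_DOMAINS:
        if brand in host and registrable_domain(host) != brand:
            reasons.append(f"'{brand}' appears in the host but the registrable "
                           f"domain is {registrable_domain(host)}")
    if URL_LIKE_TEXT.fullmatch(text):
        # Visible text that names a site must agree with the real destination.
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"text shows {shown} but href goes to {host}")
    return reasons


def scan_email(html_body: str) -> dict:
    """Map each suspicious href in the body to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = {}
    for href, text in collector.links:
        reasons = analyse_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Run against SAMPLE_EMAIL, the first two links are flagged (brand-in-subdomain, and userinfo plus text/href mismatch) while the genuine help link passes. The registrable-domain helper is deliberately simple; anything used in production should be backed by the Public Suffix List, otherwise `example.co.uk` style hosts are compared on the wrong label.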
Link Manipulation Examples
In 2005, a blogger documented an eBay phishing scam that used exactly this technique to send users to malicious URLs and spam websites.
8. Vishing
As you may have noticed, email is the most popular medium for phishing. But as phishing has evolved, phishers have taken to the phone as well. Phishing through voice calls or voice messages is called vishing.
A visher may pretend to be a call center agent or a representative of your local bank, and will often spoof the caller ID so the call appears to come from the bank's real number. Technical jargon and the measured tone of a genuine bank employee complete the façade.
Vishing Example
In 2014, a UK resident lost £68,000 to a voice phishing (vishing) attack. The callers posed as her bank's fraud department, told her that her card was being used fraudulently, and instructed her to move her money to a separate “secure account” that the fraudsters had set up.
Barclays later refunded her as a goodwill gesture.
9. Session Hijacking
Phishers use many clever techniques, and session hijacking, or more precisely session fixation, is one of them. The attacker gets the user to click a URL, via email or a social media post, that points to the legitimate domain but carries a session ID chosen by the attacker, for example, example.com/login?SID=xyz.
Courtesy of Zscaler
If the site accepts that ID and keeps using it after the user logs in, the attacker, who already knows the ID, can present the same session to the site and be treated as the logged-in user.
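The server-side mistake that makes the SID-in-the-URL trick work, and the two-line fix, are easiest to see in code. The following is an added example, not code from the original article: VulnerableApp and HardenedApp are in-memory stand-ins for a web application's session layer (no real framework behind them), and the user account is constructed. The hardened version never adopts a SID from request data and rotates the SID at login, so a planted ID is never promoted to an authenticated session.

```python
"""Session fixation: accepting a caller-supplied SID vs. minting and rotating one.

Added example, not from the original article. VulnerableApp and HardenedApp
stand in for a web app's session layer; USERS is a constructed test account.
"""
import secrets

USERS = {"alice": "correct horse battery staple"}   # constructed test account


class VulnerableApp:
    """Adopts whatever SID the request carries and keeps it across login."""

    def __init__(self):
        self.sessions = {}          # sid -> logged-in username, or None

    def visit(self, sid_from_url=None):
        # Bug 1: a SID supplied in the URL (example.com/login?SID=xyz) is accepted.
        sid = sid_from_url or secrets.token_hex(16)
        self.sessions.setdefault(sid, None)
        return sid                  # what the server tells the browser to keep

    def login(self, sid, user, password):
        if USERS.get(user) != password or sid not in self.sessions:
            return None
        # Bug 2: the pre-login SID is promoted to an authenticated one, so whoever
        # chose it (the phisher) now holds a logged-in session.
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


class HardenedApp(VulnerableApp):
    """Ignores SIDs from the URL and rotates the SID on login."""

    def visit(self, sid_from_url=None):
        sid = secrets.token_hex(16)         # never derived from request data
        self.sessions[sid] = None
        return sid

    def login(self, sid, user, password):
        if USERS.get(user) != password or sid not in self.sessions:
            return None
        self.sessions.pop(sid)              # the old, possibly known, SID is retired
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = user
        return new_sid                      # delivered via Set-Cookie, never via the URL


def run_fixation_attack(app_cls):
    """Phisher plants SID 'xyz' in a link, the victim logs in through it, and the
    phisher then presents 'xyz' himself. Returns whom the server thinks the
    phisher is (None means the attack failed)."""
    app = app_cls()
    planted = "xyz"
    victim_sid = app.visit(sid_from_url=planted)     # victim follows the link
    app.login(victim_sid, "alice", USERS["alice"])   # victim authenticates
    return app.whoami(planted)                       # phisher replays the planted SID


if __name__ == "__main__":
    print("vulnerable app, phisher is:", run_fixation_attack(VulnerableApp))   # alice
    print("hardened app, phisher is:", run_fixation_attack(HardenedApp))       # None
```

Either fix alone would stop this particular attack; doing both is the usual recommendation because SID rotation at every privilege change also limits the damage when a pre-login SID leaks some other way, for instance through a Referer header.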
Session Hijacking Example
In 2013, Zscaler reported a wave of Facebook phishing attacks that included session hijacking. The lure was an interesting video whose link walked the user through a series of steps, including sharing personal data such as name, age, and email address.
Facebook later countered these phishing attempts by showing a warning window.
10. Content Injection
Content injection phishing is also called content spoofing. Hackers and phishers alike use it to trick users into handing over their data. The phisher alters part of a legitimate site's content, replacing it with fake text or a link to a phishing page, without compromising the site itself: the page reflects something the attacker placed in the URL, so a victim following that URL sees the attacker's message displayed on the trusted domain.
Courtesy of Techgirlkb
Most of these attacks are seen on pages that echo the request back, such as a 404 page that shows the path that was not found.
Content Injection Example
Take, for instance, the URL in the image and the page content it produces. The attacker has appended an extra parameter to the URL, and the page renders it as a link to the fraudulent website.
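The reflected 404 page above can be reproduced in a few lines, along with the fix. The following is an added example, not code from the original article: the two handlers are plain functions standing in for a web framework's error handler, ATTACK_PATH is a constructed request path of the kind a phisher would link to, and evil.example is a placeholder domain. The vulnerable handler pastes the decoded path into the HTML, so the attacker's `<a>` tag becomes a live link on the trusted site's own error page; the hardened one length-caps and HTML-escapes it so the same input renders as inert text.

```python
"""Content injection through a reflected 404 page: vulnerable vs. hardened.

Added example, not from the original article. The handlers stand in for a web
framework's error handler; ATTACK_PATH and evil.example are constructed.
"""
import html
import re
from urllib.parse import unquote

# What a victim's browser requests after clicking the phisher's link: a message
# plus a link, URL-encoded into the path of the trusted site.
ATTACK_PATH = ("/Your%20session%20has%20expired.%20%3Ca%20href%3D%22https%3A%2F%2F"
               "evil.example%2Flogin%22%3EClick%20here%20to%20log%20in%3C%2Fa%3E")


def not_found_vulnerable(path: str) -> str:
    """Echoes the decoded path straight into the HTML: any markup in the URL
    becomes live markup on the trusted site's own 404 page."""
    return f"<h1>404 Not Found</h1><p>The page {unquote(path)} does not exist.</p>"


def not_found_hardened(path: str) -> str:
    """Reflects the path as inert text: length-capped (so the error page cannot
    be turned into a billboard), then HTML-escaped including quotes."""
    shown = html.escape(unquote(path)[:120], quote=True)
    return f"<h1>404 Not Found</h1><p>The page {shown} does not exist.</p>"


def injected_links(page: str) -> list:
    """Hrefs of anchor tags that would actually render as links in the page."""
    return re.findall(r'<a\s[^>]*href="([^"]*)"', page)


if __name__ == "__main__":
    print("vulnerable:", injected_links(not_found_vulnerable(ATTACK_PATH)))  # ['https://evil.example/login']
    print("hardened:  ", injected_links(not_found_hardened(ATTACK_PATH)))    # []
```

Escaping is the minimum; a stricter handler simply does not reflect the requested path at all, and a Content-Security-Policy that forbids inline markup from unexpected sources adds a second layer if an escape is ever missed.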
11. Web-Based Delivery
Web-based delivery attacks are also called man-in-the-middle (MITM) phishing. The attacker's server sits between the victim and the genuine site and relays every message in both directions, so the victim sees a real-looking login flow while the attacker reads everything that passes through, including credentials and any one-time codes.
MITM attacks are hard to detect: from the server's point of view the requests arrive with a valid password and a valid, freshly issued one-time code, so even a well-secured server cannot tell the relaying attacker from the legitimate user.
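Why a relayed one-time code still lets the attacker in, and what does stop the relay, is clearer with a toy model. The following is an added example, not code from the original article: Bank, VictimDevice and PhishingProxy are in-process stand-ins for the real systems, and the one-time code and the origin-bound assertion are both HMACs over shared secrets, used here in place of a real TOTP and of WebAuthn's public-key signature. Every secret, password and domain name is constructed. The point it demonstrates is that the OTP carries no information about where the user typed it, whereas an assertion that the browser binds to the origin it is actually connected to fails verification when that origin is the phishing domain.

```python
"""MITM phishing relay: one-time codes relay fine, origin-bound assertions do not.

Added example, not from the original article. All parties are toy stand-ins;
HMAC over shared secrets replaces TOTP and WebAuthn signatures. Everything
below is constructed.
"""
import hashlib
import hmac
import secrets


def sign(key: bytes, challenge: str, origin: str) -> str:
    """Origin-bound assertion: the challenge is signed together with the origin
    the browser is actually talking to, so it cannot be replayed elsewhere."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


def one_time_code(seed: bytes, counter: int) -> str:
    """Counter-based OTP stand-in shared by the bank and the victim's token."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:6]


class Bank:
    ORIGIN = "https://bank.example"

    def __init__(self):
        self.password = "hunter2"          # constructed
        self.otp_seed = b"otp-seed"        # shared with the victim's OTP token
        self.authn_key = b"device-key"     # shared with the victim's authenticator
        self.challenges = set()

    def login_with_otp(self, password: str, otp: str, counter: int) -> bool:
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(otp, one_time_code(self.otp_seed, counter)))

    def new_challenge(self) -> str:
        ch = secrets.token_hex(16)
        self.challenges.add(ch)
        return ch

    def login_with_assertion(self, challenge: str, assertion: str) -> bool:
        if challenge not in self.challenges:
            return False
        self.challenges.discard(challenge)   # single use
        # The bank only accepts assertions bound to its own origin.
        return hmac.compare_digest(assertion, sign(self.authn_key, challenge, self.ORIGIN))


class VictimDevice:
    """The victim's password, OTP token and platform authenticator."""

    def __init__(self, bank: Bank):
        self.password, self.otp_seed, self.authn_key = bank.password, bank.otp_seed, bank.authn_key

    def otp(self, counter: int) -> str:
        return one_time_code(self.otp_seed, counter)

    def assertion(self, challenge: str, page_origin: str) -> str:
        # The browser, not the page, supplies page_origin: it is the site the user
        # is really on, i.e. the phishing domain when they are being phished.
        return sign(self.authn_key, challenge, page_origin)


class PhishingProxy:
    ORIGIN = "https://bank-example-login.com"   # constructed look-alike domain

    def __init__(self, bank: Bank):
        self.bank = bank

    def relay_otp_login(self, victim: VictimDevice, counter: int) -> bool:
        # Victim types password and OTP into the fake page; the proxy forwards
        # both to the real bank within the code's validity window.
        return self.bank.login_with_otp(victim.password, victim.otp(counter), counter)

    def relay_assertion_login(self, victim: VictimDevice) -> bool:
        challenge = self.bank.new_challenge()                 # proxy fetches a real challenge
        assertion = victim.assertion(challenge, self.ORIGIN)  # but it gets bound to the phishing origin
        return self.bank.login_with_assertion(challenge, assertion)


def otp_relay_attack() -> bool:
    bank = Bank()
    return PhishingProxy(bank).relay_otp_login(VictimDevice(bank), counter=1)


def origin_bound_relay_attack() -> bool:
    bank = Bank()
    return PhishingProxy(bank).relay_assertion_login(VictimDevice(bank))


def legitimate_origin_bound_login() -> bool:
    bank, victim = Bank(), None
    victim = VictimDevice(bank)
    challenge = bank.new_challenge()
    return bank.login_with_assertion(challenge, victim.assertion(challenge, Bank.ORIGIN))


if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", otp_relay_attack())            # True
    print("origin-bound assertion relayed:    ", origin_bound_relay_attack())   # False
    print("origin-bound assertion, real site: ", legitimate_origin_bound_login())  # True
```

The OTP relay succeeds for exactly the reason the Citibank case below illustrates: the code is valid, the password is valid, and nothing in either says where they were entered. Binding the credential to the origin, as FIDO2/WebAuthn does with a public-key signature over the challenge and the relying party's origin, is what makes the proxy's copy useless.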
Web-Based Delivery Example
In 2006, The Washington Post reported a series of MITM phishing attacks against a Citibank service. The attacks, traced to Russia, combined several techniques and successfully defeated the two-factor authentication the bank had implemented.
12. Keyloggers
Keyloggers are often the payload of a successful phishing attack. The phisher sends an email, to an individual or a group, containing a link to keylogger malware. Once installed, everything the victim types is recorded and sent to logs on the phisher's system, including passwords, emails, and credit card numbers.
Courtesy of Proofpoint
Keyloggers are among the most basic hacking tools, but also among the most effective, because attackers hide them inside executables the victim has been persuaded to run.
Keylogger Example
In 2017, threat actors sent phishing emails to staff of a US-based insurance and financial services firm. Recipients were prompted to open the attached MS Word file and then told they needed to download another application to view its content.
Campaigns like this usually rely on malicious Office macros to run the payload. This one instead carried a Visual Basic Script payload, making it harder for defenders to detect.
13. Malvertising
Malvertising, or malicious advertising, uses adverts on websites and in applications to lure unsuspecting users into clicking. The click triggers malware that can install a keylogger, virus, or ransomware, or force unsolicited content onto your screen; some malvertising does not even need a click and attacks the browser as soon as the ad loads.
Malvertising isn't limited to banner ads; it comes as text-based, video, or animated ads too. A phisher may simply rent ad space on a legitimate site to serve malware-laced ads, or exploit a vulnerability in the hosting platform to do the same.
Attn: NYTimes.com readers: Do not click pop-up box warning about a virus -- it's an unauthorized ad we are working to eliminate.
— The New York Times (@nytimes) September 13, 2009
Over the years, hackers have hit a great many websites with malvertising, including well-known ones such as the London Stock Exchange, Yahoo.com, and The New York Times.
Malvertising Example
In 2009, The New York Times tweeted a warning to readers about a rogue pop-up on its website that posed as a virus alert. It was an unauthorized ad, which the newspaper subsequently removed.
Be Aware and Be Cautious
Threat actors capitalize on the lack of awareness of phishing and its consequences, which is why phishing figures in so many reports every year. Verizon's 2020 Data Breach Investigations Report found that 22% of breaches in 2019 involved phishing.
Every internet user should learn what phishing looks like and help spread that awareness, so that everyone stays on their toes when an unsolicited or unexpected email or pop-up arrives.