Phishing emails have long been a figure of fun, especially the widely known, and laughable, Nigerian prince who needs your bank account to hold his money. Learning from these rather obvious forgeries, phishers have been forced to become much more sophisticated in the way they craft both the email itself and the supporting material, the website landing page for example, to create a believable story and increase the chance you’ll click on the link. To better understand these mails, and how not to become a victim, we need to look at how they’re put together.
The first step in any good phish is to make sure the page you’re being taken to looks as legitimate as possible. There are various tools freely available online to copy websites, and hackers may take just a single page or the entire site and host it themselves, depending on how elaborate they want it to appear. The more elaborate the site looks, the more likely it is to stand up to scrutiny, but setting up these spoof sites, and hosting all of the associated assets, takes time and effort that many ‘quick-buck’ hackers aren’t willing to put in. Once they have the ‘assets’ to hand they can log in to any domain registration service, like GoDaddy, and register an address similar to the one they are masquerading as. They can use sites such as whois.com to find out the registered owner of the original site and copy those details over, making it all the more difficult to tell the real from the fake.
Once that’s all in place, crafting the email is a fairly simple process. Registering an account with the organisation should give the phisher a template email whose wording they can change, giving them at least a passable email that will stand up to cursory inspection.
At this point there are two possible routes for an attack. Most will simply fire out thousands of emails in a machine-gun approach, hoping someone clicks the link through inattentiveness or negligence. Others take a more circuitous route, but one that ultimately reaps greater rewards. Using unsecured data on social media, a process known as Open Source Intelligence Gathering (OSIG), hackers target the mail at specific users within a group or organisation and use that data to make the phish much more believable to the recipient.
It isn’t just bank customers who are susceptible to this kind of ploy. Increasingly, large companies and businesses are being targeted, especially through the OSIG technique with data harvested from sites like LinkedIn. All companies hold valuable data, be it financial information or simply customer records, and once a single user has given away their login details to a scam site, the hacker has a way in that bypasses the security set up to keep them out.
Ultimately the defence against phishing attacks comes down to education and common sense. Staff need to be taught to identify unusual requests, such as I.T. asking for passwords or logins, and to perform simple checks like making sure the site has the correct suffix (.com, .co, etc.). Without these basic checks being part of daily business, a sophisticated hacking attack could easily undermine your business from within.
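The ‘simple checks’ above can also be automated for links in incoming mail. The following is an added example (not code from the original post) that reduces a link’s hostname to its registrable domain and flags the tricks the article describes: a wrong suffix, the real domain buried as a subdomain, an ‘@’ hiding the real host, punycode hostnames, and link text that shows a different address than the link goes to. `EXPECTED_DOMAINS`, the suffix set and all hostnames are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed allowlist: the registrable domain(s) the organisation really uses.
EXPECTED_DOMAINS = {"examplebank.com"}

# Constructed subset of multi-label public suffixes; a real deployment would
# load the full Public Suffix List rather than this hand-written set.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(hostname):
    """Owner part of a hostname: login.examplebank.com -> examplebank.com."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(href, display_text=""):
    """Return (True, 'ok') for an expected link, else (False, reason)."""
    parsed = urlparse(href)
    host = parsed.hostname
    if not host:
        return False, "link has no hostname"
    if parsed.username is not None:
        # https://examplebank.com@evil.test/ really connects to evil.test
        return False, f"'@' in URL; real host is {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalised (punycode) hostname {host}"
    domain = registrable_domain(host)
    shown = urlparse(display_text).hostname
    if shown and registrable_domain(shown) != domain:
        # Visible text says one site, the link actually goes to another
        return False, f"text shows {shown} but link goes to {host}"
    if domain in EXPECTED_DOMAINS:
        return True, "ok"
    for good in EXPECTED_DOMAINS:
        name, suffix = good.split(".", 1)
        if domain.split(".", 1)[0] == name:
            # examplebank.co instead of examplebank.com
            return False, f"{domain}: wrong suffix, expected .{suffix}"
        if good in host:
            # examplebank.com.evil.test: real name buried in a subdomain
            return False, f"{good} used as a subdomain of {domain}"
    return False, f"unknown domain {domain}"
```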