What is phishing? A phishing attack is a simple yet effective attack technique that can provide the perpetrators with a wealth of personal and corporate information. The aim and precise mechanics of the attack vary, but they usually center on soliciting personal data from the victim or getting them to install malicious software that damages their device, as in malware-based phishing.

What is a phishing attack and why is it so dangerous? Phishing is an example of a technical attack that exploits the most vulnerable part of an organization: its employees. Employees are arguably a corporation’s best asset, but when it comes to keeping data safe they are also the biggest security threat.

Even the most vigilant team members respond to cleverly targeted phishing campaigns, click on files riddled with malware and open attachments from “colleagues” without giving it a second thought. Phishing is not only common, it is also the most damaging and high-profile cybersecurity threat facing enterprises today, a conclusion supported by research from Google, Black Hat and US Homeland Security.

The evolution of phishing

Social engineering techniques have long been part of the cybercriminal’s repertoire. The earliest incidents of phishing took place over twenty years ago, when email was the preferred vehicle of attack. ‘Phishers’ would cast their nets far and wide with rudimentary techniques to encourage victims to part with their personally identifiable information (PII).

Realizing that email was a breeding ground for cyber threats, organizations responded by deploying email-focused security solutions to protect data, revenue and reputation. Fast forward a couple of decades and the proliferation of mobile technology has dramatically changed the phishing landscape.

Wandera’s recent research revealed that 81% of mobile phishing attacks occur outside of email with apps, messaging services, and websites being the most attractive targets.

What are the forms of phishing?

Many questions surround the dense topic of phishing and its many variants: what is phishing, what is spear phishing, and is there a difference between the two? There is a slight distinction, and in fact there are many other types of phishing. In order to identify a phishing attack and provide adequate protection, it’s important to know the different types.

Financial Fraud

A phishing attack that attempts to directly obtain financial information, such as bank details or online login credentials. One example is fake notifications from PayPal look-alikes that present fabricated spending receipts, which the user is inclined to investigate. These are typically, but not always, distributed by email. There are also many instances of attackers using SMS to send messages to targets as if they originated from PayPal itself.

The message will often focus on an anomalous payment or important service update, such as confirming the purchase of an item for $29, for example. The recipient is understandably tempted into inspecting this unrecognized transaction further, and clicks through the email to what appears to be the PayPal login page. Here, user credentials can be gathered by the host of the fake PayPal site, which can then be used to access the real PayPal service – offering hackers direct access to the target’s finances.

Service updates

Much like financial fraud, this approach sees attackers pose as services such as Dropbox or a utility provider, often as an indirect means of financial gain. The messages sent to users can be quite benign in tone, but are crafted to look as legitimate as possible.

Spoof landing pages are designed to capture the real user credentials for these sites, which hackers then use to log in to the real service, and gain access to everything a user has associated with it.

Clone phishing examples examined by researchers at Wandera reveal a variety of different approaches in this manner. These range from dummy login pages for Google, Microsoft and Apple online accounts to alarming, official-looking updates from government agencies. This technique can even be used to bypass accounts protected by two-factor authentication (2FA).

A variation of this attack requires the attacker to be online while the target enters their details into the fake page for, say, Microsoft’s services. The attacker immediately enters those credentials into the real Microsoft login page, which triggers a 2FA prompt. The target receives a text from Microsoft, as expected, and enters the code into the fake login page. The attacker reads the real 2FA code the user has just submitted and enters it into the genuine Microsoft login page, thus bypassing even the strongest of 2FA systems.

Promotional offer

This is a form of phishing in which some kind of coupon or special deal is promoted. It occurs on a mass scale, using entirely automated processes, and might feature tickets for a gig or heavy discounts on retail purchases. The added benefit for attackers with this technique is that the promotion often involves resharing the initial link, helping spread the attack even further.

This type of attack is particularly successful on social media and messaging apps like Skype and WhatsApp, where it’s more common to trust content from third party sources. Hackers also make frequent use of ad networks and promoted posts to reach even more victims with offers that really are too good to be true.

A popular example of this kind of phishing is a Starbucks promotional page distributed to consumers, where they are invited to sign up to a service so they can receive vouchers for free coffee. Of course, this user information is then accessible by the attacker and can be used for nefarious purposes, such as attempting to use those same signup details to access other more lucrative services. This tactic is more effective than you might initially think – a staggering 55% of web users use the same password for most, if not all, websites.

Spear phishing

There is not a huge difference between spear phishing and phishing. Spear phishing is a type of phishing that is much more targeted than other approaches. Here, a particular individual or organization is attacked using information specific to that target. This might include the impersonation of employees or contractors to extract a certain piece of data, often relying on manipulation and trust rather than on online pages to execute the attack.

An example of this attack happened at Google and Facebook, where emails supposedly from suppliers were sent to members of the finance department. Fraudsters posed as Quanta Computer, a genuine Taiwanese electronics manufacturer that has both Google and Facebook as clients.

Shockingly, even the shrewd and highly intelligent employees of these tech giants erroneously paid invoices worth tens of millions to these phony suppliers, totalling more than $200m in payments between them. This clever blend of targeted, relevant information and convincing, tailored phishing attempts can prove extremely costly to many businesses.

Whaling

Technically a branch of spear phishing, this type of attack is focused squarely on high-profile individuals. Attackers can spend months researching their targets, working out their daily routine and mapping their personal relationships. Once equipped with this highly personalized information, the attacker uses it to their advantage.

One example saw the COO of a well-known media company sent a series of messages from an attacker impersonating a remote colleague – itself an intensely researched bit of information. This email was sent using an almost identical domain name, for example using bloornberg.com rather than bloomberg.com. These were coupled with WhatsApp messages of a similar nature, complete with seemingly accurate images and personal details of the target employee stolen from their legitimate social media profiles.

After building a degree of trust in a back and forth series of messages, the imposter included a note informing the COO that the salaries of some of his direct reports had been publicly posted online. The COO, suitably alarmed, clicked through to see where the info had been published and was asked to download and open an attached file. Included in the file was a nefarious piece of malware, designed by the attacker to gain access to the company’s internal systems and steal vast troves of sensitive corporate data. This incident reportedly cost the organization tens of millions of dollars.
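The bloornberg.com example above works because “rn” renders almost identically to “m” in many fonts. The following is an added example, not code from Wandera or from this article, showing how a defender can flag such look-alike sender domains against a constructed allow-list of trusted domains; the confusable pairs and the similarity threshold are assumptions.

```python
from difflib import SequenceMatcher

# Constructed allow-list (assumption: the defender maintains one).
TRUSTED_DOMAINS = ["bloomberg.com", "paypal.com", "microsoft.com", "dropbox.com"]

# Character sequences that look alike in common fonts. "rn" -> "m" is the
# substitution behind bloornberg.com; the other pairs are assumed extras.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def skeleton(name: str) -> str:
    """Collapse confusable sequences so visual look-alikes compare equal."""
    s = name.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def registrable(host: str) -> str:
    """Keep the last two labels (assumption: no public-suffix list here)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_check(host: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85):
    """Classify a sender/link domain against the allow-list.

    Returns (verdict, matched_domain): 'trusted' for an exact match,
    'lookalike' when the skeleton matches or the name is very close to a
    trusted domain, otherwise 'unknown'.
    """
    dom = registrable(host)
    if dom in trusted:
        return ("trusted", dom)
    for t in trusted:
        if skeleton(dom) == skeleton(t):
            return ("lookalike", t)
        # Catch single-character edits such as bloomberq.com as well.
        if SequenceMatcher(None, dom, t).ratio() >= threshold:
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample of sender domains seen in mail headers.
    for h in ["mail.bloornberg.com", "paypa1.com", "login.microsoft.com", "example.org"]:
        print(h, "->", lookalike_check(h))
```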

Why mobile?

Mobile devices, which often lack the security controls found on desktops, have a number of unique characteristics that make them particularly fertile ground for phishing attacks when compared with desktop.

  • Obscured URL – the limited screen space on mobile means that browsers typically hide the full URL a user visits, reducing their ability to easily double-check suspicious domains.
  • Limited screen size – the smaller screens also make detailed scrutiny of web pages more difficult.
  • Distraction mode – the fleeting, ‘on the move’ nature of the mobile experience means that most interactions demand less concentration from the user. Phishers take advantage of this less focused mode of attention.
  • Secured medium – for a variety of reasons, people are typically more trusting of mobile devices and apps than they are of desktop software. This misplaced trust makes the different types of phishing attempts more successful.

How to prevent phishing within your enterprise

There’s no simple answer to combat the ever-growing phishing threat. Part of the issue is education, and part of it is infrastructure.

Malicious sites increasingly use HTTPS, which makes it even harder for app-centric security solutions to realize that important data has been handed to a phishing site, because the data is encrypted in transit. It’s imperative for organizations to have full visibility into where their data is being sent if an employee takes the bait.

Wandera has built the only technology that can automatically detect, alert and block traffic to mobile phishing sites in real-time. The Secure Mobile Gateway provides admins with full visibility into all the data being sent to and from the device at all times, preventing attackers from getting their hands on your personal information.

Is mobile phishing the biggest mobile security risk?

Phishing is not only far more prevalent than you might think, but it has also become a major security threat on mobile devices, not just desktop. Find out where phishing attacks are happening, in which apps, and on what operating systems.
