Hikvision Senior Director of Cybersecurity: Identifying Phishing Attacks, Three Advanced Phishing Tactics Explained
In recent blogs, Hikvision senior director of cybersecurity Chuck Davis discussed phishing hacks and malware related to the coronavirus, and tips to avoid them. In this blog, Hikvision’s Davis covers an overview of phishing attacks, what they are, how to identify them and avoid becoming a victim of them.
Phishing takes many forms and those forms evolve daily. It’s true, some phishing attacks are so good they can even dupe seasoned cybersecurity experts. On the contrary, common phishing attacks are easy to detect. And, the more you understand about phishing tactics, the better you get at recognizing when you need to be suspicious and take extra caution. Keep reading to learn more.
What Is Phishing?
Phishing is the attacker’s dependable, longtime friend. Around since at least 1995, phishing is used to trick people into providing credit card information, login IDs and passwords, and to gain access to your computer, protected systems and/or networks.
Phishing is the malicious use of social engineering to obtain sensitive information or access from an unsuspecting victim. This usually comes in the form of email, social media links, or other digital means that an attacker can use to trick a victim.
The United States Computer Emergency Readiness Team (US-CERT) defines phishing as follows:
Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing email is usually crafted to appear as if they have been sent from a legitimate organization or someone known to the recipient. They often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information such as account usernames and passwords that can further expose the victim to future compromises. Additionally, these fraudulent websites may contain malicious code. (http://www.us-cert.gov/nav/report_phishing.html)
History of Phishing
The practice of phishing, “originated sometime around the year 1995, these types of scams were not commonly known by everyday people until nearly ten years later” according to phishing.org. The practice has become one of the main methods of attack and is increasing at a rapid pace.
Understanding the history of phishing can help you avoid falling prey to this type of scam. To learn more about the history of phishing, read this post on phishing.org.
Basic Phishing
Phishing attacks come in all shapes and sizes. Most of the basic phishing email have easy to spot characteristics, if you’re looking for them. The following example is from 2012. Even though it’s old, I think this email would still trick many recipients.
You can see in the following image, that the email appears to come from “Customer Central” and sent from an e-mail address using the domain name, “comcast.com.”
Gmail does not do us any favors by masking the full destination email address. You can see in the image below that it appears to be sent to “pllpt.” This is greyed out and in small text so it’s easy to overlook, but the fact that the recipient’s real email address is not in the “To:” field is our first clue that this may be a phish attack.
The email indicates that the customer’s credit card information on file is declining the payment and the email requests that the recipient update his or her credit card information by clicking on the link.
A quick or casual review of this link may seem safe. The URL begins with http://account.comcast.com. But look at the rest of the URL: http://account.comcast.com.5he.biz/
Remember that the last two sections before the forward slash (/) indicate the domain name of the destination. In this case, the domain name is 5he.biz and account.comcast.com are all subdomains of 5he.biz.
Interestingly, the author of this phishing email did not try to mask the actual link, which is easy to do and might be a little more effective in tricking someone to click on the link.
After clicking the link, you can see below that the URL has changed to yet another domain name. This time it begins with “login.comcast.net” but again, notice the trailing forward slash does not come until much later in the URL, which means that the domain name for this page is actually o7b.name.
The next, very interesting thing to note here is that the rogue site looks exactly like the actual Comcast xfinity authentication page. Below, compare the screenshots of the rogue site and the actual Comcast xfinity page. They are nearly identical!
The rogue site:
The real site:
Three Advanced Phishing Tactics Explained
Many of you reading this have received phishing email and you likely know some tricks to identify a basic phish. In this section, you may learn some new tactics that attackers are using to trick us.
Tactic No. 1: URL Masking
This tactic is actually quite basic but it is the cornerstone of more advanced tactics. One of the main tips in finding a phishing email is to hover over links to see where they go before you click. That is a great tip, but there are phishing tricks that attackers use to mask a URL. Here are some examples of how easy it is to mask a URL. If you hover over the link below, you’ll notice that it does not link to yahoo.com, but rather, google.com.
Tactic No. 2: Advanced URL Masking
Hovering over is a good way to scrutinize a URL but it’s not 100 percent accurate. There are ways to “click-jack" URLs that will show one link when you hover over it but send the user to another link when you click.
One method of executing this is to write JavaScript that shows one domain when you hover over the link, and sends you to a different page when you actually click! Hover over the following example. You’ll see that the link points to https:www.google.com. Now click on that link and see which page opens up.
Tactic No. 3: Unicode Domains
Another tactic is to use character sets that look similar to English/Latin characters, but are not. In this example, apple.com was registered using Cyrillic characters instead of English/Latin characters.
https://apple.com/ - This is the REAL Apple URL with English/Latin characters.
https://аррӏе.com/ - This is a fake site using Cyrillic characters.
When you click on the second link in Firefox and some other browsers, the URL shows the Cyrillic characters. The good news is that most modern browsers now show the Punycode URL.
A security researcher registered the above domain. You can read his blog post here to learn more about this type of attack.
Read more about preventing phishing and other hacks Hikvision’s cybersecurity blog link.