Phishing attacks have increased exponentially in recent years. According to recent studies, phishing attempts, for example via email, accounted for almost half of all emails sent in 2021. Against this background, the term “phishing” has become extremely popular. Not a day goes by without news of an attempt to phish companies or private citizens through increasingly imaginative mechanisms.
Phishing and social engineering
In phishing attacks, identity theft and social engineering play a key role. Not surprisingly, cybercriminals adopt false identities that exploit people's sensitivities and whatever needs they have at a given moment. When the subject on everyone's mind was the tax return, “messages from the Ministry of Finance” were the main vehicle for phishing attacks; when we were focused on the pandemic, messages related to health in all its aspects (products, public bodies, security, etc.) were the ones that attracted cybercriminals' attention. Now that the war in Ukraine puts supplies or freedom of expression at risk, it is more than likely that cybercriminals will pose as NGOs or even journalists.
Generic phishing techniques
The objective is always to get the victim to carry out some action that brings the cybercriminal a benefit of some kind, whether an economic transaction, access to information or control of computer systems. On this premise, the victim's action becomes one of the key steps in a phishing attack achieving its objective. For this reason, the strategies used by cybercriminals rely on techniques that are ever more imaginative. Below we collect some of the techniques that have been, and still are, used by criminals in phishing attacks. These are ingenious, little-known techniques that are sometimes tailored to particular sectors or groups of people but that share a common pattern in the way they operate.
Targeted searches
Users’ suspicion of links in emails has led cybercriminals to resort to alternative mechanisms to gain their victims' trust. Phishing techniques have been detected that make use of Google search recommendations pointing to deliberately prepared websites that have previously achieved high rankings through SEO positioning techniques. Cybercriminals spend part of their time getting bait websites to appear at the top of search results, for example on Google, for certain terms. In this way, when they later recommend a certain concept or term to their victims, a search for it will lead them to the destination specially prepared to act as a decoy.
Exclusive encrypted information for the recipient
A victim's distrust is countered precisely by playing on that very concern for trust.
From here, cybercriminals try to convince their victims that they have been given access to resources apparently encrypted and personalised for them. In this way, the recipients perceive a false sense of security. The cybercriminal invites them to use sensitive information, such as username and password, as the decryption mechanism. The confusion between concepts such as “encryption keys” and “information access keys” (login credentials) plays a fundamental role in the success of this type of technique. Typically, through an email, the criminal convinces the victim, for example, that a file contains encrypted confidential information and that only he or she can decrypt it by entering their username and password; something that is impossible as described, but that can be confused with the way public/private key cryptography is managed.
MFA for undefined uses
The use of two-factor authentication mechanisms is increasingly widespread. The financial sector, for example, uses it routinely in compliance with the European PSD2 regulation. But it is not the only one. Increasingly, email accounts, commercial applications and even social networks implement two-factor authentication mechanisms that reduce the risk that password theft entails. For this reason, cybercriminals resort to MitM techniques through which they make victims believe that some event has occurred, for which they will be sent an authentication code that they must provide. In reality, that code does not correspond to the operation the victim thinks they are carrying out; instead it serves the cybercriminal to access a service without the victim being aware of it. There are many examples of this technique. One of the most obvious is a message stating that an email account or a bank account has been blocked. The victim is then asked to provide, as proof of identity for unblocking it, the verification code that is about to be sent to them. Immediately afterwards, the victim receives a verification code, sent by the real service that the cybercriminal wants to access, and hands it over to the criminal. The end result is known to all.
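To make concrete why a bare verification code is so easy to relay under a false pretext, here is a small added example (not from the article or from All4Sec) contrasting two server-side designs: a plain time-based code that says nothing about what it authorises, and a code bound to a description of the operation being approved, which is the idea behind transaction-signing and “what you see is what you sign” MFA. The shared secret, time step and operation strings are constructed for illustration; the code format is HOTP-style truncation over an HMAC, using only the Python standard library.

```python
import hashlib
import hmac

DIGITS = 6


def _truncate(mac: bytes) -> str:
    """HOTP-style dynamic truncation (RFC 4226, section 5.3) to a fixed-width decimal code."""
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


def generic_code(secret: bytes, time_step: int) -> str:
    """Plain time-based code: depends only on the shared secret and the time window.
    Nothing in it says which operation it authorises, so whoever obtains it can use it
    for any pending operation in that window."""
    mac = hmac.new(secret, time_step.to_bytes(8, "big"), hashlib.sha1).digest()
    return _truncate(mac)


def bound_code(secret: bytes, time_step: int, operation: str) -> str:
    """Operation-bound code: a human-readable description of the operation (shown to the
    user when the code is generated) is mixed into the MAC input, so a code produced for
    one operation does not verify for another."""
    message = time_step.to_bytes(8, "big") + operation.encode("utf-8")
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    return _truncate(mac)


def verify_generic(secret: bytes, time_step: int, presented: str) -> bool:
    """Server-side check for the generic scheme (constant-time comparison)."""
    return hmac.compare_digest(generic_code(secret, time_step), presented)


def verify_bound(secret: bytes, time_step: int, operation: str, presented: str) -> bool:
    """Server-side check for the bound scheme: the server recomputes the code over the
    operation it is actually about to perform."""
    return hmac.compare_digest(bound_code(secret, time_step, operation), presented)


def relay_scenario(secret: bytes, time_step: int) -> dict:
    """Constructed walk-through of the 'your account has been blocked' pretext.

    The real service is asked to approve a login from a new device. The victim is told
    that the code they are about to receive is for unblocking their account, and reads
    it back. The two schemes behave differently when that relayed code is submitted.
    """
    real_operation = "login from new device"  # what the server is actually approving
    claimed_operation = "unblock account"     # what the victim was told

    # Generic scheme: the service sends a bare number; once relayed, it verifies.
    relayed = generic_code(secret, time_step)
    generic_accepted = verify_generic(secret, time_step, relayed)

    # Bound scheme: the victim's authenticator produces the code over the operation the
    # victim believes they are approving; submitted for the real operation, it fails.
    relayed = bound_code(secret, time_step, claimed_operation)
    bound_accepted = verify_bound(secret, time_step, real_operation, relayed)

    return {"generic_accepted": generic_accepted, "bound_accepted": bound_accepted}


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret-not-for-real-use"  # constructed value
    print(relay_scenario(demo_secret, 1_700_000_000 // 30))
```

In a real deployment the bound scheme has a second effect that the code cannot show: the authenticator displays the operation description it received from the service, so a victim told they are “unblocking” an account sees “login from new device” on screen, and the mismatch itself is the warning. Binding the code cryptographically covers the case where the victim relays it anyway.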
Microsoft, medium and form
Another technique used by cybercriminals relies on Microsoft tools to confuse victims. Perhaps the most representative example is how cybercriminals invite their victims to download a OneDrive file while presenting them with a custom-made form built with Microsoft tools. The fact that the Internet domains shown in the form are the same ones Microsoft provides acts as a “security guarantee” in the eyes of the victim. The objective is for the victim not to notice that they are not actually accessing a cloud storage service, but rather completing a form that will immediately be sent to the cybercriminal for exploitation.

And we could go on… We could surely extend the list of phishing techniques as much as we wanted, but they would all share a common denominator: social engineering plays a predominant role throughout the process. In fact, it is the key element, and one that can only be combated through the continuous awareness of users themselves. Now that Artificial Intelligence techniques and the blockchain have gained greater prominence, the field of action for cybercriminals is very likely to grow at an exponential rate. Concepts such as “deepfakes” or “ice phishing” will appear more and more in the specialised media, revealing new models of phishing attack. The conclusion in the face of this reality therefore seems obvious: we must remain constantly alert. It would be naive to think that, with these resources, cybercriminals will not be able to devise new, even more imaginative techniques with which they will keep trying to deceive us.
By Juanjo Galán, Business Strategy at All4Sec