Blue Teaming
Kim Crawley, Jan 16, 2022
Phishing scams can be very destructive cyber attacks. Every use of computer technology to do deliberate harm is a cyber attack, and phishing illustrates how important it is to understand social engineering. Even many of the most sophisticated cyber attacks deployed by advanced persistent threat (APT) groups involve social engineering at some point in the attack chain. It’s much easier and more effective for an external attacker to enter a network through a human being with a privileged user account than to brute force internet-facing vectors or to exploit the network by purely technological means.
And once the attacker has tricked a human being into granting them access to their privileged user account, the attacker can proceed with no further human interaction. Often, they can even escalate privileges from an account with limited privileges until they have root.
Phishing is one of the most common ways that cyber attackers fool people into granting them account access. Phishing is when an attacker pretends to be a trusted entity, such as your bank, utility company, employer, a government agency, Amazon, Apple, or Google. To facilitate the scam, an attacker will imitate a trusted entity’s emails, webpages, web apps, text messages, or social media posts. This is easier than ever these days, because phishing kits can easily be purchased on the Dark Web which imitate specific companies, service providers, and government agencies. Phishing kits contain the webpages and graphics that can be used to succeed in the scam.
A classic phishing attack goes something like this. A user gets an email that looks exactly like the emails they get from their internet service provider, graphics and all. “A hacker may have compromised your account, click here to change your password!” If the user clicks on the link, they’re directed to a phishing website that imitates their ISP’s genuine website. The webpage could infect the user’s machine with malware. The webpage could also have a form for them to change their password which asks for their current password. Then there you have it! The attacker has their real password, and may have also infected their phone or PC with spyware or some other type of malware.
It’s also important for us l33t hacker computer nerds to understand that we too can succumb to phishing attacks. In fact, cybersecurity professionals are often targeted with phishing these days.
Here are five dangerous phishing scams that are important lessons for all of us to learn from.
When John Podesta, the campaign manager for Hillary Clinton in 2016, was successfully phished in March of that year, it presented an excellent example of how powerful people are targeted by cyber attackers.
The phishing attack that targeted Podesta is what we call spear phishing. Spear phishing targets a specific individual, and often attackers will research their target quite a bit so they can more successfully socially engineer them. Many other phishing attacks are promiscuous: they may target Canadians in general who have Scotiabank bank accounts, for instance. Spear phishing targets one specific person, likely because of their power or privileged access.
In March 2016, Podesta received an email from an attacker who pretended to be Google. The email said someone in Ukraine tried to access his Google account, and to click on the link to change his Google password. The campaign’s IT team advised Podesta to go directly to Google’s site and also set up 2FA, and to avoid clicking on the email link. But he did click on the link!
The sensitive data that was exposed in the attack ended up on WikiLeaks and revealed a lot of private information about Clinton’s campaign. It was a nightmare for the Clinton campaign team.
This phishing campaign from 2020 is a great example of how promiscuous phishing attacks can exploit people’s financial desperation.
The phishing emails that November pretended to be from the IRS (the US tax agency) and promised $1,200 USD in COVID-19 relief money. “Further action is required to accept this payment into your account. Continue here to accept this payment...”
The phishing site the link led to imitated the IRS’s Get My Payment site. A lot of victims shared their sensitive personal and financial data with the cyber attackers.
Ubiquiti Networks is a tech company in the United States. In 2015, a very detailed spear phishing campaign targeted the company’s Chief Accounting Officer. The attacker impersonated the CEO and their lawyer.
While pretending to be the CEO via phishing emails, the attacker compelled the targeted CAO to transfer large sums of money to various accounts to facilitate a supposedly secret corporate acquisition.
Ubiquiti Networks only learned about the attack once the FBI contacted them. $46.7 million USD was lost in the scam.
Christmas is coming in a couple of months. And the Christmas holiday season is a time when many people feel they need to demonstrate Santa Claus’s generosity to charitable causes.
Cyber attackers exploit these emotions. The FBI warns people to avoid these phishing email scams:
“If you receive an email purporting to be from a charitable organization, do not click on links. These could be attempts to download viruses onto your computer or cell phone. Watch out for charity names which sound very similar to well-known charities, as well as email addresses that are not consistent with the charity soliciting donations. Instead, search for the charity using an internet search engine to ensure you’re connected to the actual charitable organization.”
In January 2016, Crelan Bank, a large financial institution in Belgium, was victimized by a very sneaky phishing campaign.
Attackers compromised a corporate executive’s email account. From there, the attackers pretended to be the CEO to other people who work for the company. They compelled employees with internal financial access to transfer large sums of money to the attacker’s accounts.
This attack cost Crelan Bank about $75 million USD, and was only discovered through an internal audit.
So as you can see, phishing attacks can target anyone. Some are promiscuous, some are spear phishing attacks. They have varying levels of sophistication. The best line of defense is to be aware of them, and to contact trusted entities directly rather than clicking on links in emails, text messages, and social media posts. For what it’s worth, I have advised a financial institution I do research for to avoid sending customers emails with links in them. Train people out of that habit!