Phishing, a common cyber threat that involves various deceptive tactics designed to compromise user security and steal sensitive information. While some may have a general idea of what phishing is, others may be out of loop when it comes to how many phishing techniques exist.
Phishing tactics frequently include spoofing methods to persuade individuals and coax them into taking the bait. These deceptive schemes are crafted with the intention of deceiving recipients into giving sensitive information to unauthorized parties.
This guide provides an in-depth exploration of diverse phishing techniques, including HTTPS phishing, clone phishing, angler phishing, and pop-up phishing. By understanding these tactics and implementing proactive security measures, individuals and organizations can protect themselves against phishing attacks.
Phishing stands as the reigning champion among social engineering tactics, a broad category encompassing various attempts to deceive individuals. In a typical phishing campaign, you may receive an email masquerading as a legitimate communication from a reputable and familiar organization, prompting you to update or confirm personal details either by responding directly to the email or visiting a linked website.
The URL provided may closely resemble familiar addresses you've encountered before. The email's content might be skillfully written to persuade you into complying with the instructions provided. Essentially, phishing is a type of social engineering, which often works hand in hand with other sneaky tactics such as spreading malware, injecting code, and infiltrating networks. This partnership creates a potent arsenal for attackers to wreak havoc. Now that we have an idea of what traditional phishing is, lets look at some lesser-known phishing techniques.
HTTPS phishing exploits the trust associated with secure connections to deceive users into interacting with fraudulent websites. Attackers leverage HTTPS encryption to create convincing imitations of legitimate websites, tricking users into disclosing sensitive information or downloading malware.
According to Open Text Cybersecurity’s 2023 Global Threat Report, the usage of HTTPS surged from 32% in 2021 to surpass 49% in the previous year, marking an impressive increase of almost 56%. The report also highlighted a common misconception among users who believe that HTTPS sites are automatically secure due to the padlock symbol displayed in the browser. However, the report cautioned that attackers are aware of this misconception. They exploit it by registering domains, obtaining certificates, and setting up malicious websites to deceive unsuspecting users.
.
Image 1: Padlock in Browser
Source: TonyHerman.com
It seems that domain registrars and certificate-issuing authorities are experiencing challenges in thwarting fraudsters' efforts to obtain and misuse authentic certificates to boost their phishing success rates.
Open Text also noted a rise in the ratio of HTTPS to standard HTTP websites in 2022.
"Although the surge in phishing activity witnessed in April coincided with a decrease in HTTPS usage, the heightened phishing activity observed in October and November corresponded with the highest adoption rates of HTTPS throughout the year.
This trend suggests that over time, attackers may have acknowledged the advantage of exploiting users' trust in HTTPS URLs as secure, opting for these URLs over HTTP counterparts during peak phishing periods." – Open Text
Clone phishing involves creating fake copies of legitimate emails, including attachments or links. Attackers exploit trust in previously received communications to trick recipients into interacting with the malicious content, often leading to credential theft or malware infection.
In clone phishing attacks, messages may differ, but they usually share similar traits. They often convey urgency, pushing recipients to act quickly. These messages commonly include harmful links or file attachments, essential for the attacker's plan.
For example, an employee receives an email seemingly from their company's HR department, informing them of an urgent issue with their payroll information. The email appears authentic, using the company's logo and email format. It urges the employee to click on a link to verify their details to prevent a disruption in their salary payments.
Unaware that it's a malicious message, the employee clicks the link and unknowingly provides their login credentials to the attackers, compromising their account and potentially exposing sensitive company data. In this scenario, the attackers have successfully cloned a legitimate email from the employer, exploiting an individual’s trust and sense of urgency to deceive them into divulging sensitive information.
Angler phishing exploits social media platforms and messaging apps to target individuals with fraudulent offers or messages. These attacks often lure victims into clicking on malicious links or providing personal information under the guise of legitimate “opportunities”.
Angler phishing attackers scour through the social media profiles associated with a targeted company. After identifying individuals expressing dissatisfaction, whether in tweets or Facebook comments, these attackers reach out to them via direct messages using fake accounts.
As a result, social media users, eager for a quick customer service resolution, often engage with these messages, believing they're communicating with genuine company representatives. The attacker typically uses a social media handle resembling that of the targeted company to enhance the lie.
Once contact is established, the attacker tries to coax the victim into revealing sensitive information, such as passwords, or trapping them into clicking on malicious links that lead to malware downloads.
Pop-up phishing involves the dissemination of deceitful messages that unexpectedly "pop up" while users browse the internet, often occurring when threat actors compromise legitimate websites with malicious code.
These messages are particularly effective due to their convincing content, often portraying fraudulent security alerts aimed at unsuspecting visitors. They typically convince individuals to download supposedly necessary tools, like antivirus software that is actually malware. The pop-up may also convince the victim to contact fraudulent support phone numbers - a tactic increasingly observed in recent times. Let’s look at an example of how easy it can be for people to fall victim to pop-up phishing.
Image 2: Pop-Up Phishing Example
Source: Information Security (Washington Unv. in St. Louis)
In the healthcare sector, a nurse, let's call her Sarah, is diligently reviewing patient records on her hospital's website when suddenly, a pop-up message claiming to be from the IT department appears on her screen. The message warns Sarah that her computer has been compromised and urges her to download an urgent security patch to protect patient data. Concerned about potential breaches, Sarah clicks the prompt and unknowingly installs malware onto the hospital's network, granting cybercriminals access to sensitive patient information.
HTTPS Phishing – to safeguard your organization against phishing schemes utilizing SSL certificates, educate your team about HTTPS cyber threats:
Clone Phishing – preventing clone phishing attacks is tricky because the attacks can be subtle. Here are some ways to protect your organization:
Angler Phishing – take a look at these tips for avoiding angler phishing and protecting your organization from social media scams:
Pop-Up Phishing - here are some guidelines for organizations to help prevent employees from falling victim to pop-up phishing scams:
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium has services that can help:
What Is Clone Phishing? - Check Point Software
Understanding and fighting clone phishing - Trustpair
2023 OpenText Cybersecurity Threat Report | OpenText (bfldr.com)
HTTPS Phishing Attacks: How Hackers Use SSL Certificates to Feign Trust | Keyfactor
Common Phishing Attacks | NCDIT
What Is Clone Phishing? - Definition, Examples & More | Proofpoint US
What is angler phishing and how can you avoid it? | NordVPN
What Are Angler Phishing Attacks? Definition, Risks, and Prevention| KuCoin
Phishing Attack - What is it and How Does it Work? - Check Point Software
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.