Security Advisory on Phishing Attacks

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS, MAC OSX, Web Servers, Systems, Networks, Mobile Networks and Telephones
Advisory ID:
ngCERT-2020-0026
Version:
N/A
CVE:
N/A
Published:
December 15, 2020

Summary


Phishing attacks are the most common and effective cyber security threat to individuals, businesses and organizations. Phishing is the delivery mechanism of choice for ransomware and other malware and it is a critical problem that every organization must address through a variety of means. Most phishing messages indicate immediate action is needed to avoid an unwanted time-sensitive consequence. It is important to be suspicious of all requests, and review messages carefully to determine if the message may be a phishing scam.

Description & Consequence


Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card information. This occurs when an attacker pretends to be a trusted entity to dupe a victim into clicking a malicious link that can lead to the installation of malware, freezing of the system as part of a ransomware attack, or revealing of sensitive information. Phishing is still one of the most widespread and damaging cyberattacks. Phishing attacks can lead to financial loss, data loss and reputational damage.

How to Detect Phishing Attacks

Be suspicious of all requests. Ask, "Is this real?" Use the following checklist to check for common signs of phishing messages:

  1. Message indicates urgent action is needed
  2. Message indicates negative consequences will occur if action is not taken
  3. Message is not expected
  4. Message sender is not known
  5. Message cannot be read without opening an attachment
  6. Message requests sensitive information be sent
  7. Message directs users to "click here"
  8. Message uses poor grammar and/or spelling
  9. Sender "From:" name does not match message signature
  10. Sender email address does not match organization name
  11. Sender email address is not exactly the same as the real address
  12. Web site address (URL) of linked site does not match organization

Types of Phishing Techniques

Five key phishing techniques that are commonly employed:

1) Link manipulation: Link manipulation is done by fraudulently directing a user to click a link to a fake website. This involves the use of sub-domains, hidden URLs, misspelled URLs and IDN homograph attacks.

2) Smishing: Smishing is a form of phishing where someone tries to trick a victim into giving their private information via a text message.

3) Vishing: Vishing is the telephone version of phishing, or a voice scam. Similar to email phishing and smishing, vishing is designed to trick victims into sharing personal information, such as PIN numbers, credit card security codes, passwords and other personal data. Vishing calls often appear to be coming from an official source such as a bank or a government organization.

4) Website forgery: Website forgery works by making a malicious website impersonate an authentic one, so as to make the visitors give up their sensitive information such as account details, passwords, and credit card numbers. Web forgery is mainly carried out in two ways: cross-site scripting and website spoofing.

5) Pop-ups: Pop-up messages, besides being intrusive, are one of the easiest techniques for conducting phishing scams. They allow hackers to steal login details by sending users pop-up messages that eventually lead them to forged websites.
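The checklist above (urgency cues, sender name and address mismatches, linked URL not matching the organization) and the link-manipulation indicators from technique 1 (sub-domain abuse, hidden URLs, misspelled URLs, IDN homographs) can be applied mechanically to an incoming message. The following is an added example, not code from ngCERT or from this advisory: it parses one constructed e-mail and reports which indicators fire. The organization name `example-bank.com`, the similarity threshold, the urgency word list and the sample message are all assumptions made for the demonstration.

```python
"""Phishing indicator checks over a constructed sample message (added example)."""
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-bank.com"   # hypothetical organisation being impersonated
LOOKALIKE_RATIO = 0.85                # similarity above which a domain counts as a lookalike
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "verify your account")
# Anchor text that looks like a URL itself (checklist item 12 / hidden URL)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# Constructed sample: lookalike sender domain, urgency cues, one sub-domain/hidden-URL
# link and one link with a made-up punycode label (not a decodable IDN).
SAMPLE_MESSAGE = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended within 24 hours unless you act immediately.</p>
<p><a href="http://example-bank.com.login-check.net/verify">https://example-bank.com/secure</a></p>
<p><a href="http://xn--exmple-bank-9qb.com/reset">Reset password</a></p>
</body></html>
"""


def registered_domain(host):
    """Crude registrable domain: the last two labels (a public-suffix list would do better)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(domain):
    """Misspelled-URL check: near-identical to the trusted domain but not equal to it."""
    if domain == TRUSTED_DOMAIN:
        return False
    return SequenceMatcher(None, domain, TRUSTED_DOMAIN).ratio() >= LOOKALIKE_RATIO


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_url(href, text):
    """Link-manipulation indicators for one anchor (technique 1, checklist item 12)."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    reg = registered_domain(host)
    if any(label.startswith("xn--") for label in host.split(".")) or any(ord(c) > 127 for c in host):
        findings.append(f"IDN/punycode host: {host}")
    if TRUSTED_DOMAIN in host and reg != TRUSTED_DOMAIN:
        findings.append(f"sub-domain abuse: {TRUSTED_DOMAIN} appears under {reg}")
    if is_lookalike(reg):
        findings.append(f"misspelled domain: {reg}")
    shown = None
    if URL_LIKE.fullmatch(text.strip()):
        shown = urlparse(text if "://" in text else "http://" + text).hostname
    if shown and registered_domain(shown) != reg:
        findings.append(f"hidden URL: text shows {shown}, link goes to {host}")
    return findings


def check_headers(msg):
    """Sender checks (checklist items 10 and 11): lookalike domain, display name vs address."""
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain: {domain}")
    org = TRUSTED_DOMAIN.split(".")[0]
    if org in name.lower().replace(" ", "-") and domain != TRUSTED_DOMAIN:
        findings.append(f"display name claims {org} but address is {addr}")
    return findings


def check_content(msg):
    """Urgency/threat cues (checklist items 1 and 2) and per-link checks on the body."""
    subject = str(msg["Subject"] or "")
    # Single-part text bodies only; a real tool would walk every MIME part.
    body = msg.get_content() if msg.get_content_type().startswith("text/") else ""
    haystack = (subject + " " + body).lower()
    cues = [f"urgency cue: {w!r}" for w in URGENCY_WORDS if w in haystack]
    collector = LinkCollector()
    collector.feed(body)
    collector.close()
    links = {href: check_url(href, text) for href, text in collector.links}
    return cues, links


def analyse(raw):
    """Run every check over one raw RFC 5322 message and return the findings by area."""
    msg = email.message_from_string(raw, policy=policy.default)
    cues, links = check_content(msg)
    return {"sender": check_headers(msg), "content": cues, "links": links}


if __name__ == "__main__":
    for area, result in analyse(SAMPLE_MESSAGE).items():
        print(area, result)
```

Each finding maps back to a checklist item, so the output doubles as a training aid: the sample trips the lookalike-sender, display-name, urgency, sub-domain, hidden-URL and punycode checks, while a plain link to the trusted domain produces nothing. The last-two-labels domain heuristic and the similarity threshold are deliberately simple; production filters use a public-suffix list and tuned scoring.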

When phishing attacks successfully trigger data breaches, phishers can also cause damage by:

  • Initiating and completing financial transactions from the victim’s bank accounts.
  • Using the victim’s credentials for illegal activities or to blackmail the victim’s contacts.
  • Publishing the victim’s personal information to embarrass them.
  • Impersonating the victim to send out fake emails or malicious posts.

Solution


  • Be cautious of all communications. Do not respond to phishing attempts; report them instead.
  • Do not click on phishing links. If an email looks suspicious, don’t click any links in it and don’t open its attachments.
  • Beware of pop-ups when surfing the internet. Legitimate organizations do not ask for personal information via pop-up screens.
  • Install a phishing filter. While it won’t keep out all phishing messages, it will reduce the number of attempts.
  • If you believe you have already been tricked by a phishing scam, immediately change your password(s) using a different computer, and scan your computer for malware that may have been introduced.
  • Educate staff on the devastating effects and consequences of a successful phishing attack.
  • Report any incident by sending an email to incident@cert.gov.ng or use any other available reporting channel on the ngCERT website (gov.ng).
