Plenty More Phish in the Sea: Phishing Landscape is changing

By: Matthew Hammerstone

17, December, 2019

Categories:

News -

  •  
  •  
  •  
  •  
  •  
  •  

 

 

 

Think this. You are finding your way around an unknown place, trying to find the train station. Seeing you in a muddle, a stranger approaches you and guides you. He then tells you that he can help you get the ticket faster and asks you to give him some of your important documents. Since you are in a hurry, you give it only to realise later that he was a fraudster!

 

Now, just translate this to a web setting. Phishing is somewhat like this. The ultimate goal of a phishing scam is to obtain valuable personal information from the user so it can be used for other crimes. Earlier phishing scams targeted users through email. Now, phishing scams have ‘evolved.’

 

Phishing has spread from emails to phones to social media and messaging apps. While phishing scams have spread across channels, they have also become more targeted. For instance, during the World Cup in Russia, fans looking for affordable tickets were duped by phishing scammers who enticed them with fake free trips. There are also the tax vishing scams, air tickets scams, sextortion scams and shopping coupon scams. All these phishing scams leverage natural human behaviour to obtain critical information, like personal and card details. Sometimes, scammers seek payment in bitcoins. ‘Formjacking’ is yet another threat that users face, particularly on ecommerce websites. In this form of phishing, a malicious JavaScript code is inserted into the payment page of the website to skim card payment details. In a more recent form of ‘Formjacking’ the malicious code disappears after the data is collected, making it all the more difficult to trace the culprits. A recent phishing scam was aimed at harvesting Steam gaming accounts. The level of sophistication and attention-to-detail is evident from the embedded JavaScripts that mimicked conversations between fake users, a valid and trusted TLS certificate and also multi-factor authentication! Argh! Isn’t that one of the top security features for online transactions?

 

Another phishing type on the rise is a lateral phishing attack. In this attack, the scammer uses a compromised email of a company employee to extract authentication details rather than money. The level of precision with which phishing attacks are planned are demonstrated in Business Email Compromise (BEC) attacks. For example, the Curious Orca gang validates the previously acquired information by sending blank emails. They know that the ones that bounce back are not valid and so target the rest. Additionally, the social engineering that goes into devising these phishing scams has also become more refined. In a recent cyberattack, fraudsters used Artificial Intelligence-based software to mimic the voice of a Chief Executive to demand transfer of money to an account claimed to be of a company supplier.

 

Emerging Technologies and Phishing

 

With emerging technologies, phishing attacks might get all the more sophisticated. Perhaps a harbinger is the recent research that revealed flaws in 4G and 5G networks that can enable attackers to intercept calls. They have found vulnerabilities that can enable attackers to hijack a connection and misdirect victims to phishing sites. In fact, with 5G and Internet of Things and the resultant connected world, attackers will have more options for points of attack, considering the expansion of the threat landscape. In fact, Artificial Intelligence might be used to up the sophistication level and complexity of phishing attacks. For all you know, you might be chatting with a chatbot which might be a ‘Phish-bot.’ The use of emerging technologies for cybercrime has already begun. A recent report by the UN Security Council’s Sanctions Committee on North Korea stated that the country employed Marine China, which uses a blockchain platform, to circumvent international sanctions. The report also states that North Korea has undertaken ‘spear-phishing’ attacks against 17 countries, resulting in USD 2bn in losses.

 

How can enterprises safeguard their networks from cybercrimes? Learn more about cybersecurity threats and the way to protect your enterprise from this evolved menace at the upcoming Cybersecurity & Cloud Expo 2020 in Olympia, London.