25 Popular Phishing Techniques Used By Hackers
Phishing is one of the hacker's favourite attack methods for stealing login IDs and passwords. Today we will look at the popular phishing techniques that hackers use to steal social networking and email passwords. In simple terms, phishing is a method in which the hacker uses phish pages (fake pages) or fake applications to capture sensitive information from the victim. Sensitive information can be user IDs and passwords, bank account details, personal details, phone numbers, and even the verification codes that services such as Google and Facebook send to phones to confirm a user's identity.
Here I Have Compiled For You Some Of The Popular Phishing Techniques
Deceptive Phishing
Deceptive phishing refers to any attack in which fraudsters impersonate a legitimate company and attempt to steal people's personal information or login credentials. These emails frequently use threats and a sense of urgency to scare users into doing the attackers' bidding.
For example, PayPal scammers might send an attack email instructing recipients to click on a link in order to rectify a discrepancy with their account. In actuality, the link leads to a fake PayPal login page that collects the user's login credentials and delivers them to the attackers.
The success of a deceptive phish hinges on how closely the attack email resembles the legitimate company's official correspondence. As a result, users should inspect all URLs carefully to see whether they lead to an unknown website. They should also look out for generic salutations, grammar mistakes, and spelling errors scattered throughout the email.
Spear Phishing
Spear phishing is a much more targeted attack in which the hacker knows which specific individual or organization they are after. They research the target in order to make the attack more personalized and increase the likelihood of the target falling into their trap.
Spear phishers can target anyone in an organization, even top executives. That's the logic behind a "whaling" attack, where fraudsters attempt to harpoon an executive and steal their login credentials.
Whether it’s a request to send a wire transfer, or an apparent failed ACH transaction, cash movement issues are urgent and compelling. The attachment and the embedded “email” link in the message are both likely to result in malware being installed if clicked.
Ransomware
Ransomware is malware that gets installed on a user's workstation through a social engineering attack in which the user is tricked into clicking on a link, opening an attachment, or clicking on malvertising. Ransomware denies access to a device or its files until a ransom has been paid.
Trojan
A Trojan horse is a type of malware designed to mislead the user with an action that looks legitimate but actually gives the attacker unauthorized access to the local machine, where it collects the user's credentials. The acquired information is then transmitted to cybercriminals.
CEO Fraud
If their attack proves successful, fraudsters can choose to conduct CEO fraud, the second phase of a business email compromise (BEC) scam, in which attackers impersonate an executive and abuse that individual's email to authorize fraudulent wire transfers to a financial institution of their choice.
Whaling attacks work because executives often don't participate in security awareness training with their employees. To counter that threat, as well as the risk of CEO fraud, all company personnel, including executives, should undergo ongoing security awareness training.
Organizations should also consider amending their financial policies so that no one can authorize a financial transaction via email.
Session Hijacking
Here, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hijacking procedure known as session sniffing, the phisher uses a sniffer to intercept the relevant session information so that he or she can access the web server illegally.
Whether it's an immediate alert of potential fraud on your credit card or bank account, or simply a vaguely disturbing or confusing 'advisory', never click the links. Open a browser, go to the main web page of your financial institution, and use the contact links on that page, or call the phone number on the back of your physical credit or ATM card.
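The session sniffing described above works when the session cookie, the browser's usual session control mechanism, travels where a sniffer can read it. As an added example that is not part of the original post, the Python script below audits the Set-Cookie headers of a constructed sample response for the attributes that limit this exposure: Secure (never sent over plaintext HTTP), HttpOnly (not readable by page scripts) and SameSite (not sent on cross-site requests). The header values, cookie names and function names are assumptions made for the example; the attribute names are the standard cookie attributes.

```python
"""Added example (not from the original article): audit Set-Cookie headers
for the weaknesses that make session sniffing and hijacking easy.

Assumptions: the session cookie is the "web session control mechanism" the
article refers to; the headers below are constructed sample responses, and
the attribute names (Secure, HttpOnly, SameSite) are the standard cookie
attributes from RFC 6265 and its SameSite extension.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            # Flag-style attributes such as Secure and HttpOnly carry no value.
            attrs[part.lower()] = True
    return name, attrs


def audit_set_cookie(header):
    """Return (cookie name, list of problems) for a single Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plaintext HTTP,
        # where a sniffer on the network path can read it.
        problems.append("missing Secure: cookie is exposed to sniffing on HTTP")
    if "httponly" not in attrs:
        # Without HttpOnly any script running in the page can read the cookie.
        problems.append("missing HttpOnly: cookie readable by page scripts")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        # Missing or None lets third-party sites make requests carrying the cookie.
        problems.append("SameSite not Lax or Strict: cookie sent cross-site")
    return name, problems


def audit_response(headers):
    """Audit every Set-Cookie header in a list of (header, value) pairs."""
    report = {}
    for header, value in headers:
        if header.lower() == "set-cookie":
            name, problems = audit_set_cookie(value)
            report[name] = problems
    return report


# Constructed sample response headers: one weak session cookie, one hardened.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "authsession=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for cookie, problems in audit_response(SAMPLE_HEADERS).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{cookie}: {status}")
```

Run against the sample headers, the weak `sessionid` cookie is reported with all three problems and the hardened `authsession` cookie with none; the same function can be pointed at real response headers captured from a site under review.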
Malvertising
Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in malvertisements.
Pharming
Some fraudsters are abandoning the idea of "baiting" their victims entirely. Instead, they are resorting to pharming, a method of attack that stems from domain name system (DNS) cache poisoning.
The Internet's naming system uses DNS servers to convert alphabetical website names, such as "www.microsoft.com", to the numerical IP addresses used for locating computer services and devices.
Under a DNS cache poisoning attack, a pharmer targets a DNS server and changes the IP address associated with an alphabetical website name. That means an attacker can redirect users to a malicious website of their choice even if the victims entered the correct website name.
Note: To protect against pharming attacks, organizations should encourage employees to enter login credentials only on HTTPS-protected sites. Companies should also implement anti-virus software on all corporate devices and apply virus database updates, along with security upgrades issued by a trusted Internet Service Provider (ISP), on a regular basis.
Keyloggers
Keyloggers are malware that record input from the keyboard. The captured keystrokes are sent to the hackers, who extract passwords and other types of information from them.
To prevent keyloggers from capturing personal information, secure websites provide the option to make entries with mouse clicks on a virtual keyboard.
Malware
Phishing scams involving malware require the malware to be run on the user's computer. The malware is usually attached to the email sent to the user by the phishers. Once the user opens the attachment or clicks on the link, the malware starts running. Sometimes the malware may also be bundled with downloadable files.
Email/Spam
Using the most common phishing technique, the same email is sent to millions of users with a request to fill in personal details. These details are then used by the phishers for their illegal activities.
Most of the messages carry an urgent note that requires the user to enter credentials to update account information, change details, or verify accounts. Sometimes users may be asked to fill out a form to access a new service through a link provided in the email.
Security Alerts
A variation on the warning theme, designed to hit a sensitive button: 'your account has been disabled after it was the victim of unauthorised access', or something along those lines. Because users now routinely receive genuine warnings of this kind, this attack can be disarming.
Dropbox Phishing
Some phishers have specialized their attack emails according to an individual company or service.
Take Dropbox, for example. Millions of people use Dropbox every day to back up, access and share their files. It's no wonder, therefore, that attackers would try to capitalize on the platform's popularity by targeting users with phishing emails.
One attack campaign, for example, tried to lure users into entering their login credentials on a fake Dropbox sign-in page hosted on Dropbox itself.
To protect against Dropbox phishing attacks, users should consider enabling two-step verification on their accounts.
Link Manipulation
Link manipulation is the technique in which the phisher sends a link to a malicious website. When the user clicks on the deceptive link, it opens the phisher's website instead of the website named in the link text.
Hovering the mouse over a link to reveal its actual address helps users avoid falling for link manipulation.
Too often users instinctively associate malicious phish with a demand. Psychologically, offers register differently, so when users receive what appears to be an unsolicited gift (in the form of an order, package, airline ticket confirmation or similar), an instinctive action is often to click for more information.
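The hover check described above can be automated for incoming HTML mail. The Python script below is an added example written for this page, not code from the original post: it parses every anchor in a constructed sample message, compares the host shown in the link text with the host the href actually points to, and also flags hosts that merely contain a trusted brand's domain without being that domain or a subdomain of it, the "PayPal" lookalike case from the deceptive phishing section. The trusted-domain list, the sample message and all function names are assumptions made for illustration.

```python
"""Added example (not from the original article): flag deceptive links in an
HTML e-mail body, the check a user performs by hand when hovering over a link.

For every <a href="..."> element it reports when
  1. the visible link text names one host but the href points to another
     (link manipulation);
  2. the href host only contains a trusted brand's domain instead of being
     that domain or a true subdomain of it (a deceptive-phishing lookalike);
  3. the href is not HTTPS.
The trusted-domain list and the sample message are constructed for this
example, not taken from a real campaign.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of brands the organisation expects mail from.
TRUSTED_DOMAINS = {"paypal.com", "dropbox.com"}

# Matches a full URL or a bare domain name inside visible link text.
_URLISH = re.compile(r"https?://[^\s<>'\"]+|\b[\w.-]+\.[a-z]{2,}\b", re.I)


def host_of(value):
    """Lower-cased hostname of an http(s) URL or bare domain, else None."""
    parsed = urlparse(value.strip())
    if not parsed.scheme:                     # bare domain such as www.paypal.com
        parsed = urlparse("http://" + value.strip())
    if parsed.scheme.lower() not in ("http", "https"):
        return None                           # mailto:, javascript: and the like
    return parsed.hostname.lower() if parsed.hostname else None


def is_trusted_host(host):
    """True only if host is a trusted domain or a genuine subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_trusted_brand(host):
    """True if a trusted domain appears anywhere in host (lookalike hint)."""
    return any(d in host for d in TRUSTED_DOMAINS)


def shown_host(text):
    """Host named in the visible link text, if the text contains a URL/domain."""
    match = _URLISH.search(text)
    return host_of(match.group(0)) if match else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every anchor element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html_body):
    """Return [(href, reason)] for every suspicious anchor in the body."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        actual = host_of(href)
        if actual is None:
            continue
        shown = shown_host(text)
        if shown and shown != actual and not is_trusted_host(actual):
            findings.append((href, f"text shows {shown} but link goes to {actual}"))
        elif looks_like_trusted_brand(actual) and not is_trusted_host(actual):
            findings.append((href, f"lookalike host {actual}"))
        elif urlparse(href).scheme.lower() != "https":
            findings.append((href, "link is not HTTPS"))
    return findings


# Constructed sample message, not a real phishing e-mail.
SAMPLE_EMAIL = """
<p>We noticed a discrepancy with your account. Please
<a href="http://paypal.com.example.net/login">log in at https://www.paypal.com</a>
within 24 hours, or <a href="http://198.51.100.7/verify">click here</a>.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">our help centre</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

On the sample message the first link is reported because the text advertises www.paypal.com while the href goes to paypal.com.example.net, the second because it is a plain-HTTP link to a bare IP address, and the genuine help-centre link passes. The subdomain test in `is_trusted_host` is the part worth copying: a host that merely starts with a brand name is not that brand.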
Smishing
Smishing, also called SMS phishing, is phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website.
Content Injection
Content injection is the technique where the phisher changes part of the content on a page of a trusted website. This is done to mislead the user into going to a page outside the legitimate website, where the user is then asked to enter personal information.
Solicitation
Solicitation comes in the form of job offers, singles meet-ups, or discounted pharmaceuticals. Whatever the unsolicited offer, it is quite likely to produce undesired results if the links or attachments are clicked. This is one of the oldest techniques of the lot but keeps turning up in new forms.
Google Docs Phishing
Fraudsters could choose to target Google Drive in the same way they might prey upon Dropbox users.
Specifically, as Google Drive supports documents, spreadsheets, presentations, photos and even entire websites, phishers can abuse the service to create a web page that mimics the Google account log-in screen and harvests user credentials.
A group of attackers did just that back in July of 2015. To add insult to injury, not only did Google unknowingly host that fake login page, but a Google SSL certificate also protected the page with a secure connection.
Web Based Delivery
Web-based delivery is one of the most sophisticated phishing techniques. Also known as a "man-in-the-middle" attack, it places the hacker between the original website and the user, with the phishing system relaying traffic between the two. The phisher captures details during a transaction between the legitimate website and the user. As the user continues to pass information, it is gathered by the phishers without the user knowing about it.
Natural curiosity is a weapon of choice for social engineering. Most users, when approached via social networking, will click on the inviting party's profile "just to find out who it is". In most phishing emails, every link can trigger malware, up to and including links that appear to be to images or legal boilerplate at the bottom.
Phishing Through Search Engines
Some phishing scams involve search engines, where the user is directed to product sites that may offer low-cost products or services. When the user tries to buy the product by entering credit card details, the details are collected by the phishing site.
There are many fake bank websites offering credit cards or loans at low rates, but they are actually phishing sites.
People are habituated to receiving these offers and barely notice when the form is abused in phishing attacks. Common brands (and sometimes obscure ones that grab attention) are used to disarm suspicion until it's too late.
So There You Are With All The Phishing Techniques You Can Avoid