Planning and Preparing a Phishing Attack 2023
In this article we will learn about planning and preparing a phishing attack.
Introduction about Planning and Preparing a Phishing Attack:
Launching a large-scale phishing attack is a very sophisticated affair involving perhaps dozens of criminals working anonymously on the dark web. Just like breaking into a bank or committing fraud, hackers typically go through a series of steps to get to their prize. In this article, we’ve outlined common planning, preparation, and execution techniques phishers use to help pull off their ruse.
Step One: Gathering Information
The first thing these criminal culprits do is agree on a target. Their meetings, discussions and planning of their operations are usually conducted through Internet Relay Chat (IRC), an anonymous method of communication that has been around since 1988. You could say that these underworld phishing groups operate much like a school of fish, where many participants contribute to the creation and execution of an attack and there is no real central leader; this is what is commonly called a scale-free network.
These scale-free networks seem to coalesce, launch a series of phishing scams, and eventually fall apart. One of the most famous was called the Avalanche Gang, which was discovered in 2008 and was believed to be responsible for two-thirds of the phishing attacks that occurred the following year.
Avalanche operated out of Eastern Europe and was considered an offshoot of another group called Rock Phish. Although both of these syndicates appear to have broken up, at least in name, phishing attacks actually increased in the latter half of 2015. That means these groups are still out there, just as powerful and more dangerous than ever.
Regardless of what they choose to call themselves, members chat over IRC in a room usually named after potential targets, like #westernunion or #banking. From there, participants delegate tasks: some are involved in coding and design; others branch out and gather as much data as possible about the intended victim, which can include getting employees’ names and even looking up their social media accounts. This is sometimes called “spear-phishing”, which we discuss in more detail in the next article.
A subset of spear-phishing is called “whaling,” in which fraudsters focus their efforts on the highest executive levels of an organization. One of the first notable whaling attacks was in 2008, when thousands of US C-level executives were sent fake subpoenas to a federal court in San Diego.
According to reports, the email looked very professional and included the manager’s name, address and phone number. The link provided was supposed to link them to the full legal document, but instead secretly downloaded a program that recorded their keystrokes and passwords and sent them back to the thieves. About 2,000 managers were affected.
Phishing sites and email templates
Once the network has identified its target and gathered as much information as possible, it will bait its hooks, usually in the form of fake emails, as well as website landing pages or pop-ups. As part of our ongoing education and prevention of phishing attacks, Infosec IQ has created a number of email templates similar to those used in common scams, some of which are shown below.
Low bank balance alert
In this first example, we see an email that purports to be from Chase Bank (notice the logo in the upper right). It may have a subject line along the lines of “Low Account Balance Alert” and is intended to make the recipient worry about their finances and perhaps react without thinking.
The hook is a link in the “Click here to see your statement” line that would likely take the victim to a fake Chase website where they would be prompted to enter their real username/password.
Note that this is a fairly innocuous email and only has one link – recipients are even encouraged to click if they think they’ve received the message in error. However, that click may be the gateway phishers need to gain full access to a user’s bank account.
Free pizza reveals
This is a phishing attack that targets the user’s appetite – after all, who doesn’t love pizza, especially when it’s FREE? Again, the link may lead to a fake website where more information can be obtained, or it may download something to the user’s computer. (What it won’t do is actually give you a coupon for a free pizza.)
Facebook Photo Alert
Of course, Facebook is a natural source of bait for phishing attacks. This type of email is intended to pique the recipient’s curiosity (or vanity). Again, they mimic the look of a real Facebook notification, and notice that there’s a second hook in the smaller “unsubscribe” link.
This is an example of a more sophisticated spear-phishing attack, in this case sent to professors at Cypress International University. Note that this is a much longer email and even includes an email address, phone number and logo from a legitimate security company (Tenable) to add to its authenticity. You will also see a link to connect to http://cloud.tenable.com, which is the name of the actual company server. However, if the user hovered the mouse over the link instead of clicking it, the real address would be exposed as a scam.
“Miss. Wilton” warns recipients that hackers are using their credentials to gain access to the system and that they should only use the link provided to gain access. The truth, of course, is that the hacking will only begin if they use that link.
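The hover check described above can be automated on the defender's side. The following Python is added here and is not part of the original article: it parses an HTML email body and flags anchors whose visible text shows one domain while the href leads to another, plus (optionally) links that leave the claimed sender's domain; the sample message and its example.net/example.org hosts are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels of a hostname (assumption: no multi-label TLDs such as co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def flag_deceptive_links(html, sender_domain=None):
    """Flag anchors whose text names one domain but whose href goes to another; with
    sender_domain set, also flag any link that leaves the claimed sender's domain."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = registered_domain(urlparse(href).hostname or "")
        # Does the visible text itself look like a URL or hostname?
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        shown = m.group(1).lower() if m else None
        if shown and registered_domain(shown) != real:
            reason = "visible URL differs from real destination"
        elif sender_domain and real != sender_domain.lower():
            reason = "link leaves the claimed sender's domain"
        else:
            continue
        findings.append({"text": text, "href": href, "shown": shown, "real": real, "reason": reason})
    return findings

# Constructed sample modelled on the fake "Tenable" alert described above (placeholder domains).
SAMPLE_EMAIL = """<p>Hackers are using your credentials. Use ONLY this link to secure your account:</p>
<a href="http://cloud-tenable-login.example.net/verify">http://cloud.tenable.com</a>
<p><a href="https://www.tenable.com/support">Contact support</a></p>
<p><a href="http://notify.example.org/unsub?id=42">unsubscribe</a></p>"""
```

Running `flag_deceptive_links(SAMPLE_EMAIL, sender_domain="tenable.com")` reports the spoofed cloud.tenable.com link and the off-domain “unsubscribe” hook, while the genuine support link passes.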
Obtaining a compromised host
Once the attackers get a hit, the rampage begins. If they manage to gain administrator credentials, they can secretly install dangerous scripts and trap more users and data. This can be achieved through a trick called DNS cache poisoning, also known as “pharming”, where hackers take over corporate routers and/or entire networks; they sometimes redirect traffic to fake websites that appear to have the correct URL, or scan hard drives and email inboxes for more important information, capturing any unencrypted data along the way.
Successful hackers can also install malware or spyware on hard drives to turn them into phishing zombies that spread more viruses or control other computers. As discussed in our other articles, they can log keystrokes, take screenshots, disable antivirus software updates, and basically collect a lot of secret information they shouldn’t have.
Configuration of the data transfer mechanism
Now that they have access to the required data, the extraction process can begin. All the important personal information they want is scraped from the database (e.g. names, addresses, credit cards, social security numbers, passwords, etc.) and inserted into a spreadsheet. Depending on the type of attack, they can collect this information on the fly via a fraudulent popup or web form, or by mining existing data.
Then it’s time to send it to the bad guys. According to a post-mortem of several compromised phishing sites analyzed by our parent company InfoSec, this stolen data is usually either downloaded or simply emailed to the hacker or group unencrypted.
Both options carry risks for phishers: downloading to a hard drive may require multiple visits to the site, potentially alerting the site’s owners to the attack. Sending information by email can also trigger an alarm. Still, the report concluded that most hackers prefer the email method for its simplicity and rarely use FTP.
Selling data on the black market
From there, the money starts rolling in as thieves analyze the information and sell it to the highest bidder. TrendMicro conducted an analysis of the global black market prices of personal information and calculated the average amount thieves are willing to pay in China, Brazil and Russia, which are considered the “axis of evil” for data theft.
On an interactive website, they show that an individual’s mobile phone number and email address are worth $1,236 in Brazil, $81 in China, and $100 in Russia. They go on to extrapolate what that means in dollars and damages, citing recent large-scale corporate hacks. For example, in the August 2014 breach of J.P. Morgan Chase & Co., 76 million households had their data compromised.
Phishing is both complex and simple: it involves a bunch of criminals working together to trick people into clicking on a link. The stolen data is then extracted, emailed, and the information sold and/or the computer used for more nefarious acts.
Now that you know a little more about phishing, it’s time to think like a criminal—but in a way that helps others in your organization. On our website, registered Infosec IQ users can view a library of sample phishing email templates and edit or create their own.