Phishing as a part of IT security
A phishing campaign is often carried out as part of a larger audit project in order to complement a company's security audit and provide a complete overview of the company's security. As in all areas of IT security, sensitization for social engineering is also a continuous process that must be repeated, varied and improved on an ongoing basis.
Attacks by means of social engineering are increasing again. What types of phishing are there, how do you recognize them and how can you protect yourself against them?
What is phishing?
Attackers use email and/or fraudulent websites in an attempt to impersonate trustworthy counterparts. Their aim: They try to elicit sensitive information such as passwords, user names and credit card information from victims. Phishing is a form of social engineering.
Types of phishing
- Phishing in mass mailing: Very broadly designed attacks with as many recipients as possible. The mail message is usually formulated very impersonally and is easy to unmask.
- Spear phishing: The targeted attack is usually aimed at a single person or a small group of people. The mail message is highly personalized. Because of the extensive research done beforehand, it is more difficult to unmask the fraud attempt.
- Whaling: A spear phishing attack directed at high-ranking corporate members.
- Smishing: Phishing by SMS.
Six simple ways to recognize phishing
- The sender pretends to be a familiar company (e.g. “PayPal Customer Support”)
- Compromised attachments (e.g. zip files)
- Intimidation tactics (e.g. “Overdue invoice”)
- Impersonal salutations (e.g. “Important message for all PayPal customers”)
- Manipulated links (link is displayed as www.paypal.com/login, but leads to www. hackersite.com)
- Fake domain names (a domain such as www. payppall.com or www.paypal.customerssupport.com is used)
Professional phishing prevention
The best form of prevention can be found in effective employee training and the usual technical protection mechanisms such as malware scanners, sandbox solutions or blocking of known phishing IPs. The human being is always the weak point in phishing. He or she decides whether to click/open an email attachment without thinking or to delete it.
IT service providers have recognized the problem of insufficient awareness of phishing and offer complete social engineering frameworks. This enables extensive campaigns to be carried out to deal with sensitive information and to raise awareness of phishing. Part of this can be fake phishing attacks to detect vulnerabilities.
Social engineering frameworks offer the following functionalities, among others:
- Creation and sending of phishing emails directly from the framework (administration, recipient, sender, mail server, etc.)
- Simplified creation and hosting of a phishing website (simple editing, cloning of existing pages, SSL configuration, forwarding, ready-made forms)
- Statistical analysis of campaigns (success rates, transmitted “phished” data, anonymizing options, geoinformation, browser and operating system information)
- Provision of training material following phishing (EDU video, online quiz, etc.)
- Generation and execution of file-based attacks (macros, executables, PDFs, etc.)
Known solutions are: Social Engineering Toolkit, Lucy, SpeedPhishing Framework, Phishing Frenzy, GoPhish.
Use of social engineering frameworks by terreActive
The fake phishing campaigns are tailored to the client's needs. Each company has a different awareness and knows the vulnerabilities related to a social engineering threat.
- The first step is for terreActive to define the timing, target group, medium and aggressiveness of the phishing campaign.
- The scenarios that are developed are discussed with the client, checked again in a test run and released for effective use.
- In the execution phase, terreActive sends phishing messages and collects statistical data on the behavior of the target group.
- After completion of implementation, we process the collected data, draw conclusions and present them to the client in a final presentation. Important: The focus should be on identifying possible dangers, raising awareness of social engineering and instructing individual participants.