Posted on May 13, 2015 by lexi
Cyni Winegard, Information Security Analyst
Phishing is a term used to define any illegal attempt to gather sensitive information such as usernames, passwords, credit card details and bank account information. This method for information gathering can be extremely harmful to you or your employees.
According to a Forrester Research Inc. report “Reinvent Security Awareness To Engage The Human Firewall” published December 17, 2014, “Spear phishing attacks are extremely sophisticated today. They're able to dupe even a moderately trained eye and manipulate a user's overly trusting nature; many times they appear almost as legitimate as a real email, using compelling hooks laden with accurate information gleaned from other successful attacks, or even information found on social media sites. As the attack focus turns to the user, security is forced to rely on the workforce to avoid these devious attempts, or at least report incidents immediately when they do occur.” Phishing attempts also utilize other websites, text messages, and phone calls to gather information.
A notable phishing attack affected Target stores in 2013. Attackers stole 110 million customer credit card records through a phished subcontractor account, resulting in the resignation of their CEO and CIO.
How hard is it to phish?
Remarkably, phishing emails are very simple to create. Some crude emails don’t even have HTML images in them; they are simply social engineering attempts. One very popular phishing email, that is still seen today, is from a supposed Nigerian prince promising a large sum of money for a small up-front investment. This “prince” requests bank account information in the email. Some other emails that have come up recently are fake Wal-Mart order emails that download a dangerous virus once opened. These emails are very easy to make, with a little bit of time and reading.
Creating the email
The more detailed an email is, the easier it is for the victim to fall for the attack. The Wal-Mart email is a prime example. Many consumers purchase items from Walmart.com on a regular basis. This provides an avenue of attack for phishers. The chance for success is great. All that is needed to create the phishing email is the HTML source code embedded in any Walmart.com order email. With a little bit of basic HTML knowledge, the email can be recreated to direct recipients nearly anywhere. For example, an attacker can edit a Walmart.com email with just a few clicks. In the email, the user can click on the order status to view the order, which is highly likely since they probably haven’t ordered anything recently. The link can lead to a website that looks remarkably like Walmart.com but has subtle differences that indicate it is not a real website. Viewers may not notice these differences and input sensitive information, leading to a compromise. If an attacker knows basic HTML, designing this intricate attack could take less than a week.
Protecting yourself and your company from phishing emails is simple and has been reiterated over and over: don’t open an email if you don’t recognize it, if you aren’t expecting it or if it looks suspicious in any way. The domain could have a simple misspelling, such as “wallmart.com”, which many users would overlook. Having overly suspicious users is much safer than having users who are too trusting.