Learn about the terminology common in the information security landscape by going over some use cases.
In this lesson, we will tackle a very common type of attack called "phishing." By focusing on the wording of the phishing email, we can start to gain a better understanding of how a typical attack works, and why it is often successful. Keep in mind that phishing attacks target humans and our weaknesses, but often rely on weaknesses in a cybersecurity program to be effective and remain undetected. I mentioned the effectiveness of phishing from an attacker's perspective. This is often the case for several reasons. In my experience, there's always a percentage of people that will fall victim to phishing emails, typically due to poor education, well-crafted emails, bad filtering, and other reasons as well.
Part of an effective cybersecurity program actually involves testing for these reasons. As in, engaging in mock phishing campaigns with the intent of getting people to fall for them. It sounds malicious, but of course, when conducted in a professional manner, the emails are benign and the goal is educational and metrics-based. Statistics are gathered, click-rates are calculated, effective campaigns are studied, and recommendations are created based on the results. Security professionals know that nothing is 100% secure. People will click on the links, malware will be downloaded, sometimes executed, and machines will become infected.
A robust phishing program tries to take into account all the possible outcomes and plan accordingly. So let's get into it. We are going to look at a phishing email and focus on the verbiage used, and break it down and explain what exactly is happening. This is the email: "Hello Kathy, your Visa credit card has been deactivated due to suspicious account activity. Please visit www.visa.decativate.info to re-enable your card and avoid fees. Sincerely, The Visa Team." Now let's do a quick aside and look straight at the link, which is in a different color than the rest of the text.
What is the domain? Is it Visa? Does it have anything to do with Visa? No. One must look at the link from right to left, and understand that the first dot and the two strings to its left and right, in this case decativate.info, comprise the domain name. Moving farther to the left, there is visa, which is a host or subdomain. And even farther to the left is www, which is another host. So the actual domain is decativate.info, which is bogus. It has not been registered and it's only being used for example purposes.
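The right-to-left reading described above can be automated in a mail filter or triage script. The following is an added example, not part of the original lesson: the function names, the trusted-domain set passed by the caller, and the short list of multi-label suffixes are assumptions, and the suffix handling goes one step beyond the lesson's two-string rule so that hosts under suffixes such as co.uk are also read correctly.

```python
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes, for illustration only.
# A production check should load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(link):
    """Return (registrable_domain, subdomain_labels) for a URL or bare host."""
    # Links in email text often omit the scheme; add one so urlsplit finds a host.
    if "://" not in link:
        link = "http://" + link
    host = (urlsplit(link).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Read right to left: the suffix first, then the one label the owner registered.
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if "" in labels or len(labels) <= suffix_len:
        raise ValueError(f"not a fully qualified host name: {link!r}")
    cut = suffix_len + 1
    return ".".join(labels[-cut:]), labels[:-cut]


def brand_only_in_subdomain(link, brand, trusted_domains):
    """True when the brand name appears only to the left of a registrable
    domain that is not in the caller's set of trusted domains."""
    domain, subdomains = registrable_domain(link)
    return domain not in trusted_domains and brand.lower() in subdomains


if __name__ == "__main__":
    # The link from the lesson's sample email, plus constructed comparison cases.
    trusted = {"visa.com"}  # assumption: the caller knows the brand's real domain
    for link in ("www.visa.decativate.info",
                 "https://www.visa.com/",
                 "http://visa.example.co.uk/login"):
        domain, subs = registrable_domain(link)
        flag = brand_only_in_subdomain(link, "visa", trusted)
        print(f"{link}: domain={domain} subdomains={subs} suspicious={flag}")
```
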
Some people see www.visa and think that it's a legitimate site, because they don't understand the structure of domain names. Do you notice any typos, and would you expect to? Today's phishing emails are much different than phishing emails from the past. Often the verbiage is very professional, but that depends on the authors, the intent, and the type of phishing attack. Intent can range from getting the victim to browse to a site, to getting the victim to input credentials, to wanting the victim to open an attached file. It all depends on what the creators are trying to accomplish.
You might be surprised how many people click on that link. So what is the intent, and why would the attackers want someone to click on the link? To answer those questions, we would have to research the email a bit more: look at the headers, check if there's an attachment, and research the WHOIS record. Let's focus on the WHOIS record for a moment. WHOIS records are records that are associated with the domain or IP address of a website or network, respectively. The record contains information such as when the domain or network was first registered, who the points of contact are for the domain, and oftentimes, it even provides a means to contact the owners of the domain or network.
Now think about phishing more generally speaking. If phishing is so prevalent, and so many people fall victim to these types of attacks, how come we just don't stop it from happening? What do you think it would take to stop phishing attacks from being successful?
This course was created and produced by Mentor Source, Inc. We are pleased to host this training in our library.