Don’t Get Hooked! Stay Ahead of Phishing Scams in the Digital Age

Posted on by
Spread ...

In today’s digital landscape, phishing scams are increasingly common. Picture this: You receive an email that claims there’s suspicious activity on your online account, urging you to quickly click on a link or contact a provided number to resolve the problem. In an effort to secure your information, you click on the link to “verify” your details, thinking you’re doing the right thing.

Unbeknown to you, the link leads you to a fraudulent website designed to steal your personal information. This kind of fraudulent tactic is called a phishing scam and using manipulative emails is just one of the many ways that attackers use to steal from unsuspecting targets.

Therefore, understanding how phishing works and recognizing these tactics is essential for protecting yourself. By equipping yourself with this knowledge, you can navigate the online world more safely and keep your information secure.

So What Exactly is Phishing?

This is where a malicious individual attempts to deceive you into taking an action that can cause harm to you or your device. The attacker is able to achieve this by pretending to be a trustworthy business or organization. When an attacker is curating their deceitful message, they can either bait a random person or choose to target a specific person.

Whether they are general or targeted, all phishing attacks have the same strategy

Grab your attention ⮕ engage your emotions ⮕ motivate you to make a rapid decision ⮕ push you to take action based on your decision ⮕ steal your information, or cause harm to your systems

Characteristics of Phishing Attacks

Today’s devices and software are increasingly sophisticated and equipped with algorithms to detect spam and phishing messages. These detection tools use pattern analysis to recognize suspicious links as well as machine learning to filter potential phishing messages. However, attackers are also evolving, and increasingly using sophisticated tactics to bypass these defenses. The following are some of the techniques used by attackers to increase the likelihood of success for the phishing message:

Email Address Spoofing

Attackers can use tools to forge the sender’s address on an email to make it appear as though it comes from a legitimate source. Some of the techniques used in email spoofing include:

  • Header Forging: Attackers can modify the “From” field of an email header to make it look as if the email is sent from a trusted address, even though the actual sender is different.
  • Display Name Spoofing: We tend to concentrate on the display name of an email sender because that is what we see when we receive an email address. Attackers take advantage of this and change the display name to a familiar or trusted name which can mislead a recipient into believing that a phishing email is legitimate.
  • Domain Spoofing: An attacker can register a domain that closely resembles a legitimate one, and use it to send emails that appear to come from a trusted organization. A domain can either be the name associated with a website or the name that appears after the @ sign of an email address. The following are techniques used in domain spoofing:
    • Character misplacements: Involves registering domains that sound almost identical to legitimate ones. For example, they might use slight variations in spelling, such as “example.com” versus “exampel.com” or “exmple.com.”
    • Substituting characters that look similar can trick users. For instance, using numbers or special characters (e.g., “ex4mple.com” or “exampl3.com”) can create visually deceptive domains.
    • Adding hyphens to the domain name can create a lookalike (e.g., “example-site.com”). This may not raise immediate suspicion, especially if users are accustomed to seeing hyphenated domains.
    • Using different top-level domains (TLDs) can create confusion. For example, an attacker might use “.net” or “.co” instead of the legitimate “.com” (e.g., “example.net”)
    • Attackers might append or prepend words to the legitimate domain name to create a deceptive lookalike (e.g., “secure-example.com” or “example-login.com”). These variations can lead people to believe they are accessing a secure site.
    • Creating a subdomain that resembles a legitimate one can mislead users. For example, “login.example.com” might be a fake subdomain created from a legitimate domain “example.com”.
    • Using homographs: Involves replacing characters in a legitimate domain name with characters that look visually the same but are from different alphabets. When we write English on paper, the letters we use to make words are mainly from the Latin alphabet. In the same way, other languages have their alphabets, and some of the characters in these alphabets resemble the ones in the Latin alphabet. Visually, these characters look the same but can have different meanings and computers interpret them differently based on their assigned codes. Attackers can take advantage of the human eye’s inability to tell that characters are not from the Latin alphabet and register fraudulent domains using these characters. A good example is these two domains “example.com” and “example.com” which look exactly alike to the naked eye but the second one leads to a nonexistent website because the characters used are not the Latin characters used to register the original domain.
    • Typosquatting: This involves registering domains that are common misspellings of popular sites. For example, an attacker might register “gooogle.com” to capture users who mistype “google.com.”
  • Open Mail Relays: Some attackers leverage open mail relays which are mail servers that allow anyone to send emails through them without logging in. Emails sent through mail relays can trick the user into interacting with phishing messages in the following ways:
    • Emails are sent from anonymous addresses: The recipient may get curious and be tempted to interact with the phishing email in an attempt to find the source.
    • Open mail relays do not require authentication therefore, phishing emails sent through these servers can bypass security filters that check for known sender domains or known sending patterns. This increases the likelihood that the emails will reach the target’s inbox instead of being flagged as spam.
    • Attackers can send large volumes of phishing emails using open relays, which increases the chances of successfully deceiving some recipients.
    • Emails sent through an open relay may appear more legitimate since they come from a recognized mail server rather than a suspicious or unknown email address. This can lead recipients to let their guard down and engage with the content.
    • Attackers send phishing emails using one or multiple IP addresses of the mail relay servers which makes it harder for security tools to block them since they don’t fit the pattern of known malicious IP addresses.
Tricking Signature-based Scanners

These are the methods used by attackers to evade detection by security systems that rely on predefined signatures to identify malicious content. In the case of phishing, they are security systems designed to detect phishing emails or messages by comparing incoming emails or messages, their links, and attachments against a database of known signatures or patterns e.g. from previously detected phishing emails. Some of the modern tools also incorporate Artificial Intelligence to help detect malicious content through through techniques like predictive analysis. Although they are great tools for early detection, attackers are continuously developing tactics to evade these tools and ensure the success of their phishing emails/messages. The following are some techniques used to trick signature-based scanners into allowing a malicious email/message to reach the target’s inbox:

  • Email Content Manipulation: Attackers may modify the text of the email to avoid triggering filters. Examples include:
    • Word Substitution: Attackers may replace common words with synonyms or misspellings to evade detection. For example, instead of saying “urgent,” they might use “critical” or “immediate,” or they could misspell words (e.g., “urgent”).
    • Randomized Content: Phishing emails can include random phrases or words that serve no purpose other than to alter the email’s structure. For instance, adding a sentence like “This is a legitimate message” can confuse scanners and dilute identifiable patterns.
    • Invisible Characters: Attackers can insert invisible Unicode characters or zero-width spaces into links or text. This changes the appearance of the email to the computer making it harder for scanners to detect malicious content while maintaining the meaning of the message to the target’s eyes.
    • Sending the phishing message as an image or QR code: Since signature-based scanners primarily analyze text, this technique allows them to bypass detection while still conveying the phishing message visually.
    • HTML Obfuscation: Phishing emails often utilize complex HTML structures, including nested tables or CSS styling, to hide malicious links. This manipulation can make it challenging for scanners to interpret the content accurately.
    • Attackers may use URL shorteners or dynamic link generators to obscure the actual destination. By using a shortened link that changes with each email, they can evade detection while still leading users to a malicious site.
    • Altering text formatting, such as using different font sizes, colors, or styles, to create visual confusion and conceal malicious links and requests.
    • Unlike older emails that would only allow text content, modern emails can allow HTML and some attackers take advantage of this to embed malicious scripts to trigger specific actions, like redirecting users to a phishing site. While many email clients block scripts, those that don’t can fall victim to this technique.
    • Some phishing emails will copy the language and formatting of legitimate organizations to make them appear more credible to an unsuspecting user. They can slightly alter the official logos, and use familiar language to further deceive users that the phishing email is legitimate.
  • Phishing emails can use encoding methods, such as Base64 or URL encoding, to hide malicious links or attachments. When the email is scanned, the encoded content may not match known malicious signatures, allowing it to slip through filters.
  • Time-bombing: Attackers can send emails that contain legitimate links which the email scanners will allow through. However, the legitimate links may contain redirects such that when a target clicks on them they are taken to a malicious website.
Additional Techniques used in Targeted Phishing Attacks

We mentioned that an attacker can send phishing emails to random users and wait for any one to fall victim to the attack or choose to target a specific person. Of course targeting a specific person or organization means that attackers will use more sophisticated tactics to ensure success including:

  • Personalization: Attackers gather information about their targets from social media and other online sources which they use to craft emails that appear more legitimate and relevant. Such emails often address the recipient by name or reference specific details about their work or interests.
  • Attackerts can also include industry-specific language in the message to trick the target into believing that the email is from a legitimate source.
  • Tailored Attachments such as documents or files that appear to be work-related and increase the chances of a user clicking on them. These attachments may contain malware that infects the recipient’s device upon opening.

Leave a Reply

Your email address will not be published. Required fields are marked *