Post

Phishing Attack Techniques

Posted Updated
By
6 min read
Phishing Attack Techniques

Phishing Attack Techniques

Phishing remains one of the most prevalent and effective cyber threats today. Attackers constantly evolve their methods to trick individuals into revealing sensitive information or installing malicious software. Understanding these techniques is the first step in building robust defenses.

This blog post will delve into various phishing attack techniques, providing examples, and highlighting tools and resources to help you stay safe online.

1. Pretexting

Pretexting involves creating a fabricated scenario (a “pretext”) to manipulate a target into divulging information or performing an action. It often relies on social engineering and building a believable, but false, backstory.

  • Example: An attacker might impersonate an IT support person, claiming there’s an urgent “security issue” that requires you to verify your login credentials over the phone or by clicking a malicious link. Another common scenario is an attacker posing as a senior executive needing immediate financial transfers for a “confidential” project.

  • Defense: Always verify the identity of the person making the request through a different, trusted communication channel (e.g., call them back on a known company number). Be suspicious of urgent or unusual requests, especially those involving money or sensitive data.

  • Resource: The Social-Engineer.org website offers insights into social engineering tactics.

2. Spoofing and Impersonation

Spoofing involves disguising communication from an unknown source as being from a known, trusted source. Impersonation is a broader term where an attacker pretends to be someone else to gain trust or access.

  • Email Address Spoofing: Attackers forge the sender’s email address to appear as if it’s coming from a legitimate source, like your bank or a colleague. The “From” address might look correct, but the actual sending server is malicious.

    • Example: An email appearing to be from “service@paypal.com” but upon closer inspection, the actual sender domain is “paypal-security.xyz”.

  • Domain Spoofing: This goes a step further, where attackers create domains that look very similar to legitimate ones.

    • Example: Using “microsof.com” instead of “microsoft.com”.

  • Defense: Check email headers for the true sender. Hover over links before clicking to see the actual URL. Use email authentication protocols like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance), which help verify email authenticity.

  • Tool: Online email header analyzers can help you examine email origins (e.g., MXToolbox Email Header Analyzer).

3. URL Manipulation

Attackers manipulate URLs to deceive users into thinking they are visiting a legitimate website when they are actually directed to a malicious one.

  • URL Shortening: Using services like Bitly or TinyURL to hide the true destination of a link. While legitimate for convenience, attackers abuse them.

  • Subdomain Spoofing: Creating subdomains that appear legitimate but are under the attacker’s control.

    • Example: “https://www.google.com/search?q=paypal.login.attacker.com” instead of “https://www.google.com/search?q=login.paypal.com”.

  • Homograph Attacks: Using characters from different alphabets that look identical or very similar to Latin characters (e.g., using a Cyrillic ‘a’ that looks like a Latin ‘a’).

  • Typosquatting: Registering domain names that are common misspellings of legitimate websites, hoping users will make a typo.

  • Defense: Always hover over links to see the full URL before clicking. Be wary of shortened URLs in suspicious emails. Use a reputable password manager that auto-fills credentials only on legitimate sites. Enable Punnycode warnings in your browser if available.

  • Resource: The Anti-Phishing Working Group (APWG) provides information on phishing trends, including URL manipulation.

4. Encoding

Attackers use various encoding techniques to obfuscate malicious code or evade detection by security tools.

  • Base64, URL encoding, HTML encoding: These methods convert characters into different formats, making the content less readable to humans and some automated scanners, but easily decodable by browsers.

    • Example: A phishing link might use URL encoding to hide malicious parameters within the URL.

  • Obscure JavaScript: Malicious JavaScript can be heavily obfuscated to hide its true intent, making it harder for security tools to analyze.

  • Defense: Modern browsers and security software are increasingly adept at detecting and decoding these obfuscation techniques. However, users should still be cautious about suspicious links and attachments. Keep your browser and security software updated.

  • Tool: Online decoders (e.g., CyberChef) can help analyze encoded text, though caution is advised when dealing with potentially malicious content.

5. Attachments

Malicious attachments are a classic phishing vector. Users are tricked into downloading and executing files that contain malware.

  • Example: An email claiming to be an invoice or a shipping notification that contains a “.zip” file, a “.docm” (macro-enabled Word document), or a “.pdf” file that, when opened, downloads or executes malware.

  • Defense: Never open attachments from unknown or suspicious senders. Even if the sender seems legitimate, if the email is unexpected or unusual, verify it through another channel. Use antivirus software and keep it updated. Be cautious of common file types that can carry macros or scripts (e.g., .docm, .xlsm).

  • Resource: The National Cyber Security Centre (NCSC) in the UK offers excellent guidance on dealing with suspicious emails and attachments.

6. Abuse of Legitimate Services

Attackers leverage trusted cloud services and platforms to host their phishing infrastructure or distribute malware.

  • Google Drive, Dropbox, etc.: Phishing pages or malicious files can be hosted on these services, making them appear legitimate due to the trusted domain name.

    • Example: A shared Google Drive document that, when opened, is a fake login page for Google or another service.

  • Using trusted reputations to send malware: Attackers might compromise a legitimate account on a service and then use that account to send out phishing emails or distribute malware, leveraging the service’s reputation.

  • Defense: Even if a link appears to be from a legitimate service, scrutinize the content carefully. Look for signs of manipulation (e.g., requests for sensitive information that don’t align with typical service behavior). Report suspicious activity to the service provider.

  • Resource: https://phishtank.org/

7. Pharming

Pharming is a more advanced and insidious form of cyberattack that redirects users from a legitimate website to a fraudulent one without their knowledge, even if they type the correct URL. It’s often a “two-step technique.”

  • DNS Server Poisoning: The most common pharming method. Attackers compromise a Domain Name System (DNS) server, which translates human-readable domain names (like “https://www.google.com/search?q=google.com”) into IP addresses that computers understand. By poisoning the DNS cache, the attacker can redirect requests for legitimate websites to their malicious server.

    • Example: You type “yourbank.com” into your browser, but due to poisoned DNS, your request is unknowingly routed to an attacker’s fake banking website.

  • Defense: Use reputable DNS servers (e.g., Google Public DNS, Cloudflare DNS). Ensure your router’s firmware is up to date and secured. Be vigilant about unexpected certificate warnings in your browser. Consider using a VPN (Virtual Private Network) to encrypt your DNS queries.

  • Tool: DNS lookup tools can help you verify the IP address associated with a domain (e.g., DNSChecker.org).

To get in touch with me or for general discussion please visit ZeroDayMindset Discussion

Breach Detected, SOC-101
study cybersecurity phishing_analysis
This post is licensed under CC BY 4.0 by the author.