Phishing, Vishing, Whaling - HACKING 17 Most Dangerous Hacking Attacks (2017)

HACKING 17 Most Dangerous Hacking Attacks (2017)

Chapter 5 – Phishing, Vishing, Whaling

Phishing

The word Phishing it does sound like fishing, and this is because the method is indeed very similar. A traditional fisher would typically throw the net into the water and wait for a catch. Wait until fishes, or I should say victims would be fool enough to be caught, and inevitably more fish would end up in the net, more the fishermen will happier be, moreover more net the fishermen uses bigger the chance to catch more fishes.

When it comes to Phishing, the techniques are similarly used. However, the most common form is via e-mail. What the so-called Phisher-men would do is send e-mail that would have an attachment, and being sound like an old friend, the message would contain something like:

, It’s been a long time, and just remembered that you always wanted to see these files, and now I have attached it for you. Let me know your thoughts.’’

Of course, there are many similarities like these, and the reality is that many people become a victim because of their curiosity by trying to open files from unknown sources.

If you were reading this book thinking there is no way that anyone would open attachments like this, believe me, you would be surprised how many people become a victim of Phishing attacks. Again we are humans, and we all thought differently, and we all have different reasons to make mistakes, both knowingly or unknowingly.

When the question approaches people: why did you click on the attachment? – Some may answer that they are waiting for some documents, some just too tired and clicking on any e-mail that’s in the inbox, and of course, there are many of us just too curious.

Curiosity comes in many forms, and when humans get confronted of explaining or answering and being thoughtful, often people respond otherwise.

Let’s take an example by asking ten people if want to see their manager’s e-mails. Yes, they all would say that not interested, however, if the question is that no one would ever know that they had access to their manager's e-mails and they would answer anonymously the typical answer would be a different outcome.

As you see, some people when receiving a malicious e-mail addressed to their boss, by landing in their mailbox, they would be even more curious to see what the attachment contains.

Phishing comes in other forms too and the second most common would be a link attached to the e-mail. Again nothing new here, but attackers still use this technique by creating an emergency o such by writing something that victims would easily fall for. Some example could be:

• OMG! Check the link; there will be an earthquake!

• You were not going to believe it! Check What she did while she was naked!

The list could go on forever, and there are still people becoming a victim of Phishing attacks when they have a surprise.

Other forms of Phishing types that are more and more common is the ones would represent a known Authority. These would be fake e-mails look like from Banks, PayPal, eBay and such where the e-mails would contain something like:

, Hi, we have detected some unusual activities in your account. Can you please confirm your security details by clicking the following link.’’

I have received one like this before from a Bank that I have never account with, so it was easy to eliminate. However, you have to understand that these attackers are fishing and sending the same e-mail to millions of people all the time. So the way they would be trying to scam you is the link would probably another fake website, frequently very similar to the one official site, and there would be some of the questions that you should be providing answers. Reasonable questions that the real company would ask too, but this times once you would submit the information, you would send your details to the bad guys. Situations when receiving e-mails from your Bank or your PayPal or any known legitimate authority, instead of following the link they sent you, you should go ahead and type the actual web page link. Next try to log on and see if you have received an e-mail from the company in question, instead of making a terrible mistake. Even if the link you would receive might be very similar to the genuine one, still my advice is to be cautious and don’t become a victim of old style Phishing attack.

Vishing

Again another similar word to fishing and the reason for that is because the bad guys using similar method to phishing, however, this time they would do carry out over the phone. The word comes from Voice type phishing. Therefore, it’s known as Vishing. You might have encountered such situation, however in case you not familiar with Vishing, then let elaborate on it with further detail. At the end of the day, this is for those bad guys that are indeed good with their social engineering skill set, as once they call a possible victim their job is to convince you to trust them. What their goal is to make you believe that you can trust them. First, they would call and introduce themselves as they call from a known company or Bank, and so they would explain that your bank account might have been hacked, as there are some unusual online transactions have been taken place recently. Of course, some people already would get a heart attack, and because they would keep on insisting that they want to help you and make sure that your money has will be recovered, you should be helping them identify all the places that you have been shopping recently. However, before doing so, they would run a security check, making sure that they are indeed speaking to the right person, and not the thieves. Then they would begin asking you to provide some personal details. Such would be your security code in full. Then they would you’re your mother maiden name, you address, and once they would have enough information, they would tell you to relax now, and they will take care of everything, as now your bank card is secured, and they will call you back shortly. These type of people scamming their victims over the phone all they long, unfortunately, they have the nerve to do so, and anyone falls for their scamming speech might suffer further consequences. However once the bad guys have enough information to purchase with, they would begin doing that, or either they would sell your online information places like the dark web.

I would advise that you do not provide all your details to anyone over the phone, even some bad guys can be pretty convincing, for your good, please do not fall for scammers.

With most Banks, they are helpful and might recover some of the money if not all that online thieves might take away from your account, however it might take some time for them to investigate all that, and you could go through a great pain. The largest organization like Banks would have a set of questions. However, you could also ask for some proof that they are indeed who they claim to be. You might ask such thinks like, if you have access to my bank details, then please tell me what dates do I pay my mortgage or water bills. If a person were really calling from a Bank, for example, they would have access to your Bank details so that they wouldn’t ask for your Bank Card information, and even if they ask to provide your online security digits, they probably ask for your third and last security number instead of all.

Other types of Vishing, for example, someone would call you from your ISP – Internet Service Provider. They would explaining that your router settings will be changed due to a hardware upgrade that they recently implemented. Therefore you must provide remote access to the ISP’s engineer to set everything on your PC for continuous internet connection. Now again, if they say that they should be able to talk you through the process that would be your best option. However, I would recommend you do not follow everything they tell you as they would trick you into opening an individual page that could install a backdoor to your PC, or worse. You must make sure you have a full confirmation that they are really who they claim to be so that you wouldn’t get into any trouble.

Smishing

SMS phishing is another form of vishing; an example is by receiving an SMS stating that you would be entitled to claim 2437 dollars from your Bank. The other famous claim is a Car Insurance, but the point is that the message would contain a link to click on to proceed with the claim or even a number that you should call. Again please do not be greedy, by thinking that you will get 2437 dollars for no reason just out of the blue. This types of scammers also have the same goal mindset, and that is to steal your information so they could profit from it one way or another. Hackers often use a technique that instead of sending a TXT message from a Random number, they would make it look like very legit by renaming the caller ID, for example, they would name XYZ Bank. This would give new trust for the receiver, however, to be even more believable, they would explain in the TXT to call a specific number. If you would call that number that has been provided, what you might find is that a very professional answering machine would be explaining the following:

Thank you for contacting XYZ Bank, we appreciate your patience; someone will be with you shortly, however, if you like to speak to someone now, please choose the following options:

• To speak to the Marketing Team, press 1,

• To speak to the Sales team, press 2,

• To speak to the IT Department, press 3,

• To speak to the COE, press 4

• To listen to these options again, press 5

And these would be in the loop of course, and to be honest doesn’t matter what option you would choose, in the end, they would try to scam you one way or another. This is an IVR – Interactive Voice Response that would even provide additional credibility to the hackers by really doing their best faking a particular company.

Spear Phishing

The end goal nearly always the same when it comes to Phishing attacks, and that is your login details, such as usernames, passwords, Bank account details, so I can confidently say that the objective is some financial gain.

Using traditional Phishing methods, the bad guys have learned that using a broad net they may be able to catch some fishes, however, to be more successful, they should be more personalized, and go after one particular fish each time. When it comes to spearfishing, the e-mails are very similar to a Phishing attack. However the message would contain your first name, and the rest of the content would be very close to your occupation, somehow related to your daily life or might be to your recent online purchases. Using my example, I normally get emails like that once or twice a week, and they always try to invite me to some expensive Microsoft training that I could be a part for free of charge if I would register by clicking on some ridiculously long link. Some others try to sell me some servers that are currently at a discounted price, but I should check their brochure for my reference that is attached.

They are trying their best and coming very close as they can. However I do not specialize in Microsoft, neither my hobby to buy servers, so I only block these senders, but I have to say that the e-mail structure and grammar is excellent, sometimes nearly convincing that they wrote some of those e-mails specifically to me. Again this is anther type of social engineering, trying to influence me by a personalized e-mail related to my everyday. Still, this is called Spear Phishing, nothing more. Hackers try to succeed in convincing you by personalized e-mail, they may even reference another friend name who you would know so you would think less in regards to trusting the sender or not. To succeed as a Spear Phisher, there is some research would require, and by those few minutes of researchers they could learn about you and your friends or colleges and using those similar terms and friends names in the e-mail. Indeed they can be very convincing.

The reality is that you could be able to spot some of the differences within the e-mail address or attachments that would just look odd, or some of the links that you shouldn’t click on can be very long, and you wouldn’t see any real English words in it. These are so well written, that even Mailing security servers, such as Mail Marshal wouldn’t catch them. In your Gmail, they would turn up in your inbox rather than in a spam folder. Therefore I would highly recommend that you double-check everything in such emails and do not click on any link or attachment that the e-mail may contain.

Whaling

Now that you have understood the core of Phishing as well a Spear Phishing attack consider this: Whaling! If you think about what the bad guys have learned from all these types of attacks, is why should they proceed by traditional unsuccessful Phishing attacks.

Going after all those little fishes, with a small amount on their Bank account, if they could just go after one or two big fishes instead who would have probably more money on their Bank account, as well they would be more embarrassed if they would be hacked. In one sentence Whaling is Spear Phishing a big fish. Big fishes are like Company Directors, CEO-s CTO-s and so on, and going after someone who has potentially a higher authority is called Whaling. Again these type of people wouldn’t open e-mails like traditional Phishing materials, however whaling attacks have recently increased in volume, and many of them are indeed has had success. Whaling would not necessarily mean that the real CEO would be hacked. However CEO-s do have personal assistants who answer telephone calls, schedules meetings, answering e-mails, organizing companies purchases, therefore looking after quotes, and invoices and much more. So as you see, some bad guys would exploit this vulnerability, and try to hack into the PA’s (Personal Assistant) PC by implementing Vishing such as an ISP, or from an IT Helpdesk who want to check on the PC due to fixing of an earlier made a mistake or such like that. Once the bad guys would have access to the PA-s computer, it would be very easy to gain further information about the actual CEO, that could be used against him or her. In case the hackers would go after specifically the COE, or an Executive, they would have to provide specific details to convince a highly ranked company Manager. Therefore the bad guys must be preparing to whale for longer than an average Phishing attack. When you think about Company Executives, have access to more details than anyone else, and the Hackers know that too, therefore you must understand that for Executives should have many other layers when it comes to Security. However, CEO-s are busy with the Business. Therefore IT Security must be providing continuous training to the Executives making sure they wouldn’t make any mistake.