The bad guys have found that the best place to obtain a user’s login credentials is directly from the user. In this video, you’ll learn about phishing and spear phishing techniques that have been used to obtain login information.
Phishing is a technique used by the bad guys to try to convince you to give up some personal information. This might be a username and a password. It might be some personal information like a credit card number or social security number. But it’s all a mixture of social engineering and a little bit of spoofing.
A good example of phishing is this PayPal login screen, except this really isn’t a login screen at PayPal. It’s one that the bad guys constructed to look exactly like a PayPal login page so that you would be enticed to provide your username and password. You usually end up on one of these pages by clicking on a link inside of an email or responding to a link that’s been sent to you over instant messaging.
This is something that when it is well done looks exactly like the legitimate page. So you have to be very careful about what sites you visit. One way to tell this is not the legitimate PayPal page is by looking at the URL. You can see that it starts with y-o-u, and then I blurred out the part in the middle so that you don’t accidentally visit this PayPal phishing site.
You know there’s something not quite right if you look at the site and the URL is incorrect. There might be graphics missing, and you can see at the bottom of this page, there is a graphic that is missing. You see the little message at the bottom. And sometimes there will be spelling or something not quite right with the page that might make you think that this is not the legitimate site.
A type of phishing that is done over the phone is vishing. It stands for voice phishing. And when somebody calls you up and says they’re from the bank or they’re from your credit card company, and they ask you for your credentials, you might want to think twice before handing over such important information.
When these pages are done well, they look identical to the sites. This PayPal login page was really well done. It might even entice me to log in with my PayPal credentials. This is why we tell people not to click links inside of email because this is what they might be faced with. You should always go to your browser, go to the address bar, type in paypal.com yourself to make sure that you’re logging in to the correct site.
If a phisher is really good, they’re going to direct their efforts towards a very narrow group of people and customize the email or the messages they present to them. This is called spear phishing: it focuses in on a narrow group of people and constructs a front end and a message that seem very legitimate to the end user. If somebody is going after a CEO or somebody at a very high level within a company, that type of spear phishing is called whaling.
A good example of phishing occurred in April of 2011 at Epsilon. This was a very focused attack: fewer than 3,000 email addresses at Epsilon were sent the phishing message, and 100% of the email operations staff received it. People did click on the links inside the email, and that downloaded an anti-virus disabler, installed a keylogger, and installed a remote administration tool.
If you really want to customize your phishing attack and make it seem legitimate, then you might want to make the emails appear to come from the human resources department. That’s what happened in April of 2011 at the Oak Ridge National Laboratory. Only 530 employees were targeted, but 57 people clicked and ultimately two devices were infected during this phishing attack. Data was downloaded from those two devices, and servers were infected with malware, just from those two people clicking on this very focused spear phishing email.
Perhaps one of the best-known phishing attacks in recent history occurred on March 19th of 2016, and it involved John Podesta, a former White House Chief of Staff and former counselor to the President of the United States. At the time, he was serving as the chairman of the 2016 Hillary Clinton United States presidential campaign. So this would definitely be a whaling attack: someone going after a person at a very high level with this phishing attack.
Mr. Podesta used a Gmail account to handle all of his email, like many of us do. This email account had information and messages in it ranging from the years 2007 up through current times of 2016. Here is the exact phishing email that John Podesta received. It says, someone just used your password to try to sign into a Google account, and it gave his email address, the details with the date and the time, the IP address, and the location of where that IP address is associated.
And it says that Google stopped this sign-in attempt, you should change your password immediately, and it gives a change password link. Notice that the change password link is not a Google link: it’s a shortened bit.ly link. And it said, best, the Gmail team, et cetera, et cetera.
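The two warning signs described above, a URL whose registered domain is not the brand it imitates (the PayPal page) and a link shortener that hides the real destination (the bit.ly link in the Podesta email), can be checked mechanically before anyone clicks. The following Python is an added example, not code from the original video: it parses each link in a message, compares the registered domain against the domain the message claims to be from, and flags shorteners. The shortener list, the two-label "registered domain" heuristic, and the sample email text are all constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed list of URL-shortener hosts. bit.ly is the one from the Podesta
# email; the others are assumed common shorteners included for illustration.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Constructed sample message modelled on the wording described in the video.
# The link is a placeholder, not the real one from the Podesta email.
SAMPLE_EMAIL = """Someone just used your password to try to sign in to your Google account.
Google stopped this sign-in attempt. You should change your password immediately:
http://bit.ly/EXAMPLE-NOT-A-REAL-LINK
Best, The Gmail Team
"""


def registered_domain(hostname):
    """Crude 'registered domain': the last two DNS labels.

    Assumption: good enough for .com/.net style names. Real deployments should
    use a public-suffix list, because this heuristic is wrong for names such as
    example.co.uk (it would return 'co.uk').
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_link(url, expected_domain):
    """Return ("ok", []) or ("suspicious", [reasons]) for one URL.

    expected_domain is the registered domain the message claims to come from,
    e.g. "paypal.com" or "google.com".
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    reasons = []
    if not host:
        return "suspicious", ["no hostname in link"]

    reg = registered_domain(host)
    if reg in SHORTENERS:
        # A shortener hides where the click actually lands.
        reasons.append("link shortener hides the real destination")
    elif reg != expected_domain.lower():
        reasons.append(f"registered domain is {reg}, not {expected_domain}")
        # Lookalike check: brand name present somewhere in the hostname, but the
        # part that actually matters (the registered domain) belongs to someone else.
        brand = expected_domain.split(".")[0].lower()
        if brand in host.lower():
            reasons.append("brand name appears in hostname but is not the registered domain")
    if parsed.scheme != "https":
        reasons.append("link is not https")

    return ("ok" if not reasons else "suspicious"), reasons


def scan_email_links(body, expected_domain):
    """Extract every http(s) link from a message body and classify each one."""
    links = re.findall(r"https?://[^\s<>\"')\]]+", body)
    return [(url, *classify_link(url, expected_domain)) for url in links]


if __name__ == "__main__":
    for url, verdict, reasons in scan_email_links(SAMPLE_EMAIL, "google.com"):
        print(verdict, url, reasons)
    # Constructed lookalike host standing in for the blurred PayPal phishing URL.
    print(classify_link("http://www.paypal.com.you-example.test/login", "paypal.com"))
    print(classify_link("https://myaccount.google.com/security", "google.com"))
```

The legitimate security page the IT team pointed to, myaccount.google.com/security, classifies as ok because its registered domain is google.com, while the shortened link and the lookalike host are both flagged. The point of the check is the same as the advice in the video: trust the address bar, not the text of the link.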
John Podesta’s administrative assistant, Sarah, reached out to the IT team and asked if this was something they should be concerned about. The response they got back was, Sarah, this is a legitimate email. John needs to change his password immediately and ensure that two-factor authentication is turned on in his account. He can go to this link, myaccount.google.com/security. That’s certainly a good link to do both. It is absolutely imperative this is done as soon as possible.
The person that wrote this said that this is a legitimate email. And it’s difficult to understand here if they meant that this is a legitimate problem that needs to be addressed or that the email that was received is a legitimate email. In either case, Mr. Podesta did not follow these instructions to change his email account information.
Instead, he went back to his original email. He clicked the bit.ly link that was in the email and provided the bad guys with his Google username and password, immediately unlocking and making available 10 years of personal and business email correspondence. As we all know now, all of those email messages were made available on Wikileaks.
Everything from that time frame could be read by anybody who wanted to. This, of course, was a successful phishing attempt that was made very public. It had significant political ramifications, but we, of course, need to think about the links that we’re clicking in our own emails. We store personal financial information on our own computers, along with data that’s specific to the organizations where we work. We have to be very careful about protecting all of that from any of these phishing attempts.