WEB BASED ATTACK- PHISHING

What is a phishing attack?

Phishing is a type of social engineering assault that is frequently used to obtain sensitive information from users, such as login credentials and credit card details. It happens when a hacker poses as a trustworthy entity and convinces a victim to open an email, instant message, or text message. The recipient is subsequently duped into clicking a malicious link, which can result in malware installation, system freeze as part of a ransomware assault, or the disclosure of sensitive information.

An attack has the potential to be devastating. Unauthorized purchases, money theft, and identity theft are examples of this for individuals.

Furthermore, phishing is frequently used as part of a bigger attack, such as an advanced persistent threat (APT) event, to build a foothold in business or governmental networks. Employees are compromised in this scenario in order to circumvent security perimeters, distribute malware inside a closed environment, or get privileged access to protected data.

An organization that falls victim to such an attack usually suffers significant financial losses as well as a loss of market share, reputation, and consumer trust. Depending on the extent, a phishing attempt could turn into a security disaster from which a company will struggle to recover.

Phishing attack examples

1. Google and Facebook

A multi-year phishing scheme defrauded Facebook and Google of $100 million. Because the attackers knew both organizations used Quanta, a Taiwan-based corporation, the phisher sent the companies a series of fake invoices while impersonating Quanta. The scheme was eventually exposed, and Facebook and Google were able to recover $49.7 million of the $100 million taken through legal proceedings.

2. Crelan Bank

Crelan Bank in Belgium was the victim of a business email compromise (BEC) scam that cost the bank $75.8 million. During an internal audit, the Crelan Bank phishing attack was identified.

3. FACC (Federal Aviation Control Commission)

FACC, an Austrian aerospace parts firm, was also the victim of a BEC fraud and lost a large amount of money. The business disclosed the breach after losing $61 million to an attacker-controlled bank account.

Because they had failed to adequately implement security controls, the organization fired its CEO and CFO and pursued legal action against them, seeking $11 million in damages from the two executives.

Techniques used in phishing

  • Phishing scams through email

Phishing via email is a numbers game. Even if only a tiny number of receivers fall for the scam, an attacker who sends out thousands of bogus communications can gain access to sensitive information and large quantities of money. As previously stated, attackers employ a variety of ways to improve their success rates.

For one thing, they will go to considerable pains to create phishing messages that look exactly like emails from the company they are impersonating. The messages appear real because they use the same language, typefaces, logos, and signatures.

Furthermore, attackers will often try to compel users to act by instilling a sense of urgency. As an example, an email may threaten account expiration and set a countdown for the receiver, as stated previously. When pressure is applied, the user becomes less diligent and more prone to errors.

Finally, inside-message links resemble their legitimate counterparts but usually feature a misspelt domain name or additional subdomains.
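The two link tricks described above, a misspelt domain and a trusted name buried in extra subdomains, can be screened for mechanically. The following is an added example written for this article, not code from the original post: it extracts links from an email body and flags each one against a constructed allow-list of trusted domains (`TRUSTED_DOMAINS` and the sample email are assumptions for the demo).

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation treats as legitimate (assumption).
TRUSTED_DOMAINS = ("example-bank.com", "example.com")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain
    (no public-suffix list, so co.uk-style suffixes are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url):
    """Verdict for one link: trusted, trusted-name-as-subdomain, lookalike or unknown."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for t in TRUSTED_DOMAINS:
        # Trusted name used as an extra subdomain, e.g. example-bank.com.<attacker-domain>
        if f".{t}." in f".{host}":
            return "trusted-name-as-subdomain"
    for t in TRUSTED_DOMAINS:
        # Registrable domain within two edits of a trusted one, e.g. examp1e-bank.com
        if levenshtein(reg, t) <= 2:
            return "lookalike"
    return "unknown"

def scan_message(body):
    """Extract every link in an email body and classify it."""
    return [(url, classify_url(url)) for url in URL_RE.findall(body)]

# Constructed sample phishing email: an urgency hook plus three links of differing risk.
SAMPLE_EMAIL = """Your account will be suspended in 24 hours unless you verify it.
Verify now: http://example-bank.com.account-verify.net/login
Alternate link: https://examp1e-bank.com/reset
Support: https://www.example-bank.com/support"""
```

Run `scan_message(SAMPLE_EMAIL)` to see the first two links flagged and only the genuine support link marked trusted; in practice the allow-list would be driven by a public-suffix-aware library rather than the two-label approximation used here.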

  • Spear phishing

Unlike bulk phishing, which targets random users, spear phishing targets a specific individual or company. It is a more advanced form of phishing that requires an in-depth understanding of an organization's power structure.

An attack might play out as follows:

1. An attacker conducts background research on personnel in a company's marketing department and gains access to the most recent project invoices.

2. Assuming the identity of the marketing director, the attacker sends an email to a departmental project manager (PM) with the subject line "Updated invoice for Q3 campaigns". The wording, style, and logo are all identical to the company's normal email template.

3. A link in the email takes the PM to what appears to be a password-protected internal document, which is actually a spoofed copy of a stolen invoice.

4. The PM is asked to log in to view the document. By stealing the PM's credentials, the attacker obtains full access to sensitive parts of the organization's network.

Spear phishing is an effective way to carry out the first stage of an APT because it provides the attacker with valid login credentials.

Phishing statistics

  • 56% of IT decision makers say targeted phishing attacks are their top security threat.
  • 83% of global InfoSec respondents experienced phishing attacks in 2018, an increase from 76% in 2017.
  • Business email compromise (BEC) scams cost organizations $676 million in 2017.
  • CEO fraud is now a $12 billion scam.
  • 30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link.
  • Only 3% of targeted users report malicious emails to management.
  • 53% of IT and security professionals say they have experienced a targeted phishing attack in 2017.
  • Credential compromise rose 70% over 2017 and has soared 280% since 2016.
  • 50% of phishing sites now use HTTPS.
  • Fake invoices are the #1 disguise for distributing malware.
      • Bill / invoice 15.9%
      • Email delivery failure 15.3%
      • Legal / law enforcement 13.2%
      • Scanned document 11.5%
      • Package delivery 3.9%
  • The volume of email fraud that organizations receive has increased 8% year-over-year.
  • By the end of 2017, the average user was receiving 16 phishing emails per month.
  • 66% of malware is installed via malicious email attachments.
  • 49% of non-point-of-sale malware was installed via malicious email.
  • 21% of ransomware involved social actions, such as phishing.

Source: https://purplesec.us/resources/cyber-security-statistics/

How to prevent phishing

Both consumers and businesses must take precautions to protect themselves from phishing attacks.

Vigilance is essential for users. A spoof communication frequently contains inconsequential errors that reveal its genuine identity. These can include typographical errors or domain name modifications. Users should also consider why they are receiving such an email in the first place.

Enterprises can take a number of precautions to protect themselves from phishing and spear phishing attacks, including:

1. Two-factor authentication (2FA), which adds an extra layer of verification when logging in to critical applications, is the most effective way to prevent phishing attempts. 2FA requires two things from the user: something they know, such as a user name and password, and something they have, such as their smartphone. Even if an employee's credentials are compromised, 2FA stops an attacker from using them to gain access, because the credentials alone are insufficient.

2. In addition to utilizing two-factor authentication, businesses should have strong password management practices in place. Employees should be compelled to update their passwords on a regular basis and should not be permitted to reuse the same password for different applications.

3. Educational programmes that reinforce security procedures can help reduce the threat of phishing attempts.
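To make the 2FA point concrete, here is an added example written for this article (not code from the original post or from MRC): a minimal server-side login check in which the password and a time-based one-time code from an authenticator app (RFC 6238 TOTP, built on RFC 4226 HOTP) must both verify. The user record, password and salt are constructed for the demo, and the TOTP secret is the RFC test-vector key.

```python
import hashlib
import hmac
import struct
import time

SALT = b"constructed-demo-salt"  # assumption: one shared salt; real systems use a random salt per user

def password_hash(password):
    """Something the user knows: PBKDF2-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed user record. The TOTP secret is the RFC 4226/6238 test-vector key and
# would be shared with the authenticator app on the user's phone at enrolment.
USERS = {
    "pm@example.com": {
        "pw_hash": password_hash("Summer2024!"),
        "totp_secret": b"12345678901234567890",
    }
}

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def totp(secret, at, step=30):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (floored at 0)."""
    return hotp(secret, max(0, int(at)) // step)

def login(username, password, otp, at=None):
    """Something they know AND something they have must both verify.
    A password phished on its own is rejected because the OTP will not match."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(password_hash(password), user["pw_hash"]):
        return False
    now = time.time() if at is None else at
    # Tolerate one 30-second step of clock drift either side of the server's time.
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(user["totp_secret"], now + drift), otp):
            return True
    return False
```

Calling `login("pm@example.com", "Summer2024!", totp(b"12345678901234567890", time.time()))` succeeds, while the same call with the correct password but a stale or guessed code fails, which is exactly the protection the paragraph above describes.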

Phishing protection from MRC

With a wide range of solutions available, MRC's cybersecurity solutions can be the ideal choice for your organization to improve security practices for your employees. Our security team understands your requirements and custom-tailors solutions to your needs.

We ensure your organization incorporates the world's most secure, robust, and simple user/employee authentication system into your workflow, with features that include:

  • Push-based Authentication
  • Authenticator App
  • U2F FIDO Authentication
  • Biometric Verification (voice biometrics)
  • Location-based Authentication
  • Text Message (SMS) Authentication
  • Email Authentication



Business leader with 28 years of global business management experience and with deep exposure to IaaS, PaaS, SaaS, Business Analytics and Cyber Security practices.

© Copyright nasscom. All Rights Reserved.