Phishing: Tactics And Tools Explained

Phishing (password harvesting fishing) is one of the most effective technique that hackers use to steal your credentials. Phishing is a mix of social engineering and computer skills that consists of pretending to be a reputable organization asking you to do a certain security procedure; this procedure involves changing your password or revealing your bank credentials. The innocent user is tricked because the email he receives or the website he visits, seems completely legitimate, thanks to the attacker’s’ computer skills. Phishing can be leveraged in several manners, in this article I will explain the different approaches and how to protect yourself when possible.

The Basics

The main vector of a phishing attack is usually a fake website. The hacker’s goal is to prepare a fake website identical to a legitimate website. This can be done through HTML, CSS and javascript capabilities and you may be surprised to know how easy can be setting up a fake site. After the mock site has been prepared, the next step for the hacker is convincing the user to visit it instead of visiting the real site. This is the difficult part and it can be done in different ways briefly explained in the following section of this article. The last step for the attacker is to make sure that the origin of the fake site will not be discovered by the real site or by the authorities. To avoid being discovered, and to reach the greatest audience, phishers mostly use spam emails. Spam emails are often sent through a botnet so it is highly unlikely for the attacker to be found by the authorities. Spammers also have databases containing millions of active emails, so they can target a great number of innocent users. The phisher needs also to know who are the customers for a known organization if he wants his lure to be effective.

Tools And Tactics

The attacker can use a great variety of techniques to make an innocent user believe he’s visiting a legitimate website. Let’s say a spam email is sent to a customer of a benign organization. The email contains an hyperlink apparently addressing the real website like www.innocentwebsite.com. Nonetheless, the hyperlink points to an IP address instead of a domain name. It is unlikely that a normal customer will control if the IP address in the hyperlink really points to the legitimate website, so there’s the trick. When the user clicks on www.innocentwebsite.com, his traffic is redirected to the malicious website that appears to be identical to the benign one.

Installing a malware is another option for the attacker. A malware could alter the hosts file of a victim’s machine assigning to a certain innocuous domain name a malicious ip address, or it could poison the victim’s browser leveraging vulnerabilities in it to make the victim connect to a malicious site. Anyway I don’t really see the utility in performing a phishing attack using a malware. In fact, once an attacker installs a malware on a victim’s pc, he could directly use it as a keylogger to harvest all the passwords and credentials typed by the user instead of stealing only one password. He could also take full control of the user’s machine, that is a far more dangerous attack than a simple one shot phishing trick.

The possibility exists that a black hat registers a domain name that sounds like the legitimate one, hoping the innocent user mistypes the original name. For example the malicious website could be registered at www.inn0centwebsite.com instead of www.innocentwebsite.com. Once the user mistypes the domain name in the first way, he is redirected to the fake site. An attacker can also decide to encode the fake URL in several ways, so it will appear identical to the benign one. The user will not control or understand the encoding process so his traffic will be redirected to the malicious site.

A very common phishing procedure is scanning for vulnerable web servers, compromising them, installing rootkits and downloading the phishing site and the mass spam tools. From this point the attacker automates the procedure of sending spam emails that seem legitimate from the benign server itself and a lot of traffic begins to arrive to the phishing site. This technique is usually used by organized groups of hackers targeting a large variety of well known organizations, not by individuals.

Port redirection is a very efficient option for attackers who don’t want to install rootkits on the compromised web servers. Having exploited a vulnerability on the server, the hacker can install a port redirection tool that will transparently redirect all the traffic to a malicious server in a foreign country. The hacker starts to send spam emails, the users click on the site and that’s it.

Avoiding Phishing

Avoiding phishing is a matter of common sense. A legitimate corporation like your bank will never email you asking you to change your password or share your credentials and if you’re in doubt, it’s better calling them at their official phone number. Never click on links in emails and you will be safe. Distrust emails that promote gifts or ask you to do a security check. Update your system and use a good antivirus to avoid being infected by malwares. If you really need to click that link, open it in a virtual machine.