Banking Operations and Services: Types of Phishing Attacks: 1. Deceptive Phishing


BANKING OPERATIONS AND SERVICES

What is Phishing?
Phishing is a method of trying to gather personal information using deceptive
emails and websites.
Phishing is a cyber-attack that uses disguised email as a weapon. The goal is to
trick the email recipient into believing that the message is something they want,
for instance a request from their bank or a note from someone in their company,
and to click a link or download an attachment.

Types of Phishing Attacks:

1. DECEPTIVE PHISHING

Deceptive phishing is the most common type of phishing scam. In this ploy,
fraudsters impersonate a legitimate company to steal people’s personal data or
login credentials. Those emails use threats and a sense of urgency to scare users
into doing what the attackers want.
Techniques used in Deceptive Phishing:

• Legitimate links – Many attackers attempt to evade detection from email
filters by incorporating legitimate links into their deceptive phishing emails.
They could do this by including contact information for an organization that
they might be spoofing.
• Blend malicious and benign code – Those responsible for creating phishing
landing pages commonly blend malicious and benign code together to fool
Exchange Online Protection (EOP). This might take the form of replicating
the CSS and JavaScript of a tech giant’s login page to steal users’ account
credentials.
• Redirects and shortened links – Malicious actors don’t want to raise any
red flags with their victims. They therefore use shortened URLs to fool
Secure Email Gateways (SEGs). They also use “time bombing” to redirect
users to a phishing landing page only after the email has been delivered.
After victims have handed over their credentials, the campaign then redirects
them to a legitimate web page.
• Modify brand logos – Some email filters can spot when malicious actors
steal organizations’ logos and incorporate them into their attack emails or
onto their phishing landing pages. They do so by looking out for the logos’
HTML attributes. To fool these detection tools, malicious actors alter an
HTML attribute of the logo, such as its color.
• Minimal email content – Digital attackers attempt to evade detection by
including minimal content in their attack emails. They might elect to do this
by including an image instead of text, for instance.

Example: Back in July 2021, for instance, Microsoft Security Intelligence warned
of an attack operation that used spoofing techniques to disguise its sender email
addresses so that they contained target usernames and domains. The emails also
used display names that mimicked legitimate services. Ultimately, the operation’s
emails used a SharePoint lure to trick recipients into navigating to an Office 365
phishing page.
How to defend against Deceptive Phishing:
The success of a deceptive phish is determined by how closely an attack email
resembles official correspondence from the company being spoofed. Recognizing
this fact, users should carefully analyse all URLs to see if they redirect to an
unknown and/or questionable website. They should also be on the lookout for
generic salutations, grammatical problems, and spelling issues.
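
The URL and salutation checks described above, turned into a small triage
script. This is an added example, not part of the original material; the
shortener list, the generic salutations, the fictional bank domain
example-bank.test and the sample email are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: a few well-known URL-shortener hosts and the
# generic salutations the text says to watch for.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")

class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Hostname of a URL or URL-looking string, lower-cased ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def triage_email(html, expected_host):
    """Return the red flags found in one HTML email body (empty list = none)."""
    findings = []
    parser = _LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        host = _host(href)
        if host in SHORTENERS:
            findings.append(f"shortened link: {href}")
        text_host = _host(text) if re.fullmatch(r"\S+\.\S+", text) else ""
        if text_host and text_host != host:
            # Visible URL differs from the real destination: a disguised link.
            findings.append(f"link text {text!r} hides {host}")
        elif host and host != expected_host and not host.endswith("." + expected_host):
            findings.append(f"link to unexpected host: {host}")
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    if any(s in plain for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    return findings

# Constructed sample impersonating a fictional bank at example-bank.test.
SAMPLE = """<p>Dear Customer,</p><p>Your account will be locked in 24 hours.
Verify now at <a href="http://bit.ly/xyz">https://www.example-bank.test/verify</a>
or contact us at <a href="https://www.example-bank.test/contact">our help desk</a>.</p>"""
```

Running `triage_email(SAMPLE, "example-bank.test")` reports the shortened
link, the mismatch between the visible URL and its real destination, and the
generic salutation.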

2. SPEAR PHISHING
In this type of ploy, fraudsters customize their attack emails with the target’s
name, position, company, work phone number, and other information to trick
the recipient into believing that they have a connection with the sender. Yet the
goal is the same as deceptive phishing: get the victim to click on a
malicious URL or email attachment so that they’ll hand over their personal data.
Given the amount of information needed to craft a convincing attack attempt,
it’s no surprise that spear-phishing is commonplace on social media sites
like LinkedIn, where attackers can use multiple data sources to craft a targeted
attack email.
Techniques used in Spear Phishing:

• Housing malicious documents on cloud services: CSO reported that digital
attackers are increasingly housing malicious documents on Dropbox, Box,
Google Drive, and other cloud services. By default, IT is not likely to block
these services, which means the organization’s email filters won’t flag the
weaponized docs.
• Compromise tokens: CSO also noted that digital criminals are attempting
to compromise API tokens or session tokens. Success in this regard would
enable them to steal access to an email account, SharePoint site, or other
resource.
• Gather out-of-office notifications: Attackers need lots of intelligence to
send a convincing spear-phishing campaign. Per Trend Micro, one way they
can do this is by emailing employees en masse and gathering out-of-office
notifications to learn the format of the email addresses used by internal
employees.
• Explore social media: Malicious actors need to learn who’s working at a
targeted company. They can do this by using social media to investigate the
organization’s structure and decide whom they’d like to single out for their
targeted attacks.

Example: Microsoft Threat Intelligence Center (MTIC) detected some attack
emails that appeared to have originated from the U.S. Agency for International
Development (USAID). The emails arrived from an authentic sender email address
that matched the standard Constant Contact service. Using election fraud as a
lure, the spear phishing emails tricked victims into clicking on a link that
eventually redirected them to infrastructure controlled by NOBELIUM. That
infrastructure then downloaded a malicious ISO file onto the victim’s machine.
How to defend against Spear Phishing:
To protect against this type of scam, organizations should conduct ongoing
employee security awareness training that, among other things, discourages
users from publishing sensitive personal or corporate information on social
media. Companies should also invest in solutions that analyze inbound emails
for known malicious links/email attachments. Such solutions should be capable of
picking up on indicators for both known malware and zero-day threats.

3. WHALING

Spear phishers can target anyone in an organization, even executives. That’s the
logic behind a “whaling” attack. In the event their attack proves successful,
fraudsters can choose to conduct CEO fraud. As the second phase of a business
email compromise (BEC) scam, CEO fraud is when attackers abuse the
compromised email account of a CEO or other high-ranking executive to authorize
fraudulent wire transfers to a financial institution of their choice. Alternatively,
they can leverage that same email account to conduct W-2 phishing in which they
request W-2 information for all employees so that they can file fake tax returns on
their behalf or post that data on the dark web.
Techniques used in Whaling:
Whaling attacks commonly make use of the same techniques as spear phishing
campaigns. Here are a few additional tactics that malicious actors could use:

• Infiltrate the network: A compromised executive’s account is more
effective than a spoofed email account. As noted by Varonis, digital
attackers could therefore use malware and rootkits to infiltrate their target’s
network.
• Follow up with a phone call: The United Kingdom’s National Cyber
Security Centre (NCSC) learned of several instances where attackers
followed up a whaling email with a phone call confirming the email request.
This social engineering tactic helped to assuage the target’s fears that there
could be something suspicious afoot.
• Go after the supply chain: Additionally, the NCSC has witnessed a rise in
instances where malicious actors have used information from targets’
suppliers and vendors to make their whaling emails appear like they’re
coming from trusted partners.

Example: Back in May 2016, Infosecurity Magazine covered Austrian aerospace
manufacturer FACC’s decision to fire its CEO. The supervisory board of the
organization said that its decision was founded on the notion that the former CEO
had “severely violated his duties, in particular in relation to the ‘Fake President
Incident.’” That incident appeared to have been a whaling attack in which
malicious actors stole €50 million from the firm.
How to defend against Whaling:
Whaling attacks work because executives often don’t participate in security
awareness training with their employees. To counter the threats of CEO fraud
and W-2 phishing, organizations should mandate that all company personnel
including executives participate in security awareness training on an ongoing
basis.
Organizations should also consider injecting multi-factor authentication (MFA)
channels into their financial authorization processes so that no one can authorize
payments via email alone.

4. VISHING

This type of phishing attack dispenses with sending out an email and goes for
placing a phone call instead. As noted by Comparitech, an attacker can perpetrate a
vishing campaign by setting up a Voice over Internet Protocol (VoIP) server to
mimic various entities in order to steal sensitive data and/or funds. The FBI found
that malicious actors used those tactics to step up their vishing efforts and target
remote workers in 2020.
Techniques used in Vishing:

• “The mumble technique”: Digital attackers will oftentimes incorporate
unique tactics to go after specific targets. For instance, as reported by Social-
Engineer, LLC, when they attempt to target customer service representatives
or call center agents, malicious actors might use what’s known as “the
mumble technique” to mumble a response to a question in the hopes that
their “answer” will suffice.
• Technical jargon: If malicious actors are targeting a company’s employees,
Social-Engineer, LLC noted that they might impersonate in-house tech
support by using technical jargon and alluding to things like speed issues or
badging to convince an employee that it’s okay for them to hand over their
information.
• ID spoofing: Here, a malicious actor disguises their phone number to make
their call look like it’s coming from a legitimate phone number in the
target’s area code. Twinstate noted that this technique could lull targets into
a false sense of security.

Example: In June 2021, Threatpost reported on a vishing campaign that sent out
emails disguised as renewal notifications for an annual protection service provided
by Geek Squad. The emails leveraged branding stolen from Geek Squad to instruct
recipients to call a phone number. If they complied, recipients found themselves
connected to a “billing department” that then attempted to steal callers’ personal
information and payment card details.
How to defend against Vishing:
To protect against vishing attacks, users should avoid answering calls from
unknown phone numbers, never give out personal information over the phone, and
use a caller ID app.

5. SMISHING

Vishing isn’t the only type of phishing that digital fraudsters can perpetrate using a
phone. They can also conduct what’s known as smishing. This method leverages
malicious text messages to trick users into clicking on a malicious link or handing
over personal information.
Techniques used in Smishing:
• Trigger the download of a malicious app: Attackers can use malicious
links to trigger the automatic download of malicious apps on victims’
mobile devices. Those apps could then deploy ransomware or enable
nefarious actors to remotely control their devices.
• Link to data-stealing forms: Attackers could leverage a text message along
with deceptive phishing techniques to trick users into clicking a malicious
link. The campaign could then redirect them to a website designed to steal
their personal information.
• Instruct the user to contact tech support: With this type of attack tactic,
malicious actors send out text messages that instruct recipients to contact a
number for customer support. The scammer will then masquerade as a
legitimate customer service representative and attempt to trick the victim
into handing over their personal data.

Example: Security Boulevard warned in April 2021 that malicious actors were
using smishing messages disguised as United States Postal Service (USPS)
updates, FedEx shipment correspondence, and Amazon loyalty program rewards
notices. Those messages redirected recipients to a landing page designed to steal
their payment card information and other personal details.
How to defend against Smishing:
Users can help defend against smishing attacks by researching unknown phone
numbers and by calling the company named in suspicious SMS messages if they
have any doubts.

6. PHARMING
This method of phishing leverages cache poisoning against the domain name
system (DNS), the naming system the Internet uses to convert human-readable
website names, such as “www.microsoft.com,” into numerical IP addresses so that
it can locate, and thereby direct visitors to, computer services and devices.
In a DNS cache poisoning attack, a pharmer targets a DNS server and changes
the IP address associated with a website name. That means an attacker can
redirect users to a malicious website of their choice. That’s the case even if the
victim enters the correct site name.
Techniques used in Pharming:

• Malicious email code: In this variant of a pharming attack, malicious actors
send out emails containing malicious code that modifies the hosts file on the
recipient’s computer. The modified hosts file then redirects requests for the
targeted names to a website under the attackers’ control so that they can
install malware or steal a victim’s information.
• Targeting the DNS server: Alternatively, malicious actors might opt to
skip targeting individual users’ computers and directly go after a DNS
server. This could potentially compromise millions of web users’ URL
requests.

Example: In 2014, Team Cymru revealed that it had uncovered a pharming attack
in December 2013. The operation affected over 300,000 small business and home
office routers based in Europe and Asia. Ultimately, the campaign used man-in-
the-middle (MitM) attacks to overwrite victims’ DNS settings and redirect URL
requests to sites under the attackers’ control.
How to defend against Pharming:
To protect against pharming attacks, organizations should encourage employees to
enter login credentials only on HTTPS-protected sites. Companies should also
deploy anti-virus software on all corporate devices and implement virus database
updates on a regular basis. Finally, they should stay on top of security upgrades
issued by a trusted Internet Service Provider (ISP).
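
A defender-side check for the hosts-file variant of pharming described above: it
audits a hosts file for entries that pin public or watched names to an address. This
is an added example, not part of the original material; the watched names, the
internal address ranges and the sample hosts file are constructed assumptions.

```python
import ipaddress

# Assumptions for this example: names the organization expects to reach only
# via DNS, and the internal ranges a legitimate hosts-file entry may point into.
WATCHED_NAMES = {"www.example-bank.test", "login.example-bank.test"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are ignored."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def suspicious_entries(text):
    """Return (address, name, reason) for entries that look like pharming overrides."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        # localhost-style entries and 0.0.0.0 blocklist entries are normal.
        if addr.is_loopback or addr.is_unspecified:
            continue
        if name in WATCHED_NAMES:
            findings.append((ip, name, "watched name pinned in hosts file"))
        elif "." in name and not any(addr in net for net in INTERNAL_NETS):
            findings.append((ip, name, "public name pinned to an external address"))
    return findings

# Constructed sample: a normal-looking file with two lines injected by malware.
SAMPLE_HOSTS = """# hosts file (constructed sample)
127.0.0.1     localhost
::1           localhost ip6-localhost
192.168.10.5  fileserver.corp.test       # legitimate internal entry
0.0.0.0       ads.tracker.test           # blocklist-style entry
203.0.113.7   www.example-bank.test login.example-bank.test
203.0.113.7   updates.vendor.test
"""

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(*finding)
```

The two injected lines are reported while the localhost, internal-server and
blocklist entries are left alone; the same check can be run over a real hosts file
as part of endpoint monitoring.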
