Phishing attacks are really simple, and that simplicity is one of the reasons phishing continues to be such a big problem. It is easy to pull off, even for the most novice attackers. Setting up a phishing website can take less than an hour and doesn’t require much technical skill; tutorials for setting one up are a quick Google search away. The costs of setting up a phishing campaign are low too. All a phisher needs is a domain and web hosting, which can be purchased for under $20. Some phishers even host their pages for free on web servers they have broken into.
Low start-up costs and the minimal skill required are what make phishing so popular. However, the main reason phishing remains so common is its effectiveness. Not only is a phishing attack easy to conduct, it just works. As the saying goes, ‘If it ain’t broke, don’t fix it’. Phishing has worked for a long time and continues to work despite all the advances in security. Attackers have no incentive to change their ways while the cheapest and easiest method keeps paying off.
Phishing is popular because it’s cheap, easy, and it just works.
Awareness is key to preventing phishing attacks and protecting yourself. Phishing is so common that most users encounter it daily. The good news is that security education has come a long way, and internet users are more aware of phishing than ever before. However, many people still don’t understand what phishing is or how it works. Understanding how phishing attacks work lets users spot them before it’s too late, and spotting a phishing attack before you hand over your information is the best way to stay safe.
In this post, we are going to break down the basic elements of a phishing attack, how a phishing attack is executed, and how phishers profit from an attack.
Phishing Attack Delivery
The delivery method is where a user first encounters a phishing attack: it is how the attacker tries to get the user to visit a phishing webpage or share their information. There are a lot of different ways phishers deliver their attacks, but the two primary methods are email and text messages. Understanding each delivery method will make you better at spotting attacks on the platform where they happen.
Email is where phishing started. It remains the main method for delivering phishing attacks, so it is where users will see the most of them and the method users need to be most aware of. The good news is that a lot of users are already aware of email-based phishing, which gives them a better chance of catching an attack before they become a victim.
Most phishing attacks start with an email, so let’s look at a couple of the phishing strategies users are most likely to see and what they might look like.
Password Reset
The first phishing strategy we are going to look at targets your password. In this attack, you are likely to receive an email prompting you to log into your account. The email will look like it comes from a real company such as Apple, PayPal, Google, Netflix, Microsoft, or Amazon. It will be complete with professional-looking company logos, and it may even address you by your full name. Phishers copy the design of real company emails to make theirs look as legitimate as possible; every part of the email is designed to look real and raise no concerns so that the attack succeeds.
Then there is usually a message informing you that there is an error with your account and you need to log in. Sometimes you will be told that you need to reset your password or verify your account. The body of the email contains a link that looks like it leads to the company’s website. That link is not real; it leads to the second stage of the phishing attack.
The image above shows what a basic phishing email might look like. At the top of the email there is an Amazon logo to make it look official. Next, the message tells the user that they need to log in and verify their account. The button at the bottom contains a link that takes the user to a phishing webpage, which will steal their password when they log in.
Credit Card Information
The second type of phishing attack attempts to steal your credit card information. It is very simple and similar to the previous example. The email informs the user that there is an issue with their billing information and they need to log in and update it. The email again looks real, with logos and a link that appears to go to the company website. Just like the last example, the link leads to a fake webpage that steals your credit card details in the next phase of the attack.
This example takes a similar approach to the last one, but it targets your payment information instead of your account password. Again, we can see the use of an official Netflix logo to boost the credibility of the email. The reader is told they need to update their payment information at the link below, and that link takes the user to a fake website that will steal their credit card information.
Text Messages
Text-based phishing, also known as smishing (short for SMS phishing), is a newer development in phishing strategies. Mobile devices open up a world of opportunity for phishers: they are no longer limited to sending messages over email and now use text messages to steal login details. The purpose of text-based phishing is the same as email-based phishing, but the messaging can be different, and attackers tend to be more creative with their text-based tactics than with traditional email phishing.
Because text message phishing is a newer strategy, it can be more effective: users are not used to seeing this kind of attack. There are also fewer ways to spot a scam message over text than over email. In an email you can look at the sender’s address to see whether it is the company’s real email address. In a text, you most likely wouldn’t know the company’s phone number, so an unknown number is not that suspicious.
In this phishing text message, the attackers target a PayPal user. The message is simple and asks the recipient to log in and verify their information. The link takes the user to a fake PayPal webpage that tries to steal their PayPal login details.
Phishing Attack Landing Pages
Phishing emails and text messages have one goal: get the user to click the link in the message. After clicking the link, the user is taken to a phishing webpage. This is the second stage of a phishing attack.
Phishing webpages can be hard to differentiate from the websites that they imitate. Phishers create webpages that look identical to the sites they target by cloning the login page from a website. It isn’t hard to copy a webpage in order to recreate the page on a different website. In a browser, right click on a page and choose ‘View Page Source’ from the menu. You will then see a copy of the HTML code that makes up the webpage. A phisher can copy the HTML to their website and create a webpage that looks exactly like the login page on a company’s website.
A couple of tweaks to the original page source will have the page up and running. After adding a few lines of code to connect the form fields, the attacker can save the credentials that victims enter to a file. That is really all a phisher has to do to recreate a login page for a phishing attack. In a few clicks they can launch a phishing website with fake login pages that look identical to real companies’ websites.
This is an example of a phishing page built with these steps to match the official Google login page. If we take a look at the address bar at the top, we can see that it is not the official google.com.
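The two checks the post relies on, looking at the sender’s address in an email and at the address bar on a landing page, both come down to one question: what is the registrable domain behind the link or address, as opposed to what text appears in it? The script below is an added example, not code from the original post; the brand domain allow-list and every sample link and sender in it are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the registrable domain each brand named in the post uses.
# A production checker would load a maintained allow-list and the Public Suffix List.
BRAND_DOMAINS = {"paypal": "paypal.com", "amazon": "amazon.com",
                 "netflix": "netflix.com", "google": "google.com"}

def is_address(value: str) -> bool:
    return "@" in value and "://" not in value and "/" not in value   # bare sender address

def real_host(value: str) -> str:
    """Host a link really connects to, or the domain a sender address really comes from."""
    if is_address(value):
        return value.rsplit("@", 1)[1].strip(" >").lower()
    url = value if "://" in value else "http://" + value      # bare "paypal.com.xyz/login" links
    # urlsplit keeps only the host: scheme, userinfo ("paypal.com@"), port and path are dropped
    return (urlsplit(url).hostname or "").rstrip(".")

def check_target(value: str, claimed_brand: str) -> tuple:
    """Return (is_legit, reason): the host must be the brand's domain or a subdomain of it."""
    domain = BRAND_DOMAINS[claimed_brand]
    host = real_host(value)
    if not host:
        return False, "no host could be extracted"
    if host == domain or host.endswith("." + domain):
        return True, f"{host} is under {domain}"
    if "@" in value and not is_address(value):
        return False, f"text before '@' is ignored by the browser; the real host is {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")       # what the address bar would display
        except UnicodeError:
            shown = "<undecodable>"
        return False, f"{host} is punycode for the look-alike name {shown!r}"
    if domain in host:
        return False, f"{domain} appears inside {host} but is not its registrable domain"
    if claimed_brand in host:
        return False, f"{host} contains the brand name but is a different domain"
    return False, f"{host} is unrelated to {domain}"

if __name__ == "__main__":
    samples = [("https://www.paypal.com/signin", "paypal"),   # constructed samples
               ("security@paypal.com.account-alerts.example", "paypal"),
               ("http://netflix.com@198.51.100.7/billing", "netflix"),
               ("amazon-verify-account.example/login", "amazon"),
               ("https://" + "g\u043eogle.com".encode("idna").decode() + "/", "google")]
    for value, brand in samples:
        legit, reason = check_target(value, brand)
        print(f"{'OK ' if legit else 'BAD'} {value}: {reason}")
```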
Turning Phishing Attacks into Cash
Once the attacker publishes their phishing page, they are ready to begin the attack. Phishers share links to their webpages through emails and texts, hoping unsuspecting users will take the bait. Crafty phishing messages make it easy for unaware users to fall victim. A successful phish ends with the victim entering their username and password into the phishing page and handing their login details to the attacker.
The average phisher’s intent is to turn a profit from their campaign. Once they have gathered a considerable number of credentials, they need a way to make money from those logins. There are a few ways to do that.
Using Credit Cards
The first money-making method is using the stolen credit card numbers. This is the easiest way for phishers to profit. They take the credit card information stolen in their attacks and either make unauthorized purchases online or sell it to other criminals.
Selling Your Data
A second method is selling credentials to the highest bidder. Phishers sell the usernames and passwords gathered in their attacks to other criminals. A more advanced attacker may be looking to steal business data or documents; selling data stolen in a phishing attack, or access to accounts that hold business data, is another way some criminals profit.
Credential Stuffing
Finally, phishers can turn a profit by credential stuffing: trying to log into many different accounts using the same username and password combination stolen in a phishing attack. This strategy becomes very effective when a user reuses passwords across multiple accounts. It pays off if the phisher gets access to an account with a credit card attached, at which point they follow the steps from the first method to make money. Another alternative is gaining access to a bank account with a stolen password; with that kind of access, a criminal can steal even more money by draining your account.
These are a few of the ways phishers try to profit from their attacks. There are many more, and creative criminals are always finding new ways to exploit users.
Wrapping Things Up
Phishing is an extremely easy attack to conduct, but there is still good news: it is also an easy attack to protect yourself from. Staying vigilant and being cautious with every unexpected message is your first defense. Verify the sender of the message and stop to think before clicking links or opening files. Avoid becoming a victim of a phishing attack by never clicking on links in texts and emails. This is a surefire way to stay safe from pesky phishers.