Rules for countering email phishing: new tricks of scammers and ways to protect against them

Father

Professional

Phishing is a well-known technique, but it is still dangerous. Users keep opening emails "with surprises", and attackers keep using topical news as bait. According to research, more than a quarter of employees of Russian companies. Why is phishing dangerous for companies, and how can the risks be minimized?

The main reason phishing is so widespread is that it is technically simple yet effective. All the attacker needs is a psychological key to the target: once the victim trusts the fraudster, they readily hand over thousands or hundreds of thousands of rubles. Fake emails are not only a source of direct financial gain; they are also the first stage of a multi-stage attack, for example as the vehicle that delivers malware into the organization's IT infrastructure.

Current examples of phishing emails

In 2023, cybercriminals sent phishing emails to company employees on behalf of military enlistment offices, the Ministry of Emergency Situations, Roskomnadzor, law enforcement agencies and the Investigative Committee. For example, in July, Russian companies received a hacker mailing disguised as letters from the Ministry of Emergency Situations. The body of the letter asked the recipient to review a list of the company's employees and indicate who might "sympathize with groups that destabilize the internal situation in Russia." The attachment was a PDF file containing a list of random people with malware embedded in it. The senders threatened that if there was no response, legal action would be taken against the employees. Once deceived, the victim "let" a malicious program onto their computer, where it collected sensitive data and documents.

This story is not new: attackers routinely draw on the news agenda to pick a topic that worries people. To make the victim more likely to open the attached files and click the links, they apply psychological pressure, intimidation for example. Still, progress does not stand still and some things do change: cybercriminals are adopting new tools and new malware.

Recently they have started using AI-based chatbots (for example, ChatGPT) in their "work": these help improve the quality of the text and automate the process. In February 2023 a new mailing campaign distributing the White Snake spyware Trojan appeared, sold as Malware-as-a-Service (MaaS). For $140 the Trojan supports a turnkey attack. It steals data from an infected computer through popular browsers (Chrome and Firefox) and can also collect passwords and accounts from client programs such as Outlook, Discord, Telegram and others. One of these attacks, in October of this year, was recorded by BI.Zone. The mailing was sent on behalf of the "Investigative Committee of the Russian Federation" with a subject line about a criminal investigation. The attachments were a password-protected archive and a PDF file whose name contained the password. The archive held a document with embedded malware; when it was opened, the main body of the White Snake Trojan was launched.

Besides files, attackers use links to phishing pages, embedding them in various elements of the email. One of the most popular options today is a link inside a QR code. The link may lead to a form that asks for data or to a fake website. To raise the hit rate, emails can be written for a specific target audience, i.e. targeted attacks. In early 2023, for example, phishing mailings were aimed at Microsoft users. They warned that the password for the user's work email account would soon expire and, to keep access to the account, recommended scanning a QR code, which led to a fake login form.

If the person entered their credentials on the page that opened, the attackers gained access to the account.

From theory to practice: how to detect phishing and protect yourself and your company

We ourselves often encounter phishing mailings. In September of last year, I received an email from a fake "State Services". It offered to collect a certain gift through the service. As an information security specialist, I understand that such emails should be skipped, but there may also be employees who get interested and click on the embedded link.

There is no one-size-fits-all solution to phishing. It is always a set of measures that combines technical tools with employee training. Employee awareness is the foundation, and it is always the harder part, because fraudulent emails mimic real ones very well. If employees have basic knowledge, it helps them stay alert and spot phishing. Our company has its own memo, which we periodically send out to staff. It reminds them once again which messages or links should not be opened, including in instant messengers.

The criteria for telling a phishing email from a real one can be divided into basic ones, which are always present, and secondary ones (optional).

Basic features:
  1. Unexpectedness: the email arrives out of the blue.
  2. Pressure to act: the email demands that you change your password right now or pay an overdue fine as soon as possible, so that the victim opens a link or attachment, shares information or enters a password without thinking.

Secondary features are those that do not necessarily appear together in a phishing email: some messages contain none of them, or they are well hidden. A secondary sign can also be a false positive; the point about spelling errors, which I will come back to below, may simply reflect a careless sender.

However, if you have already noticed the basic signs in an email, the presence of even one of the secondary ones should be particularly alarming:

1. The sender's address does not match the one listed on the organization's official website, or it contains a meaningless string of letters. The sender's domain resembles a well-known organization but contains extra letters (ngov.ru), or the email was sent from a free mail service (gmail.com, yandex.ru) rather than from corporate mail.

2. The recipient list contains addresses you do not recognize, or the message was sent to a huge number of recipients.

3. The text contains big promises or threats, together with many spelling and grammatical errors, blurry logos and the like. This point is the least clear-cut, however: many people will not notice the errors, especially when the text was generated by a chatbot or run through an online translator and looks correct at first glance.

4. Requests for confidential information (personal data, financial details, etc.). Unexpected emails asking you to provide such information should not be answered.

5. In most cases, business correspondence only ever carries a few standard file types. Be wary if you are suddenly sent a password-protected archive or a file in an unfamiliar format that is not used in the company.

6. URLs can also be suspicious when they merely resemble the addresses of legitimate sites. If the URL is hidden behind link text, hover the mouse over it and check where the link actually leads (in a web browser this information appears in the lower-left corner of the screen). If the address looks strange on closer inspection, it is best not to open it. Let's look at an example of what should alert you.

The legitimate domain searchinform.ru (and the additional roadshow.searchinform.ru) can be imitated by:
  • Homoglyphs, i.e. visually similar characters: 0 instead of o, I (uppercase "i") instead of l (lowercase "L"). Example: searchinf0rm.ru.
  • Deliberate typos, i.e. missing or transposed letters: sarchinform.ru, saerchinform.ru.
  • Minor variations of the name, where the spoofed domain differs by one or two characters: searchimform.ru, search-inforn.ru.
  • A combined domain, where the brand name is joined with other words: searchinform-russia.net, oao-searchinform.ru.
  • URL elements, a kind of combined domain in which recognizable parts of a web address serve as the extra words: the protocol (http, https), a top-level domain (.ru, .com) or a file extension (html): searchinform-ru.site, http-searchinform.ru.
  • Nested domains, where the company name is used without distortion but as a third- or fourth-level label rather than the second-level domain: searchinform.msk.ru.
  • Non-standard domain zones: instead of the usual .ru or .com, the attacker uses .py (the national domain of Paraguay), .co (the national domain of Colombia) or something more exotic: searchinform.host, searchinform-road2021.monster.
  • An address unrelated to the company, probably the easiest case to spot, where attackers put a site that looks like the original on an arbitrary domain: roadshow.cyou, roadshow.website. The company name may still appear, but only after the slash: whichoptimal.top/searchinform/.
  • Third-party services, such as blogging platforms (livejournal.com), site builders (ucoz.ru, tilda.cc), survey tools (mrqz.me, quizgo.ru) or quick page-publishing services (telegra.ph).
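The lookalike patterns in the list above (homoglyphs, typos, combined names, nested labels, odd TLDs, brand-in-path, third-party hosting) can be turned into a small classifier that a mail gateway or an analyst can run over extracted URLs. The code below is an added example, not part of the original post and not SearchInform's own tooling; it assumes that searchinform.ru and roadshow.searchinform.ru are the only legitimate hosts, that .ru and .com are the only zones the brand really uses, and it treats the last two host labels as the registrable domain (it does not handle two-label public suffixes such as co.uk).

```python
from urllib.parse import urlsplit

BRAND = "searchinform"
PROTECTED = {"searchinform.ru", "roadshow.searchinform.ru"}  # assumed: the only legitimate hosts
EXPECTED_TLDS = {"ru", "com"}                                # assumed: zones the brand really uses
OTHER_KEYWORDS = ("roadshow",)                               # brand-related words seen on unrelated domains
# Third-party publishing services named in the post (constructed list, extend as needed).
HOSTING = {"livejournal.com", "ucoz.ru", "tilda.cc", "mrqz.me", "quizgo.ru", "telegra.ph"}

# Single-character homoglyphs mapped onto the letter they imitate; l, I, 1 and | are
# folded into the same class as i because they are the classic confusable set.
_SINGLE = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i", "3": "e",
                         "5": "s", "$": "s", "@": "a"})


def normalize(label: str) -> str:
    """Fold homoglyphs so that 'searchinf0rm' and 'searchinform' compare equal."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(_SINGLE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used to catch typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> list[str]:
    """Return the lookalike indicators found in url; an empty list means none."""
    if "://" not in url:
        url = "http://" + url            # urlsplit needs a scheme to locate the host
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if host in PROTECTED:
        return []
    labels = host.split(".")
    if len(labels) < 2:
        return ["malformed_host"]
    sld, tld = labels[-2], labels[-1]
    registrable = f"{sld}.{tld}"        # assumption: no two-label public suffixes
    reasons: list[str] = []
    brand, norm = normalize(BRAND), normalize(sld)
    if brand in norm:
        if norm != brand:
            reasons.append("combined")          # searchinform-russia.net, http-searchinform.ru
        elif sld != BRAND:
            reasons.append("homoglyph")         # searchinf0rm.ru
        if tld not in EXPECTED_TLDS:
            reasons.append("unusual_tld")       # searchinform.host
    elif levenshtein(norm, brand) <= 2:
        reasons.append("typo")                  # sarchinform.ru, search-inforn.ru
    if any(BRAND in lab for lab in labels[:-2]):
        reasons.append("nested_subdomain")      # searchinform.msk.ru
    if BRAND in parts.path.lower():
        reasons.append("brand_in_path")         # whichoptimal.top/searchinform/
    if registrable in HOSTING:
        reasons.append("third_party_hosting")   # anything.livejournal.com
    if any(k in lab for lab in labels for k in OTHER_KEYWORDS):
        reasons.append("related_keyword")       # roadshow.cyou
    return reasons


if __name__ == "__main__":
    for u in ["https://searchinform.ru/about", "searchinf0rm.ru", "saerchinform.ru",
              "searchinform-road2021.monster", "searchinform.msk.ru", "roadshow.cyou",
              "whichoptimal.top/searchinform/", "https://blog.livejournal.com/x"]:
        print(f"{u:40} {classify(u)}")
```

The edit-distance threshold of 2 is deliberately tight: it catches the one- and two-character variations from the list while leaving genuinely different names alone. Any hit is a reason to hold the message for review rather than a verdict on its own, since the post notes that a single secondary sign can be a false positive.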
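The secondary features numbered 1 to 6 above (free-mail or mismatched sender, unknown or mass recipients, urgency, requests for credentials, odd attachments, and link text that differs from the real target) map directly onto checks over the headers and MIME parts of a message. The following is an added example, not code from the original post; it builds a constructed message modelled on the "criminal case" mailing described earlier, scores it with the Python standard library, and assumes example.com as the corporate domain, a hand-picked keyword list, and a placeholder sk.example as the domain one would expect behind an "Investigative Committee" display name (not the agency's real domain).

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

COMPANY_DOMAIN = "example.com"                          # assumed corporate mail domain
FREE_MAIL = {"gmail.com", "yandex.ru", "mail.ru", "outlook.com"}
# Organisations whose display name should come with a matching sender domain.
# sk.example is a constructed placeholder, not the agency's real domain.
KNOWN_SENDERS = {"searchinform": "searchinform.ru", "investigative committee": "sk.example"}
URGENCY = ("immediately", "urgent", "within 24 hours", "overdue", "legal action", "will be blocked")
DATA_REQUEST = ("enter your password", "login and password", "card number", "passport")
BUSINESS_TYPES = {"pdf", "docx", "xlsx", "pptx", "txt"}    # file types normal for correspondence
ARCHIVES = {"zip", "rar", "7z"}
MASS_MAIL_THRESHOLD = 10
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    return urlsplit(url if "://" in url else "http://" + url).hostname or ""


def score_message(raw: bytes) -> list[str]:
    """Return the phishing indicators triggered by one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    name, addr = (sender.display_name, sender.addr_spec) if sender else ("", "")
    sender_domain = domain_of(addr)
    if sender_domain in FREE_MAIL:
        hits.append("free_mail_sender")                  # item 1: not corporate mail
    for org, org_domain in KNOWN_SENDERS.items():
        if org in name.lower() and not sender_domain.endswith(org_domain):
            hits.append("display_name_domain_mismatch")  # item 1: name imitates an organisation
    recipients = [a.addr_spec for h in ("To", "Cc") if msg[h] for a in msg[h].addresses]
    if len(recipients) > MASS_MAIL_THRESHOLD:
        hits.append("mass_mailing")                      # item 2
    if any(domain_of(r) != COMPANY_DOMAIN for r in recipients):
        hits.append("unknown_recipient")                 # item 2
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = f"{msg['Subject'] or ''} {text}".lower()
    if any(k in haystack for k in URGENCY):
        hits.append("urgency")                           # basic feature 2 / item 3
    if any(k in haystack for k in DATA_REQUEST):
        hits.append("confidential_data_request")         # item 4
    for href, visible in LINK_RE.findall(text):          # item 6: what hovering would reveal
        shown = re.sub(r"<[^>]+>", "", visible).strip()
        if "." in shown and host_of(href) != host_of(shown):
            hits.append("link_text_mismatch")
            break
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    exts = {n.rsplit(".", 1)[-1].lower() for n in names if "." in n}
    if exts & ARCHIVES and "password" in haystack:
        hits.append("password_protected_archive")        # item 5
    if exts - BUSINESS_TYPES:
        hits.append("unusual_attachment_type")           # item 5
    return hits


def build_sample() -> bytes:
    """Constructed message imitating the 'criminal case' mailing (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = '"Investigative Committee" <sk.notice2023@gmail.com>'
    msg["To"] = ", ".join(f"user{i}@example.com" for i in range(12)) + ", partner@other.org"
    msg["Subject"] = "Criminal case No. 0000: respond immediately"
    msg.set_content("Plain-text part.")
    msg.add_alternative(
        "<p>Legal action will follow within 24 hours. Confirm your login and password at "
        '<a href="http://searchinf0rm.ru/login">https://searchinform.ru/login</a>. '
        "The archive password is in the PDF file name.</p>", subtype="html")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename="case_materials.zip")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="list_password_Qw12.pdf")
    return msg.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed ordinary internal message that should trigger nothing."""
    msg = EmailMessage()
    msg["From"] = "IT Department <it@example.com>"
    msg["To"] = "user1@example.com"
    msg["Subject"] = "Minutes of the weekly meeting"
    msg.set_content("Attached are the minutes. No action needed.")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="minutes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print("phishing sample:", score_message(build_sample()))
    print("clean sample:   ", score_message(build_clean_sample()))
```

Each indicator is reported by name rather than folded into a single score, so an analyst can see which of the post's criteria fired; a gateway would typically quarantine on any combination of a basic sign (urgency) with one or more secondary ones, which is exactly the rule of thumb the post gives.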

Knowledge testing is an important component of phishing prevention

Besides circulating recommendations, the information security or IT department can send staged phishing emails to users to check whether employees recognize phishing mailings. Test emails should be written around topics likely to draw interest: changes in wages, tax arrears, "assistance" to an investigation, violations of the law, and so on. After sending them, it is useful to collect statistics on how many people deleted the email unread, opened it but did nothing, or clicked the links. From this data you can identify the employees most susceptible to such attacks and build a training program.

Training can cover not only phishing but also a detailed analysis of social engineering methods with practical examples. Sessions should present the most popular techniques used by cybercriminals. Training can be done in-house or by professional information security teams that specialize in such services. For example, this is the third year our company has been running courses on cybercrime for businesses as well as state and municipal institutions.

Phishing is not going to disappear any time soon. According to the Central Bank of the Russian Federation's report for the 1st quarter of 2023, phishing attacks grew by 10% compared to the previous period. With little effort, cybercriminals manage to deceive both ordinary people and entire corporations. With a comprehensive approach, you can reduce a fraudster's chance of success to zero. Attacking a protected company costs more, and scammers who keep failing will move on to easier prey.
 