What is Phishing, Vishing and SMShing

Phishing as a type of attack that typically attempts to trick the victim into clicking on a link or executing malware.

In some way, it can be an attempt to compromise a device to steal sensitive information, passwords, usernames, pins, credit card numbers, as well as try to gain access to online accounts.

Pretty much.

All of the things you don't want to happen can happen through phishing attacks.

And phishing is one of the most successful and common types of attacks because it is easy to perform cheap to setup, and it yields good returns for the attackers.

So you really have to watch for.

And working for big corporations, even with repeated security training to wise people up, no matter what the company I've consulted to about 30% or so of people continue to be fooled and click on things that they shouldn't.

And funnily enough, some countries.

Our worst clickers and some are better clickers on a consistent basis, but no matter what, people just seem to not be able to be trained out of, not clicking on the things that they shouldn't click on.

Phishing is typically carried out by sending fake emails or instant messages as well, that direct the victim to a fake site.

Um, that often resembles the legitimate site.

It is a form of social engineering, or in other words, it's an attack against human weaknesses and it relies also.

On the lack of defenses that web technologies inherently have, uh, in order to do the attack.

So for example, email does not authenticate or digitally sign the sender.

So there's no guarantee of who it's come from.

If there was, then this problem would be reduced because emails can be easily spoofed to look like they've come from a legitimate source.

Phishing attacks take advantage of that trust that you believe it's come from that person.

Or at least it can do genuinely phishing attacks are done on mass.

So they send out thousands or millions of emails.

And those email addresses have been harvested from the internet.

Or sometimes they've been harvested through hacking websites sometimes from the fact that people publicly disclose them on forums or other things like that.

And even from guessing at what the address is.

So if you, for example, had, you know, John at a domain name and .John@Hotmail or something like that, this would be an unusable account because of the amount of spam and phishing emails that it would get, because spam has target common names.

In combination with domain names, you do also get mass email attacks on certain businesses as well.

But if it is a specific and targeted attack, we call that spear Phishing.

Um, if you're targeted individually, let's look at some techniques used to perform Phishing attacks in order to try and convince people to click on them.

So the big warm that they use is what's called link manipulation.

This is a simple phishing email that you can see here in front of you that I put together.

Uh, I've sent it to a ghost mail account to illustrate the techniques that are used.

The ghost mail service is no longer available actually, but that's not important as it's serving here as an example only.

The examples I show can apply to all email services here.

I'm faking links to a Google and to Microsoft.

So if we just zoom in here, so the first technique that they use is sub-domains and misspelt the mains.

Now, if you look at these three examples here, so you can see here that this is the real domain, and this is the domain it's trying to convince you.

That it's actually from, and a slightly different technique being used here.

So that is obviously the real domain.

And then this is using sub-directories in order to look like Google, this one's using a sub domain, this one's using sub-directories and this one, Microsoft, can you notice what's wrong with that one?

You probably can because we're zoomed in, which is here.

We've got an R and an N instead of an M let's have a look at some other examples.

So these are live Phishing links that are right now attempting to convince people to click on them.

So you can see here. This is, um, this is actually an Australian bank, and it's attempting to convince people that, you know, this, uh, is the domain.

When in actual fact we can see.

This is the real domain.

Let's see if there's any other clever ones or, well, they're not really that clever, but let's see if we can find any other examples.

So you can see here, here's another paypal.co.uk.

So the real domain, the real domain is this.

So it may be tricky to understand as I've gone through this, which, which are the real domains, depending on your experience.

So the real domain is the one that is to the left of the high level domain.

That's the high level domain and has no slash to the left of it.

High level domains are, you know, things like.com.net.org.

If you look at my example here, that isn't legitimate because it has a slash to the left of it, which means it is a subdirectory real domain is the one to the left of the high-level domain.

And that has no slash to the left.

So that has a slash to the left.

So it must be this one.

The next sort of technique of link manipulation is what's called IDN Homographic attack.

IDN is the, um, internationalized, uh, domain name standard.

So you can see a couple of obvious ones, but again, they're not always obvious.

So you can see here, we've got some zeros instead of O's.

And we've got an L instead of a one, but let me tell you the F the font is different.

These can be almost impossible to see the difference.

And obviously this can be used in combination with sub-domains and misspelling in order to create further confusion.

And another one is hidden URLs.

So using HTML eight tags to hide the real URL.

So you can see here, we've got click here, so you don't know what's behind it, but if you look down there at the bottom, you can see that it's going to google.com stationx.net.

And this one.

We can see is actually going to google.com dot station x.net.

So not at all going to wear alleges to go to.

So I click there. You see, don't go to Google at all.

Obviously I could, this could have been, you know, an attack site.

So the way these work, these hidden URLs is essentially, it's just HTML.

It's, it's really, really not complicated at all.

Um, so you can see here, these, um, this is the raw HTML here, um, that has created these links that I sent in the email email is a made up of HTML nowadays.

Anyway, it's it's text and HTML and the.

Email clients render the HTML, just like browsers render HTML.

So you can see here.

What I have is I've represented google.com as what you can see in the email, but actually the real link is here.

And of course, if we, you know, use all of these in combination, You know, this is why people click on the links because they can be fooled.

It's, it's easy to see why people get fooled.

I mean, there's all sorts of nonsense in here that your lay person is just not going to understand them.

They are going to click on them.

If we go back to the email, if we hover over the email, we can right.

Click and copy link location.

Now, depending on your browser, that may reveal.

The correct URL, but not always JavaScript could hide the link pending on your email client.

And also, as I showed here, you can hover over and you can see in the bottom left the real domain that isn't always going to be the case either depending on your email client and JavaScript, that may also be faked as well.

So it is pretty tricky.

You can look at the HTML.

Like here, some email clients were alive to see the raw HTML, and then you can go through and see what's there.

But some won't, I mean, this ghost mail, for example, does not let me look at the raw email.

So I have to hover over it.

See where it is going to take me to good providers and this can be both a good and a bad thing.

We'll notice these types of things and we'll change them.

So Thunderbird, for example, um, these.

Uh, wouldn't come through like this, it would change them so that you can actually see where it's going to, but that defense mechanism could be bypassed as well.

So, you know, it's not foolproof.

Um, but ghost mail in this example was able to receive these and make them look like this without me going too much effort to try to bypass any phishing protection that it has.

Other than URL manipulation.

There's also covert URL redirects that use vulnerabilities such as cross site scripting and cross site request forgery hour.

They can be using in combination with URL manipulation.

So it is possible that you might get sent a link to a real site.

And the real site is being manipulated to attack you in some way.

So the attacker can, or possibly has found a floor in the real site and is using a technique like open redirect or as I've just mentioned, the cross site scripting and the cross site request, forgery vulnerabilities in order to attack you.

So this has happened to PayPal and many others.

So let me give you an example, cause this.

Obviously it won't be clear of a reflected cross site scripting vulnerability that could be used in phishing attack.

So imagine you've been, uh, you know, center link via whatever means.

Now this was actually a cross site scripting vulnerability that are found in a forum application.

So I'm just using it as an example.

So this is an example of the URL.

You then click on this URL.

This takes you to the website.

And then, because I have inserted into that URL, a special script.

When you enter your username and password, I'm able to steal your username and password.

Now, if you look here, this is the crucial bit of code.

So I've inserted.

My own little bit of code here.

This is the reflected cross site scripting vulnerability.

That site should not let me put in my own scripts into URLs and process it because.

What that means is that I am then able to act as that website onto the security context of that website, which means I then have access to your cookies.

And of course I can manipulate the webpage.

You know that it's not the right login screen and it's actually a fake login screen that I've presented.

And that's actually what I did with this particular vulnerability to demonstrate it to the, um, people that own the application so that they could fix it.

So that was the actual URL vulnerability.

And if you look here, There I'm inserting in a special, what's called an I-frame in order to put a, pay a fake login screen and able to take the usernames and passwords.

So that gives you an example there.

If there's vulnerabilities in the website, these cross site scripting vulnerabilities, these open redirects, then the phishing attacks can be even worse.

And to finish upon phishing as a couple of variants of phishing.

And that is a vishing and smshing.

So vishing is phone or voice phishing and smshing is SMS.

Phishing or sending text messages.

So this is attempting to call or text you in an attempt to compromise your device in the same way as you do with phishing, you know, sort of steal sensitive information, password, usernames, credit cards, you know, all of the bad stuff.

There are many examples of common, one being pretending to be from Microsoft, telling you that you have a virus on your machine.

Can they help please download and install this totally legitimate software, which is then, you know, a Trojan or something like that.

Again, my mother has had a couple of these calls from, uh, guys from India, pretending to be from Microsoft.

These calls do work on enough people.

That's why they continue to do them.

And actually, if you look on YouTube, you can actually see a lot of people, uh, pranking these people when they're being called by them.

Um, so those are quite funny to watch.

So vishing is phone-based cons smshing is text-based cons and that's phishing.