TR-60 - Phishing - Effects and precautions

How do you define Phishing? What type of phishing exist?

Phishing is defined as an attempt to obtain sensitive information (like access credentials, financial information or credit card details) by establishing a trust relationship with the potential victim. The act of phishing is a social engineering attack and doesn’t require any technical exploitation of vulnerabilities. Instead it focuses on the human and their weaknesses, like inattentiveness, misinterpretation or mislead judgment caused by the influence of the attacker’s correspondence.

Compared to a key-logger malware, where credentials are stolen while typed into the keyboard, the victim is politely asking for them during a phishing attack. The attacked person always voluntarily gives the requested information to the criminals.

Phishing attacks are mostly being carried out by mail, instant messaging or even SMS. Other forms are less common, like physical letters or voice phishing.

Most common is a form of automated and opportunistic attack where emails are sent out in bulk, containing a link to a fake website. This website, when visiting the link, turns out to be a modified copy of the legitimate website. However, the graphical appearance is often good enough to not further investigate the legitimacy of the site.

Other forms (known as spear phishing or whaling) are targeting a group of people or specific people within an organisation. They are usually more sophisticated and are less easy to identify as phishing.

What they have in common is that they ask the victim to enter their private information into a form which is then sent to the criminals for their next steps.

Compared to other threats, how frequent is phishing?

The answer is biased by two main factors: First, we can only speak with confidence about what we at CIRCL see and what is reported to us. Secondly, we process a lot of phishing related material automatically (more about that topic later). This has an influence on the statistics and our view is not necessarily comparable to the view of other organisations creating statistics.

Taking into account the tickets CIRCL has processed during the last three months, we find a large distribution of phishing cases in our database, with an average share of two thirds, leaving one thirds for our other categories (e.g. malware, system compromise, information leak).

In actual number this looks even more impressive: in reporting period May we have processed approximately 14.000 phishing cases.

Now we have to say we are not only blindly looking at phishing websites hosted in Luxembourg. We know that phishing servers are most of the time compromised servers in the entire world which are abused to host phishing kits. Limiting our activities to URLs/servers in Luxembourg would not help the Luxembourgish users. Our take-down requests cover the entire world and we try to take-down all URLs we can find (and verify).

Are there geographical differences among the numbers of phishing attempts?

Classical opportunistic phishing is usually distributed by bulk email, very similar to Spam. The distribution is based on huge email lists that do not contain any qualified data like destination country. That means the attackers don’t know who they send the messages to. If you ever wondered why you have so many Spam and phishing mails in English language rather than in Luxembourgish/German/French, that’s the reason, the criminals often don’t have good information.

However, there are more targeted approaches to phishing were geographical considerations are taken into account by the attackers. We saw for instance a few cases of phishing in Luxembourgish language.

That means some attackers try to adapt to their localised conditions. However, we don’t know any European or worldwide study about a distribution of localised phishing. How hit is Luxembourg compared to other European countries?

We have no indication there are differences between countries. Which are the latest phishing threats? Phishing is a social engineering attack and therefore uses opportunities to establish a trust relationship with the victim. Fear is a good transport medium, stressing to lose access to the mail or bank account is usually a common way to perform an attack. Besides the more or less constant stream of mail and bank account phishing we see during the Covid-19 crisis an increase of Corona-themed phishing.

In general, any kind of important event can cause an increase of phishing using such a dedicated theme, for instance the Olympic games or environmental disasters.

How much damage does phishing cost globally and in Luxembourg? Can you compare the cost it caused with other cybercrimes?

These questions are difficult to answer. CIRCL is not involved in all cases of cybercrime and also not part of the law enforcement. So we only have a sampled view. Furthermore, not every phishing attempt leads to a direct financial loss, and even in cases of success it can be that the victim is reimbursed or the money transfer could be stopped in time. We know about successful cases in the regions of 100 Euro, thousands of Euros and hundred-thousands of Euros.

The financial sector has strengthened the security of the web banking and financial platforms. Is that efficient? Could they do more / better?

The technical part in web banking is not the weak point. It is the human who is attacked in a phishing attempt. We’ve seen elaborate and computer-literate people falling for phishing traps when having a bad day combined with a legitimately looking phishing mail. And all of us have a bad day now and then if we are honest.

How can I avoid phishing scams? Is there a mean to reduce the number of phishing circulating?

Technically it is nearly impossible to filter out all phishing (or other types of) scam due to the nature of email communication and the lack of authenticity of the senders. If we assume for a moment it could be solved easily, we still face the issue a sender’s email account might have been compromised and abused for the mass sending of scam mails.

Computer users should focus on the content of the suspected scam mail and analyse it thoroughly. Ask yourself questions like:

Did I receive this mail out of any context?

Does it make sense at all?

Does the text sound professional and is it without mistakes?

Did I ever receive information like this before?

Where does the link point to? Is it the website of the company?

Is it really the website of the company or does it just look like it?

Especially for the last part we at CIRCL can help analysing the legitimacy of a mail.

How can I stay informed about the phishing threats?

We help companies sharing threat information through our threat sharing platform MISP https://www.misp-project.org https://www.circl.lu/services/misp-malware-information-sharing-platform/

In critical situations we also inform via our Twitter account @circl_lu

What should we do when receiving a phishing mail in our mailbox? How to report phishing?

If you identified a phishing mail and you feel uncomfortable, please just delete it (or inform your corporate security team if this is the policy). However, if you want to contribute and help the society to know and get rid of the phishing you just received, you are invited to share the contained phishing link (URL) with CIRCL. We have an easy lookup and reporting service running at URL Abuse https://www.circl.lu/urlabuse/. Copy the link from the mail, paste it into the URL Abuse form, run a lookup and report it to CIRCL.

What’s happening when I report a phishing mail?

We are collecting URLs to phishing websites from various sources, including the aforementioned URL Abuse service. They are systematically registered, de-duplicated and pre-processed by our systems. Some of these input lists can be processed fully automatically, others need a review of an operator. Our tools allow the efficient processing and decision taking whether the reported URL is phishing or not.

Once a decision is taken, the address is investigated and the website owner and IP address contact are informed automatically about the phishing website. In this mail we request the take-down of the website, which means blocking, removing or otherwise making the website inaccessible to prevent further damage.

At the same time during this automated process we submit the phishing site to partners, in order to integrate the phishing address into filter lists like Google Safe Browsing which are integrated into various browsers, so that users are quickly protected.

We follow this dual approach of reporting to filter lists and take-down requests in order to not just scratching the surface but also informing the operators about malicious activities, which they are often unaware of.

Information about this document

A recent request from Securitymadein.lu interested in retrieving background information about Phishing triggered this interview.

For transparency reasons, we publish our original input as this document.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:WHITE - First version - 26 June 2020