Phishing - SY0-601 CompTIA Security+ : 1.1

00:02

If I look into my spam folder right now,

00:04

I bet I could find a number of emails that are pretending

00:07

to be from my internet service provider, my cable

00:10

company, my bank, and many places that are not

00:14

who they say they are.

00:16

This is called phishing.

00:17

They're trying to get me to click

00:18

a link so they can gather some type of personal information

00:22

from me.

00:22

This is generally a bit of social engineering combined

00:25

with spoofing.

00:26

So the email is going to pretend to be

00:28

from my email provider or my internet service provider,

00:32

but when I click the link, it's going

00:33

to bring up a page that looks almost exactly like the one

00:37

that I would receive if I was at my actual internet service

00:40

provider's website.

00:42

The one thing that the attacker can't

00:44

do though is make the address bar

00:46

show the actual URL of your internet service provider.

00:50

It's very often looking into your browser,

00:52

you can see that this really did not come from the Rackspace

00:56

website because the URL will not show Rackspace.com at the top.

01:01

And usually there's something that

01:02

is not quite right with the screen that's being presented.

01:06

In this example, it's trying to get

01:07

me to log in to my Rackspace email service,

01:10

and you could see, it does look like a legitimate login page.

01:13

Although you'll notice, they didn't quite

01:16

get the graphics right on the page.

01:18

There's usually something about the page that isn't quite right

01:22

or doesn't ring true.

01:23

But you do have to make sure and validate any link

01:27

that you see in an email.

01:28

That's why we often say, never click a link in an email.

01:32

You should instead type in the website

01:34

directly in the bar of the browser.

01:37

Here's a comparison of the actual Rackspace Webmail login

01:41

page and the one that I received on the left side

01:43

when I was phished to the Webmail login page.

01:47

If you weren't paying attention, you

01:49

might think that this is absolutely a legitimate page

01:52

and you could type in your email address and your password,

01:55

and when you click that Login button,

01:57

you've now sent your credentials directly

01:59

to the phishing attacker.

02:02

The attackers try to use many different tricks

02:04

to get us to click these links and input

02:06

our personal information into these pages

02:09

and making the pages look very common and similar to what

02:12

we would expect is only one of the things that they do.

02:15

They also try to present to us a domain name in the address bar

02:19

that looks very similar to what we are expecting.

02:22

For example, you might find a bad guy

02:24

using typosquatting, which is a type of URL hijacking.

02:28

For example, professormessor.com almost looks like

02:32

it's legitimate, except my last name is spelled M-E-S-S-E-R.

02:36

This one is spelled M-E-S-S-O-R. But if the bad guy wanted

02:39

to use that particular domain name and then have a website

02:43

that looked exactly like mine, they might be able to fool

02:46

a few people into typing in their email address

02:49

and their password.

02:50

Another example of something they might do

02:52

is to prepend to the address, which

02:54

means they add onto the beginning,

02:56

and you could see pprofessormesser.com.

02:58

It's all spelled correctly except for the additional text

03:01

at the beginning.

03:02

And if you aren't looking closely,

03:03

you might not even realize that text is there.

03:07

Very commonly, these messages have some type

03:10

of pretexting, which is a fancy way of saying that they're

03:12

going to lie to you.

03:14

They put some type of situation in place,

03:16

and they try to see if they can get you to act on it.

03:19

For example, they may have a message that they're

03:21

calling with or an email that says, hi, we're

03:23

calling from Visa regarding an automated payment

03:26

to your utility service.

03:28

And then they might have click on something or offer

03:31

to provide that particular payment over the phone.

03:34

Well, I definitely have an automated payment.

03:36

I do pay my utility service automatically,

03:39

and this might get me relaxed enough to think

03:41

that the person who's calling me really is from Visa,

03:44

and they really are trying to take

03:46

care of a financial problem.

03:48

But of course, this is an attacker

03:50

who's trying to gather my credit card information,

03:52

and I would simply be handing over

03:54

all of the details of that account

03:56

to whoever happened to be calling.

03:59

Of course, we often see these emails

04:00

being sent to individuals, and the attackers

04:03

are trying to gather this information one

04:05

person at a time until they have all

04:07

of the information they need.

04:09

But there are times when the attacker

04:10

might want to attack an entire group of people simultaneously.

04:14

This is called pharming, and it's usually

04:16

created when the attacker is able to take over

04:18

an entire domain name system server

04:20

or be able to take over an entire website

04:23

so that everybody who visited the DNS server

04:26

or visited the website will be automatically directed

04:29

to the attacker's website.

04:31

This means that you could be typing

04:33

in the correct address in your browser,

04:35

but because the DNS has been poisoned,

04:37

now you're at the attacker's website,

04:39

and you would simply put in your user credentials,

04:41

because to you, it looks like the normal website.

04:45

So now there are two different kinds of attacks in place.

04:47

The pharming is redirecting everybody

04:49

who visits that DNS server to the attacker's website,

04:52

and then the phishing takes place

04:54

once they arrive there, as they're

04:55

putting in their email address, username, password,

04:58

and other personal information.

05:01

In this particular scenario, it's

05:02

very difficult for the end user to even realize

05:05

they're being phished.

05:06

They've gone to what they thought was a legitimate DNS,

05:10

and they were able to go to a website that looks

05:12

like the legitimate website.

05:14

So of course, they're going to provide

05:15

their normal credentials.

05:17

And because everything looks normal,

05:19

it's even difficult for third party products,

05:21

like anti-malware or antivirus, to even recognize

05:25

that there's any type of problem happening at all.

05:27

These types of pharming situations

05:29

are thankfully relatively rare, but they do occur,

05:32

and it's something that you need to know

05:33

how to mitigate if you happen to find

05:35

this situation on your network.

05:38

The attackers have moved to the telephone as a way

05:40

to gather your personal information.

05:42

Performing this attack over a voice line

05:45

is called vishing, for voice phishing.

05:48

Very often, the attacker is spoofing the phone number

05:50

that's appearing on the incoming call

05:53

so it looks like it's a local phone number.

05:55

But in reality, they could be calling from anywhere.

05:58

The point of the phone call or the voicemail that they leave

06:01

ultimately leads to you giving up

06:03

some type of personal information

06:05

that they can use to gain access to your accounts.

06:08

Of course, they may not even need to talk to you.

06:10

They can do everything over SMS--

06:12

that's the Short Message Service, or what we commonly

06:15

refer to as text messages.

06:17

This is also referred to as smishing or SMS phishing,

06:22

where this phishing is all done over a text message

06:25

communication.

06:26

Often these text messages have a link,

06:29

and the attacker tries to entice you into clicking that link

06:32

and providing them with more information.

06:34

There are many, many different ways

06:36

that attackers try to entice you to give up

06:39

your information or your money.

06:41

Many of these scams can be found in a large list on Reddit.

06:45

You can find it at reddit.com/r/Scams.

06:49

With some of these attacks, the attacker

06:51

isn't after an email password.

06:53

They're instead trying to get large sums of money transferred

06:57

into their personal account.

06:59

To be able to do that, they need to gather as much information

07:02

as possible on the victim.

07:04

So they'll perform a number of different steps

07:06

of reconnaissance prior to performing the actual phishing

07:10

attack.

07:11

It's remarkable how much open source information

07:14

is available on the internet, and you

07:16

can gather information about individuals,

07:18

groups of individuals, or large organizations

07:21

by simply visiting third party websites, Facebook, LinkedIn,

07:25

and other locations.

07:27

Based on the information they gather,

07:28

they can create a very believable pretext.

07:31

They might be able to determine where you live, where you work,

07:34

who you work with, be able to use people's names,

07:37

be able to understand places that you shop,

07:39

and put all of that information into a very believable phishing

07:43

attack.

07:44

These types of very directed phishing attacks

07:47

are called spear phishing attacks.

07:50

They're going after a very specific person

07:52

or very specific group of people to be

07:55

able to gather the information that they need.

07:58

A spear phishing attack that goes

07:59

after a person who has control of a lot of money

08:02

or a lot of information is called whaling.

08:05

It's very common to go after the CEO or the head

08:08

of the accounting department because they have access

08:10

to the entire corporate bank account.

08:13

All you need is one very well-crafted

08:15

phishing attack to be able to convince somebody

08:18

to log into a fake user account that would then provide

08:22

the attacker with all of the banking

08:24

information for the organization.

08:26

These types of whaling attacks happen all too often.

08:30

And if you're in an organization that

08:31

has people who are in charge of these particular accounts,

08:35

then you need to make sure that they

08:36

are very familiar with the type of phishing attacks

08:39

that they might run into.