Phishing attacks work because human instinctive behaviours are easily manipulated!

Posted by Geraldine Hunt on Wed, Aug 20th, 2014

Phishing attacks or scams are usually presented in the form of a fake spam email or pop-ups that can be difficult to detect. The word “phishing” comes from the slight variant of “fishing” and is pronounced in the same way. It is the act of pretending or impersonating a person or organization with the intention of tricking someone into giving out confidential information. Both use the same technique: to lure a person or a fish to danger by offering something that entices. My dad went fishing for marlin and mackerel almost every day of his life and won many amateur tournaments.  When he went fishing, he actually caught fish.  Often when people go “fishing,” they drop their line in the water and hope they catch something with low expectations of that.  My dad always caught something, so he was fishing in the traditional sense.

Email phishing attacks use a different fishing approach, one based on a slight possibility of success: the spammer tosses out their bait and hopes that someone “rises to the bait,” and falls for the trap.  This fatal attraction is what the word “lure” means: in the case of a fish, a lure is brightly colored plastic or something that wiggles or makes noise that is designed to look like a fish that has strayed from the pack, is injured, or is otherwise vulnerable. Phishing attacks on humans are designed to prey on instinct and use “lures” that humans respond instinctively to. 

Phishers manipulate human behaviours like  greed, curiosity, and a sense of duty.

The weakness here is human weakness and predictable behaviour.  In the case of males, this can be prurient interests: a pretty face or a bare breast is all it takes to get the average male to click on a link in an infected email or download an attachment, thus exposing the company to a hacker attack via a virus vector or infected website that exploits browser security vulnerabilities. The other human behaviours that are easily manipulated include greed, curiosity, and sense of duty of an employee has to respond to an email from their boss, their bank, or some civil authority.

The low-tech approach is to send bulk mail with subject lines that say things like “win €5,000.” Anti-spam software will filter practically all of that out.  Such mails often will have misspelled words or badly written English.  This is often not the organized and successful criminal hacker looking to earn real money or steal company data.

Attacks range from the simple to the complex.

The dedicated or more advanced phisher can improve their odds with a little research.  For example, they can find out who is the boss, gets a copy of the company logo and then send mail that it looks like it came from someone inside the company.  This is called spear phishing. Whoever receives that is likely to click on that, since it looks like something from someone they know and someone who has authority over them.

All of this is made possible because of a security weakness in the SMTP mail protocol that lets someone spoof the return address, meaning use a fake one that does not match the domain of the mail server that send it.  Fixing that would take a coordinate global effort and education campaign.

The danger posed by a phishing email is in the link in the mail or the attachment. A hyperlink is easy to disguise as something else. A hyperlink is an HTML <A href> tag link the one shown below:

 <a href="http://link/">Text to display</a>

Employees need to be trained to hover the mouse over the words “text to display” to see what website that link actually points to. It might look like mycompany.com, but it could be something completely different.

Lots of email clients block attachments to mitigate phishing attacks.  They usually block photos and offer the user the option to click to show images. The reason they do that is the email server that sent the mail can detect which of the spam emails they sent are valid emails, because if the image is downloaded that causes a HTTP GET to register in their web server.

The problem with attachment is the hacker can change the icon graphic of the attached file to make an .exe executable look like, for example, a PDF file.  If the users are not trained about that, they could click on the .exe and install malware.

Scenario planning for security - what can you do?

Of course, having up-to-date anti-spam and anti-virus protection is critical for any business. Big company thinking is often about maximising the IT security budget, whereas SMEs are much more frugal and need to think about the customer. SMEs require fast, cost-effective and easy to manage solutions. Small businesses are faced with many of the same risks as larger firms but without the same level of resources. In this scenario planning for security is essential.

The best assumption is to assume that you are vulnerable, deploy the tools that are available, and do some kind of monitoring to scan if your network has been compromised and do forensics after the attack to find how your defenses were defeated.  There’s an obvious problem where businesses are concerned: there are x number of employees, and not every employee is going to be equally vigilant. Holding educational meetings about security and keeping all employees informed, aware about the latest phishing exploits and part of company network security is one simplest things any business can do to protect itself. Tell me and I forget, teach me and I may remember, involve me and I learn.