How Do Threat Actors Carry Out Successful Phishing Attacks?
Intsights Cyber Intelligence
Phishing is the oldest trick in the cybercriminal playbook, but it is still wildly effective at duping unsuspecting victims. Security teams are constantly under fire to defend against phishing, but most successful phishing attacks do not defeat a technical control; they defeat a person. Untrained employees can be tricked into clicking a malicious email link, caught by a malicious redirect, or fooled by a near-duplicate website run by attackers.
Attackers use a variety of channels to deliver phishing to their targets, including email, fake social media pages and personas, instant messaging, SMS, and compromised websites. Whatever the channel, the manipulation of the victim is what is known as "social engineering." The following are some of the most common methods used to execute phishing attacks:
Link Spoofing or Domain Squatting
Attackers execute link spoofing by making malicious URLs look legitimate, so that users do not notice the slight difference(s) before they click. Some of these manipulated links (a transposed letter, an extra word, a different top-level domain) can be spotted by trained or savvy users who are accustomed to performing a check-before-click inspection. But many users still fall victim to homograph attacks, which substitute visually similar characters from other scripts (for example the Cyrillic "а" for the Latin "a") or digits for letters ("1" for "l", "0" for "o"). Such lookalike characters defeat visual inspection: the spoofed hostname is a different domain to the resolver, yet renders nearly identically to the human eye, and not every browser falls back to displaying the raw punycode (xn--) form.
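As an added example (not code from the original article), the following Python detector applies the checks described above to a URL: it decodes punycode labels, folds lookalike characters to ASCII to compare the hostname against a list of protected brands, and flags labels that mix scripts. The confusables table is a constructed subset of the Unicode confusables data (UTS #39), and the protected domains and sample URLs are assumptions for this illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of Unicode confusables (UTS #39) mapping lookalikes to ASCII.
# A production detector should load the full confusables.txt table instead.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "1": "l",       # ASCII typosquats: digit one for L
    "0": "o",       # digit zero for O
}

# Constructed: the domains this organisation monitors for impersonation.
PROTECTED = ("example.com", "example.net")


def hostname_of(url: str) -> str:
    """Lowercase hostname of `url`, with punycode (xn--) labels decoded to Unicode,
    so that what the user would see in the address bar is what gets inspected."""
    host = urlsplit(url).hostname or ""
    decoded = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label so it is still scored
        decoded.append(label)
    return ".".join(decoded)


def skeleton(host: str) -> str:
    """Fold lookalike characters to ASCII: NFKC first (fullwidth forms etc.),
    then the confusables table."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", host))


def script_of(ch: str) -> str:
    """First word of the character's Unicode name, e.g. LATIN, CYRILLIC, GREEK."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def mixed_scripts(label: str) -> bool:
    """True if a single DNS label mixes letters from more than one script."""
    return len({script_of(ch) for ch in label if ch.isalpha()}) > 1


def classify(url: str) -> dict:
    """Score the hostname of `url` against PROTECTED and return the findings."""
    host = hostname_of(url)
    sk = skeleton(host)
    # Same skeleton as a protected domain, but not literally that domain.
    lookalike = [p for p in PROTECTED if sk == skeleton(p) and host != p]
    # Brand used as leading labels of a different registrable domain,
    # e.g. example.com.attacker.net (legitimate subdomains end with ".example.com").
    embeds = [
        p for p in PROTECTED
        if (sk.startswith(p + ".") or f".{p}." in sk) and not sk.endswith("." + p)
    ]
    mixed = [label for label in host.split(".") if mixed_scripts(label)]
    return {
        "host": host,
        "skeleton": sk,
        "lookalike_of": lookalike,
        "embeds_brand": embeds,
        "mixed_script_labels": mixed,
        "suspicious": bool(lookalike or embeds or mixed),
    }


if __name__ == "__main__":
    for sample in (  # constructed sample URLs
        "https://ex\u0430mple.com/login",          # Cyrillic a
        "https://examp1e.com/",                     # digit one for l
        "https://example.com.attacker.net/verify",  # brand as subdomain
        "https://www.example.com/login",            # legitimate
    ):
        print(classify(sample))
```

Running the detector over mail or proxy logs is a cheap complement to user training: the skeleton comparison catches the cases a human is least likely to notice, and the mixed-script test fires even for brands not on the protected list.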
Website Spoofing
Links are not the only items attackers can spoof. Website spoofing is the creation of a replica of a trusted site with the intention of luring targeted users to a phishing page. Typically, such sites reuse the legitimate site's logos, fonts, colors, and page flow, making the replica appear as realistic as possible. Two details are worth stressing to users: the replica is usually served from a lookalike domain of the kind described above, and it will usually carry a valid TLS certificate, so a padlock in the browser says nothing about whether the site is the real one.
Malicious Website Redirects
A malicious redirect is code, or a bug, on a legitimate website that sends visitors to another site under the attacker's control, typically a credential-harvesting page. The pattern is that the targeted user deliberately visits a site they trust and is then forcibly redirected to an undesired, attacker-controlled page. Attackers accomplish this in two main ways: by compromising the website and inserting their own redirection code (injected JavaScript, a rewritten .htaccess file, or a modified CMS plugin), or by abusing an existing "open redirect" bug, where a URL parameter such as a post-login "next" destination is copied into the Location header without validation. In the second case the phishing link begins with the trusted site's own hostname, which is exactly what a check-before-click user has been told to look for.
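As an added example (not code from the original article), here is the open-redirect pattern in Python beside a hardened version. The parameter name next, the site hostname www.example.com and the sample values are assumptions constructed for this illustration; the validator is framework-independent and returns the value a handler would place in its Location header.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed: the host this application serves; any other host is off-site.
SITE_HOST = "www.example.com"


def vulnerable_redirect_target(next_param: str) -> str:
    """The open-redirect bug: whatever arrives in ?next= is echoed into Location.
    A crafted link such as /login?next=https://attacker.example/harvest therefore
    sends the victim off-site from a URL that begins with the trusted hostname."""
    return next_param or "/"


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Hardened version: only ever returns a path on this site.

    Falls back to `default` for:
      * whitespace or control characters (used to smuggle past naive checks)
      * two or more leading slashes or backslashes ("//h", "///h", "/\\h"), which
        browsers resolve as an authority even though urlsplit may not
      * any scheme (https://..., javascript:...) or authority naming another host,
        including userinfo tricks such as https://www.example.com@attacker.example/
      * relative paths ("account"), which are ambiguous; we require a site-rooted path
    An absolute https URL naming SITE_HOST is accepted but reduced to its path.
    """
    if not next_param:
        return default
    if any(ord(c) < 0x20 or c.isspace() for c in next_param):
        return default
    # Browsers treat "\" like "/" when parsing URLs, so normalise before inspecting.
    candidate = next_param.replace("\\", "/")
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        if not (parts.scheme == "https" and parts.netloc.lower() == SITE_HOST):
            return default
    path = parts.path or "/"
    if not path.startswith("/"):
        return default
    # Reassemble without scheme or authority so the result is always site-relative.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    for value in (  # constructed attacker- and user-supplied values
        "https://attacker.example/harvest",
        "//attacker.example/harvest",
        "///attacker.example",
        "/\\attacker.example",
        "https://www.example.com@attacker.example/",
        "javascript:alert(1)",
        "/account?tab=security",
        "https://www.example.com/account",
    ):
        print(f"{value!r:45} vulnerable -> {vulnerable_redirect_target(value)!r:40} "
              f"safe -> {safe_redirect_target(value)!r}")
```

The important design choice is to never echo an attacker-supplied absolute URL at all: even when the host matches, the function rebuilds a relative path, so a later change to the host comparison cannot quietly reopen the redirect. The backslash and triple-slash cases are the ones most often missed by "does it start with a single slash" checks.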
Social Media and Social Engineering Attacks
Phishing takes place across other channels as well, such as social media, which adds to the complexity of protecting against it. Brand and executive impersonation (a fake support account answering customers, or a profile posing as a company officer) are common methods cybercriminals use, oftentimes targeting customers, who may lack the awareness and the security protections that employees have. These attacks are social engineering in its purest form: the lure is the trust the victim already places in the brand or the person, not any technical flaw.
Phishing Kits
Attackers offer phishing kits for sale on dark web marketplaces. These are software packages that essentially templatize the entire process of building a phishing site: a cloned copy of the target's login pages, a server-side script that captures submitted credentials and forwards them to the operator (by email or to a collection endpoint), and often blocklists that hide the page from security-vendor crawlers and IP ranges. With these kits, operators do not need technical skills to run intricate phishing campaigns, so the barrier to entry has been substantially lowered and weaponizing a campaign is streamlined even for novices. For defenders, the same standardization is useful: the kit's file names, page markup, and exfiltration endpoints are often identical across deployments, and operators frequently leave the kit archive itself on the hosting server, so one recovered kit can yield detection signatures for every site built from it.