
Swimming in dark waters

By Panayiota Smyrli, Cyber Security Analyst at CYNET-CSIRT, and Stephanos Andreou, Security Analyst

Let’s explore the most common types of social engineering attacks and how to best protect your organisation against phishing, vishing or smishing.

Taking advantage of recent rapid developments, cyber criminals have adopted new types of fraud to obtain confidential data, which they then use for personal profit. The main such activities are phishing, smishing and vishing. To protect your personal data online, however, it is enough to follow elementary data protection rules, to recognise the common threats and to know how to counter them, and that is exactly what this article discusses.

Social engineering attacks pose a serious security threat to cyberspace

Social Engineering (SE) can be defined as a process by which attackers exploit human vulnerabilities by means such as influence, persuasion, deception and manipulation in order to obtain classified information, compromise computer systems and/or networks, gain unauthorised access to restricted areas, bypass or break through security barriers, and so on. Social engineering attacks are carried out in several steps, as illustrated in the figure below.

Social Engineering Lifecycle

What’s the difference between these attack methods, and how can you protect your organisation against them?

Phishing is a socially engineered attack that entices unsuspecting users with spoofed copies of familiar websites, made to appear as if they come from a legitimate organisation or source. It lures the user into handing the attacker their access credentials, which are then used to gain privileged access and harm the user. Figure 1.1 illustrates a phishing attack that mimics the Gmail login page. The attacker imitates every detail of the legitimate page, including the logo, the favicon and even the external links, making the two hard to distinguish visually.

An example of a phishing attack that targets Gmail

(Left) Phishing attack that mimics the Gmail login page. (Right) Legitimate Gmail login page.

Smishing is a phishing scam conducted via the Short Message Service (SMS). Crafty phishers send text messages that appear to come from trusted senders, such as banks or online retailers. These messages typically contain URLs or links that trick recipients into visiting websites that download viruses and other forms of malware onto the victim’s mobile device. More specifically, a smishing scam consists of two main stages.

  1. Bait the victim via an SMS: Attackers lure the victim with an SMS that creates a false sense of urgency. For instance, the victim receives a text message purporting to come from a known and trusted source, such as their bank or their system administrator, or an alarming message claiming that their identity card has been stolen or an account number has been frozen. The message then directs them to a website or a phone number to verify their account information.
  2. Setting the hook: The hook is usually the URL embedded in the text message. It entraps victims through solicitation, capture of sensitive information or the download of malicious software onto their devices, which in turn installs a rootkit or backdoor that gives the scammers access to everything (contacts, inbox messages, applications, etc.) on the victim’s phone and sometimes even control over it.

The figure below illustrates two different cases of smishing attacks.

Smishing attack examples

Vishing is voice phishing: a voice call from an attacker lures the target into providing personal information, which is then used to cause harm. With the abundance of smartphones, tablets and hotspots, these social engineering attacks on mobile devices are now prevalent too. The technique uses a spoofed caller ID, so that the call appears to originate from a known number that the target is likely to answer. VoIP technology, including services like Skype and Zoom, is commonly used in vishing attacks. Potential consequences of vishing attacks include eavesdropping, unauthorised access to billing or credit card information, voicemail overloading (junk voicemails) and phone number harvesting (a method of collecting valid phone numbers). More specifically, a vishing scam consists of two main stages:

  1. Lure the victim via a call: Scammers start by spoofing their caller ID so that they appear to be calling from a local area code or a trusted business. Emotional appeals and a sense of urgency work exactly as in other forms of phishing.
  2. Setting the hook: Attackers may use call-back numbers and automated recordings as the hook. Victims take the bait, dial the call-back number, listen to the recording and divulge sensitive or personal information.

The figure below illustrates an example of a sophisticated vishing attack.

Vishing attack example

What are the common indicators of phishing, vishing and smishing attempts?

  • Suspicious sender’s address. The sender’s address may imitate a legitimate business by altering or omitting a few characters.
  • Greetings and signature block. Both a generic greeting, such as “Dear Valued Customer”, “Dear Respected Member” or “Sir/Madam”, and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organisation will normally address you by name and provide its contact information.
  • Spoofed hyperlinks and websites. If you hover your mouse cursor over a link in the body of the email and the destination that pops up does not match the link text, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling, a different domain (e.g., .com vs .net) or a URL shortening service to hide the true destination of the link.
  • Grammatical and spelling errors. Poor grammar and sentence structure, misspellings and inconsistent formatting are further indicators of a possible phishing attempt. Reputable institutions have dedicated personnel who produce, verify and proofread correspondence.
  • Suspicious attachments. An unsolicited email asking the user to download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to pressure the recipient into responding quickly without thinking too much about the request.
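Several of the indicators above can be checked mechanically before a user ever sees the message. The Python script below is an added example, not code from the original article: it scans a constructed sample email for a lookalike sender domain, a generic greeting, a URL shortener, a link whose visible text names a different host than its real destination, and a same-name domain with a different top-level domain. The trusted domain, the shortener list and the sample message are assumptions made up for the example.

```python
import re
from urllib.parse import urlparse

TRUSTED = {"example-bank.com"}                  # constructed: the organisation's real domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # common URL-shortening hosts
GENERIC = ("dear valued customer", "dear respected member", "sir/madam")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)  # simple markup only

def host_of(s):
    """Lower-cased hostname of a URL or bare domain; '' if there is none."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def one_edit_away(a, b):
    """True if a turns into b by altering or omitting a single character."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    sh, lg = sorted((a, b), key=len)
    return len(lg) - len(sh) == 1 and any(lg[:i] + lg[i + 1:] == sh for i in range(len(lg)))

def domain_findings(host):
    """Indicators for one hostname, measured against the trusted domains."""
    out = []
    for t in TRUSTED:
        if host == t:
            return out  # a genuine organisation domain: nothing to flag
        if one_edit_away(host, t):
            out.append(f"lookalike domain {host} (resembles {t})")
        elif host.rsplit(".", 1)[0] == t.rsplit(".", 1)[0]:
            out.append(f"same name, different TLD: {host}")
    if host in SHORTENERS:
        out.append(f"URL shortener hides destination: {host}")
    return out

def phishing_indicators(sender, body_html):
    """Return the indicator strings found in one message (empty list = none found)."""
    found = domain_findings(host_of(sender.rsplit("@", 1)[-1]))
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    found += [f"generic greeting: {g}" for g in GENERIC if g in text]
    for href, shown in ANCHOR.findall(body_html):
        dest, shown = host_of(href), re.sub(r"<[^>]+>", "", shown).strip()
        found += domain_findings(dest)
        if "." in shown and " " not in shown and host_of(shown) != dest:  # text is a URL elsewhere
            found.append(f"link text {shown} points to {dest}")
    return found

# Constructed sample message (not a real campaign) that triggers every indicator type
SAMPLE_SENDER = "alerts@examp1e-bank.com"
SAMPLE_BODY = """<p>Dear Valued Customer,</p><p>Your account has been frozen. Verify now at
<a href="http://bit.ly/abc123">https://example-bank.com/login</a> or <a href="https://example-bank.net/secure">our secure site</a>.</p>"""
```

Calling `phishing_indicators(SAMPLE_SENDER, SAMPLE_BODY)` returns five findings for the sample, while a message from the genuine domain with a personal greeting and consistent links returns none.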

How you can stay protected

  • Use common sense: Stop and think before taking action. Limit your online profile and do not share sensitive or financial information, such as phone numbers, on public platforms before checking a website’s security.
    • Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with “https”, an indication that the site is secure, rather than “http”.
    • Look for a closed padlock icon, a sign that your information will be encrypted.
  • Trust no one: Do not click on, call back or download from links in SMS messages. Do not fill out forms or provide credit card numbers without proper validation.
  • Don’t call unknown phone numbers: Calling back gives attackers your phone number. Once a scammer has your number, you could end up receiving numerous rogue SMS messages and malicious voice calls.
  • Ignore and flag suspicious texts and calls: Any unexpected text or call requesting an action should be regarded as suspicious unless proven legitimate. Remember that caller IDs can be faked. Always pay attention to the sender and subject of the message. If they look suspicious, simply delete the email or SMS.
  • Raise security awareness in your organisation: Using phishing simulation exercises, train your staff to recognise scams and help protect your business, employees, partners and customers from fraud.
  • Ignore suspicious attachments: Files attached to a message from an unknown sender with .exe, .msi, .bat, .pif, .com, .vbs, .reg or .zip extensions can install malicious software; there is no reason to open them.
  • Watch out for mistakes in the text: If you find them, the message is most likely a hoax.
  • Enforce multifactor authentication: If all your accounts are additionally protected with one-time passwords, this complicates the lives of intruders. The lifetime of a one-time password for accessing the user account is limited to no more than 60 seconds, so the phisher needs to be more inventive and faster.
  • Take advantage of any anti-phishing features offered by your email client and web browser: The most popular browsers, such as Mozilla Firefox, Google Chrome, Microsoft Edge and Safari, have anti-phishing systems that check visited sites against a list of malicious sites and warn the user before a malicious site is opened. Similar anti-phishing systems are used by many other services, such as social networks.
  • Install and maintain anti-virus software, firewalls and email filters in order to reduce some of this traffic: Antivirus software provides fairly reliable protection, provided that updates are installed on time. Up-to-date software helps prevent malware from infiltrating the device and alerts users when they follow malicious links. The spam filters used by email services automatically divert messages received from phishers.
  • Avoid storing sensitive or banking information on a mobile device: Should an attacker install malware on the smartphone, this information could be compromised.

Authors

Panayiota Smyrli

Panayiota is a PhD candidate in Post-Quantum Cryptography and a Cyber Security Analyst at CYNET-CSIRT. Her research interests focus on cognitive areas of Cryptography and Network Security, as well as their applications in Computer Science and Telecommunications. Panayiota is one of the few scholarship winners of the State Scholarships Foundation (I.K.Y.), and she has also been awarded a sponsorship by the National Bank of Greece as a distinguished graduate student.

Stephanos Andreou

Stephanos is an experienced Security Analyst with a demonstrated history as a Cyber Security Analyst. He also has a strong educational background, including a Master of Information Sciences specialising in Security in Organisations, Architectural System Design, Cyber Security and Business Rules Spec. & Application.