Phishing: Outside the Inbox

“Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers…Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data. An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust.” IMPERVA

In many cases, evidence of direct e-mail phishing can be a sign of a threat that’s already been taking place, secretly and silently, waiting for a chance to strike – an Advanced Persistent Threat. It is often the case that an APT gained access not by spear-phishing through e-mail, but by mining data from deceptive targeted posts on social media, or by taking advantage of poor mobile device security.

Social Media Phishing

“It is well-known that email messages, texts and phone calls are methods commonly used by criminals to approach people with the aim of committing financial or identity fraud … or both. However, social media is also a favorite method used by criminals to deceive their victims, as it makes their work very simple. With over 1.3 billion people logging on to their favorite social media accounts every month, and the trust that many have in the wider community of users, social media phishing represents a rich source of income for fraudsters.” GETSAFEONLINE

Many social media platforms have a growing problem – scammers stealing their users’ private information and using it to commit various cybercrimes. You’ve probably come across several of them in the last week alone, without realizing it. Many of the ads, posts, or shares you see that have provocative headlines or purposely divisive language could be attacks in disguise. They are attempts at social engineering, and the reader is the target. They want you to have an emotional, vitriolic reaction to the content, which will not only make you more likely to click on it, but will make you more likely to comment on it, share it, or otherwise give it traction and legitimacy.

Every action performed on posts like these adds to the danger they pose – they could lead more and more people to a deceptive site meant to mine their data, secretly give them malware, and even identify ransomware targets.

SMS Phishing & Vishing

“Vishing—or voice phishing—is the use of fraudulent phone calls to trick people into giving money or revealing personal information. It’s a new name for an old problem—telephone scams. Vishing frequently involves a criminal pretending to represent a trusted institution, company, or government agency. You may be asked to buy an extended warranty, offered a “free” vacation, told your computer is infected and you need anti-virus software, or asked to donate to charity.” SAFECOMPUTING

Whether through innocent ignorance or because of sophisticated spoofing techniques, hundreds of thousands of people fall for voice phishing or text message phishing scams every day. Many of them don’t even know it, and oftentimes they carry that compromise around on their device, letting it access every network they do, even at work. There are thousands of people in the US right now, walking around with an Advanced Persistent Threat in their pocket.

You can avoid most SMS or voice phishing attempts by ignoring unsolicited text messages, never clicking text message links, and hanging up on anyone calling you and asking for any of your personal information.

The idea behind phishing is to trick a person, through the use of various social engineering techniques, into releasing details and information that have value to a cybercriminal. Sometimes, they’ll be happy enough to get away with your credit card details – but sometimes, they’re after your contact lists, your Facebook login, and even more frightening, your saved network connections. Cybercriminals are able to get this important information from you without ever sending you an e-mail – it’s up to you to be vigilant!

AUGUST 25 2020
Authored here @ hello internet.