Page059
Phishers and Spear Phishers
A phisher (“fisher,” with the hacker-style “ph” in place of “f”) is a malicious attacker who tries to trick users into divulging account credentials or personally identifiable information (PII). Many phishers attempt to steal online banking credentials, as the phishing attack in Fig. 2.12 shows.
Fig. 2.12 “PNC” bank phishing attempt.
This phishing attack triggered a warning from the email system, which correctly cautioned, “This message may not be from whom it claims to be.” The attack attempts to trick the user into clicking the “demo” link, a malicious link pointing to a domain in Costa Rica with no connection to PNC Bank; the relevant plain text of the email is highlighted in Fig. 2.13.
Fig. 2.13 Phishing email “DEMO” URL.
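The two indicators discussed above, a From header that does not match the path the message actually took and a link whose real host belongs to nobody the brand controls, can both be checked mechanically. The following Python is an added example, not code from the book or from any mail product. The messages it parses are constructed for illustration (they are not the email in Fig. 2.12), every attacker host in them is fictional and lives under the reserved `.invalid` TLD, and the per-brand allowlist (`pnc.com` for PNC Bank) is an assumption you would replace with your own.

```python
"""Flag phishing indicators in a raw RFC 822 message: sender/path mismatch,
a From domain the claimed brand does not own, links to non-brand hosts, and
anchor text that shows one host while the href points at another.
Added example; sample messages are constructed and attacker hosts fictional."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the impersonated brand legitimately sends from and links to.
BRAND_DOMAINS = {"PNC": {"pnc.com"}}

# Constructed phishing message (not the one in the figure); hosts are fictional.
PHISH_EMAIL = """\
Return-Path: <bounce@mailer-demo.invalid>
From: "PNC Bank" <alerts@pnc-security.invalid>
Reply-To: <verify@pnc-security.invalid>
Subject: Action required: confirm your online banking profile
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your PNC online banking access has been limited.</p>
<p>Please use the <a href="http://secure-login.demo-verify.invalid/pnc">demo</a>
to restore access, or visit <a href="http://demo-verify.invalid/">www.pnc.com</a>.</p>
</body></html>
"""

# Constructed legitimate message for comparison: everything stays on pnc.com.
LEGIT_EMAIL = """\
Return-Path: <bounce@pnc.com>
From: "PNC Bank" <alerts@pnc.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.pnc.com/">www.pnc.com</a>.</p></body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Adequate for this demo; a real tool should
    consult the Public Suffix List (e.g. example.co.uk has three labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(header_value):
    """Domain of the first address in a header such as From or Return-Path."""
    if header_value is None:
        return None
    _, addr = email.utils.parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower() or None


def analyze(raw: str, brand: str) -> list:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    legit = BRAND_DOMAINS[brand]
    findings = []
    from_dom = addr_domain(msg["From"])
    # "May not be from whom it claims": envelope/reply path disagrees with From.
    for hdr in ("Return-Path", "Reply-To"):
        dom = addr_domain(msg[hdr])
        if dom and from_dom and registrable_domain(dom) != registrable_domain(from_dom):
            findings.append(f"{hdr} domain {dom} does not match From domain {from_dom}")
    if from_dom and registrable_domain(from_dom) not in legit:
        findings.append(f"From claims {brand!r} but address domain is {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = _LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            host = urlparse(href).hostname or ""
            if registrable_domain(host) not in legit:
                findings.append(f"link {text!r} -> {href} points outside {brand} domains")
            # Anchor text that looks like a host but differs from the real target.
            shown = text.lower().removeprefix("https://").removeprefix("http://").split("/")[0]
            if "." in shown and registrable_domain(shown) != registrable_domain(host):
                findings.append(f"link text {text!r} hides real host {host}")
    return findings
```

Running `analyze(PHISH_EMAIL, "PNC")` yields five findings (the Return-Path mismatch, the non-brand From domain, two off-brand links, and the `www.pnc.com` anchor text that hides a different host), while `analyze(LEGIT_EMAIL, "PNC")` yields none. The registrable-domain heuristic is deliberately simple; the point is that the href, not the visible text, is what the browser follows.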
Phishing is a social engineering attack that is often combined with other attacks, including client-side attacks. Users who click links in phishing emails may be subject to client-side attacks as well as theft of credentials. Simply visiting a phishing site is dangerous: the client may be automatically compromised, for example by a drive-by download that exploits the browser or one of its plugins.
Phishing attacks tend to be large scale: thousands or many more users may be targeted. The phishers are playing the odds: if they email 100,000 users and one-tenth of 1% of them click, the phisher will have 100 new victims. Spear phishing targets far fewer users: as few as a handful per organization. These targets are high value (often executives), and the attacks are tailored to them, typically referring to the user by full name, title, and other supporting information gathered in advance. Spear phishers target fewer users, but each potential victim is worth far more. Spear phishing aimed at senior executives is also called whaling or whale hunting (the executives are the high-value “whales”).
Finally, vishing is voice phishing: attacks launched over the phone system. Attackers use automated voice scripts on voice over IP (VoIP) systems to place calls to thousands of targets cheaply. A typical vishing call tells the user that their bank account has been locked and that the automated voice system will unlock it after verifying key information, such as account number and PIN, which the attacker then captures.