Don’t Let Your Customers Be Fooled
17 June 2020
Data breaches and identity theft caused by orchestrated phishing attacks have long been a notorious problem for the banking and financial services sector. But today, virtually any company that does business with customers through a website is at risk. Think about how many transactions we all conduct online, and it’s easy to see that the sky’s the limit for what adversaries can steal.
Understanding how phishing attacks work is the first step to creating a detection and mitigation strategy. Let’s review the stages of a typical phishing attack aimed at customers of well-known brands.
- Fraudster selects a target company. According to a recent report, the brands at the center of most customer-facing phishing scams are Microsoft, PayPal, Facebook, Netflix, Bank of America, and Apple. With millions of customers across the globe, the pool of potential victims is huge. Attackers deliberately target well-known brands so they can capitalize on customer trust: if a convincing spoof website and the email that points to it carry the name of a company the customer already trusts, the customer is more likely to click the link and take the requested action. Phishers are counting on it.
- The adversary chooses a phishing kit. In the past, cybercriminals needed a moderate level of technical knowledge to mount a sophisticated phishing campaign. That is no longer the case. Attackers can choose from thousands of so-called “phishing-as-a-service” offerings on the Dark Web. The phishing-as-a-service industry sells attack tools and even full campaigns at cheap rates, typically $50 to $80 per month, and realistic phishing web kits are available for download for as little as $50. Some higher-end kits, such as the one marketed as “Apache,” even let the attacker pick a pre-built spoof site modeled on a popular consumer brand such as Wal-Mart.
- Fraudster builds a spoof site. With a kit, the spoof site takes only minutes to launch. Cybercriminals deliberately build phony URLs around known, trusted domains: they register lookalike domains that differ by one small detail, such as replacing the letter “m” with the pair “rn,” which reads as “m” at a glance. The newer trend, however, is to hide the malicious page inside an otherwise legitimate, well-reputed website, so the hostname itself looks clean. This technique is designed to slip past the legacy domain-monitoring solutions many firms have in place, and such spoof sites can fool even trained security professionals.
- The bait message is sent. Next, the phisher sends the bait by email, text message or social media message to the targeted brand’s customers. Often the attacker simply guesses addresses from conventional naming schemes, such as firstname.lastname@example.org; lists of stolen email addresses can also be bought on the Dark Web. The messages reuse images and wording lifted from the real website and carry a link to the spoof site, urging the recipient to update their credentials. Frequently the message adds an urgent demand tied to a current event to pressure the victim into clicking.
- The trap snares a victim. If the phisher is persistent and the spoof site and email are convincing enough, an unsuspecting customer will fall into the trap. An attack that runs long enough undetected can yield thousands of victims who have handed their credentials to the cybercriminal.
- Data is collected. The victim visits the spoof site, never realizing they’ve been duped, and enters their real login credentials. That is all the phisher needs to help themselves to the customer’s account and personal data. Some attack pages also ask the victim to type sensitive personal information directly into the site: credit card numbers (including the CVV), social security numbers, email login details and more. Everything the victim enters is sent straight to the threat actor’s database, and the kit’s back-office admin panel lets the criminal review each victim’s personal and financial details. Some kits even offer back-office services that validate the collected data as genuine and usable for fraud.
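The lookalike-domain and hidden-page tricks in the “builds a spoof site” step are where a defender gets the first technical signal. As an added example (not code from this post or from Allure Security), the Python below classifies URLs from a monitoring feed against a protected brand list: it folds visually confusable sequences such as “rn” for “m” before measuring edit distance, flags a brand name parked in someone else’s hostname, and, for the case the post says domain-only monitoring misses, flags a brand name appearing in the path of an otherwise unrelated site. The brand table, the confusable table, the toy registrable-domain splitter and the sample feed are all constructed assumptions for illustration.

```python
"""Classify URLs from a monitoring feed against a protected brand list.

Added example for this post; not code from the original article or from
Allure Security. The brand table, confusable table and sample feed are
constructed here for illustration.
"""
from urllib.parse import urlsplit

# Brands under protection and the registrable domains they really own
# (constructed list; a real deployment would load this from inventory).
BRANDS = {
    "paypal": {"paypal.com", "paypal.me"},
    "microsoft": {"microsoft.com", "live.com"},
    "netflix": {"netflix.com"},
}

# Character sequences that read like another letter at a glance. "rn" for
# "m" is the swap the post describes; the rest are common typosquat tricks.
# IDN homoglyphs (Cyrillic "а" for Latin "a") need a Unicode confusables
# table and are out of scope here.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Second-level public suffixes this toy eTLD+1 splitter knows about.
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}

MAX_EDITS = 1  # edits tolerated after folding; tune per brand length (short brands need 0)


def skeleton(label: str) -> str:
    """Fold confusable sequences so 'paypa1' and 'rnicrosoft' compare as their targets."""
    s = label.lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):  # multi-char swaps first
        s = s.replace(src, CONFUSABLES[src])
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; cheap enough for short DNS labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels, or three for 'example.co.uk' shapes.
    Production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str):
    """Return (verdict, brand). Verdicts, in the order they are tested:
    legitimate, lookalike, brand-in-host, brand-in-path, unrelated."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]
    flat_host = host.replace("-", "")

    for brand, owned in BRANDS.items():
        if reg in owned:
            return "legitimate", brand
    for brand in BRANDS:
        # Typosquat / confusable: the registrable label folds to (nearly) the brand.
        if levenshtein(skeleton(reg_label), skeleton(brand)) <= MAX_EDITS:
            return "lookalike", brand
    for brand in BRANDS:
        # Brand name parked in a subdomain or hyphenated label on someone else's
        # domain, e.g. paypal.com.account-verify.example
        if brand in flat_host:
            return "brand-in-host", brand
    for brand in BRANDS:
        # Page hidden on an otherwise unrelated site: the pattern the post says
        # domain-only monitoring misses, so the path has to be inspected too.
        if brand in parts.path.lower():
            return "brand-in-path", brand
    return "unrelated", None


# Constructed feed entries, not real observations.
SAMPLE_FEED = [
    "https://www.paypal.com/signin",
    "https://www.paypa1.com/signin",
    "http://rnicrosoft.com/login",
    "https://paypal.com.account-verify.example/",
    "https://blog.example.org/wp-content/uploads/netflix/login.php",
    "https://example.org/",
]

if __name__ == "__main__":
    for url in SAMPLE_FEED:
        verdict, brand = classify_url(url)
        print(f"{verdict:14} {brand or '-':10} {url}")
```

Feed the classifier with newly registered domains or certificate-transparency log entries rather than waiting for customer reports; anything scored lookalike, brand-in-host or brand-in-path is a candidate for a closer look and a takedown request. The edit-distance threshold is the knob to watch: one edit is safe for a seven-letter brand but will generate noise for short names.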
These are the basic steps phishers take to steal customer data, but the playbook has variations. Some attacks bypass a website’s multifactor authentication, for example by relaying the victim’s password and one-time code to the real site in real time; this was the case in the 2019 YouTube phishing scam, reported to have affected 23 million users of the site.
To stop customer-facing phishing attacks from succeeding, businesses must shorten the time-to-detection for spoof websites. But the legacy domain-monitoring solutions many organizations rely on take days or longer to find spoof sites, if they find them at all, and because they watch only domain names, a malicious page hidden on a legitimate site never shows up.
At Allure, our approach combines artificial intelligence in the cloud with a patented tracking technology that is injected into our customer’s real website. When an attacker clones or recreates that site, Allure’s technology detects and locates the copy as soon as it appears, alerts our client and initiates our response and takedown processes. It is invisible to the hacker, but not to the targeted organization’s security team, which gets an alert from our platform as soon as the fake site goes live.
Having a smart, holistic strategy to protect customers from phishing attacks must be a top priority. Businesses now have a more proactive option that enables them to take control, protecting customers from targeted phishing attacks while also protecting their brand reputation from fraudsters.
To find out more about the Allure Security approach, get in touch with us today.