You're probably already familiar with spam. It's hard to open your email inbox without being bombarded with unwanted messages. Let's take a look at how spam, and its many cousins, can be used as weapons of social engineering through impersonation attacks. Spam, also known as unsolicited commercial email or UCE, consists of unwanted messages sent for a variety of marketing and scamming purposes. Most spam is illegal under the CAN-SPAM Act, but it is difficult to prosecute offenders because it is often hard to identify them.
Phishing is a subcategory of spam. Phishing messages have the explicit purpose of gaining access to an account. They want to trick users into revealing passwords to sensitive accounts such as bank accounts or employer systems. For example, an attacker might send thousands of email messages to random recipients, warning them that their email accounts are running out of space and that they need to fill out a form to request more space. When users click the link to fill out the form, it first asks them for their username and password. Unfortunately, the page isn't legitimate and is part of a phishing attack.
The form actually sends the username and password to the hacker, who can then take control of the account. Credential reuse is another real danger with phishing attacks. Many people use the same username and password across many different sites. If they're tricked into providing their password during a phishing attack against a low-risk site, the attacker may then turn around and try that same password on a much more sensitive site, such as an online banking account. Spear phishing attacks are highly targeted phishing campaigns. These attacks specifically target a very small audience, such as employees at a small business.
They then use the jargon of that business, and possibly the names of business leaders, to add an air of legitimacy to the message. With this added authority, spear phishing attacks have higher success rates than generic phishing attacks. Whaling is a subset of spear phishing. Like spear phishing attacks, whaling attacks are also highly targeted. Whaling attacks focus even more specifically on senior executives, aiming to exploit the money, power, influence, or authority that a senior leader holds.
One common whaling tactic is to send fake court documents to senior business leaders, saying that the organization is being sued and that they must click a link to read the legal paperwork. They click that link, and boom, they're infected with malware or their account is in a hacker's hands. Pharming attacks often begin with a phishing message, but the attackers go to great lengths to make that message convincing. The attackers set up a fake website that looks like a legitimate site and send victims a link to the fake site.
They might use typosquatting to make the URL seem very similar to the real site, and then copy the look and feel of the real site that is already familiar to users. When the user logs into the fake site, the attacker captures his or her credentials. Variations on the pharming attack might skip the phishing messages and use DNS poisoning to redirect victims to the fake site. Vishing, or voice phishing, attacks have been around forever, but now they have a fancy name. In these attacks, the hacker simply picks up the telephone and calls unsuspecting people, using social engineering tactics to trick them into revealing sensitive information.
They might pose as a help desk and ask for a user's password to help correct an account issue that doesn't exist, or they might ask someone to visit a website and install a file to improve security. Not all spam messages are sent by email. Spim, or spam via IM, attacks use instant messaging services to send spam and phishing messages. These attacks began via AOL Instant Messenger years ago but have spread to SMS and iMessage in recent years.
They often use a tactic called spoofing, which, as the name implies, means faking the identity of someone else when sending a message. It is easy to forge an email, and hackers have software designed to do exactly that: they simply type in the name of any sender they like and generate a fake message. Similar technology exists for caller ID and SMS messages. Attackers are persistent and clever in their attempts to infiltrate an enterprise through fake messages. While many of their attempts may seem simple, some are sophisticated.
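Two of the impersonation tricks described above, a typosquatted sender domain and a spoofed From header, leave traces in the message itself that a mail filter or analyst can check. The following is an added example written for this page, not code from the lecture or any product; the trusted-domain list, the two sample messages and the edit-distance threshold are all constructed for illustration, and the function names are hypothetical.

```python
"""Flag two phishing indicators in raw email headers: a sender domain that
looks like a trusted one (typosquatting) and mismatched sender headers
(spoofing). Standard library only; all names and data are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical domains this organisation trusts and its users recognise.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` resembles, or None.
    An exact match is not a lookalike; a distance of 1..max_distance is."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in sorted(trusted):               # sorted for deterministic results
        if 0 < levenshtein(domain, t) <= max_distance:
            return t
    return None


def domain_of(addr: str) -> str:
    """Domain part of an email address, lower-cased; '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))  # set by receiving MTA
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []

    look = lookalike_domain(from_dom)
    if look:
        findings.append(f"sender domain {from_dom} resembles trusted domain {look}")
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path domain {domain_of(return_path)} "
                        f"differs from From domain {from_dom}")
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} "
                        f"differs from From domain {from_dom}")
    # Display name drops a trusted brand name while the address is untrusted.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if display and from_dom not in TRUSTED_DOMAINS and \
            any(b in display.lower() for b in brands):
        findings.append(f"display name '{display}' impersonates a trusted brand")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """From: Example Bank Support <alerts@examp1e-bank.com>
Return-Path: <bounce@mailer-xyz.net>
Reply-To: <support@examp1e-bank.com>
Subject: Your mailbox is running out of space

Please log in to request more space.
"""

LEGIT = """From: Example Bank <alerts@example-bank.com>
Return-Path: <alerts@example-bank.com>
Subject: Monthly statement

Your statement is ready.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, phishing_indicators(raw))
```

These are indicators, not verdicts: a legitimate newsletter sent through a third-party mailing service will also show a Return-Path domain that differs from the From domain, so the findings belong in a scoring pipeline alongside the authoritative checks (SPF, DKIM and DMARC results from the receiving mail server) rather than being used to block mail on their own.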
The important thing to remember is that they don't all need to be successful. A phishing attack succeeds if it nets a single victim. That's why education and awareness are the most critical tools for defending against social engineering attacks.