Types of Phishing Attacks Explained

Phishing is a form of cyber attack where attackers masquerade as reputable entities to trick users into providing sensitive personal information. There are several types of phishing attacks, including email phishing, spear phishing, vishing, smishing, angler phishing, and whaling. Phishing can negatively affect both individuals through identity theft and financial loss, and organizations through financial losses, declining reputation, and breaches of sensitive data. A common phishing example is a spoofed email that appears to be from a university requesting personal information from a student.

Uploaded by Vân Anh Trần

Principles of Information Security
- Group 5 -
I. Phishing attacks
1. Definition
Phishing is a form of cyber attack in which an attacker masquerades as a reputable entity to
trick users into handing over personal information.
Usually, attackers pretend to be banks, online shopping sites, e-wallets or credit card
companies in order to trick users into sharing sensitive information such as login names and
passwords, transaction passwords, credit card numbers and other valuable data.
This attack is usually carried out via email and text messages. A user who opens the email and
clicks on the fake link is asked to log in; if the user takes the bait, the attacker receives the
credentials immediately.
Phishing was first known in 1987. The word "phishing" combines two terms: "fishing" for
information and "phreaking" (a scam in which someone else's phone service is used without
paying for it). Because luring out user information resembles fishing, the term phishing was
born.

2. Types of phishing attacks

● Email phishing:
Attackers send emails to users in the name of a reputable organization, luring them to click
on a link that leads to a fake website where they "get hooked". The fake emails are often very
similar to the genuine ones, differing only in a few small details, so many users are confused
and become victims of the attack. One of the basic techniques in phishing attacks is email
spoofing. To make the email look as real as possible, attackers "disguise" several elements:
+ The sender's address (for example, if the correct address is [email protected], the
fake address can be [email protected])
+ Pop-up windows designed exactly like the original (same colours, fonts, ...)
+ Forged links that trick users (e.g. the visible text is vietcombank.com.vn, but clicking it
redirects to vietconbank.com.vn)
+ The organization's brand images, used in the fake email to increase credibility.
● Spear phishing
Spear phishing is a method in which cybercriminals use targeting techniques to make you
believe you have received a legitimate email from a known sender asking for your
information. The email can appear to come from a person or any organization you know. In
most cases, cybercriminals track your activities on the Internet, especially on social
networks. Any information you post on any website gives them a chance to extract further
information from you.
For example: you post an update on a social networking site stating that you bought a phone
from Lazada. You then receive an email from Lazada saying that your card is blocked and
that you need to verify your account before making any further purchases. Since the sender
address looks like Lazada's, you willingly provide the information the scammers ask for.
● Vishing
Vishing is short for "voice phishing": defrauding people over the phone by enticing them to
divulge sensitive information. The attacker attempts to grab the victim's data and use it for
their own benefit, typically to gain a financial advantage. The main goal of vishing attacks is
to obtain sensitive financial information or personal data from the person answering the
phone. In a face-to-face interaction you can present visible, authentic evidence such as an
identification badge, driver's license or access card; over the phone, the methods of verifying
a caller's identity are limited to what they say.
For example: fraudsters employ a variety of tactics to obtain victims' phone numbers. One
method is to harvest personal information from massive data leaks, which are frequently
available on the dark web, as well as from social media and employment sites. It is much
simpler to gain people's confidence in these situations, since the criminal already has the
victim's name, title and company. Sending text messages to random numbers is another
prevalent strategy. The messages frequently instruct the recipient to contact the "business" or
include a response option such as "send 'STOP' if you no longer wish to receive this
message." Once the individual answers, the criminal has proof that the number is in use and
is thus a prospective target.
● Smishing
Smishing is a form of phishing in which an attacker uses a compelling text message to trick
targeted recipients into clicking a link and sending the attacker private information or
downloading malicious programs to a smartphone. Most smishing attacks work like email
phishing. The attacker sends a message enticing the user to click a link or asks for a reply that
contains the targeted user’s private data. The information an attacker wants can be anything,
including:
+ Online account credentials.
+ Private information that could be used in identity theft.
+ Financial data that can be used to sell on darknet markets or for online fraud.
Smishers use a variety of methods to trick users into sending private information. They may
use basic information about the target (such as name and address) from public online tools to
fool the target into thinking the message comes from a trusted source. The smisher may use
your name and location to address you directly; these details make the message more
compelling. The message then displays a link pointing to an attacker-controlled server. The
link may lead to a credential phishing site or to malware designed to compromise the phone
itself. The malware can then be used to snoop on the user's smartphone data or silently send
sensitive data to an attacker-controlled server. For example: a common smishing attack
uses brand names with links purported to lead to the brand's site. Usually, the attacker tells
the user that they have won money or provides a malicious link purported to be for tracking
packages, as in the following example.
● Angler phishing
Social media is a relatively new attack vector that offers criminals several ways to trick
people. Fake URLs; cloned websites, posts and tweets; and instant messaging (which is
essentially the same as smishing) can all be used to persuade people to divulge sensitive
information or download malware.
Alternatively, criminals can use the data that people willingly post on social media to create
highly targeted attacks.
As this example demonstrates, angler phishing is often made possible by the number of
people who contact organizations directly on social media with complaints.
Organizations often use these complaints as an opportunity to mitigate the damage, usually
by giving the individual a refund.
However, scammers are adept at hijacking these exchanges and asking the customer to
provide their personal details. They appear to do this to arrange some form of compensation,
but the real purpose is to compromise the customer's accounts.

● Whaling
Whaling attacks are even more targeted, taking aim at senior executives. Although the end
goal of whaling is the same as that of any other kind of phishing attack, the technique tends
to be much subtler.
Tricks such as fake links and malicious URLs aren’t helpful in this instance, as criminals are
attempting to imitate senior staff.
Whaling emails also commonly use the pretext of a busy CEO who wants an employee to do
them a favor.
Emails such as the above might not be as sophisticated as spear phishing emails, but they
play on employees’ willingness to follow instructions from their boss.
Recipients might suspect that something is amiss but are too afraid to confront the sender to
suggest that they are being unprofessional.
● Business email compromise (BEC)
Aside from mass-distributed general phishing campaigns, criminals target key individuals in
finance and accounting departments via business email compromise (BEC) scams and CEO
email fraud. By impersonating financial officers and CEOs, these criminals attempt to trick
victims into initiating money transfers into unauthorized accounts.

Typically, attackers compromise the email account of a senior executive or financial officer
by exploiting an existing infection or via a spear phishing attack. The attacker lurks and
monitors the executive’s email activity for a period of time to learn about processes and
procedures within the company. The actual attack takes the form of a false email that looks
like it has come from the compromised executive’s account being sent to someone who is a
regular recipient. The email appears to be important and urgent, and it requests that the
recipient send a wire transfer to an external or unfamiliar bank account. The money
ultimately lands in the attacker’s bank account.

3. Impact
● For individuals, this includes unauthorized purchases, stolen funds or identity theft.
● Moreover, phishing is often used to gain a foothold in corporate or governmental
networks as part of a larger attack, such as an advanced persistent threat (APT)
event. In this scenario, employees are compromised in order to bypass security
perimeters, distribute malware inside a closed environment, or gain privileged access
to secured data.
● An organization succumbing to such an attack typically sustains severe financial
losses in addition to declining market share, reputation and consumer trust.
Depending on its scope, a phishing attempt might escalate into a security incident from
which a business will have a difficult time recovering.

4. Example
The following illustrates a common phishing scam attempt:
● A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many
faculty members as possible.
● The email claims that the user’s password is about to expire. Instructions are given to
go to myuniversity.edu/renewal to renew their password within 24 hours.
Several things can happen when the link is clicked. For example:
● The user is redirected to myuniversity.edurenewal.com, a bogus page appearing
exactly like the real renewal page, where both new and existing passwords are
requested. The attacker, monitoring the page, hijacks the original password to gain
access to secured areas on the university network.
● The user is sent to the actual password renewal page. However, while being
redirected, a malicious script activates in the background to hijack the user’s session
cookie. This results in a reflected XSS attack, giving the perpetrator privileged access
to the university network.
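The forged-link trick from the email phishing section (visible text vietcombank.com.vn, real target vietconbank.com.vn) and the myuniversity.edurenewal.com page in the example above can both be caught by comparing a link's visible text and real destination against the organization's legitimate domain. The following Python check is an added example written for this report, not code from the report or from any tool it mentions; the finding codes and the edit-distance threshold of 2 are assumptions.

```python
"""Lookalike-link check (added example, not from the report).

Flags the tricks described above: visible text that differs from the real
destination, a legitimate domain glued into a longer bogus host, and
domains that differ from the legitimate one by a few characters."""
import re

# Matches a bare domain or an http(s) URL and captures the host part.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$", re.I)
LOOKALIKE_MAX_EDITS = 2   # assumed threshold: 1-2 changed characters is suspicious


def host_of(text: str) -> str:
    """Return the lowercase host of a URL or bare domain, or "" for plain text."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(display_text: str, href: str, legit_domain: str) -> dict:
    """Return {finding_code: explanation}; an empty dict means the link is consistent."""
    findings = {}
    shown, real, legit = host_of(display_text), host_of(href), legit_domain.lower()
    if not real:
        findings["NO_HOST"] = f"could not parse a host from {href!r}"
        return findings
    # Trick 1: the visible text names one domain but the link goes elsewhere.
    if shown and shown != real:
        findings["TEXT_MISMATCH"] = f"text shows {shown} but link goes to {real}"
    # The legitimate domain itself or any of its subdomains is fine.
    if real == legit or real.endswith("." + legit):
        return findings
    # Trick 2: legitimate domain embedded in a longer, attacker-owned host.
    if legit in real:
        findings["EMBEDDED_DOMAIN"] = f"{real} contains {legit} but is a different domain"
    # Trick 3: a few characters swapped (vietcombank -> vietconbank).
    elif edit_distance(real, legit) <= LOOKALIKE_MAX_EDITS:
        findings["LOOKALIKE"] = f"{real} differs from {legit} by a few characters"
    else:
        findings["UNRELATED"] = f"{real} is not {legit}"
    return findings
```

A mail gateway or browser extension would run this over every anchor in a message; the substring test for trick 2 is deliberately simple and would need a public suffix list to handle multi-label registries properly.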

II. Prevention
1. For individuals
- Beware of emails that urge you to enter sensitive information. No matter how appealing the
call to action is, it is still worth checking. For example, you have just shopped online and
suddenly an email from "the bank" offers you a refund if you just enter the card details you
used to pay. Believe it?!
- Do not click on any link sent via email unless you are 100% sure it is safe.
- Never send confidential information via email.
- Do not respond to scam emails. Fraudsters often send you a phone number to call them "for
business purposes". They use Voice over Internet Protocol technology, with which their calls
can never be traced.
- Use a firewall and anti-virus software, and always update them to the latest versions.
2. For organizations and businesses
- Train employees to increase their knowledge of safe Internet use.
- Regularly organize training sessions and rehearse simulated phishing situations.
- Use the G Suite service for business rather than the free Gmail service, which is easy to
spoof.
- Implement a spam filter to block spam and phishing emails.
- Always update software and applications to close security holes that attackers could
exploit.
- Proactively secure sensitive and important information.
- Two-factor authentication (2FA) is the most effective method for countering phishing
attacks.
3. Useful tools to help prevent phishing
- SpoofGuard: a browser plugin compatible with Microsoft Internet Explorer. SpoofGuard
places an "alert" indicator in the browser toolbar that turns from green to red if you
accidentally visit a phishing site. If you try to enter sensitive information into a form on a
fake site, SpoofGuard saves your data and warns you.
- Anti-phishing Domain Advisor: essentially a toolbar that warns of phishing websites, based
on data from the company Panda Security.
- Netcraft Anti-phishing Extension: Netcraft is a reputable provider of many security
services; its anti-phishing extension is highly regarded for its many smart warning features.
III. REFERENCES
https://cystack.net/vi/blog/phishing-la-gi
https://www.itgovernance.eu/blog/en/the-5-most-common-types-of-phishing-attack
GROUP ALLOCATION BOARD

No. | Student name | Student ID | Task
1 | Nguyễn Thị Thắm (Leader) | 20070789 | Find information; make slides; find images
2 | Trần Thị Vân Anh (Vice Leader) | 20070674 | Find information; make report
3 | Trần Tuấn Minh | 20070754 | Find information; find images
4 | Đoàn Quang Huy | 20070726 | Find information
