NSHM KNOWLEDGE CAMPUS, DURGAPUR-GOI
(College Code: 273)
CA1 Assessment
PHISHING METHODS
Presented By
Student Name: SHIBDAS CHAKRABORTY
University Roll No.: 27300119060
University Registration No.: 018069 OF 2019-20
Branch: Computer Science and Engineering
Year: 4th
Semester: 8th
Paper Name: CYBER LAWS AND ETHICS
Paper Code: OEC-CS801B
INTRODUCTION
• Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.
• An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft.
• Moreover, phishing is often used to gain a foothold in corporate or governmental networks as part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.
• An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.
Phishing Attack Examples
• The following illustrates a common phishing scam attempt:
  • A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible.
  • The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.
• Several things can occur by clicking the link. For example:
  • The user is redirected to myuniversity.edurenewal.com, a bogus page appearing exactly like the real renewal page, where both new and existing passwords are requested. The attacker, monitoring the page, hijacks the original password to gain access to secured areas on the university network.
  • The user is sent to the actual password renewal page. However, while being redirected, a malicious script activates in the background to hijack the user’s session cookie. This results in a reflected XSS attack, giving the perpetrator privileged access to the university network.
Phishing Methods
Email phishing scams
Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam. As seen above, there are some techniques attackers use to increase their success rates.

For one, they will go to great lengths in designing phishing messages to mimic actual emails from a spoofed organization. Using the same phrasing, typefaces, logos, and signatures makes the messages appear legitimate.

In addition, attackers will usually try to push users into action by creating a sense of urgency. For example, as previously shown, an email could threaten account expiration and place the recipient on a timer. Applying such pressure causes the user to be less diligent and more prone to error.

Lastly, links inside messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains. In the above example, the myuniversity.edu/renewal URL was changed to myuniversity.edurenewal.com. Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place.
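The look-alike link described above can be caught mechanically by comparing the registrable domain of every link in a message against the organisation's real domain, rather than trusting what the hostname "looks like". The following is an added example written for this deck, not code from the presentation; it uses only the Python standard library, treats the last two labels of a hostname as the registrable domain (an assumption that stands in for a real Public Suffix List lookup), and goes slightly beyond the slide's case by also flagging hyphenated and subdomain-style imitations of the real domain. The sample email body is constructed.

```python
import re
from urllib.parse import urlsplit

# The organisation's genuine domain from the deck's example (assumption: the
# defender knows which domain their users are expected to trust).
EXPECTED_DOMAIN = "myuniversity.edu"

# Matches http(s) URLs and bare "host.tld/path" tokens such as
# "myuniversity.edu/renewal" as they appear in email text.
URL_RE = re.compile(
    r"(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/[^\s<>\"')]*)?",
    re.IGNORECASE,
)

HOST_RE = re.compile(r"[a-z0-9.-]+")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'edurenewal.com'.

    Assumption: a two-label rule is enough for this example. Production code
    should consult the Public Suffix List so that hosts under suffixes such
    as 'co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, expected: str = EXPECTED_DOMAIN) -> str:
    """Classify a link relative to the organisation's real domain.

    'trusted'     - registrable domain is exactly the expected one
                    (myuniversity.edu, login.myuniversity.edu)
    'lookalike'   - the real domain name is embedded in an unrelated host
                    (myuniversity.edurenewal.com, myuniversity.edu.example.net,
                     myuniversity-edu.com)
    'unrelated'   - a completely different domain
    'unparseable' - no usable hostname could be extracted
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host or "." not in host or not HOST_RE.fullmatch(host):
        return "unparseable"
    if registrable_domain(host) == expected.lower():
        return "trusted"
    # Look-alike check: the expected domain text appears inside the host,
    # either verbatim or with its dots/hyphens stripped (catches "edu.renewal"
    # spliced into a new label and "myuniversity-edu" style variants).
    compact_host = host.replace(".", "").replace("-", "")
    compact_expected = expected.lower().replace(".", "")
    if expected.lower() in host or compact_expected in compact_host:
        return "lookalike"
    return "unrelated"


def scan_message(body: str, expected: str = EXPECTED_DOMAIN) -> list[tuple[str, str]]:
    """Find every link-like token in an email body and classify each one."""
    findings = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:!?)")  # drop trailing punctuation
        findings.append((url, classify_link(url, expected)))
    return findings


# Constructed sample email modelled on the deck's "password expiry" lure.
SAMPLE_EMAIL = """\
Dear faculty member,
Your password will expire in 24 hours. Go to myuniversity.edu/renewal to renew it.
If the page does not open, use http://myuniversity.edurenewal.com/renewal instead.
IT Help Desk, myuniversity.edu
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:12} {url}")
```

Running the block prints one line per link; the genuine myuniversity.edu links come back as trusted and the spliced myuniversity.edurenewal.com link as lookalike. A mail gateway or user-awareness tool would act on the lookalike verdict (quarantine, warning banner) rather than on how closely the text of the address resembles the real one.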
Spear phishing
Fishing with a pole may land you a number of items below the waterline – a flounder, bottom feeder, or piece of trash. Fishing with a spear allows you to target a specific fish. Hence the name.

Spear phishing targets a specific group or type of individual such as a company’s system administrator. Below is an example of a spear phishing email. Note the attention paid to the industry in which the recipient works, the download link the victim is asked to click, and the immediate response the request requires.
Whaling
• Whaling attacks target senior management and other highly privileged roles. The ultimate goal of whaling is the same as other types of phishing attacks, but the technique is often very subtle. Senior employees commonly have a lot of information in the public domain, and attackers can use this information to craft highly effective attacks.
• Typically, these attacks do not use tricks like malicious URLs and fake links. Instead, they leverage highly personalized messages using information they discover in their research about the victim. For example, whaling attackers commonly use bogus tax returns to discover sensitive data about the victim, and use it to craft their attack.
Smishing and Vishing
This is a phishing attack that uses a phone instead of written communication. Smishing involves sending fraudulent SMS messages, while vishing involves phone conversations.

In a typical voice phishing scam, an attacker pretends to be a scam investigator for a credit card company or bank, informing victims that their account has been breached. Criminals then ask the victim to provide payment card information, supposedly to verify their identity or transfer money to a secure account (which is really the attacker’s).

Vishing scams may also involve automated phone calls pretending to be from a trusted entity, asking the victim to type personal details using their phone keypad.
Angler Phishing
These attacks use fake social media accounts belonging to well-known organizations. The attacker uses an account handle that mimics a legitimate organization (e.g. “@pizzahutcustomercare”) and uses the same profile picture as the real company account.

Attackers take advantage of consumers’ tendency to make complaints and request assistance from brands using social media channels. However, instead of contacting the real brand, the consumer contacts the attacker’s fake social account.

When attackers receive such a request, they might ask the customer to provide personal information so that they can identify the problem and respond appropriately. In other cases, the attacker provides a link to a fake customer support page, which is actually a malicious website.
Search Engine Phishing
Search engine phishing, also known as SEO poisoning or SEO Trojans, is where hackers work to become the top hit on a search using a search engine. Clicking on their link displayed within the search engine directs you to the hacker’s website. From there, threat actors can steal your information when you interact with the site and/or enter sensitive data. Hacker sites can pose as any type of website, but the prime candidates are banks, money transfer, social media, and shopping sites.
CONCLUSION
Phishing campaigns can be difficult to spot. Cyber criminals have become experts at using sophisticated techniques to trick victims into sharing personal or financial information.

But the best way to protect yourself is to learn how to spot a phishing scam before you take the bait.