At its most basic, phishing targets a common vulnerability in machines, devices and people – not a person or group specifically (see spearphishing for targeted attacks).

The attacker will use an email, SMS, social media or physical mailing list that has been bought, scraped from corporate websites and social media, and/or stolen from other companies’ databases in other phishing or hacking attacks.

Likely using a botnet for resources and to cover their tracks, the attacker sends, at the click of a mouse, an email to this list with a virus enclosed in an attachment or behind a website link. The same lure could also arrive as a letter, SMS, or social media system message. Any machine or device that is vulnerable to that type of virus may be infected if the malicious attachment is opened or the link is clicked. Any machines, devices and servers connected to the infected machines could then catch the infection if they are also vulnerable. When someone clicks through on a link, they may also enter credentials into a bogus site, and the attacker then steals them.

The email may look legitimate, and we may open it simply because we think it really is from someone, or about something, we care about. There is, however, likely something in the malicious email that doesn’t ‘look and feel’ right, from logos and branding to grammar, expression and spelling.

The sender of a malicious email or communication may make it look like it comes from a commonly trusted organisation such as LinkedIn, a government agency, or a bank. The problem here is two-fold. First, the attackers harm the legitimate company by closing down a communications channel when IT departments tell people to delete emails from that brand. Second, if IT departments do not give this advice, they risk people clicking on the malicious links and attachments that are being sent in imitation of those brands.

Whenever there is a high-profile media event, from celebrity weddings and funerals to bombing attacks to tsunami appeals, malware will follow. People often pass around false and malicious emails based on these events, instead of going direct to trusted sources. This propagates the malware through machines, devices and organisations.

– Go direct to trusted sources without clicking on links or attachments

– Call or communicate with the sender via another means to verify that it is from someone you trust (i.e. don’t respond to the email; make a call instead, otherwise you will just be corresponding with the attacker if it is a malicious communication).

see also Spearphishing
