In Times of COVID
- 19, when people started work from home, so the hackers have started more
phishing attacks.
In common terms,
Phishing attacks can be defined as --in which
carefully targeted digital messages are transmitted to fool people into clicking
on a link that can then install malware or expose sensitive data, are becoming
more sophisticated.
 |
Photo by Saksham Choudhary from Pexels
|
Since the use of
computers, the technologies have changed for both – good and bad. The good side
of the technology is that it made life easy and long while the destructive
minds which are also inevitable in nature use these technologies for their
selfish motives and to harm the society.
Also Read
Coronavirus-was-manufactured-in-lab?
hydrogen-fuel-of-future
What-is-lidar-technology?
Earlier there were wars between kings, which later
shifted to national boundaries and now the new era of war has taken place-
“Cyber Attacks”.
Why are Phishing attacks cause of concern?
As per, 2019
Phishing Trends and Intelligence Report, PhishLabs found that
total phishing volume rose 40.9 percent over the course of 2018.
In recent news, it is also evident that cyber
attacks have grown.
These attacks targeted a range of organizations,
especially financial service companies, email and online service providers
and cloud/file
hosting firms.
The growth of phishing attacks poses a significant
threat to all organizations. However, financial firms have been the worst
victim of it.
How to Spot Phishing?
It’s important that all individuals as well as
organisations know how to spot some of the most common phishing scams if they
are to protect their corporate information.
There can be an email from recognised sender, but
steals information. There are categories of Phishing, which are defined
below-----
1. DECEPTIVE PHISHING
Deceptive phishing is by far the most common type
of phishing scam.
In this type of ploy, fraudsters impersonate a
legitimate company to steal people’s personal data or login credentials.
For example.- if you receive an email from a
recognised brand/company which shows, threat and urgency
to login, that can be Phishing.
When you do not have anything related, company
never approaches you. Second, there must be grammatical error, and spelling
differenced when such sort of links are sent to Users.
2. SPEAR PHISHING
In this type of ploy, fraudsters customize their
attack emails with the target’s name, position, company, work phone number and
other information in an attempt to trick the recipient into believing
that they have a connection with the sender.
The goal is
the same as deceptive phishing, even so: trick the victim into clicking on a
malicious URL or email attachment so that they will hand over their personal
data.
Given the amount of information needed to craft a
convincing attack attempt, it’s no surprise that spear-phishing is commonplace
on social media sites as LinkedIn where
attackers can use multiple data sources to craft a targeted attack email.
To protect against this type of scam, organizations
should conduct ongoing employee security awareness training that, among
other things, discourages users from publishing sensitive personal or corporate
information on social media.
Companies
should also invest in solutions that analyse inbound emails for known malicious
links/email attachments. This solution should be
capable of picking up on indicators for both known malware and zero-day
threats.
3. CEO FRAUD or whaling
attack
Spear phishers can target anyone in an
organization, even executives. That’s the logic behind a “whaling” attack. In these
scams, fraudsters try to harpoon an exec and steal their login details.
In the event their attack proves successful,
fraudsters can choose to conduct CEO fraud.
As the second phase of a business email compromise (BEC)
scam, CEO fraud is when attackers abuse the compromised email account of a CEO
or other high-ranking executive to authorize fraudulent wire transfers to a
financial institution of their choice.
The other way can be that same email account to conduct W-2
phishing in which they request W-2 information for all employees so that they
can file fake tax returns on their behalf or post that data on
the dark web.
4. VISHING
Vishing is a type of fraud over a phone call. An
attacker can target by setting up VoIP (Voice over Internet Protocol) server to
copy various entities in order to steal sensitive data- for example people may
get a call, that there ATM or Debit card has been stopped working, and ask for
details of ATM card.
While Bank never calls that ATM has stopped
working, people have to approach banks. It can be similarly connected to the Id’s
issued by the governments, and other financial institutions.
- As noted by Comparitech, an attacker can perpetrate
this type of attack by setting up a Voice over Internet Protocol (VoIP) server
to mimic various entities in order to steal sensitive data and/or funds.
- In
September 2019, for instance, Infosecurity Magazine reported that
digital attackers launched a vishing campaign to try to steal the passwords of
UK MPs and parliamentary staffers.
- Not long
thereafter, The Next Web covered an
attack where vishers masqueraded as the boss of a German parent company to scam
a UK subsidiary firm out of $243,000.
5. SMISHING
The similar method of steal
continues but in form of SMS and texts, therefore it is called as Smishing,
which is also a type of Phishing. In SMS, there can be some links which can ask
for personal information threatening users that their ID’s can be blocked or ATM
will stop working, or account will stop working.
Neither company sends this kind of
messages. However, general public is being targetting of smishing.
-
Back in February
2019, for instance, Nokia warned its users to be on the lookout for a smishing
campaign in which digital attackers posed as the Finnish multinational
telecommunications and sent out text messages informing users that they had won
a car or money. The bad actors then asked recipients to send over money as a
registration payment for their new car, reported Bleeping Computer.
The woman had cancer, and the scammers claimed that
she could receive a federal grant to assist her in paying for treatment. She
just needed to submit a down payment and pay taxes on the grant first, the
fraudsters told her.
That is why medical companies should abstain from
data leaking, there are people everywhere who are intending to make a fool of
people.
6. PHARMING
This is the method, where victims are not approached
directly. They infect divert people on
fake sites.
Pharming is a cyberattack intended to redirect
a website's traffic to another, fake site
Usually, pharming
is applied to online banking or other payment systems through which money
transactions are performed.
It is rather
difficult to be secured from pharming as the site substitution process goes
unnoticed.
Pharming software
can work both from the browser cache and directly as a virus on your PC.
Thus, to protect
yourself from pharming, you need not only to learn to recognize phishing
emails, but also be careful when installing the software.
It is necessary to be extremely cautious when
reading emails, and when downloading any software from the Internet.
How to prevent phishing
attacks?
1. users should inspect all URLs carefully to see if
they redirect to an unknown and/or suspicious website.
2. They should also look out for generic salutations,
grammar mistakes and spelling errors scattered throughout the email.
3. Organizations should also consider injecting
multi-factor authentication (MFA) channels into their financial authorization
processes so that no one can authorize payments via email alone.
4. To protect against vishing attacks, users should
avoid answering calls from unknown phone numbers, never give out personal
information over the phone and use a caller ID app.
5. Users can help defend against smishing attacks by
researching unknown phone numbers thoroughly and by calling the company named
in the messages if they have any doubts.
6. To protect against pharming attacks, organizations
should encourage employees to enter in login credentials only on
HTTPS-protected sites.
7. Companies should also implement anti-virus software
on all corporate devices and implement virus database updates on a regular
basis. Finally, they should make sure to stay on top of security upgrades
issued by a trusted Internet Service Provider (ISP).
8. Files attached to an unknown message that have
.exe, .msi, .bat, .pif, .com, .vbs, .reg, and .zip extensions can install
malicious software, there is no point to open them.
Other Types of
Attacks over internet-
The
Ransomware
The new kind of
crime where the computer of the individual is hacked and to access own computer
the user has to pay the ransom and these types of viruses are called
Ransomware. WannaCry has been on the hit list for troubling users.
India was one of
the worst-hit countries by the WannaCry Ransomware -malware
affecting sectors such as banking, finance and manufacturing last year.
The main Dilemma-
Don’t know who attacks!
Attacks are often
anonymous and difficult to attribute to specific actors, state
or non-state. Advanced Precision Threats (APTs) carried out by
anonymous hackers are often silent and go unnoticed for long periods.
Where does India
Stand?
The government is
stepping up authority around cybersecurity to check the rising menace
of financial frauds.
Global
Conference on Cyberspace was conducted in India for the
first time with a view to establishing internationally agreed ‘rules of the
road’ for behaviour in cyberspace and create a more focused and inclusive
dialogue between all stakeholders on how to implement them.
To combat the cyber
threat, the government is coming up with more cybersecurity labs.
1. Digital Investigation Training and Analysis Centre (DITAC)
The government has
earlier launched the Digital Investigation Training and Analysis Centre
(DITAC) to tackle these crimes.
DITACs will monitor
and police cyber-crimes committed through different platforms such as mobile,
email, computer and social media platforms like Twitter and Facebook.
2. National
Cyber Coordination Centre
Apart from DITACs,
the government also established the National Cyber Coordination Centre,
an operational cybersecurity and e-surveillance agency in India.
NCC, set up in 2015
as a part of the National Security Council Secretariat, should be strengthened
to bring about a much-needed synergy among various
institutions and to work out a coordinated approach to cybersecurity,
including cyber deterrence.
Has the plan worked?
India emerged as
the third most vulnerable country in terms of risk of cyber threats, such as
malware, spam and Ransomware, in 2017, moving up one place over the previous
year, according to a report by Symantec.
As per the report,
India continues to be the second most impacted by spam and bots,
third most impacted by network attacks, and fourth most impacted by Ransomware.
India faces the
highest number of Cyber Security Threats
India faces the
highest number of cyber security threats in the Asia-Pacific region with over
500,000 alerts daily, according to cybersecurity report, Cisco 2018
Asia-Pacific Security Capabilities Benchmark.
Union ministries
and elite security agencies, apart from government bodies, have been victims of
a wide range of cyber-attacks, from website defacement to Ransomware.
The Indian Computer
Emergency Response Team (CERT-In), the governmental nodal agency for dealing
with and handling of cybersecurity threats, had less than 1% of the reported
number of incidents come from security researchers.
With the growing
adoption of the Internet and smart-phones, India has emerged as one of the
favourite countries among cybercriminals. There is a growing threat from online radicalization. Lack of coordination among different government agencies may
increase the risk of cyber-attacks. India is not a signatory to the
Budapest convention which is the only multilateral convention on cybersecurity.
A team of Ethical
hackers
Need for efficient
information security systems: - With more and more companies entering the e-commerce ecosystem and
adopting new technologies like cloud computing, the threat from imminent
security breaches is clearly demanding the need for efficient information
security systems.
Cybercrimes are
becoming more common and attackers more sophisticated with rouge nation-states
and terrorist organisation funding criminals to breach security networks either
to extort hefty ransoms or compromise national security features.
Trained Manpower The rising threat from cyber-attacks has exposed the severe
shortage of talent in this sector. As per 2015 figures reported by
Nasscom, India needed more than 77,000 white hat hackers as against only a mere
15,000 certified professional ethical hackers in that year.
Who Are Ethical
Hackers?
These professionals
employ methods similar to that used by malicious hackers, but they are required
to be a step or two ahead of their vicious counterparts. Ethical or white hat hackers may be employed by the government,
banks, or private firms to prevent cybercrime.
They hack the
system with the permission from the client and present a maturity scorecard for
the network that highlights their overall risk. Ethical hacking firms with specially trained professionals come to
the rescue of businesses while ensuring the effectiveness of service and
confidentiality.
Businesses are faced with the challenge of dealing with complex
security requirements that need to be updated as per changing hacking tactics,
handling hidden vulnerabilities and evolving technologies.
While many new
businesses are better prepared in the case of cyber-attacks, traditional
businesses still lack the proactive understanding of the need for ethical
hacking. For example, in India, banks having faced the brunt many-a-times are
hiring professional help to secure their networks. Hotels and other service wings of the industry seem to be lagging
behind.
Using the guide above, organizations/governments
and individuals will be able to more quickly spot some of the most common types
of phishing attacks. Even so, that doesn’t mean they will be able to spot each
and every phish. Phishing is constantly evolving to adopt new forms and techniques.
With that in mind, it’s imperative that
organizations conduct security awareness training on an ongoing basis so that
their employees and executives can stay on top of phishing’s evolution.
Much More to be
done
Coordination among
CERTs of different countries is going to be helpful. Nations must take responsibility to ensure that the digital space
does not become a playground for the dark forces of terrorism and
radicalization.
No comments:
Post a Comment