Phishing Without E-mail? There are More Attack Vectors to be Aware of

Even though e-mail is used as the top attack vector for phishing, do not forget to prepare your colleagues for phishing attacks through different channels, which they might be unaware of or are ignoring.

May 03, 2021

Phishing techniques involve methods that can be used to trick an employee into divulging personal or company confidential information or take insecure actions. E-mails are often used to carry out phishing attacks and hence sophisticated e-mail filters are deployed by organizations to thwart these threats. But cybercriminals are always on the lookout to get around these filters.

In this article we list a few alternative “non-e-mail phishing techniques” which are being widely used to carry out attacks.

An old fashioned phone

1. Social networking sites

Lately, using social media is as common as breathing. With so many platforms catering to so many diverse needs, it is hardly possible to not have a presence on networking platforms. This opens up an avenue for attackers to carry out phishing attacks using the platform’s services as it is not necessarily monitored by company e-mail filters.

Every employee irrespective of department and hierarchy can be a target of such an attack. Recently Google’s Threat Analysis group investigated and published their findings on how security researchers were targeted by state-sponsored attacks . The attackers even created accounts on multiple platforms such as Twitter, LinkedIn, Telegram, Discord, and Keybase to create a sense of credibility to trick the researchers. It is worth noting that when even security researchers themselves are targeted, common employees can also be misled.

An employee might get a connection request from an attacker posing as a colleague in a different department. Once credibility is established and trust is gained, the impersonator can claim to be seeking inter-departmental information or coax the target to click on malicious links/divulge personal information. Furthermore, attackers can pose as interested job candidates for an open position and send out attachments via messaging services which when downloaded might include malware and bypass e-mail filters.

Specific user groups can also be targeted using the “Targeted Advertising” service available on many social media platforms. Targeted advertising allows marketeers to narrow down their ad audience by very specific criteria sometimes leaving only a very small group of recipients. The targeted group can now be lured to very attractive fake promotions or interest groups that they deem fit. The target group believes that they found the advertised service/promotion by themselves and hence don’t feel targeted. This can then be exploited by the attackers.

2. Calling and messaging platforms

Voice phishing (also known as vishing) is a form of phishing where cybercriminals employ social engineering either via conventional phone systems or Voice over Internet Protocol (VoIP) systems to gain access to personal or financial information. The callers usually pose as fellow employees, working for the government, or (distant) family members to get potential victims to share personal and financial information or even confidential information about the company they work for.

Vishing can have far-reaching consequences as seen in the case of the Twitter Bitcoin Hack on July 15th, 2020. It was revealed that the precedence to the hack was laid the day before when the attackers “called several Twitter employees and claimed to be calling from the Help Desk in Twitter’s IT department”. They further succeeded in convincing some employees to enter their login credentials into a phishing website and were able to gain control of internal Twitter tools.

SMS phishing (also known as smishing) is a form of phishing that uses SMSes or other messaging platforms to coax people into divulging their personal information. This involves sending messages containing malicious links, which lead to spoofed websites or trigger malware to be downloaded onto the phone. Cybercriminals may also send out messages with a pretext asking to call back, to provide personal information or to gain access to banking details to commit fraud.

3. Spoofed websites

Using the above or other methods, cybercriminals can coax the target to click on URLs that might take them to spoofed websites. Website spoofing (also known as website forgery) is another phishing technique where fraudulent websites are designed to closely resemble the sites that they are mimicking including copied logos, content, login pages, and other visual features. The target might then unknowingly enter their login credentials and other information without authenticating the credibility of the website. Victims might not become suspicious if they found the link themselves vs. receiving it in an e-mail.

It might be hard for cybercriminals to just host spoofed websites and hope that someone will discover them. Thus they use e-mails, social media, other messaging platforms or even payed advertisement to spread these links. Once they have gained the trust of their target, they would then use this credibility to coax the employee to enter confidential information or login credentials into the spoofed website without double-checking it for its authenticity.

4. Unsecured Wi-Fi networks

Evil twin (also known as Bad twin) is a type of man in the middle attack that uses fake Wi-Fi hotspots to steal confidential information from users. The actual wireless network name i.e the Service Set Identifier (SSID) is cloned and the user is tricked into believing it to be the real local hotspot. Cybercriminals can set up these evil twin access points in public places or hotels which can then be used by victims to login into the company’s secure network or other platforms. Cybercriminals can now eavesdrop and monitor all (unencrypted) internet traffic to harvest personal information or login credentials.

Since public Wi-Fi Hotspots can sometimes be compromised, using a Virtual Private Network (VPN) at least makes sure that the user’s identity is safe and makes it harder to intercept and view data.

5.Physical phishing

Physical devices such as charging cables, USB devices, CDs, or any electronic hardware can be crafted by attackers and pose a threat to the systems/networks. These devices can either be used as snooping devices, deploy malware, or can even cause power surges in the USB port. Employees can receive these devices via postal delivery, discover them as lost items eg. in the parking lot or other easily accessible locations where they have been left deliberately.

Cybercriminals can also attack an organization’s work equipment (computers/servers) via unauthorized access and compromise it by installing malicious devices. They can trick employees into helping them gain unauthorized access to the company premises or follow authorized personnel into a restricted area. Attackers can also pose as external IT personnel/guests/customers/audit representatives etc. to gain access to the working area. Once inside the attacker can try to compromise employee workstations, server rooms, etc. to deploy attacks. Unattended laptops in public places are also easy targets for attackers to install malicious devices on them.

Conclusion

The list of techniques above just gives a general idea of the many possibilities how attackers can trick/manipulate employees. We recommend educating your employees on these possible attack scenarios and not only those based on e-mails. Since there are innumerable ways of phishing, creating relevant training can be a challenge.

If you want to create your own training please keep the topics above in your mind. On the other hand, if you are thinking about hiring experts to do it, or you just have a question, we are looking forward to hearing from you .

Click here to learn more about our service for web-based awareness trainings, (mStorm-AT) .