Reset

Hikvision Senior Director of Cybersecurity: Identifying Phishing Attacks, Three Advanced Phishing Tactics Explained

May 21, 2020

Hikvision HikWire blog article Chuck Davis cybersecurity Three Advanced Phishing Tactics

In recent blogs, Hikvision senior director of cybersecurity Chuck Davis discussed phishing hacks and malware related to the coronavirus, and tips to avoid them. In this blog, Hikvision’s Davis covers an overview of phishing attacks, what they are, how to identify them and avoid becoming a victim of them.

Phishing takes many forms and those forms evolve daily. It’s true, some phishing attacks are so good they can even dupe seasoned cybersecurity experts. On the contrary, common phishing attacks are easy to detect. And, the more you understand about phishing tactics, the better you get at recognizing when you need to be suspicious and take extra caution. Keep reading to learn more.

What Is Phishing?
Phishing is the attacker’s dependable, longtime friend. Around since at least 1995, phishing is used to trick people into providing credit card information, login IDs and passwords, and to gain access to your computer, protected systems and/or networks.

Phishing is the malicious use of social engineering to obtain sensitive information or access from an unsuspecting victim. This usually comes in the form of email, social media links, or other digital means that an attacker can use to trick a victim.

The United States Computer Emergency Readiness Team (US-CERT) defines phishing as follows:

Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing email is usually crafted to appear as if they have been sent from a legitimate organization or someone known to the recipient. They often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information such as account usernames and passwords that can further expose the victim to future compromises. Additionally, these fraudulent websites may contain malicious code. (http://www.us-cert.gov/nav/report_phishing.html)

History of Phishing
The practice of phishing, “originated sometime around the year 1995, these types of scams were not commonly known by everyday people until nearly ten years later” according to phishing.org. The practice has become one of the main methods of attack and is increasing at a rapid pace.

Understanding the history of phishing can help you avoid falling prey to this type of scam. To learn more about the history of phishing, read this post on phishing.org.

Basic Phishing
Phishing attacks come in all shapes and sizes. Most of the basic phishing email have easy to spot characteristics, if you’re looking for them. The following example is from 2012. Even though it’s old, I think this email would still trick many recipients.

You can see in the following image, that the email appears to come from “Customer Central” and sent from an e-mail address using the domain name, “comcast.com.”

Gmail does not do us any favors by masking the full destination email address. You can see in the image below that it appears to be sent to “pllpt.” This is greyed out and in small text so it’s easy to overlook, but the fact that the recipient’s real email address is not in the “To:” field is our first clue that this may be a phish attack.

Hikvision HikWire blog article Chuck Davis cybersecurity May 21 Phishing

The email indicates that the customer’s credit card information on file is declining the payment and the email requests that the recipient update his or her credit card information by clicking on the link.

A quick or casual review of this link may seem safe. The URL begins with http://account.comcast.com. But look at the rest of the URL: http://account.comcast.com.5he.biz/

Remember that the last two sections before the forward slash (/) indicate the domain name of the destination. In this case, the domain name is 5he.biz and account.comcast.com are all subdomains of 5he.biz.

Interestingly, the author of this phishing email did not try to mask the actual link, which is easy to do and might be a little more effective in tricking someone to click on the link.

After clicking the link, you can see below that the URL has changed to yet another domain name. This time it begins with “login.comcast.net” but again, notice the trailing forward slash does not come until much later in the URL, which means that the domain name for this page is actually o7b.name.

The next, very interesting thing to note here is that the rogue site looks exactly like the actual Comcast xfinity authentication page. Below, compare the screenshots of the rogue site and the actual Comcast xfinity page. They are nearly identical!

The rogue site:

Hikvision HikWire blog article Chuck Davis cybersecurity May 21 Phishing 2

The real site:

Hikvision HikWire blog article Chuck Davis cybersecurity May 21 Phishing 3

Three Advanced Phishing Tactics Explained
Many of you reading this have received phishing email and you likely know some tricks to identify a basic phish. In this section, you may learn some new tactics that attackers are using to trick us.

Tactic No. 1: URL Masking
This tactic is actually quite basic but it is the cornerstone of more advanced tactics. One of the main tips in finding a phishing email is to hover over links to see where they go before you click. That is a great tip, but there are phishing tricks that attackers use to mask a URL. Here are some examples of how easy it is to mask a URL. If you hover over the link below, you’ll notice that it does not link to yahoo.com, but rather, google.com.

https://www.yahoo.com/

Tactic No. 2: Advanced URL Masking
Hovering over is a good way to scrutinize a URL but it’s not 100 percent accurate. There are ways to “click-jack" URLs that will show one link when you hover over it but send the user to another link when you click.

One method of executing this is to write JavaScript that shows one domain when you hover over the link, and sends you to a different page when you actually click!  Hover over the following example. You’ll see that the link points to https:www.google.com. Now click on that link and see which page opens up.

Here is a link to Google

Tactic No. 3: Unicode Domains
Another tactic is to use character sets that look similar to English/Latin characters, but are not. In this example, apple.com was registered using Cyrillic characters instead of English/Latin characters.

https://apple.com/ - This is the REAL Apple URL with English/Latin characters.

https://аррӏе.com/ - This is a fake site using Cyrillic characters.

When you click on the second link in Firefox and some other browsers, the URL shows the Cyrillic characters. The good news is that most modern browsers now show the Punycode URL.

Hikvision HikWire blog article Chuck Davis cybersecurity May 21 Phishing 4

A security researcher registered the above domain. You can read his blog post here to learn more about this type of attack.

Read more about preventing phishing and other hacks Hikvision’s cybersecurity blog link.

IMPORTANT! This model requires non-standard firmware. Do Not Install standard firmware (e.g. v.4.1.xx) on this model. Doing so will permanently damage your system. You must use custom firmware v.4.1.25 from the iDS-9632NXI-I8/16S product page.

By downloading and using software and other materials available via this website, you agree to be legally bound by HIKVISION General Terms of Use . If you don’t agree to these terms, you may not download or use any of those materials.

If you are agreeing on behalf of your company, you represent and warrant that you have legal authority to bind your company to the General Terms of Use above. Also you represent and warrant that you are of the legal age of majority in the jurisdiction in which you reside (at least 18 years of age in many countries).