Phishing
Phishing is a social engineering attack in which criminals try to lure the victim into unknowingly giving away their credentials or visiting a malicious website that downloads malware onto the system. While phishing in the strict sense is done via email, there are many variants that exploit different vectors. For simplicity they are usually all called phishing, but as we will see below the details matter, since different attacks require different defenses. It is by far the most popular cyber attack: easy to perform, since it requires little IT background, yet one of the most dangerous and effective, claiming thousands of victims every day. Why? Because it exploits the biggest vulnerability of all, the human factor.
Spear Phishing
Unlike generic phishing, which tries to reach as many people as possible and relies on statistics rather than effort to be effective, spear phishing targets a particular victim. The attacker uses OSINT techniques to collect as much intelligence as possible about the victim and makes the attempt as tailored and convincing as possible, while the goal stays the same: getting the target to click the link and hand over their credentials.
Whaling
A type of spear phishing aimed at high-profile individuals within an organization, often managers, executives and the CEO. Whaling goes straight for the main target, skipping the escalation from easier low-profile victims.
Vishing
Voice phishing: the attacker uses voice communication technologies to trick victims into revealing sensitive information or credentials, or into performing actions that compromise their own security and the company's. During the attack the criminal uses various tactics, such as impersonation, to create a sense of urgency or fear, playing mind games and psychological tricks so the target is more likely to comply with the requests.
Smishing
SMS phishing: the attacker sends SMS messages containing malicious links, or directly asks for the credentials in a manipulative way, tricking the victim into thinking the SMS comes from the legitimate website. Basically phishing via SMS instead of email.
Pharming
Involves manipulating a system's DNS settings or using spoofing techniques to redirect victims to a fraudulent website without their having to click a malicious link. It can exploit vulnerabilities in DNS infrastructure, compromising multiple victims or a whole network. When victims navigate to a legitimate website's domain, they are redirected to a fake version that steals their credentials. It is very effective because the victim has no reason to be suspicious: they did not click any link and are using the system the same as always.
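As an added defender-side example (not part of the original page), the following check looks for the simplest form of the local DNS manipulation described above: entries in the system hosts file that pin a domain users log into to an address outside the ranges the organisation expects. The watched domains, address ranges and sample hosts file are constructed assumptions.

```python
"""Detect hosts-file pharming: local overrides that send well-known
domains to an address outside the ranges the organisation expects."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: domains users authenticate to, with the address
# ranges their legitimate servers live in (RFC 5737 documentation space).
EXPECTED_RANGES: Dict[str, List[str]] = {
    "login.example-bank.com": ["203.0.113.0/24"],
    "mail.example.com": ["198.51.100.0/24"],
}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs from hosts-file text; comments and blank lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not an address: ignore it
        for name in names:
            pairs.append((name.lower().rstrip("."), ip))
    return pairs

def find_pharming_overrides(hosts_text: str, expected=EXPECTED_RANGES) -> List[Tuple[str, str]]:
    """Return (domain, ip) entries that pin a watched domain to an unexpected address."""
    findings = []
    for name, ip in parse_hosts(hosts_text):
        if name not in expected:
            continue
        addr = ipaddress.ip_address(ip)
        allowed = any(addr in ipaddress.ip_network(net) for net in expected[name])
        if not allowed:
            findings.append((name, ip))
    return findings

# Constructed sample hosts file: one legitimate pin, one attacker-added override.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
203.0.113.10  login.example-bank.com   # matches the expected range
192.0.2.77    mail.example.com         # outside the expected range
"""

if __name__ == "__main__":
    for name, ip in find_pharming_overrides(SAMPLE_HOSTS):
        print(f"ALERT: {name} resolves locally to {ip}, outside the expected ranges")
```

The same comparison can be run against answers from the configured resolver to catch redirection done at the DNS server rather than on the endpoint.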
Watering Hole Attack
Derived from the analogy of predators waiting near watering holes to attack their prey, this is an attack in which the actors compromise a website that they know the victim will visit. When the victims visit the website as usual, they are covertly infected with a malicious payload. Although it is not phishing in the classic sense of tricking the victim into clicking a malicious link, it is even more insidious, since it relies on the victim clicking a link that has not been manipulated at all; instead the whole website becomes a collateral victim.
Business Email Compromise (BEC)
BEC starts from an already compromised company email account, so the actors are already on the inside and can easily impersonate the account's user to escalate their way into high-profile accounts or steal data directly.