Phishing, Spear Phishing, Whaling and Sri Lanka

Social engineers, or "human hackers," have been deceiving people since the early days of cyber security. There are various types of attackers seeking different information, but when it comes to attacks aimed at specific users, most criminals are trying to trick the victim into giving up sensitive information such as usernames, passwords, or bank details.

In every information system, the weakest link is generally the human element, on which the security of the whole system depends. These attacks are therefore more critical than other techniques, which we can normally address through technology. In FINCSIRT's experience, the Sri Lankan finance sector faces a serious threat from social engineering attacks such as phishing.

When a person receives a message from a friend containing a link or an attachment, they do not think twice before clicking the link or downloading the file, and criminals take advantage of that trust. If a criminal manages to obtain one person's email password, they gain access to that person's other accounts as well, because most people reuse one password across all of their accounts.

While plenty of these emails (phishing) land in our inboxes, recent FINCSIRT incident lists show increasingly targeted phishing attacks (spear phishing), as well as several cases where high-value targets (C-level management) were attacked using accurate information (whaling). Some of these are serious cases in which legitimate information was used throughout the email conversation to deceive the user.

In this kind of attack, a phisher typically sends an email that appears to come from a legitimate source, mainly from within the organization, such as a co-worker. The attacker may claim that there is an immediate problem that requires the victim to reply right away with some sensitive information. These messages may contain legitimate names (even in Sinhala) and legitimate information such as previously sent genuine emails (obtained by the attacker via a compromised email account), and sometimes they are sent from a legitimate email account that has itself been compromised. These attacks are extremely hard to identify and require a change in users' behaviour and attitude towards security.

Don’t be a victim

  1. Slow down. Think first. Attackers want the victim to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical; never let their urgency influence your careful review.
  2. Delete any request for financial information or passwords, including any message that asks you to reply with personal information.
  3. Don't let a link control where you land. Stay in control by finding the website yourself using a trusted search engine, so you can be sure you land where you intended.
  4. Beware of any download. Unless you know the sender personally AND are expecting a file from them, downloading anything is a mistake.
  5. Set your spam filters to high. Every email program has spam filters.
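Several of the warning signs above (a colleague's name on an outside address, replies routed elsewhere, urgency, requests for passwords or transfers, a link whose visible text disagrees with where it actually goes, an unexpected attachment) can be checked automatically at the mail gateway before a message ever reaches the user. The script below is an added example written for this page; it is not code from FINCSIRT or from the original article. It assumes a fictional organization domain (`example-bank.lk`) and two staff display names, and runs those heuristics over two constructed sample messages using only the Python standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: the organization's own mail domain and the display
# names its staff use. A real deployment would load both from a directory.
INTERNAL_DOMAIN = "example-bank.lk"
STAFF_DISPLAY_NAMES = {"nimal perera", "finance department"}
URGENCY_WORDS = ("urgent", "immediately", "right away", "asap")
SENSITIVE_WORDS = ("password", "account number", "pin", "wire transfer")
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class _LinkCollector(HTMLParser):
    # Collects (visible text, href) pairs from <a> tags in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _mentions(text: str, phrases) -> bool:
    # Whole-word match so "pin" does not fire on "shipping".
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)

def triage(raw: str) -> list[str]:
    """Run the heuristics over one raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)

    # A colleague's name on an address outside the organization.
    if from_name.strip().lower() in STAFF_DISPLAY_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append(f"display-name spoofing: '{from_name}' <{from_addr}>")
    # Replies quietly routed to a different domain than the apparent sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: {from_addr} -> {reply_addr}")

    plain, html, has_attachment = [], [], False
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif ctype in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(errors="replace")
            (plain if ctype == "text/plain" else html).append(body)
    html = "\n".join(html)
    text = "\n".join([msg.get("Subject", ""), *plain, re.sub(r"<[^>]+>", " ", html)]).lower()

    # Pressure to act now, and requests for credentials or money movement.
    if _mentions(text, URGENCY_WORDS):
        findings.append("urgency language")
    if _mentions(text, SENSITIVE_WORDS):
        findings.append("requests sensitive information")
    # Visible link text shows one host while the href leads to another.
    collector = _LinkCollector()
    collector.feed(html)
    for shown, href in collector.links:
        if not LOOKS_LIKE_URL.fullmatch(shown):
            continue  # link text like "click here" cannot be compared to a host
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host.lower() != real_host.lower():
            findings.append(f"link mismatch: shows {shown_host}, goes to {real_host}")
    # An attachment arriving from outside the organization.
    if has_attachment and from_dom != INTERNAL_DOMAIN:
        findings.append("attachment from external sender")
    return findings

# Constructed sample messages for this example; not real traffic.
SUSPICIOUS = """\
From: Nimal Perera <nimal.perera@example-bank-support.com>
Reply-To: accounts@mail-relay.example.net
Subject: URGENT: confirm your password and approve the wire transfer immediately
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<a href="http://login.example.net/verify">https://portal.example-bank.lk</a>
--b1
Content-Disposition: attachment; filename="invoice.pdf"

JVBERi0x
--b1--
"""
BENIGN = """\
From: Nimal Perera <nimal.perera@example-bank.lk>
Subject: Minutes from Monday's meeting
Content-Type: text/plain

The minutes are in the shared folder. No action needed this week.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(raw))
```

The heuristics are deliberately simple and each one can be tuned independently; in practice the display-name and Reply-To checks catch the spear-phishing pattern described above (a real colleague's name on an outside address) far more reliably than keyword matching, which should be treated as a supporting signal rather than a verdict.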