
Featured

This Thanksgiving I'm Thankful for Government Regulation

Now, don't let the title fool you: I am a firm believer that government is a corrupt money suck. But occasionally the blind squirrel that is government finds a nut. The nut in this case is privacy regulation. You have probably heard acronyms like CCPA and GDPR but might not be too familiar with what they are. The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are both milestones in the struggle for consumers' rights. When you cut through the endless pages of nuance and typical government babble, it breaks down into rights. The CCPA outlines the right to know, the right to delete, the right to opt out, and the right to non-discrimination. The right to know is what it sounds like: it gives consumers the right to know what information a business collects and how it is used or shared. The right to delete means that consumers have the right to request that data pertaining to them be deleted. This one has some exceptions. Some data is required to be kept in accordance...

The Anatomy of a Phish Part 1

By now, almost everyone knows what phishing is. You get an email from “Facebook” urging you to reset your password, with a convenient link included. You follow the semi-convincing link, put in your password, and that’s all she wrote. There is much more to it than that, but let’s start at the beginning. Whether the target is a sweet old granny’s Facebook account or a CEO’s bank account, the first step in the attack is reconnaissance.

Thanks to the ever-advancing Information Age, the reconnaissance phase is incredibly easy. Attackers start by gathering information about the target. One way they do this is with software built to crawl the web for anything tied to a particular domain. Tools like theHarvester query search engines and LinkedIn and report every email address they find for the domain you give them. Another way to get a list of targets is from a data breach. Data breaches don’t always contain passwords or credit card numbers; sometimes they are simply a list of the platform’s users’ email addresses. If you are curious whether your email address has been exposed in a breach, you can run it through https://haveibeenpwned.com/ to find out.

Once the attacker has a list of targets, or a specific target, they craft their phish. For a generic phish, the attacker might take the addresses from the Zynga breach and write an email prompting those users to reset their password for that system. Targeted phishing is called spear phishing: the goal there is to target, or impersonate, a specific individual. An example would be someone posing as a vendor and emailing a member of the accounting department to request a change of payment information. In my next post, I will go deeper into the technical side of how it works.
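To make the reconnaissance step concrete, here is a small harvester in the same spirit as theHarvester. This is an added example, not the blog’s or theHarvester’s own code: instead of querying search engines or LinkedIn over the network, it scans a few constructed page snippets (stand-ins for fetched search results), undoes common “name [at] example [dot] com” obfuscation, keeps only addresses at the target domain or its subdomains, and returns a de-duplicated target list. The domain example.com and every address in the sample text are constructed for the example.

```python
"""Minimal email harvester illustrating the phishing reconnaissance phase.

Added example, not code from the blog or from theHarvester. It works over
constructed page snippets so it runs offline; a real tool would fetch
search-engine and LinkedIn result pages over HTTP and feed them in here.
"""
import re

# Constructed stand-ins for fetched search-result pages (not real data).
SAMPLE_PAGES = [
    "Contact our sales team: Sales@Example.com or jane.doe@example.com",
    "Jane Doe - Accounts Payable at Example Corp. jane.doe [at] example [dot] com",
    "Press inquiries: press(at)example(dot)com. Unrelated: admin@other-company.net",
    "Engineering lead: bob@dev.example.com; careers: jobs@example.com.",
    "Not a match: someone@example.com.evil.test and notexample.com@gmail.com",
]

# People obfuscate addresses to dodge naive scrapers; attackers normalise
# these spellings before matching. Brackets can be [], (), {} or <>.
_AT_RE = re.compile(r"\s*[\[\(\{<]\s*at\s*[\]\)\}>]\s*", re.IGNORECASE)
_DOT_RE = re.compile(r"\s*[\[\(\{<]\s*dot\s*[\]\)\}>]\s*", re.IGNORECASE)

# Local part, '@', then a host with at least one dot and an alphabetic TLD.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def deobfuscate(text: str) -> str:
    """Turn 'user [at] host [dot] tld' spellings back into user@host.tld."""
    text = _AT_RE.sub("@", text)
    return _DOT_RE.sub(".", text)


def in_scope(address: str, domain: str) -> bool:
    """True if the address is at `domain` itself or one of its subdomains.

    A suffix check on the host (not a substring check on the whole address)
    keeps look-alikes such as user@example.com.evil.test out of the list.
    """
    host = address.rsplit("@", 1)[1].lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def harvest(pages, domain: str):
    """Return a sorted, de-duplicated list of in-scope addresses found in `pages`."""
    domain = domain.lower()
    found = set()
    for page in pages:
        for match in _EMAIL_RE.findall(deobfuscate(page)):
            addr = match.lower()  # Sales@Example.com and sales@example.com are one target
            if in_scope(addr, domain):
                found.add(addr)
    return sorted(found)


if __name__ == "__main__":
    # Run against the constructed pages to see what an attacker would collect
    # about example.com; running this over your own search results shows what
    # your organisation exposes.
    for address in harvest(SAMPLE_PAGES, "example.com"):
        print(address)
```

The defensive use is the same as the offensive one: run this (or theHarvester itself) against your own domain and you have the list of people most likely to receive the first phish, which is a good place to start awareness training and mail filtering.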
