What is Phishing, Vishing and SMShing

Nathan House
A free video tutorial from Nathan House
Leading Cyber Security Expert
4.6 instructor rating • 7 courses • 244,382 students

Learn more from the full course

The Complete Cyber Security Course : Hackers Exposed!

Volume 1 : Become a Cyber Security Specialist, Learn How to Stop Hackers, Prevent Hacking, Learn IT Security & INFOSEC

12:04:36 of on-demand video • Updated August 2020

  • An advanced practical skillset in defeating all online threats - advanced hackers, trackers, malware and all Internet nastiness including mitigating government spying and mass surveillance.
  • Start a career in cyber security. Become a cyber security specialist.
  • The very latest up-to-date information and methods.
  • We cover operating system security, privacy, and patching - On Windows 7, Windows 8, Windows 10, MacOS and Linux.
  • Explore the threat landscape - Darknets, dark markets, zero day vulnerabilities, exploit kits, malware, phishing and much more.
  • You will master encryption in an easy to follow crash course.
  • Go in-depth into security through physical and virtual isolation and compartmentalization. Covering sandboxes, application isolation, virtual machines, Whonix and Qubes OS.
  • You will learn about nation state secret tracking and hacking infrastructure.
  • A certificate of completion is available signed by the instructor Nathan House so CPE credits can be claimed. An off-site sign-up is required to provide your details for this optional certificate.
English [Auto] Fishing as a type of attack that typically attempts to trick the victim into clicking on a link or executing malware in some way it can be an attempt to compromise a device to steal sensitive information passwords usernames pins credit card numbers as well as try to gain access to online accounts pretty much all of the things you don't want to happen can happen through phishing attacks and phishing is one of the most successful and common types of attacks because it is easy to perform cheat to set up and it yields good returns for the attackers. So you really have to watch for it and working for big corporations even with repeated security trained to wind people up no matter what. The company I've consulted to about 30 percent or so of people continue to be fooled and click on things that they shouldn't. And funnily enough some countries are worse clickers and some are better clickers on a consistent basis. But no matter what people just seem to not be able to be trained out of not clicking on the things that they shouldn't click on. Phishing is typically carried out by sending fake e-mails or instant messages as well that direct the victim to a fake site that often resembles the legitimate site. It is a form of social engineering. Or in other words it's an attack against human weaknesses and it relies also on the lack of defenses that web technologies inherently have in order to do the attack. So for example e-mail does not authenticate or digitally sign the sender. So there's no guarantee of who it's come from if there was then this problem would be reduced because e-mails can be easily spoofed or they've come from a legitimate source. Phishing attacks take advantage of that trust that you believe it's come from that person or at least it can do. Generally phishing attacks are done on mass. They send out thousands or millions of e-mails and those e-mail addresses have been harvested from the internet or sometimes they've been harvested through hacking Web sites sometimes from the fact that people publicly disclose them on forums or other things like that. And even from guessing at what the address is. So if you for example had you know John at a domain name and don't John Hotmail or something or this would be an usable account because of the amount of spam and phishing emails that it would get because spammers target common names in combination with domain names you do also get mass e-mail attacks on certain businesses as well. But if it is a specific and targeted attack we call that spearfishing if you're targeted individually. Let's look at some techniques used to perform phishing attacks in order to try and convince people to click on them. So the big war that they use is what's called Link manipulation. This is a simple phishing e-mail that you can see here in front of you that put together. I've sent it to a ghost mail account to illustrate the technique that used the ghost mail service is no longer available actually but that's not important as it's serving here as an example only the examples our show can apply at all email services here I'm faking links to Google and to Microsoft. So if we just zoom in here so the first thing that they use is subdomains and misspelt the mains. And if you look at these three examples here so you can see here that this is the real domain. And this is the domain it's trying to convince you that it's actually from a slightly different technique being used here. So that is obviously the real domain and then this is used in some directories. In order to look like Google this one's using a subdomain. This one's use in subdirectories. And this one Microsoft can you notice what's wrong with that one. You probably can because we're zoomed in which is here you've got an all in and instead of an M let's have a look at some other examples. So these are live fishing links. That's all right now attempting to convince people to click on them so you can see here this is. This is actually an Australian bank and it's attempting to convince people that you know this is the domain when in actual fact we can see here that this is the real domain. Let's see if there's any other clever ones or. Well I'm not really that clever. But let's see if we can find any other examples. So you can see here here's another Pay-Pal the code. OK. So the real domain real of mine is this. So it may be tricky to understand as I've gone through this with which are the real domains. Depending on on your experience so the real domain is the one that is to the left of the high level domain that's the high level domain and has no sloshed to the left of it. High level domains are you know things like dot com dot net org. But in my example here that isn't the Gitmo because it has a slash to the left of it which means it is a directory real domain is the one to the left of the high level domain. And has no slash to the left so that has a slash to the left so it must be this in the next sort of technique of link manipulation is what's called the N home a graphic attack idea and it's the internationalized domain name standard. They can see a couple of obvious ones but again they're not always obvious. You can see here we've got some zeros instead of O's. We've gone L instead of a one. But let me tell you if the font is different these can be almost impossible to see the difference. Obviously this can be used in combination with subdomains and misspelling in order to create further confusion. And another one is hidden you Charles. So using Hastey IMAO tags to hide the real you RL So you can see hey we've got click here so you don't know what's behind it but if you look down there at the bottom you can see that it's going to Google dot com dot Station X dot net and this one we can see is actually going to Google dot com dot Station X dot net so not at all going to where alleges to go to click. You see don't go to Google at all. Obviously I could this could have been you know an attack site. So the way these were these hidden your rails is essentially it's just hatched him out. It's really really not complicated at all. And so you can see here these this is the rule haste here now here and that has created these links. I sent an e-mail. E-mail is a made up of hasty mail nowadays anyway. This is text in and hasty email and the email client rende the hasty e-mail just like browsers render hastier mail. So you can see here what I have is I've represented Google dot com as what you can see in the e-mail. But actually the real link is here. And of course if we you know use all of these in combination you know this is why people click on the links because they can be fooled. It's it's easy to see why people get fooled. I mean there's all sorts of nonsense in here that you're a lay person is just not going to understand them they are going to click on them and go back to the e-mail. If we hover over the mail we can right click and copy link location. Depending on your browser that may reveal the correct you R-AL but not always. Javascript could hide the link pending on your email client and also as I showed here you can hover over and you can see in the bottom left the real domain that isn't always going to be the case either. Depending on your email client and javascript that may also be faked as well. So it is pretty tricky. You can look at the hastier mail like here. So my email client will like to see the law hastier e-mail and then you can go through and see what's there. But some won't. I mean this goes for mail for example does not let me look at the wrong e-mail. So I have to hover over it to see where it is going to take me to. Good providers and this can be both a good and a bad thing will notice these types of things and will change them. So Thunderbird for example and these wouldn't come through like this and it would change them so that you can actually see where it's going to. But that defense mechanism could be bypassed as well. So you know it's not foolproof but go smell and this example was able to receive these and make them look like this without me going too much effort to try to bypass any phishing protection that it has. All the new RL manipulation is also covert. You are redirects that use lunar abilities such as cross-site scripting and cross-site request forgery. Now they can be using in combination with manipulation. So it is possible that you might get sent a link to a real site. And the real site is being manipulated to attack you in some way so that attacker can or possibly has found a flaw in the real site and is using a technique like open redirect or as I've just mentioned the cross-site scripting and the cross-site requests forgery vulnerabilities in order to attack you. So this has happened to pay. How many are there. So let me give you an example because this you know obviously won't be clear of a reflected cross-site scripting ability that could be used in a fishing attack. So I imagine you've been you know sent a link via whatever means. Now this was actually a cross-site scripting venerability F.A. for an application so I'm just using as an example so this is an example of the you are real. You then click on this you are el. This takes you to the Web site and then because I've inserted into that you are well a special script. When you enter your username and password I'm able to steal your username password. Now if you look here this is the crucial bit of code. So I've inserted my own little bit of code here. This is the reflected cross-site scripting vulnerability. That site should not let me put in my own scripts into Rails and process it because what that means is that I am then able to act as that Web site under the security context of that Web site. Which means I then have access to your cookies. And of course I can manipulate the web page so that you know that it's not the right log in screen and it's actually a fake log in screen that I've presented. And that's actually what I did with this particular vulnerability to demonstrate it to the people that own the application so they could fix it. So that was the actual You Arel vulnerability. And if you look here there inserting in a special what's called an eye frame in order to put up a fake log in screen and able to take the usernames and passwords. So that gives you an example where if there's vulnerabilities in the Web site these cross-site scripting vulnerabilities these open redirects then the phishing attacks can be even worse. And to finish upon phishing is a couple of variants of phishing and that is visioning and smashing. So wishing is phone or voice phishing and smooshing is SS phishing or sending text messages. So this is attempting to call or text you in an attempt to compromise your device in the same way as you do with phishing you know so steal sensitive information passwords usernames credit cards you know all the bad stuff. There are many examples. A common one being pretending to be from Microsoft telling you that you have a virus on your machine. Can they help please download and install this totally legitimate software which is then you know a trojan or something like that. Again my mother has had a couple of these calls from guys from India pretending to be from Microsoft. These calls do work on and off people. That's why they continue to do them. And actually if you look on YouTube you can actually see a lot of people pranking these people when they're being called by them. So those are quite funny to watch. So vision is phone based Condes smashing is text based Cohn's and that's phishing.