8 cyber attacks you’ve never heard of before
Sep 23, 2020
Would you agree to get electrocuted? It could be good for you. Results of a 2016 study on stress management revealed that people feel less stressed when they know for sure they're going to get electrocuted, as opposed to only knowing that they might be. It's the uncertainty that stresses us out.
This is also true in cybersecurity. Understanding what cybercriminals are capable of and how they penetrate networks can make cybersecurity efforts less stressful. That's why today we'll cover multiple attacks instead of focusing on one specific threat. Think of it as a lightning round teaching you about the most frequent but lesser-known cyberattack techniques.
Everyone gets scam emails. We don’t fall for them because they avoid details and sound out of place. Spearphishing is on the other end of the attack spectrum: it includes a custom written message mentioning details about your personal life or work. That’s what makes such attacks dangerous.
Spearphishing attacks are similar to whaling, as in both cases the target is a specific person. But victims of whaling attacks are always high-sitting members of a company, whereas spearphishing targets anyone.
Spearphishing attacks are often directed towards investigative journalists, whistleblowers, and activists. For example, the Financial Times journalist Dan McCrum received a lot of targeted attacks during his Wirecard investigation.
Smishing involves phishing attacks that use SMS messaging. In most cases, the aim of these attacks is to get money from the victim. For example, attackers may pretend to be a close friend in distress and in urgent need of money.
Scammers may also impersonate a bank representative who needs login information to check your account. That’s what recently happened in Ireland. Attackers acquired a bank’s list of customers and sent them messages, pretending to be the real institution. The message directed the bank’s clients to a phishing site, where they were asked to enter their credentials, banking information, and even PIN numbers. Around 300 fell for the scam and collectively lost 800,000 Euros. The Bank of Ireland later agreed to reimburse the customers, although it had every right not to, as customers gave away all of their information willingly. That’s why we have to be extra careful about disclosing any personal information.
Vishing is a phishing attack that uses voice calls. What separates it from emails and messages is that a call catches the victim off guard, especially if it’s in the middle of the night. Using persuasion techniques, the attacker convinces the victim to stay on the line and makes them believe whatever they hear without even confirming the identity of the caller.
Vishing attacks often target both individuals and companies. One of the most recent examples is criminals taking over 130 Twitter accounts, including those of high-profile celebrities and politicians, to spread their Bitcoin scam. The message offered to double the amount of Bitcoin sent to a specific wallet in the next 30 minutes. In that short period of time, over $300,000 in Bitcoin was sent to the criminals' account. This Twitter hack started with a vishing attack that targeted Twitter employees who had access to the internal systems of the social media platform.
Most people recognize that President Obama offering to send you Bitcoin is a clear scam. But not all attacks are so blatantly fake. In a clone phishing attack, scammers build copies of pages to make you believe that you're on the real website. As a result, many more people fall for these scams. What makes matters worse is that clone phishing can be applied to anything: apps, newsletters, text messages, sign-in forms, webpages — you name it.
Clone phishing is often used to steal users’ credentials and was recently executed against Netflix viewers. Scammers sent out phishing emails urging users to log in to their Netflix accounts. The message directed them to a fake website that looked exactly like Netflix.com, where users unknowingly gave away their login information.
As you can see, attacks often use a combination of phishing techniques.
You can spoof anything you want. You take a legitimate message or web page and make a copy of it. This may sound similar to a clone phishing attack we have just discussed, but spoofing goes way beyond that. Spoofing is not just about impersonating someone else, but about using someone else’s assets, like their email account or IP address, to increase the success rate of the attack against a specific target.
There are many types of spoofing:
- ARP spoofing — fake MAC address of a computer
- IP spoofing — fake IP address
- TCP spoofing — fake TCP Connection
- Web spoofing — fake web pages
- Email spoofing — fake email message
Let's take the last one as an example. In an email spoofing attack, attackers could get access to your email and use your account to spread malware. Your friends would see you as the sender and be less likely to suspect anything.
Pretexting is not an attack, but rather a reason why so many scams work. It’s the practice of creating a backstory for the person the scammer is impersonating. Instead of saying “I’m John from the Amazing Bank”, criminals will research and gather as many details as possible about the person they will be posing as. Pretexting could also mean that an attacker creates a whole new persona for themselves instead of posing as a real person.
Pretexting is used in many scams, especially smishing and vishing, which both require direct contact with the target. The Twitter scam we covered above is a great example of this technique, as the scammers managed to trick multiple Twitter employees simply by creating believable stories.
Search engine phishing
Search engine phishing attacks require criminals to build a website and get it ranking high in search engines. If it sounds like a lot of work, that's because it is. But in return, malicious links provided by a reputable source can be a goldmine for cybercriminals. Even Google can be tricked into ranking these harmful sites high, especially when criminals use Google's ad network.
One of such scams involves Uniswap, an exchange platform for Ethereum cryptocurrency. The real platform has a .org domain (uniswap.org), so scammers bought Uniswipe.com, Unispwipe.site, and unispawdex.org, built copies of the genuine site, and then bought Google Ads to place these sites in the top 3 positions for the 'uniswap' search query. Users who clicked on the ads gave away their private keys without suspecting a thing.
Clickjacking may be the most dangerous of the attacks we've covered. Most scams have signs you can look out for, but this one is different. By exploiting HTML iframes, criminals can change the destination of the button on the page.
Do you take the bus to work? Imagine taking the same route for months until one day your bus takes you to another city instead of work. That's what happens with clickjacking. The attackers build a malicious site and mask it with an innocent-looking frame like a Facebook page, an in-browser game, or a survey.
Staying out of harm’s way is hard regardless of whether you’re concerned about your personal security or that of your business. Every day, criminals come up with new ways to attack. But in all these ways, two key elements persist: phishing and social engineering. In most attacks, hackers will either try to make you click on something or will pretend to be someone they’re not. Look out for these patterns when you encounter someone you don’t know and double-check any links or attachments you receive.
To ensure you stay safe, you’ll often have to rely on your cybersecurity awareness, but there are external tools that can also help. If you found this article useful, please share it by clicking on the social media buttons below.
John believes that the best things in life are simple. He uses the same approach when he’s writing about online security. John says that his #1 pet peeve is phishing scams. Ironically, his favorite non-work related activity is fishing.