Phishing attacks were said to have started around the early to mid-1990s through America Online(AOL). During that time, a group of hackers known as warez community impersonated AOL employees and collected important information, such as login credentials and personal information from AOL users. Since then, phishing attacks have evolved into a lucrative business for hackers. An estimated 156 million phishing emails get delivered every day, resulting in more than 80,000 clicks from unknowing users.
So what is Phishing?
A phishing attack is part of the social engineering family where a malicious actor attempts to steal important information from the victim. Some examples of the important information include:
1. Login credentials
2. OTPs
3. Personal Information
4. Banking Information
5. Banking details
6. Debit card/ Credit Card Details, etcA phishing attack usually involves a malicious actor impersonating a trusted entity, such as a government body like the Singapore Police Force or financial institutes like banks and duping the victim to reveal important information to the malicious actor. Below are just some of the ways a phishing attack can be carried out:
1. The fake website method, in which a malicious actor creates a phony website to impersonate an actual website, like a bank, and capture information like login credentials. 2. Using Wireshark to perform man-in-the-middle attacks, in which important information sent as traffic from the victim to a legitimate website is captured by a malicious actor. 3. Impersonating a real person or an entity, via email or sms, to communicate with the victim, in which he/she is will be duped into giving important information to the malicious actor.
Phishing Attack Demonstration
A demonstration of a phishing attack is shown below. An evil twin attack was conducted whereby a malicious actor created a fake wifi access point mimicked a legitimate network to trick users into connecting to it.
Disclaimer: This article has been made available for informational and educational purposes only. N0H4TS is not responsible for any misuse of the information/knowledge.
Phishing Attack Demonstration video
As shown in the demonstration, the attacker created a fake Wireless@SG access point to trick users into connecting to it. The attacker will posed as the Singapore Police Force to obtain bank credit card details from the victims.
If you observe carefully, the url in no way represents the actual url of the official Singapore Police Force website. So, next time, if you feel that something is amiss, do look out for any discrepancies in the url of a website.
We have also included a second phishing attack demonstration as a bonus, in which a user’s DBS banking credentials are stolen by an attacker through a man in the middle attack as shown below. This is to advocate people to stay vigilant on websites you visit.
How to protect yourself against phishing attacks
As shown in the demonstrations, an attacker could carry out a phishing attack easily. Next time, when browsing through the internet, stay vigilant to keep yourself safe from phishing attacks. Here are some tips to protect yourself against phishing attacks:
1. Do check the URL of the website to ensure the URL is that of the actual entity (e.g., Singapore Police Force). 2. Ensure that the website is secured (e.g. HTTPS instead of HTTP). 3. Contact the relevant governing bodies to verify the legitimacy of what you received from them if you feel something is amiss. 4. Visit [ScamAlert](https://www.scamalert.sg/) for more information on scams.
Here’s a little shoutout to our N0H4TS members:
- Conan Zhang, for demonstrating the phishing attacks.
- Thura, for writing the blog post.
- Josh, for writing the blog post.
References
History of Phishing by Phishprotection
