I recently had a discussion with a family member who encountered one of the most common security threats in the digital age: a phishing email. During our conversation, she shared her experience of receiving an email that urged her to visit a specific website and take certain actions while also requesting her personal information. She proudly mentioned that she had visited the website and explored some of its features, but wisely refrained from submitting her real information. While her initial response showed the right level of caution for this scenario, it led us into a deeper conversation about the evolving dangers of modern phishing and social engineering techniques.
It's crucial for users to understand that the objective of phishing and social engineering extends beyond passwords; it often involves harvesting various forms of valuable information that can be exploited. In this article, I will try to demonstrate these techniques with practical examples, assuming that the user has already taken the step of clicking on a link from a phishing email.
While these scenarios are fictional, they’re based on real-world attacks used by hackers. By shedding light on these tactics, we can better equip individuals with the knowledge needed to recognize and protect themselves against the multifaceted threats posed by phishing attacks.
Combining phishing with clickjacking attacks can create a very tricky and dangerous cyber threat. Unfortunately, by the time most users realize the threat, it's already too late.
Here's how it works: hackers send deceptive emails that look real, tricking people into clicking links or buttons that redirect them to an attacker-controlled site. Everything appears legitimate; however, there is a danger that you can’t see. Clickjacking is when bad actors cover up parts of a web page with fake elements to make people do things they didn't intend to do.
Imagine you have a favorite shopping website, which you love buying things from. You’re on there so often that the website remembers you by now, so that you don’t have to deal with the hassle of logging in each time that you want to check out a new pair of boots.
If hackers know that you’re a member of this site and the site is vulnerable to clickjacking, then you can be targeted to take malicious actions without your knowledge.
Of course, the email will have some kind of offer that’s too good to resist (who wouldn’t want 95% off?), and all you have to do is click the link. If you visit the attacker-controlled phishing site through the link in your email, the page loads your favorite shopping site inside a large, invisible frame. Why? Because when you try to interact with the phishing site (which is masked to look like a completely harmless site), you’re actually using your favorite shopping site in the background.
Unfortunately, you can't see the frame, so you think you’re taking a harmless action, but you're not. The danger in this mix is that victims believe they're on a safe website or using a trusted app, making them more likely to do things they shouldn't. It's really hard for people to see through this deception, and the result can be losing money, having their identity stolen, or giving hackers access to sensitive data such as your credit card information, contact information, and account logins.
The concept becomes clearer when you witness how another website is hidden in action. Watch the demo of how these overlays work.
Each time you reduce the opacity, you can slowly start to see the hidden content. By placing the ‘Transfer Balance’ button on top of the hidden attacker link, users end up clicking the link thinking they are transferring their balance, when in reality they are clicking the malicious link.
The target will think they’re clicking the ‘Take Action’ button while they actually, unknowingly, click the ‘Transfer Balance’ button.
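The defence against the framing trick described above is on the shopping site's side: it has to tell the browser who may embed it. The check below is an added example (not code from the original article or from Bulletproof) that reads a page's response headers and decides whether an attacker-controlled origin could load the page in a frame, applying the rule browsers use: a `Content-Security-Policy` `frame-ancestors` directive wins, and `X-Frame-Options` only counts when it is exactly `DENY` or `SAMEORIGIN`. The origins and header sets in the usage lines are constructed.

```javascript
// Added example, not code from the original article or from Bulletproof: decide
// from a page's response headers whether an attacker-controlled origin could load
// it inside a frame. Origins and header sets in the usage section are constructed.

// Pull the source list of the frame-ancestors directive out of a CSP header.
// Returns null when the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the framing origin?
function sourceMatches(source, framerOrigin, pageOrigin) {
  if (source === 'none') return false;
  if (source === 'self') return framerOrigin === pageOrigin;
  if (source === '*') return true;
  const framer = new URL(framerOrigin);
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return framer.protocol === source;
  // host-source: [scheme://][*.]host[:port|:*]
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false; // unparseable expression: treat as non-matching
  const [, scheme, wildcard, host, port] = m;
  if (scheme && framer.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? framer.hostname.endsWith('.' + host) : framer.hostname === host;
  if (!hostOk) return false;
  // URL normalises default ports to "", so an omitted port means "default port only"
  if (!port) return framer.port === '';
  return port === '*' || framer.port === port;
}

// headers: plain object of response headers (any casing).
// Returns whether framerOrigin may embed the page, and which rule decided it.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const get = name => Object.entries(headers).find(([k]) => k.toLowerCase() === name)?.[1];
  const ancestors = parseFrameAncestors(get('content-security-policy'));
  if (ancestors) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
    const allowed = ancestors.some(s => sourceMatches(s, framerOrigin, pageOrigin));
    return { allowed, reason: 'csp-frame-ancestors' };
  }
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { allowed: framerOrigin === pageOrigin, reason: 'x-frame-options' };
  // Anything else (missing, the obsolete ALLOW-FROM, ALLOWALL, conflicting values)
  // gives no protection: modern browsers ignore the header and let any site frame the page.
  return { allowed: true, reason: xfo ? 'x-frame-options-invalid' : 'no-framing-protection' };
}

// Usage with constructed values: the shopping site from the story, framed by a phishing page.
const SHOP = 'https://shop.example';
const PHISH = 'https://deals-95-percent-off.example';
console.log(framingAllowed({}, SHOP, PHISH));                             // { allowed: true, reason: 'no-framing-protection' }
console.log(framingAllowed({ 'X-Frame-Options': 'DENY' }, SHOP, PHISH)); // { allowed: false, reason: 'x-frame-options' }
console.log(framingAllowed({ 'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example" }, SHOP, PHISH));
```

Run it against the headers your own sites return: a result of `no-framing-protection` or `x-frame-options-invalid` for a page that performs actions while logged in is exactly the condition the shopping-site scenario depends on.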
Email applications have evolved a lot over the last decade, and with the rise of cloud technology, users now expect a level of integration that can make their workday easier and more secure. Unfortunately, if an organization is not protecting itself against malicious third-party integrations, this can lead to negative consequences.
Hackers can make use of phishing techniques that are specifically designed to gain application permissions from a user, especially when targeting individuals who may not fully understand the implications of granting these permissions. Gaining application permissions can provide attackers with a level of access and control over a user's digital environment, which can be exploited for various malicious purposes.
These permissions can range from access to personal information, device functions, or even account credentials. Users, in their belief that they are interacting with a trustworthy application, might unknowingly grant these permissions, thinking they are complying with a legitimate request from their IT/security team. Additionally, these types of attacks are often launched in an environment where users already have a level of established trust. Below is an example of a permission phishing application that was used in Office 365 environments to gain access to sensitive information.
Once these permissions are granted, hackers can abuse them in several ways. For instance, they may gain access to a user's email, contacts, or other sensitive data stored in an application. Even worse, they can now use your account to send emails to your co-workers and contacts in an attempt to spread across the network.
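What makes a consent prompt dangerous is the combination of permissions it asks for, not any single one, and that combination is visible before the user clicks "Accept". The code below is an added example (not code from the original article or from Bulletproof) of the scoring an admin-consent review step could apply to a request: it treats sign-in scopes as baseline, adds weight for mailbox, contact and file access, for permissions that let the app act as the user (send mail, modify data), for `offline_access` (which keeps a refresh token alive after the browser closes) and for an unverified publisher. The scope names are Microsoft Graph delegated permissions; the app names, sample requests and scoring thresholds are constructed for this example.

```javascript
// Added example, not code from the original article or from Bulletproof: score an
// OAuth consent request by the delegated permissions it asks for, the way an
// admin-consent review step might before a user can approve an unknown app.
// Scope names are Microsoft Graph delegated permissions; the sample requests,
// app names and the scoring thresholds are constructed for this example.

// Sign-in scopes every legitimate app needs; they carry no data access by themselves.
const BASELINE_SCOPES = new Set(['openid', 'profile', 'email', 'user.read']);

// Resources whose data consent-phishing apps most often target once approved.
const MAILBOX_RESOURCES = new Set(['Mail', 'Contacts', 'Calendars', 'MailboxSettings', 'Files']);

// Split "Files.ReadWrite.All" into resource, access level and qualifier.
function parseScope(scope) {
  const [resource, access = 'Read', qualifier = ''] = scope.split('.');
  return { resource, access, qualifier };
}

// request: { appName, publisherVerified, scopes: [...] }
// Returns a risk level, the score behind it, human-readable reasons and a decision.
function evaluateConsent(request) {
  const reasons = [];
  let score = 0;
  const scopes = request.scopes.map(s => s.trim()).filter(Boolean);

  if (scopes.some(s => s.toLowerCase() === 'offline_access')) {
    score += 1;
    reasons.push('offline_access: refresh token keeps access alive after the user closes the browser');
  }

  for (const scope of scopes) {
    const lower = scope.toLowerCase();
    if (BASELINE_SCOPES.has(lower) || lower === 'offline_access') continue;
    const { resource, access, qualifier } = parseScope(scope);
    if (MAILBOX_RESOURCES.has(resource)) {
      score += 2;
      reasons.push(`${scope}: grants access to the user's ${resource} data`);
    }
    if (access === 'Send' || access.startsWith('ReadWrite')) {
      score += 2;
      reasons.push(`${scope}: can act as the user (${access}), e.g. send mail or modify data`);
    }
    if (qualifier === 'All') {
      score += 1;
      reasons.push(`${scope}: ".All" widens the scope beyond the user's own items`);
    }
  }

  // An unverified publisher asking for anything beyond sign-in is the classic consent-phish pattern.
  if (!request.publisherVerified && score > 0) {
    score += 2;
    reasons.push('publisher is not verified');
  }

  const level = score >= 6 ? 'high' : score >= 2 ? 'medium' : 'low';
  const decision = level === 'high' ? 'block-and-review'
                 : level === 'medium' ? 'require-admin-consent'
                 : 'allow';
  return { appName: request.appName, level, score, reasons, decision };
}

// Constructed sample: a consent prompt dressed up as an "Office 365" security update.
const SAMPLE_REQUEST = {
  appName: 'Office 365 Security Update',
  publisherVerified: false,
  scopes: ['User.Read', 'Mail.ReadWrite', 'Mail.Send', 'Contacts.Read', 'offline_access'],
};
console.log(evaluateConsent(SAMPLE_REQUEST)); // level 'high', decision 'block-and-review'
```

The same logic applies to reviewing consents that have already been granted: pull the permission list of each enterprise application, run it through the evaluator, and start with the entries that come back `high`.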
Hackers frequently use phishing to deliver malicious files to users, and the techniques have evolved over the last few decades. This method is known as "malware delivery through phishing," and it's a common way for attackers to compromise systems, steal data, or gain unauthorized access to a user's device.
In a phishing attack aimed at delivering malicious files, hackers often craft deceptive emails, messages, or links that appear harmless or even enticing to the recipient.
These messages may masquerade as invoices, receipts, job offers, or other seemingly legitimate documents, enticing users to open the attached files or click on download links. Unfortunately for the victim, these files can contain various types of malware, such as viruses, Trojans, ransomware, or spyware. Fortunately, many modern security teams are aware of this technique and typically scan all inbound attachments to block malicious files.
Unfortunately, these attacks are no longer limited to email file attachments. Advanced threat groups have been found to use techniques like HTML smuggling to create drive-by download sites that force your browser to download files automatically.
Additionally, even if the site doesn’t automatically download the file, specially crafted links can be used to launch applications from your browser in an attempt to present malicious files to your users or take other actions that bypass antivirus filters. While modern browsers attempt to interrupt this attack with a confirmation prompt, the prompt does not include any security warnings or indications, which can be used to trick users.
Once the user interacts with the malicious file, the malware can execute and compromise the user's device. The consequences can range from data theft and unauthorized access to the exploitation of system vulnerabilities, leading to further attacks. This method of malware delivery is particularly effective because it leverages social engineering tactics to manipulate users into taking actions that they believe to be safe or beneficial, ultimately leading to a compromise of their system's security.
A recent example of this technique evolving is the release of new domain extensions that help attackers create a more believable page for their attack. This came to light again with the recent arrival of .ZIP domains.
As an example, we’ve built a demo at ConfidentialDocuments.Zip. The site has been designed to look like a file archive, similar to what a user would see when opening a ZIP or RAR archive. This presents an interesting phishing/social engineering opportunity, because the ConfidentialDocuments.ZIP URL won’t be flagged by email filters the way a malicious zip attachment would be (as long as the domain category and reputation remain trusted). Additionally, the user is presented with the familiar screen they usually see when opening these types of files.
If the user then attempts to open the file from the browser, they’re actually starting a new application on their machine (in this case File Explorer), which can be used to retrieve malicious files and potentially evade intrusion detection systems.
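Attachment scanning does not see any of the three tricks above, but the message body still carries signals a gateway can act on. The code below is an added example (not code from the original article or from Bulletproof) of a triage pass over an HTML email that looks for dotted names ending in `.zip` that a client may autolink as a domain, links whose scheme hands the click to a local application instead of the browser, and script that assembles a download inside the page rather than fetching a file. The sample message is constructed around the ConfidentialDocuments.Zip scenario, and `x-launch:` in it is a placeholder scheme, not a real application protocol.

```javascript
// Added example, not code from the original article or from Bulletproof: a
// mail-gateway style triage pass over an HTML message for the delivery tricks
// described in the article. The sample message is constructed, and "x-launch:"
// is a placeholder scheme, not a real application protocol.

const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// A dotted name ending in .zip; mail clients may autolink it, so the reader
// sees a filename while the browser sees a domain.
const ZIP_TOKEN = /\b(?:[a-z0-9-]+\.)+zip\b/gi;

function extractHrefs(html) {
  const links = [];
  const re = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) links.push(m[1].trim());
  return links;
}

// Text the recipient actually reads: scripts and tags removed.
function visibleText(html) {
  return html.replace(/<script[\s\S]*?<\/script>/gi, ' ').replace(/<[^>]+>/g, ' ');
}

// Indicators that a script builds a file in the browser instead of fetching one,
// which is exactly what attachment scanners at the gateway never get to see.
function smugglingIndicators(html) {
  const found = [];
  for (const script of html.match(/<script[\s\S]*?<\/script>/gi) || []) {
    if (/createObjectURL\s*\(/.test(script)) found.push('object URL created in script');
    if (/\batob\s*\(/.test(script)) found.push('base64 decoded in script');
    if (/\bdownload\s*=/.test(script)) found.push('download attribute set from script');
  }
  return found;
}

function triageEmail(html) {
  const zipDomains = new Set();
  const nonHttpLinks = [];
  for (const href of extractHrefs(html)) {
    let url;
    try { url = new URL(href); } catch { continue; } // relative or malformed: nothing to resolve
    if (!SAFE_SCHEMES.has(url.protocol)) nonHttpLinks.push(href);
    if (url.hostname.endsWith('.zip')) zipDomains.add(url.hostname);
  }
  for (const token of visibleText(html).match(ZIP_TOKEN) || []) zipDomains.add(token.toLowerCase());
  const indicators = smugglingIndicators(html);

  // Two or more smuggling indicators, or any application-launch link, is held back;
  // a lone .zip name goes to a human because it may be a genuine attachment reference.
  const verdict = indicators.length >= 2 || nonHttpLinks.length > 0 ? 'quarantine'
                : zipDomains.size > 0 ? 'flag-for-review'
                : 'clean';
  return { zipDomains: [...zipDomains].sort(), nonHttpLinks, indicators, verdict };
}

// Constructed sample message modelled on the ConfidentialDocuments.Zip scenario.
const SAMPLE_EMAIL = `<html><body>
<p>Your shared archive is ready: ConfidentialDocuments.Zip</p>
<p><a href="https://confidentialdocuments.zip/open">Open archive</a></p>
<p><a href="x-launch:open?file=ConfidentialDocuments.zip">Open in desktop app</a></p>
<p><a href="https://intranet.example.com/policy">HR policy</a></p>
<script>
  // constructed indicator sample, not a working payload
  const bytes = atob(encoded);
  link.href = URL.createObjectURL(new Blob([bytes]));
  link.download = "archive.zip";
</script>
</body></html>`;

console.log(triageEmail(SAMPLE_EMAIL)); // verdict 'quarantine'
```

The `.zip` check is deliberately noisy: a genuine "please review report.zip" sentence is flagged too, because the client may turn it into a link all the same, and a reviewer can clear it in seconds.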
Have you ever received a survey from management asking you to provide your input regarding workplace improvements? How about questions about returning to the office or any other HR-related surveys? The questions may have a deeper meaning, instead of HR just attempting to figure out if chocolate cake is more popular than vanilla.
Hackers often use methods like phishing and social engineering to deceive individuals into sharing important information. Why? Because developers have become more security-oriented, and crucial website features may require additional information for verification before they allow an action. For hackers, that means they may already have your password from a database leak or another attack, but they can’t actually move forward without this crucial piece of information.
Due to this, one common phishing trick is making fake websites that look like surveys or questionnaires. These fake sites try to look harmless and real, often pretending to be from well-known companies or places. When people get lured into doing these fake surveys, they might get asked for answers to questions that seem harmless, like their favorite color or their pet's name. But these questions can actually help hackers get access to more important website features, like answers to security questions that help reset passwords.
If hackers get their hands on answers to these secret questions, they can use them to reset passwords and take control of accounts, which can be a big problem. For example, if you use a question like "What's your mom's maiden name?" to reset a forgotten password, hackers can use that info to break in and maybe get even more access.
To avoid falling for these tricks, it's important to be careful when you see online surveys, especially if they seem suspicious or come from sources you don't trust. Always make sure a website is real before giving out personal info.
In summary, clicking on a bad link can lead to more than just stolen information – it can cause a range of problems and headaches. Hackers are using people’s trust against them, and we can’t always rely on technology to keep us safe. However, being aware and staying cautious helps a lot, and learning about sneaky tactics like clickjacking or manipulating app permissions takes away a lot of the attacker’s power.
So, if you ever get an email with a link that doesn’t feel right, then just take a moment to think before you click. Always check who’s sending you emails, look at the web addresses closely and don’t click on any links that look fishy. Still not sure? Contact your friendly internal security team before taking any further action.
Stay informed, stay alert and stay safe as you navigate the modern online landscape.
As the 2021 Microsoft Global Security Partner of the Year, Bulletproof is happy to discuss how our cybersecurity expertise can be used to ensure your people are equipped with the tools and knowledge to thwart cybersecurity threats and attacks.
Contact us to learn more about our Security Aware Program.