Phishing for Awareness: Clone, Man-in-the-Middle & Search Engine Phishing Attacks

Clone, Man-in-the-Middle & Search Engine Phishing Attacks

Week 8 of the Phishing for Awareness blog: Clone, Man-in-the-Middle, and Search Engine Phishing Attacks, where CIT has emphasized on the many different types of phishing attacks that exist. As a company, we want to ensure your knowledge on cyber security and the many risks that you can avoid.

Through this blog each week, we have focused on several phishing attacks including Malware Infections, Spear-Phishing, and BEC Schemes. We hope the information taken from these blogs can enforce a new perspective on cyber security for you and your company. Join us now for more information on Clone, Man-in-the-Middle, and Search Engine Phishing Attacks. 

68% of business leaders feel their cybersecurity risks are increasing

Clone Phishing Attack

Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has or had its content and recipient address(es) taken and used to create an almost identical, or cloned email. Typically, it is a previously-sent email containing any link or attachment that is used as a true copy to create an almost identical or cloned email. 

An attacker who has already infected one user may use this technique against another person who also received the message that is being cloned. In another variation, the attacker may create a cloned website with a spoofed domain to trick the victim.

How a clone phishing attack works is a previously-sent email is used as a true copy to make an almost identical or cloned one. A scammer will replace the link or attachment in the email with a malicious link or attachment.The cloned email is forwarded to the contacts from the victim’s inbox. The recipients of the cloned email will assume it to be a legitimate email and click on the malicious link.

Due to the fact that the victim will never suspect the email, this a very harmful attack. In order to prevent clone phishing make sure to check the sender’s email. Hover your mouse over any link in the email to see the landing page before clicking on it. Follow up with the email and the organization it appears to be coming from. Report emails to anti-phishing organizations if possible.

Man-in-the-Middle Phishing Attack

The Man-in-the-Middle → MITM, MitM, MiM, or MIM → Phishing Attack is a malicious actor that intercepts online interaction between two parties; either to secretly eavesdrop or modify traffic traveling between the two. Attackers might use MITM attacks to steal login credentials or personal information, spy on the victim, or sabotage communications or corrupt data. Major targets of MITM are:

  1. Financial website: between login and authentication
  2. Public or private key-protected conversations/connections

Successful MITM execution has two distinct phases: interception and decryption. The most common way in creating interception is a passive attack in which an attacker makes free, malicious WiFi hotspots available to the public. Typically named in a way that corresponds to their location, they aren’t password protected. Once a victim connects to such a hotspot, the attacker gains full visibility to any online data exchange.

A more active approach an attack may take to succeed interception is to launch one of the following attacks:

IP spoofing: This involves an attacker disguising himself as an application by altering packet headers in an IP address. As a result, users attempting to access a URL connected to the application are sent to the attacker’s website.

ARP (Address Resolution Protocol) spoofing: This is an attack in which a malicious actor sends a fake ARP message over a local area network; this links the attacker’s MAC (Machine address) address to the IP address of a legitimate computer or server on the network.

DNS (Domain Name System) spoofing/ DNS Cache: Involves  a form of hacking that corrupts the DNS data in the resolver cache, causing the name server to return incorrect result records.

“Attackers can change the DNS settings for a particular domain [known as DNS spoofing],” Ullrich continues. “So, if you’re going to a particular website, you’re actually connecting to the wrong IP address that the attacker provided, and again, the attacker can launch a man-in-the-middle attack.”

After interception, any two-way SSL traffic needs to be decrypted without alerting the user or application. A number of methods exist to achieve this:

  • HTTPS Spoofing: Involves attacker sending a phony certificate to the victim’s browser once the initial connection request to a secure site is made. It holds a digital thumbprint associated with the compromised application, which the browser verifies according to an existing list of trusted sites. The attacker is then able to access any data entered by the victim before it’s passed to the application.
  • SSL BEAST (browser exploit against SSL/TLS):  targets a TLS version 1.0 vulnerability in SSL. Here, the victim’s computer is infected with malicious JavaScript that intercepts encrypted cookies sent by a web application. Then the app’s cipher block chaining (CBC) is compromised so as to decrypt its cookies and authentication tokens.
  • SSL hijacking: occurs when an attacker passes forged authentication keys to both the user and application during a TCP handshake. This sets up what appears to be a secure connection when, in fact, the man in the middle controls the entire session.
  • SSL stripping: downgrades a HTTPS connection to HTTP by intercepting the TLS authentication sent from the application to the user. The attacker sends an unencrypted version of the application’s site to the user while maintaining the secured session with the application. Meanwhile, the user’s entire session is visible to the attacker.

The one and only way to prevent the Man-in-the-Middle attack is by encrypting your online data. Using S/MIME encryption can help you to secure data from misuse by cybercrooks, or you can use Third-party tools to encrypt your data.

Search Engine Phishing Attack

A Search Engine Phishing Attack is a well-crafted attack that looks completely legitimate; phishers run a paid campaign optimized for certain keywords to launch a phishing scam. While phishers create fake websites with “Exclusive offers” as bait, which look too good to be true, they can pay for these fake web pages to be shown as the top search result. Users stumble upon these fake sites, they are fooled into sharing their information to claim the offer. For instance, the following keywords for ads could be found deceiving: “Full Version & 100% Free!”, “Exclusive Offer”, “Official Site”.

Common signs of search engine phishing include free giveaways or ridiculous discounts, emergency warnings that require a download to fix, credit card offers from obscure banks, or job applications that ask for sensitive information even before scheduling an interview.

The best way in which to prevent a search engine attack  is to avoid the ads displayed in the paid results section. Look for the “ad” tag displayed next to the website link, which is usually found on the top-most results. Additionally, if you know the URL, then type it whenever possible.

Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.

Don’t Gamble With Your Security Contact Us