Real hackers plan every single step very carefully. What’s the trick, you’ll ask? Well, experience and common knowledge go hand in hand. And since hackers usually specialize in one area at a time, it’s really hard to know when one’s knowledge is sufficient and one’s skills are technically advanced enough to conduct such an attack. Usually 95% of all spammers are just skids (script kiddies: wannabe hackers with insufficient programming and systems knowledge). Yes, it may happen that they catch a fish or two, but the really malicious actors are the ones preparing months before a big hit. Such preparation has a lot of prerequisites.
Before continuing, have you checked out the article about what phishing is and how to prevent it? Check it out if you have not. We’re not going to dive into some old cases of mine, as the technical details are overwhelming and this blog post would hardly be readable. I’d rather shed a light on what the Internet folks do. To be fair, there is a gazillion ways to launch a campaign, and often it happens as spontaneously as it sounds. Of course, the results of such a campaign will be close to zero: without previous planning, a campaign such as this will be a total failure. The fruit-bearing way that hackers often adhere to is to launch a campaign whenever they have gained enough data like names, emails and phone numbers. But that’s all random data: a phishing campaign is nothing more than collecting some data, or even buying it, and then using it for malicious purposes. During those campaigns, malicious actors have no real idea who they will compromise. That’s the main difference from whaling or spear phishing. So, whenever a phishing campaign is launched, it has the following goal:
Leaving the admin stuff to the side, when a user gets a new message, guess what happens? The user opens the email message. Correct. Now, if the user sees that there is an attached file, he does what? Correct once more: he clicks and downloads the attached file. My personal observation shows that more than 80% of all users that have been infected and/or scammed have clicked and downloaded an attached file. If the user runs a Windows OS instance on his laptop or tower, the chances that a malicious actor could gain access to the user’s system skyrocket. Don’t get me wrong: the Windows 10 team has repaired some of the Office macro critical flaws that enabled macro execution and could carry some really harmful PowerShell functions that, in a flick of the command prompt, could turn your computer into another hacked node, part of a botnet. It’s just a wee bit more difficult to make a Linux or Mac user execute a file with root permission.
To sum it up: I’ve always advised people to think first. If you receive an email from an ‘official institution’, whether it is the IRS, your email provider or someone from your company, make sure that the message you’re getting has the correct sender; if not, you are the target of a phishing campaign. And remember: official institutions always, ALWAYS send a paper copy of the documents to your physical mail.
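As an added example (not code from the original post), here is a small Python checker that turns the two observations above into something a mail gateway or a curious user could actually run: the sender shown in the From header must really belong to the institution its display name claims, the Return-Path and Reply-To should not quietly point somewhere else, and macro-enabled Office attachments get flagged. The brand-to-domain table and both sample messages are constructed for the example; the `.example` domains are placeholders, not real senders.

```python
"""Inbound-mail sanity checks for the phishing indicators discussed above.
Added example, not the blog's own tooling. KNOWN_SENDERS and the sample
messages are constructed; a real deployment keeps its own sender list."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import List

# Attachment extensions that can carry VBA macros or run a script when opened.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".js", ".vbs",
                    ".ps1", ".hta", ".exe", ".scr"}

# Hypothetical map: brand name in a display name -> domain it legitimately uses.
KNOWN_SENDERS = {
    "irs": "irs.gov",
    "example corp": "example.com",
}


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from an address header ('' if absent)."""
    _name, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()

    # 1. Display name claims a known institution but the address domain does
    #    not match it (word-boundary match so "First" does not trigger "irs").
    for brand, legit in KNOWN_SENDERS.items():
        claimed = re.search(r"\b" + re.escape(brand) + r"\b", display_name.lower())
        matches = from_dom == legit or from_dom.endswith("." + legit)
        if claimed and not matches:
            findings.append(f"display name mentions '{brand}' but address domain "
                            f"is '{from_dom}', expected '{legit}'")

    # 2. Bounces (Return-Path) go to a different domain than the visible sender.
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain '{rp_dom}' differs from From domain '{from_dom}'")

    # 3. Replies are redirected to a different domain than the visible sender.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    # 4. Attachments whose extension means macros or scripts can execute.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment '{filename}' has risky extension '{ext}'")

    return findings


# Constructed sample: lookalike sender, redirected replies, macro-enabled form.
SAMPLE_SUSPICIOUS = """\
From: "IRS Refund Department" <refunds@irs-tax-portal.example>
Return-Path: <bounce@mailer.example>
Reply-To: <claims@other.example>
To: victim@example.com
Subject: Your refund is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached form.
--XYZ
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="refund_form.docm"
Content-Disposition: attachment; filename="refund_form.docm"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed sample: internal notice from the domain the brand really uses.
SAMPLE_LEGIT = """\
From: "Example Corp IT" <it@example.com>
Return-Path: <it@example.com>
To: user@example.com
Subject: Scheduled maintenance
Content-Type: text/plain

No action required.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample) or "no findings")
```

The checks are deliberately header-only: they need no network lookups, so they run offline and complete in microseconds per message, and each finding names the header it came from so a reviewer can confirm it by eye. A domain match alone does not prove authenticity (that is what SPF, DKIM and DMARC results are for), so treat a clean result as "no obvious red flags", not as a verdict.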