Phishing simulations in Singapore

Why Staff in Singapore Need Phishing Simulations

June 25, 2020

ST Logistics, a private vendor for the Singapore Armed Forces (SAF) responsible for providing third-party logistics such as equipping services and e-mart retailers, and HMI Institute of Health Science have both reported recent cybercrime incidents. In December 2019, SAF confirmed that, as a result of phishing activity, the personal data of 2,400 SAF employees could have been compromised; this figure is a projection based on the total data present in the affected system.

In an unrelated incident, HMI Institute of Health Science reported a probable compromise of 120,000 individuals' records, including 98,000 records of SAF employees, due to a ransomware attack on one of its servers. The SAF servicemen whose personal information was affected had attended cardiopulmonary resuscitation and automated external defibrillation courses conducted by HMI.

Both HMI and ST Logistics carried out extensive forensic investigations into these incidents, with the assistance of their own cybersecurity teams and the support of external cybersecurity experts. The affected data consisted of personal information such as names, email addresses, contact numbers, NRIC numbers, birth dates, and addresses. Though neither organization provided exact details of the breaches, one common element in both incidents was phishing.

What Is Phishing?

Phishing attacks are the foundation of a majority of advanced and potent malware attacks. Though the follow-up attacks form the important part of any cyberattack, their ability to damage a system depends on the success of the initial phishing scam. Several types of phishing attack exist.

10 Types of Phishing Attacks

  • Spear phishing: Personalized phishing attempts created for a specific person or organization are called spear phishing. Unlike regular phishing, threat actors generally conduct reconnaissance, gathering information about their victim in order to look less suspicious and increase their probability of success.
  • Whaling: Whaling is the next step up in spear phishing attacks, targeting senior executives and other high-profile employees in an organization, such as managers or above.
  • Clone phishing: Clone phishing is a type of phishing attack that begins with extensive reconnaissance into previously delivered emails or attachments; once obtained, the email or documents are used to create an identical or cloned email. The attachment or link from the previous email is then replaced with a malicious URL or malware, and the message is sent from an email address resembling the original domain, so that it appears to be a resend of the original or a follow-up.
  • Link manipulation: Using technical deception to make a link appear to belong to a legitimate organization is defined as link manipulation. Misspelled URLs and misleading subdomains are the most common ways of working malicious websites into a phishing attempt. Another common trick is to make the displayed text of a link look legitimate using hypertext markup language (HTML), so that the text you see for the link is the trusted website's name.
  • Filter evasion: Phishing emails must evade the mail filters that would otherwise mark them as spam. Common evasion methods include clone phishing and the use of images instead of text, which makes the emails harder for anti-phishing filters to detect, since such filters commonly rely on words in their repositories that have been classified as phishing or spam.
  • Website forgery: As the name suggests, website forgery is when scammers create fake websites that look exactly like the original, sometimes using JavaScript to alter the address bar of the malicious website to show the address of the original. Sometimes existing flaws in a trusted website's scripts are used against it by attackers to hijack the webpage. These types of attacks are also known as cross-site scripting; they prompt the user to sign in at the legitimate web page, where everything from the web address to the security certificate appears correct, but in reality the page is embedded with malicious code, making it very difficult to identify without professional knowledge.
  • Covert redirect: Covert redirect is a more sophisticated method of phishing attacks that makes use of a legitimate website, but eventually redirects the user to a malicious website. Sometimes malicious browser extensions are used to redirect users to phishing websites covertly.
  • Covert redirect: Unlike normal phishing websites, which are relatively easy to spot due to anomalies in the URL or the website itself, covert redirection involves an authentic website corrupted with nothing but a simple popup box that prompts users to log in, thus stealing their login credentials while simultaneously redirecting them to the malicious website. Some of the more sophisticated techniques use flaws in, or the default behavior of, a website towards a third-party link (which is fairly common and least suspicious), such as the prompt for simple authorization of an application or website. For example, if you click on a malicious link embedded in a web page, the page asks whether you would like to authorize the specific app or website related to that link. If the user chooses to authorize, a "token" is sent to the attacker, which may contain the user's personal and sensitive information. Information such as email address, birth date, contacts, search history, name, username, and password could be compromised, and depending on the privileges of the "token", the threat actor may also be able to control the user's account access.
  • Social engineering: Social engineering uses social pretexts to prompt a person to click on malicious links or attachments. For example, the COVID-19 pandemic has heightened many people's interest in reading news and healthcare updates, and in response many threat actors have created fake news, blogs, health updates, or maps to lure people into clicking those links.
  • Voice phishing: Not all phishing attacks require a fake website or email. Calls or messages that claim to be from a bank or another legitimate organization and prompt users to reveal their account numbers, PIN, password, etc., are termed vishing or voice phishing.
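The link-manipulation tricks in this list (visible text that names one host while the href points at another, a trusted brand used as a subdomain of an unrelated domain, and misspelled lookalike domains) can be checked mechanically in a mail gateway or when scoring a simulation email. The following Python script is an added example, not code from the original article or from EC-Council's Aware; the trusted-domain allowlist, the sample email body and every hostname in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"example-bank.sg"}  # hypothetical allowlist of the organisation's own domains
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?", re.I)  # looks like a host/URL

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None
def registrable_domain(host):
    """Last two labels of the host; a production check would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])
def normalise_lookalike(host):
    """Undo common character substitutions (rn->m, 1->l, 0->o) before comparing to the allowlist."""
    return host.lower().replace("rn", "m").replace("1", "l").replace("0", "o")

def find_link_manipulation(html_body):
    """Return (reason, visible_text, target_host) for every anchor showing link-manipulation signs."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        target = urlparse(href).hostname or ""
        reg = registrable_domain(target)
        if reg in TRUSTED_DOMAINS:
            continue  # genuinely points at one of our own domains
        shown = HOST_RE.fullmatch(text)
        if shown and registrable_domain(shown.group(1)) != reg:
            findings.append(("display-mismatch", text, target))    # visible host differs from real target
        elif any(t.split(".")[0] in target for t in TRUSTED_DOMAINS):
            findings.append(("brand-in-subdomain", text, target))  # trusted name buried under another domain
        elif normalise_lookalike(reg) in TRUSTED_DOMAINS:
            findings.append(("lookalike-domain", text, target))    # misspelt or homoglyph registrable domain
    return findings

SAMPLE_EMAIL = """<a href="http://example-bank.sg.login-verify.com/x">example-bank.sg</a>
<a href="http://examp1e-bank.sg/reset">Reset password</a>
<a href="http://secure.example-bank.sg.update-portal.net/login">Log in</a>
<a href="https://example-bank.sg/help">Help centre</a>"""  # constructed sample: mismatch, lookalike, subdomain trick, legitimate
```

Running `find_link_manipulation(SAMPLE_EMAIL)` flags the first three anchors and leaves the genuine help link alone.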

How to Conduct Phishing Simulations Efficiently

Prevention of phishing for a non-technical person is improved by the anti-phishing education and awareness provided by many reputable organizations, including EC-Council's Aware, which provides education and training for an organization's employees against phishing attacks. Understanding phishing theoretically is not sufficient: even if a person knows phishing is done via malicious/spam emails, they cannot necessarily differentiate between a benign and a malicious email. Thus, practical experience of phishing attacks and how to tackle them is very helpful. Aware offers virtual phishing simulations by sending employees phishing emails, monitoring their responses, and tailoring education and mitigation knowledge based on the results.

As the user is the first line of defense against any cyberattack, knowing how to tackle phishing attacks is highly important. Anti-phishing education organizations can not only help educate the employees of any organization on ways to recognize and tackle phishing emails, but also offer the advice and training of security experts along the way. Training IT staff on the different modes of phishing can cover:

  • Precautions to follow for remote workers on cloud and VPN access.
  • Compilation of security policies and guidelines that help in educating the workers on phishing.
  • Educating IT security professionals on handling and mitigating phishing attacks.
  • Training for security responsibilities in the event of phishing attacks.
  • Training assistance through demo simulations for real-time phishing attacks.
  • Education and awareness regarding the different types of phishing and their prevention methods for both technical and non-technical personnel.