The standard 3-step process common to all phishing attacks is known as the “phishing attack kill chain.” By understanding the phishing attack kill chain and its five most frequent effects, you will be better equipped to stay off the hook no matter what variety of phish lands in your inbox today. And in so doing, you'll break the chain against future attacks tomorrow.
Cybercriminals use all sorts of phishing attacks to hook all sorts of people into giving up all sorts of sensitive information with a single bad click. In this article, I am not focusing on recent phishing attacks nor the attack vectors themselves. Rather, I aim to reveal the common elements of the phishing attack process, which differs very little from one attack to the next.
The standard 3-step phishing attack process is known as the “attack kill chain,” and it breaks down to:
By understanding the three steps of the phishing attack kill chain and its five most frequent effects, you will be better equipped to stay off the hook no matter what scam lands in your inbox.
This is by far the most important part of a successful attack. The first link in the phishing attack kill chain begins with gathering information about the target in order to create a malicious email that’s relevant to the intended victim. Personal relevance increases the odds of opening a phishing email and taking action with a bad click.
It all begins with finding the victim's email address. Sometimes attackers test different addresses by just sending emails with a title like “test” or “hello” to see if an address is used and whether the recipient will respond. The same approach also works in real-life burglaries. Burglars rarely just break into a house at random; they case the grounds first, looking for weaknesses and determining which house offers the most bang-for-buck in terms of risk and reward. Where can they steal the most loot with the lowest effort and smallest risk of getting caught?
The main tool for reconnaissance today is social media. Social media profiles are gold mines of personal information. People can be way too open about themselves on social media, with too few worries about how all those pics and updates and personal/professional information they’re releasing could be used as data in an attack against them.
The amount of data needed for an attack depends on its level of sophistication. When an attack is highly sophisticated (e.g. a spear phish, a business email compromise attack, or anything where a specific person is targeted) the attacker must first acquire details about the target. Spear phishing attacks often use earlier breaches in which a business email was compromised. Otherwise, they go after email addresses on specific services so they can hijack that service with an attack email referring to, or sent from, that service to convince the recipient of its authenticity.
A sense of urgency and personal responsibility to respond to an email advances a spear phishing attack. Spear phishing emails don’t look like spam. The target must be so curious about the subject line that he or she opens the email. At that point they are already halfway reeled in.
Once the target’s personal information is gathered and analyzed, the attacker crafts an email too tempting, or triggering, for the recipient to resist opening. Phishing emails usually rely on triggering an intense emotional response, be it elation or fear. The sender could promise something valuable, like a lottery win, to the intended victim; or they could try to scare the victim into taking hasty action with things like false notifications of a compromised account, unknown payments, virus detection, etc.
A successful email is about form as well as messaging. It’s got to look convincing. So how do attackers make the phishing email look like the real deal?
With the email crafted, now it’s time for the attacker to send the phishing email to the targeted victim. The attacker delivers the malicious email containing the threat via URL or attachment to the target. After sending the email attack to one or to multiple recipients, the attacker waits until someone takes the bait.
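The three steps above each leave something a mail filter or triage script can look for. The following is an added example, not code from the article or its author: a small heuristic that tags a raw message with the indicators described so far (a “test”/“hello” address probe, an elation or fear lure, and delivery by URL or attachment). The phrase lists, the 40-character probe threshold, the tag names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

PROBE_SUBJECTS = {"test", "hello"}  # probe titles named in the article
# Assumed phrase lists, modelled on the lures the article names.
TRIGGERS = {
    "reward": ["lottery", "you have won", "prize"],
    "fear": ["compromised", "unknown payment", "virus detected"],
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def kill_chain_indicators(raw):
    """Return kill-chain indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").strip().lower()
    bodies, attachments = [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            bodies.append(part.get_payload())  # assumes unencoded text bodies
    body = "\n".join(bodies)
    text = f"{subject}\n{body}".lower()
    found = []
    # Reconnaissance: near-empty "is this address in use?" probe.
    if subject in PROBE_SUBJECTS and len(body.strip()) < 40:
        found.append("recon:address-probe")
    # Crafting: emotional trigger, elation (reward) or fear.
    for emotion, phrases in TRIGGERS.items():
        if any(p in text for p in phrases):
            found.append(f"lure:{emotion}")
    # Delivery: the threat arrives via URL or attachment.
    if URL_RE.search(body):
        found.append("delivery:url")
    if attachments:
        found.append("delivery:attachment")
    return found

# Constructed sample messages, not real traffic.
PROBE = "From: a@example.net\nSubject: hello\n\nhi\n"
LURE = ("From: it@example.net\nSubject: Account notice\n\n"
        "Your account was compromised. Verify at http://login.example.net/reset\n")

if __name__ == "__main__":
    for name, raw in (("probe", PROBE), ("lure", LURE)):
        print(name, kill_chain_indicators(raw))
```

Keyword matching like this is only a first-pass signal for triage; a targeted spear phish written from reconnaissance data can avoid every phrase in the list.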
Possible results
Some unfortunate end users will feel the urge to take the action orchestrated by the attacker. Such action could be clicking on URLs, filling in fraudulent forms, downloading attachments and/or responding with sensitive information.
The attacker either capitalizes directly on the victim's actions (harvests credentials, steals money in a payment scam), or the attacker could sit in the victim's system anonymously, waiting and gathering data until the right moment presents itself to strike.
Five effects of the three-step phishing attack kill chain
Credential harvesting is the most common outcome of a phishing attack. The victim has been lured into opening a link, which redirects them to a landing page that requests things like an account login and password, or sensitive personal details. This will actually be a spoofed website on the attacker’s web server. Engagement with it delivers the victim’s account name and password to the attacker on a silver platter.
Stolen credentials can be valuable to attackers in 5 ways.
No action taken breaks the phishing attack kill chain
Remember, cybercrime is an organized criminal industry. These criminals approach victims with a strategic business mindset similar to a sales and marketing campaign. Criminals want to channel their resources towards converting potential “customers” most likely to pay out. Therefore, the attacker will often leave an unengaged user alone with future attacks. But victims who open and act on phishing emails inadvertently sign up for even more phishing attacks as they become marked as a “high profile,” or easier, target in the criminal’s database.
By not opening or acting on a phishing email today, you’re less likely to be attacked tomorrow. The attacker gets nothing and the targeted user becomes categorized as a “low profile” target. Still, some attackers could try to hit their target with multiple emails; particularly if the target is high-value, e.g. a C-level executive, and the attacker is committed to a sophisticated spear phishing or whaling attack.
We are seeing what experts have predicted: The fighting in Ukraine contains an unprecedented cyber war dimension. Fallout will seep into inboxes around the world. Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Also learn how to equip your employees with the awareness training that will protect your company from phishing scams.