RemNote Community

Study Guide

## 📖 Core Concepts

- **Phishing** – a social-engineering attack that tricks a victim into revealing confidential data or installing malware by masquerading as a trustworthy entity.
- **Multi-Factor Authentication (MFA)** – requires ≥ 2 independent proofs of identity (e.g., password + one-time code). Reduces the impact of credential theft but can be bypassed by real-time relay attacks.
- **Man-in-the-Middle (MitM) Phishing** – the attacker sits between the victim and the legitimate service, captures login tokens or session cookies (e.g., with Evilginx), and reuses the live session.
- **Homograph / Internationalized Domain Name (IDN) Spoofing** – uses visually similar Unicode characters (e.g., Cyrillic "а") to make a malicious domain appear legitimate.
- **Social-Engineering Tactics** – urgency, fear, authority, curiosity, or "official" language that pushes the victim to act without verifying.

---

## 📌 Must Remember

- **Goal:** steal credentials, financial data, or personal identifiers.
- **Primary delivery channels:** email, instant messaging, voice calls (vishing), SMS/text (smishing), QR codes (quishing).
- **MFA effectiveness:** > 80 % reduction in successful credential theft from phishing.
- **Bulk vs. targeted:** email phishing is large-scale and non-targeted; spear phishing and whaling are personalized and aimed at high-value targets.
- **Key technical defenses:**
  - Email authentication (SPF, DKIM, DMARC)
  - Real-time URL blacklists (Safe Browsing, SmartScreen)
  - Machine-learning spam filters
- **User-training impact:** regular simulated campaigns cut click-through rates measurably.

---

## 🔄 Key Processes

**Typical Phishing Attack Flow**

1. **Delivery** – attacker sends a fraudulent message (email, SMS, voice, QR).
2. **Bait** – message contains an urgent request, fake news, or another lure (e.g., "account will be closed").
3. **Link/Attachment** – victim clicks a manipulated link or opens a malicious attachment.
4. **Credential Capture** – a fake login page records the username/password; it may also capture the OTP via real-time relay.
5. **Session Hijack (MitM)** – tools like Evilginx forward the legitimate login page and steal the session tokens.
6. **Post-Compromise** – attacker uses the credentials or session to access accounts, exfiltrate data, or move laterally.

**Defense Cycle (User-Centric)**

1. **Awareness Training** – teach URL-mismatch spotting, urgent-ask detection, greeting anomalies.
2. **Simulated Phishing** – send mock attacks, collect click data, give immediate feedback.
3. **Technical Filtering** – ML classifiers inspect headers, URLs, attachments; block or quarantine.
4. **Browser/Client Alerts** – real-time blacklist warnings when navigating to suspect sites.
5. **MFA Prompt** – even if the password is captured, an OTP or WebAuthn challenge blocks access.
6. **Monitoring & Takedown** – digital-risk services report phishing URLs for rapid removal.

---

## 🔍 Key Comparisons

**Email Phishing vs. Spear Phishing**
- Email: generic, bulk, no personal detail.
- Spear: tailored content, uses personal information, higher success rate on executives.

**Spear Phishing vs. Whaling**
- Spear: targets any employee; may use role-based lures.
- Whaling: specifically targets C-suite/executives; often masquerades as board-level communications.

**Vishing vs. Smishing**
- Vishing: voice call (VoIP or landline), caller-ID spoofing, verbal credential request.
- Smishing: text/SMS with a bait link or short code; exploits truncated URLs on mobile.

**Homograph Attack vs. URL-Shortener Trick**
- Homograph: visually similar characters in the domain name.
- URL-shortener: hides the true destination behind a short link, requiring hover or preview to detect.

**Standard Phishing vs. MitM Phishing**
- Standard: steals password/OTP; attacker must reuse the credentials.
- MitM: captures the live session token; no need to replay the password; works even with MFA.

---

## ⚠️ Common Misunderstandings

- "MFA completely stops phishing." – Real-time relay tools can capture OTPs and session cookies, bypassing MFA.
- "Hovering over a link always reveals the true URL." – Some attacks use Unicode homographs that look identical even when hovered.
- "Only email can be phishing." – Voice (vishing), SMS (smishing), QR codes (quishing), and compromised web pages (page hijacking) are equally common.
- "Spam filters catch all phishing." – Sophisticated, personalized attacks often evade signature-based filters; heuristic and ML analysis is needed.

---

## 🧠 Mental Models / Intuition

- **Bait-and-Hook Model:** the attacker's bait (urgent request, fake news) is the hook; the hook works only if the victim reaches out (clicks, calls, scans). If you spot any bait, pause before pulling the hook.
- **Trust Chain Break:** legitimate services rely on a chain of trust (browser → DNS → certificate). Phishing breaks the chain at the user level; restoring trust means verifying the source before entering any credential.

---

## 🚩 Exceptions & Edge Cases

- **Real-time Relay (OTP Capture):** even with MFA, attackers can capture the OTP as the victim types it during login.
- **QR Code Phishing (Quishing):** a mobile OS may open the URL automatically without displaying it; treat any unsolicited QR scan as suspicious.
- **Cross-Site Scripting (XSS) Page Hijacking:** legitimate sites are compromised to inject malicious redirects; traditional URL checks may miss the injection.
- **Session Lifetime:** captured session cookies may remain valid for minutes to hours; timely detection is critical.
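The Core Concepts entry on homograph/IDN spoofing and the misunderstanding above (hovering does not expose a Unicode homograph) are easier to internalize with a concrete check. The following is an added example written for this guide, not code from RemNote or from any project the guide mentions. The domains, the allowlist and the small confusables table are all constructed for the demonstration; a production filter would use the full Unicode confusables data and a public-suffix list.

```python
import unicodedata
from typing import Optional

# Constructed sample domains (not from the study guide): an ASCII domain, a
# look-alike that swaps the Latin "a" for Cyrillic "а" (U+0430), and a
# whole-Cyrillic look-alike of paypal.com built only from confusable letters.
LEGIT_DOMAIN = "example.com"
MIXED_SCRIPT_LOOKALIKE = "ex\u0430mple.com"
WHOLE_SCRIPT_LOOKALIKE = "\u0440\u0430\u0443\u0440\u0430\u04cf.com"

# Hypothetical allowlist of domains the organisation trusts.
TRUSTED = {"example.com", "paypal.com"}

# Small constructed confusables table: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u04cf": "l",
}


def to_punycode(domain: str) -> str:
    """Return the ASCII (xn--) form that DNS actually resolves; this is the
    name a hover tooltip hides behind the pretty Unicode rendering."""
    return domain.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set:
    """Collect the Unicode scripts used in one DNS label, taken from the first
    word of each character's Unicode name (e.g. 'LATIN', 'CYRILLIC')."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphens are script-neutral
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split()[0])
    return scripts


def is_mixed_script(domain: str) -> bool:
    """True when any label mixes scripts, the most common homograph tell."""
    return any(len(scripts_in_label(label)) > 1 for label in domain.split("."))


def confusable_with(domain: str, trusted: set) -> Optional[str]:
    """Map each confusable character to its Latin look-alike and report which
    trusted domain the result collides with, if any. Catches whole-script
    spoofs that the mixed-script test cannot."""
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())
    if skeleton != domain and skeleton in trusted:
        return skeleton
    return None


def assess(domain: str, trusted: set = TRUSTED) -> dict:
    """Combine both checks into one verdict for a URL-protection or mail-filter hook."""
    target = confusable_with(domain, trusted)
    return {
        "domain": domain,
        "mixed_script": is_mixed_script(domain),
        "imitates": target,
        "suspicious": is_mixed_script(domain) or target is not None,
    }


if __name__ == "__main__":
    for d in (LEGIT_DOMAIN, MIXED_SCRIPT_LOOKALIKE, WHOLE_SCRIPT_LOOKALIKE):
        print(assess(d))
    # The mixed-script look-alike encodes to an xn-- label; example.com does not.
    print(to_punycode(LEGIT_DOMAIN), "->", to_punycode(MIXED_SCRIPT_LOOKALIKE))
```

Two checks are needed because they fail differently: the mixed-script test flags `exаmple.com` but says nothing about a domain spelled entirely in Cyrillic, while the skeleton comparison catches the whole-script spoof but only for domains on the allowlist. Browsers that show the `xn--` form for mixed-script labels are applying the first check; the second is what a mail gateway does with a brand list.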
---

## 📍 When to Use Which

| Situation | Best Defense Choice |
|-----------|---------------------|
| Bulk email campaigns | Machine-learning spam filter + SPF/DKIM/DMARC verification |
| Targeted spear/whaling attempts | Interactive user training + simulated phishing + MFA (prefer WebAuthn) |
| Voice or SMS attacks | Caller-ID verification policies; never disclose credentials over phone/SMS |
| QR code exposures | Mobile security app that previews URLs before opening; educate users to verify the QR source |
| MitM phishing (Evilginx) | WebAuthn (public-key credentials) + continuous session monitoring |
| Domain spoofing (homograph) | Browser URL protection with Unicode safety checks; educate users to copy-paste URLs |

---

## 👀 Patterns to Recognize

- Urgent language ("your account will be closed", "immediate action required").
- Generic greetings ("Dear Customer") vs. personalized but slightly off ("Dear John S.").
- Mismatched display URL vs. actual href (hovering reveals a different domain).
- Misspelled or extra-character domains (e.g., paypa1.com).
- Use of an IP address or an unusual top-level domain in a link.
- Attachments with double extensions (invoice.pdf.exe) or macro-enabled Office files.
- Unexpected requests for credentials, OTPs, or remote-access tools.
- QR codes placed in public places without a verifiable source.

---

## 🗂️ Exam Traps

- Distractor: "Phishing attacks only happen via email." – Wrong; vishing, smishing, quishing, and page hijacking are also common.
- Distractor: "Implementing SPF eliminates phishing." – SPF only validates the sending IP; it does not stop credential-theft pages.
- Distractor: "MFA guarantees safety." – Real-time relay attacks can still succeed against OTP-based MFA.
- Distractor: "If a URL uses HTTPS, it's safe." – Phishers can obtain valid TLS certificates for malicious domains.
- Distractor: "Only large organizations are targeted by phishing." – Mobile phishing (smishing, quishing) targets any user with a smartphone.
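The "Patterns to Recognize" list is exactly the feature set a heuristic mail filter scores, so here is an added example (written for this guide, not taken from RemNote or any product it names) that turns those bullets into detection logic and runs it over two constructed messages. The allowlist, the phrase lists, the attachment rules and both sample messages are assumptions made for the demonstration; the host parsing uses the last two labels rather than a public-suffix list, which is adequate only for a toy.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical allowlist of domains the organisation legitimately links to.
TRUSTED_DOMAINS = {"paypal.com", "example.com"}

# Feature lists lifted from the guide's "Patterns to Recognize" bullets.
URGENT_PHRASES = ("immediate action required", "account will be closed",
                  "within 24 hours", "verify now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
CREDENTIAL_ASK = re.compile(r"\b(password|one-time code|otp|verification code)\b")
# Double extensions (invoice.pdf.exe) or macro-enabled Office files.
RISKY_ATTACHMENT = re.compile(
    r"\.(pdf|docx?|xlsx?|txt)\.(exe|scr|js|bat|com)$|\.(docm|xlsm|pptm)$", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Message:
    subject: str
    html_body: str
    attachments: list = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Last two labels of a host (toy approximation of the registrable domain)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; distance 1 to a trusted domain flags paypa1.com-style typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_signals(href: str, text: str) -> list:
    """Signals for one <a> element: IP-address host, display/href mismatch, look-alike domain."""
    signals = []
    host = urlparse(href).hostname or ""
    if IPV4_HOST.match(host):
        signals.append(f"ip-address link: {host}")
    dom = registrable_domain(host)
    shown = text.strip()
    if LOOKS_LIKE_URL.fullmatch(shown):  # only compare when the visible text is itself a URL
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if registrable_domain(shown_host) != dom:
            signals.append(f"display/href mismatch: shows {shown_host}, goes to {host}")
    if dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(dom, trusted) == 1:
                signals.append(f"look-alike domain: {dom} vs {trusted}")
    return signals


def analyze(msg: Message) -> list:
    """Return every phishing indicator found; an empty list means nothing fired."""
    text = re.sub(r"<[^>]+>", " ", msg.html_body).lower()
    everything = msg.subject.lower() + " " + text
    signals = [f"urgent language: '{p}'" for p in URGENT_PHRASES if p in everything]
    signals += [f"generic greeting: '{g}'" for g in GENERIC_GREETINGS if g in text]
    if CREDENTIAL_ASK.search(everything):
        signals.append("asks for credentials/OTP")
    for href, anchor_text in ANCHOR.findall(msg.html_body):
        signals += link_signals(href, anchor_text)
    signals += [f"risky attachment: {a}" for a in msg.attachments if RISKY_ATTACHMENT.search(a)]
    return signals


# Constructed sample messages (not real mail).
PHISH = Message(
    subject="Immediate action required",
    html_body='<p>Dear Customer,</p><p>Your account will be closed unless you confirm '
              'your password at <a href="http://paypa1.com/login">https://www.paypal.com/login</a>.</p>',
    attachments=["invoice.pdf.exe"],
)
BENIGN = Message(
    subject="Team lunch Friday",
    html_body='<p>Hi Dana,</p><p>Agenda attached; details on '
              '<a href="https://example.com/wiki/lunch">the wiki page</a>.</p>',
    attachments=["agenda.pdf"],
)

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, analyze(m))
```

Each signal maps to one bullet in the list, so the output doubles as the explanation a user-training tool would show: the constructed phishing message trips urgency, a generic greeting, a credential ask, a display/href mismatch, a typosquatted domain and a double-extension attachment, while the benign note trips nothing. A real gateway would weight these rather than count them, and would add the header checks (SPF, DKIM, DMARC) the guide lists under technical defenses.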