Hello! Welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we are going to continue discussing Social Engineering by taking the plunge into the definitions/use cases around the “ishings”. The “ishings”? What the heck are the “ishings”? The “ishings” are phishing, vishing, smishing, and a couple of phishing variants like spear phishing, whaling, clone phishing, angler phishing, and snowshoeing. Yes, yes, I know those don’t all end in “ishing”; perhaps it sounded better in my head when I was writing this.
Some of those terms may be familiar to you, some are a bit more recent than the others. So, let us get right to the thick of it:
Phishing: “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” In other words, a method of social engineering that utilizes email to trick the target into providing information that the threat actor is looking for. This basic type of social engineering is usually somewhat random in nature, like a shotgun blast effect of malicious emails to a broad spectrum of targets.
Vishing: “the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.” This is one of the oldest types of social engineering performed by threat actors: convince a target that you are someone you are not, gain their trust, then gather or harvest as much information from the target as you can.
Remember crank phone calls? Pranking people over the phone? (I may be showing my age here). Usually those were for laughs, harmless (or thought to be harmless) jokes played on people back before the technologies we use now were available. The idea, however, may have been one of the many birthplaces of tactics like vishing. Ok, moving on.
Smishing: “the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.” Are we seeing a theme here? Each one of these types uses technologies we have grown accustomed to against us. Phishing typically hooks through email, vishing hooks through voice telephony, and smishing hooks through text communications.
Time to dig a bit deeper into phishing types; let’s start with clone phishing: “Clone phishing requires the attacker to create a nearly identical replica of a legitimate message to trick the victim into thinking it is real. The email is sent from an address resembling the legitimate sender, and the body of the message looks the same as a previous message. The only difference is that the attachment or the link in the message has been swapped out with a malicious one.” Talk about some trickery. Oops, sorry about that, oh target-of-mine, I missed some details in that first email. Let me resend that to you. This turns trust that has already been established against the target.
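Because a clone keeps the body and changes only the sender or the link, a mail gateway can spot one by comparing a “resent” message against the earlier legitimate one. The following Python is an added example, not GuardSight’s or any vendor’s code; the two messages and their domains are constructed.

```python
import re
from difflib import SequenceMatcher

# Constructed sample messages (not from the page). RESENT is the "oops, let me
# resend that" follow-up: same text, look-alike sender domain, swapped link.
ORIGINAL = {
    "from": "invoices@example-supplier.com",
    "body": "Hi, please find the invoice here: https://portal.example-supplier.com/inv/4471 Thanks!",
}
RESENT = {
    "from": "invoices@example-suppIier.com",  # capital I in place of l (constructed look-alike)
    "body": "Hi, sorry I missed some details. Please find the invoice here: https://portal.example-supplier-billing.net/inv/4471 Thanks!",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def links(msg):
    return set(URL_RE.findall(msg["body"]))

def masked_body(msg):
    # Replace every URL with a placeholder so a swapped link does not hide how alike the texts are.
    return URL_RE.sub("<link>", msg["body"]).lower()

def similarity(reference, candidate):
    return SequenceMatcher(None, masked_body(reference), masked_body(candidate)).ratio()

def clone_indicators(reference, candidate, threshold=0.6):
    """Indicators that `candidate` is a clone of `reference`: near-identical text but a
    different sender and/or links the reference never carried. Empty if not similar."""
    if similarity(reference, candidate) < threshold:
        return []
    indicators = []
    if candidate["from"] != reference["from"]:
        indicators.append(f"sender changed: {reference['from']} -> {candidate['from']}")
    swapped = links(candidate) - links(reference)
    if swapped:
        indicators.append("link(s) not in reference: " + ", ".join(sorted(swapped)))
    return indicators
```

The same comparison applies to attachments by hashing them instead of extracting links.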
How about spear phishing? Spear phishing, like phishing, is attempting to gather information. This type, however, reduces the random factor, or the shotgun blast approach we talked about earlier. The targets are specifically selected by the threat actor, and the attempts to convince the targets are harder to decipher. The threat actor here is looking for specific information to harvest and is making the emails look more and more legitimate. Spear phishing attempts typically lack some of the basic phishing errors that are easier to spot (misspellings, weird email addresses, obvious signs of trickery).
And that leads us into whaling. Where spear phishing turned up the complexity of the hook, whaling ratchets it up even further. Whaling targets executives, and the threat actors are typically looking for the payday with whaling attempts. The targets are high-value, and the information they have is much more valuable than the information a lower-level employee may have. The threat actors spend a significant amount of time and effort on the whaling emails; they prey on executive-level concerns (legal matters, customer service issues, business-related concerns), and they do their homework to make the attempts as convincing as possible.
So, what the heck is angler phishing? Angler phishing uses social media to gather the information the threat actor is searching for. Fake messages that appear to come from the various platforms out there get disseminated to their user base in an effort to trick the targets into clicking/tapping/etc. in order to achieve the threat actors’ goal. Doesn’t seem like that would be a very hard lift with all the information people post of their own volition.
And, finally, here is snowshoeing (and this has nothing to do with the wintertime hobby/pastime/sport, or whatever you may call it). Snowshoeing, or its other moniker, “hit-and-run” spam, is a technique in which attackers send messages via multiple domains and IP addresses. Each IP address sends out a low volume of messages, so reputation- or volume-based filtering technologies cannot recognize and block the malicious messages right away.
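Since per-IP reputation and volume checks are exactly what snowshoeing sidesteps, a defender has to look at the campaign as a whole rather than at each sender. The Python below is an added example, not code from GuardSight or the page: it parses constructed mail-gateway log lines (TEST-NET addresses and made-up domains) and flags a landing-page host whose traffic is spread thinly across many sending IPs.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed mail-gateway log lines (not from the page): time, sending IP,
# envelope sender domain, quoted subject, first URL in the body.
LOG = """\
2024-05-01T08:00:01Z 203.0.113.10 alert-a.example "Action required on your account" https://verify.example-phish.test/login
2024-05-01T08:00:05Z 203.0.113.44 alert-b.example "Action required on your account" https://verify.example-phish.test/login
2024-05-01T08:01:12Z 203.0.113.71 alert-c.example "Action required on your account" https://verify.example-phish.test/login
2024-05-01T08:01:40Z 203.0.113.99 alert-d.example "Action required on your account" https://verify.example-phish.test/login
2024-05-01T08:02:03Z 203.0.113.120 alert-e.example "Action required on your account" https://verify.example-phish.test/login
2024-05-01T08:02:30Z 203.0.113.120 alert-e.example "Action required on your account" https://verify.example-phish.test/login
2024-05-01T08:05:00Z 198.51.100.7 news.example "Weekly newsletter" https://news.example/issue/42
2024-05-01T08:05:10Z 198.51.100.7 news.example "Weekly newsletter" https://news.example/issue/42
2024-05-01T08:05:20Z 198.51.100.7 news.example "Weekly newsletter" https://news.example/issue/42
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+)$')

def parse(log):
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"ts": m[1], "ip": m[2], "domain": m[3], "subject": m[4], "url": m[5]})
    return rows

def find_snowshoe_campaigns(rows, min_ips=4, max_per_ip=2):
    """Group messages by the landing-page host they point to, then flag groups whose
    traffic is spread thinly over many sending IPs. A per-IP reputation or volume
    filter sees each sender as quiet; the campaign view shows the fan-out."""
    by_host = defaultdict(list)
    for r in rows:
        by_host[urlparse(r["url"]).hostname].append(r)
    flagged = {}
    for host, msgs in by_host.items():
        per_ip = Counter(r["ip"] for r in msgs)
        if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
            flagged[host] = {
                "messages": len(msgs),
                "sending_ips": len(per_ip),
                "sending_domains": len({r["domain"] for r in msgs}),
            }
    return flagged
```

The newsletter in the sample comes from a single IP, so it is never flagged; the thresholds are assumptions to tune against your own mail volume.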
Keep in mind that the content that is actually sent through the different “ishings” varies widely. Some links may be focused on harvesting information, while other links may result in malware/ransomware infection. The links and content depend solely on the threat actor and what they are trying to accomplish.
Ok, so that wraps up a very brief introduction to the “ishings” in an effort to better educate you, the listener, on what to be aware of and look out for. We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!