Christmas, Seafood and Phishing
Well, only Christmas and Phishing are relevant to this article, the seafood just got me from one to the other!
How are these two things related (apart from the seafood)?
It has long been suspected, and the recent ransomware and data disclosure breaches seem to confirm it, that the weakest link in the IT security chain is often the human one.
Human psychology plays an important part in any vulnerability to phishing, and a number of factors come together around Christmas time that tend to make us humans a little more vulnerable than usual.
More than ever, we are doing our shopping on-line, and Christmas is expected to be a peak time for this activity. Online shoppers will have bought from a number of outlets, probably paid using a number of different methods, and arranged shipping and tracking through more than a single carrier.
It is therefore not unexpected to get an occasional email confirming a purchase, despatch of goods, or similar correspondence arising from this activity.
As Christmas draws near, we may also get unsolicited Merry Xmas emails from real friends, Facebook friends, relatives, clients and customers.
On top of that, people tend to be focussed more on being sociable (replying to emails), preparing for the festive break, and just being a little more distracted than they might be at other times.
Into this mix arrives the phishing email.
When an email from (say) FedEx arrives with a message about your missed delivery (potentially throwing some Christmas plans into disarray), will you take the time to check it and confirm it is legitimate?
Too many will assume it relates to a legitimate purchase they did make, and that did ship via FedEx, and act on it without checking.
Phishing is not confined to email, but can be found in nearly every form of public digital communication, including “traditional” social media platforms like Twitter and Facebook, as well as more specific environments and services such as LinkedIn and PayPal.
Generally, there are 5 or so categories of phishing, which in increasing order of sophistication can be described as follows:
Deceptive Phishing
Currently probably the most common form, in which the fraud is conducted by impersonating another, legitimate, company. Typically, the message is generic and includes an implied threat and a sense of urgency that the reader “act now”. These are usually relatively easy to spot if you know what to look for, being generic in both content and language.
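As an added illustration (not code from the original article), the short Python check below looks for three of the tells just described in a constructed sample "missed delivery" email: a Reply-To domain that differs from the sender, urgency wording, and a link whose visible text shows one site while the real target is another. The sample message, its domains and the word list are all made up for this example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): a generic
# "missed delivery" lure of the kind the article describes.
SAMPLE_EMAIL = """\
From: FedEx Customer Service <notice@fedex-delivery-update.example>
Reply-To: support@mail-relay.example
Subject: URGENT: your parcel could not be delivered
Content-Type: text/html

<html><body>
<p>We could not deliver your parcel. Act now or it will be returned.</p>
<p><a href="http://secure-login.example/track">http://www.fedex.com/track</a></p>
</body></html>
"""

# Illustrative urgency phrases; a real filter would use a tuned list.
URGENCY = ("act now", "urgent", "immediately", "within 24 hours", "suspended")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr_or_url: str) -> str:
    """Return the lower-cased host part of an email address or URL."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].strip(">").lower()
    return (urlparse(addr_or_url).hostname or "").lower()

def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable warning signs found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender {sender}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    subject_and_body = (msg.get("Subject", "") + " " + text).lower()
    hits = [w for w in URGENCY if w in subject_and_body]
    if hits:
        findings.append("Urgency language: " + ", ".join(hits))
    # A link whose visible text names one domain but whose href goes elsewhere
    for href, label in HREF_RE.findall(text):
        shown = domain_of(label.strip())
        if shown and shown != domain_of(href):
            findings.append(f"Link text shows {shown} but points to {domain_of(href)}")
    return findings
```

Run `phishing_indicators(SAMPLE_EMAIL)` to see all three indicators reported for the sample; a legitimate despatch notice would normally produce none of them.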
Spear Phishing
These are a more targeted and personalised variant of the simple deceptive phishing attempt. The communication will be personalised (addressing you by name) and often include some details which imply a legitimate connection with the reader, including phone numbers, employer, position/title, etc.
LinkedIn is one of the most commonly used platforms for these sorts of scams.
The end goal is much the same: the fraud is perpetrated in an attempt to get access to personal data, ideally logon and password details.
CEO Phishing (Whaling)
Taking the Spear Phishing approach one step further, this type of attack is targeted at senior executives of corporations (which includes owners and managers of an SME) with the purpose of gaining access not just to personal details but to the corporation itself.
Executives typically do not engage in the same security awareness training as employees, and are targeted because of their high value – either direct access to corporate data or the ability for the fraudster to impersonate the executive and issue seemingly legitimate directives to make payments, change supplier accounts, etc.
Protection against this sort of fraud often extends to organisational policy/procedural changes, for example ensuring no single person can authorise financial transactions.
Pharming (DNS Cache Poisoning)
This type of attack relies on the attacker’s ability to compromise parts of the internet infrastructure itself, typically by what is known as “DNS cache poisoning”.
The short version is that the attacker is able to compromise a DNS server such that when your browser asks it to look up a genuine address (e.g. www.microsoft.com), the “poisoned” DNS server returns a different, fake IP address. Your browser connects to that computer and attempts to load the page, and what happens next depends very much on what the fraudster has put there. It might look sufficiently like the legitimate site that you end up providing your login details or, worse, the page downloads some malware.
Protection includes ensuring you always and only enter login credentials over secure (https) connections, and verifying that the certificate supplied to your browser matches the company you think it belongs to.
Dropbox and Google Docs Phishing
This is a specific example where the fraud does not rely on baiting the potential victim, but instead uses knowledge of a person’s or company’s behaviour and practices to leverage another service (or sometimes company).
The prevalence of Dropbox for storing files and backups etc. made it a high value target both for harvesting login credentials and for tricking people into installing malware from what they thought were their own files or backups. One scam used a Dropbox-like login page hosted on Dropbox itself to steal people’s login details.
Google Docs was targeted in exactly the same way, with the fake login page not only hosted by Google, but also protected with a legitimate Google SSL certificate!
Two-factor authentication (2FA) or two-factor verification (2FV) are ways to protect yourself, so that simply knowing the username and password is not enough on its own to access the account.
If you need assistance, please contact us.