What is Phishing?

by cortesia

Have you ever been bitten by phishing?

Phishing is a very common method used by cybercriminals to deceive victims and steal confidential information. In general, victims fall for this type of illegal act and hand the cybercriminal information related to their bank account, such as passwords, credit card numbers or personal banking details.

The term plays on the English word “fishing”: the victim is lured into “biting the hook”.

These cybercriminals are usually called phishers, a term for someone who impersonates the identity of another, whether a company, an institution or another person. The phisher uses emails, instant messaging, social media, malware, phone calls, or any other method that serves to steal your personal information.

What information do these cybercriminals steal from us?

  • Personal information
  • Financial information
  • Account numbers
  • Credit card numbers
  • Access credentials
  • Location and contact information
  • Mail accounts
  • Social media accounts

What means does the Phisher use to steal confidential information?

  • Phone calls
  • Text messages
  • Use of e-mails
  • Use of social networks
  • Computer virus infection

How can we avoid being attacked by these types of cybercriminals?

  • Do not click on links that ask for personal information.
  • Verify that emails do not contain malicious links or misspellings.
  • When we visit a web page, we must make sure that the page has a security certificate: a padlock appears at the upper left of the address bar, and clicking on it confirms that the connection is secure.
  • These cybercriminals often ask for more personal information than we are used to giving, so we must be careful about what personal information we hand over.

A classic example: banks will never ask you for your personal banking information via email, so before providing it, call the bank or go to the nearest branch to validate the request.

We must be careful about what information we give to companies or institutions over the internet, since this scheme is used worldwide to steal personal data.

FBI and CISA warn of the growing threat of "vishing" as a result of the increase in remote work

How to avoid Phishing

According to the FBI and CISA (Cybersecurity and Infrastructure Security Agency), there is a new threat that is attracting the attention of important law enforcement agencies.

This threat is aimed directly at remote workers, whose numbers have grown during the Covid-19 pandemic. The increased use of VPNs is another reason for the rise in these attacks.

Vishing, or voice phishing as it is also known, is a social engineering technique widely used by online scammers. Pretending to be a support agent, a service provider or similar, they make contact with companies; some cybercriminals even have deep knowledge of the target company's internal structure.

One of the most notable incidents involved the accounts of various celebrities, which were used in a Bitcoin scam. The experts of the aforementioned security agencies state:

“In mid-July 2020, cybercriminals began a vishing campaign, gaining access to employee tools at various indiscriminately targeted companies, with the ultimate goal of monetizing access. By using vished credentials, cybercriminals mined the databases of the victim company for the personal information of their customers to exploit other attacks. The monetization method varied by company, but was very aggressive with a tight schedule between the initial breach and the disruptive recall scheme”.

What is Vishing and how does it work?

Vishing attacks occur when users (the victims) receive fraudulent phone calls from hackers. These scammers pose as a person who provides a service, as a representative of a company, or even as technical support for a service that the targeted organization previously contracted.

Our cybersecurity expert gives us a more detailed description of how Vishing works:

“Phishing is a global threat that affects people and businesses every day. The purpose of this attack is to get people to provide, through calls and messages, all possible information about their personal accounts, whether banking, social networks, etc. Through these means the cybercriminal seeks to make the victim believe that it is something they need, in order to trap them,” explains José Domingo Abogabir, CEO and General Director of Measured Security.

“Threat actors register domains and create phishing pages that duplicate a company’s internal VPN login page, and also capture two-factor authentication (2FA) or one-time passwords (OTP)”, says the notice.

After this, the criminals compile dossiers on employees of the specific companies that interest them, drawing at scale on their social profiles, marketing and recruitment tools, as well as verification services.

Using unattributable VoIP numbers, the criminals call their victims directly and spoof the phone numbers of other offices and employees of the target company.

Social engineering techniques are used, and the personal data already known about the employee of the attacked company is often used to gain their trust. Impersonating a support engineer, the attacker persuades the victim to enter their credentials (including any 2FA or OTP code), and that data is used to gain access to the company’s systems in real time.

In this regard, the FBI explains the following:

“In some cases, unsuspecting employees approved the 2FA or OTP message, either accidentally or believing it was the result of previous access granted to the help desk copycat.

In other cases, attackers have used a SIM-swap attack on employees to bypass 2FA and OTP authentication. The actors then used employee access to conduct further investigations on the victims and / or to obtain funds fraudulently using various methods depending on the platform being accessed.”

How can you prevent Vishing in your organization?

These are some of the tips that the FBI and CISA experts have made public so that companies can protect themselves from this type of cyberattack:

  • Restrict VPN connections to managed devices only, using mechanisms such as hardware checks and / or installed certificates, so that a user cannot log in to the corporate VPN with their credentials alone.
  • Restrict VPN access to permitted hours.
  • Employ domain monitoring so that you are always aware of the creation of, or changes to, domains that use the corporate brand.
  • Monitor web applications for unauthorized access and / or unusual activity.
  • Monitor user access and apply the principle of least privilege; implement software restriction policies.
  • Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
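Domain monitoring in practice, as an added example that is not from the post or from the FBI/CISA advisory: a Python triage routine that compares newly observed domain names against a hypothetical brand, folding punycode and common homoglyphs before matching, so that fake VPN/login portals of the kind the advisory describes surface for review. The brand, its corporate domains and the feed of observed names are all constructed for the example.

```python
import unicodedata
# Hypothetical brand and its legitimate domains (assumed values, not from the post).
BRAND = "acmecorp"
CORPORATE_DOMAINS = {"acmecorp.com", "acmecorp.net"}
# Substitutions attackers use for brand letters (multi-char first) and words of fake portals.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
VPN_KEYWORDS = ("vpn", "sso", "login", "portal", "mfa", "helpdesk")
# Constructed feed of newly observed names (not real registrations); last one is punycode.
OBSERVED_DOMAINS = [
    "vpn.acmecorp.com", "acmecorp-vpn.com", "acrnecorp.com", "acmec0rp.net",
    "acmecorp.com.login-portal.net", "acmecrop.com", "weather-news.org",
    "acmecórp.com".encode("idna").decode("ascii")]

def normalize_label(label):
    """Expand punycode (xn--), strip accents and fold homoglyphs to plain ASCII letters."""
    label = label.encode("idna").decode("idna")
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label

def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(domain):
    """Reasons a name looks like brand impersonation ([] = clean); no public-suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in CORPORATE_DOMAINS:
        return []                                  # our own, e.g. vpn.acmecorp.com
    reasons, sld = [], normalize_label(labels[-2])  # registrable domain = last two labels
    if BRAND in sld:
        reasons.append("brand name (after homoglyph folding) in uncontrolled domain")
        if any(k in sld for k in VPN_KEYWORDS):
            reasons.append("paired with VPN/login keyword")
    elif edit_distance(sld, BRAND) <= 2:
        reasons.append("lookalike within edit distance 2 of brand")
    if BRAND in normalize_label(".".join(labels[:-2])):
        reasons.append("brand name used as subdomain of a foreign domain")
    return reasons

def triage(domains):
    return {d: r for d in domains if (r := assess(d))}  # flagged names only
```

Anything `triage()` returns still needs a human look; the point is that a brand registered on a TLD you do not own, or spelled with digits, digraphs or accented letters, shows up before the phishing page is used in a call.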