Phishing Attacks
1. Definition
Phishing is a type of social engineering attack where attackers disguise themselves as trustworthy entities to deceive victims into revealing sensitive information (credentials, financial data, personal information) or performing harmful actions (clicking malicious links, downloading malware).
Unlike technical exploits that target software vulnerabilities, phishing targets the human element, exploiting trust, urgency, fear, or curiosity.
2. Technical Explanation
Phishing attacks typically involve several technical components:
Common Phishing Vectors:
- Email Phishing: Mass emails impersonating banks, tech companies, or employers.
- Spear Phishing: Targeted attacks using personal information about specific victims.
- Whaling: Spear phishing targeting high-value individuals (executives, celebrities).
- Smishing: Phishing via SMS text messages.
- Vishing: Phishing via voice calls.
Technical Deception Methods:
- Domain Spoofing: Using lookalike domains (g00gle.com, microsoft-security.com).
- Email Header Manipulation: Forging the "From" address to appear legitimate.
- Homograph Attacks: Using Unicode characters that look like ASCII (аpple.com using Cyrillic "а").
- URL Obfuscation: Hiding malicious URLs behind link shorteners or misleading anchor text.
- Credential Harvesting Pages: Pixel-perfect clones of legitimate login pages hosted on attacker-controlled domains.
3. Attack Flow
```mermaid
sequenceDiagram
    participant Attacker
    participant Victim
    participant FakeSite as Fake Login Page
    participant RealSite as Real Service
    Attacker->>Victim: Sends phishing email<br/>Your account will be suspended
    Note over Victim: Email appears to be from<br/>legitimate service
    Victim->>FakeSite: Clicks link and enters credentials
    FakeSite->>Attacker: Captures username and password
    FakeSite-->>Victim: Redirects to real site<br/>Victim unaware of theft
    Attacker->>RealSite: Logs in with stolen credentials
    RealSite-->>Attacker: Access granted to victim account
```
4. Real-World Case Study: Google Docs Phishing (2017)
Target: Gmail users worldwide.
Vulnerability Class: OAuth Token Phishing / Third-Party App Abuse.
The Attack: In May 2017, a highly sophisticated phishing attack spread rapidly through Gmail. Unlike traditional phishing:
- Victims received an email that appeared to be a Google Docs share invitation from a known contact.
- Clicking "Open in Docs" redirected to a legitimate Google OAuth page.
- The OAuth prompt asked users to grant permissions to an app called "Google Docs" (a fake third-party app).
- Once authorized, the malicious app gained access to the victim's email and contacts.
- It immediately sent the same phishing email to all contacts, creating viral spread.
Why It Was Effective:
- Used legitimate Google infrastructure (OAuth).
- The malicious app was named "Google Docs" to appear official.
- Came from known contacts (already compromised accounts).
- No traditional "fake login page" to detect.
Impact: Millions of users were targeted within an hour before Google disabled the malicious app. It forced Google to implement stricter OAuth app verification policies.
5. Detailed Defense Strategies
A. Email Authentication (SPF, DKIM, DMARC)
Prevent email spoofing at the protocol level.
- SPF (Sender Policy Framework): Specifies which servers can send email for your domain.
- DKIM (DomainKeys Identified Mail): Cryptographically signs emails to verify authenticity.
- DMARC (Domain-based Message Authentication): Tells receiving servers what to do with emails that fail SPF/DKIM.
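An added example, not part of the original article: a small Python audit that reads published SPF and DMARC TXT records and flags the weak settings a defender looks for (SPF ending in +all or ~all, DMARC p=none or missing, no rua= reporting address). It expects the DMARC record at _dmarc.<domain>; the sample records are constructed for the demo, not real DNS answers.

```python
# Added example: audit published SPF and DMARC TXT records for weak settings.
# SAMPLE_RECORDS is constructed for this demo; real values come from `dig TXT <name>`.
SAMPLE_RECORDS = {
    "example.com.": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com.": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "weak.example.": ["v=spf1 +all"],  # weak.example publishes no _dmarc record at all
}

def audit_spf(txt_records):
    """Return findings for the SPF record published at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host can claim to send for this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    findings = []
    # Qualifier on the final 'all' term: + pass (anyone may send), ~ softfail, ? neutral, - fail.
    all_terms = [t for t in spf[0].split() if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' term: unlisted senders get an implicit neutral")
    else:
        q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if q == "+":
            findings.append("SPF ends in +all: every host on the internet passes SPF")
        elif q in "~?":
            findings.append(f"SPF ends in {q}all: spoofed mail only soft-fails; prefer -all")
    return findings

def audit_dmarc(txt_records):
    """Return findings for the DMARC record, which lives at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    tags = {k.strip().lower(): v.strip()
            for k, v in (kv.split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)}
    policy, findings = tags.get("p", "").lower(), []
    if policy == "none":
        findings.append("DMARC p=none: failing mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy {policy!r} is not valid; receivers ignore the record")
    if policy == "reject" and tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: only that share of failing mail is rejected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unnoticed")
    return findings

def audit_domain(domain, records):
    # SPF is read at the apex name, DMARC at the _dmarc subdomain of the same zone.
    apex = domain.rstrip(".") + "."
    return audit_spf(records.get(apex, [])) + audit_dmarc(records.get("_dmarc." + apex, []))
```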
```dns
# Example DNS Records
# SPF: only Google's outbound servers may send for example.com; all other hosts hard-fail (-all)
example.com. TXT "v=spf1 include:_spf.google.com -all"
# DMARC is published at the _dmarc subdomain: reject failing mail and send aggregate reports
_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```
B. Multi-Factor Authentication (MFA)
Even if credentials are phished, attackers cannot access accounts without the second factor.
- Hardware Keys (FIDO2/WebAuthn): Phishing-resistant because they verify the origin domain.
- TOTP Apps: Better than SMS but still vulnerable to real-time phishing proxies.
- Push Notifications: Can be bypassed by "MFA fatigue" attacks but still add friction.
C. Security Awareness Training
Technical controls cannot stop users from willingly entering credentials.
- Simulated Phishing: Regular fake phishing campaigns to test and educate employees.
- Reporting Mechanisms: Easy one-click "Report Phishing" button in email clients.
- Just-in-Time Training: Immediate education when a user fails a simulation.
D. Email Filtering and Link Protection
- URL Rewriting: Proxy all clicked links through a security scanner.
- Attachment Sandboxing: Detonate suspicious files in isolated environments.
- Impersonation Detection: AI-based detection of emails pretending to be executives.
E. Browser and DNS Protection
- Safe Browsing APIs: Browsers warn users about known phishing sites (Google Safe Browsing).
- DNS Filtering: Block access to known malicious domains at the network level.
- Password Managers: Only autofill on legitimate domains, helping users detect fakes.
