In this post I want to investigate a case in which I personally experienced a phishing attack and lost my password, and with it my whole account, for three hours.
Vkontakte (vk.com) is one of the most popular social networks in Russian-speaking countries such as Belarus, where I am from, Ukraine and Russia. It is the Russian-speaking community's analogue to Facebook. All my friends from my home country have accounts on vk, and this year I and many of my acquaintances experienced a phishing attack on that social network, which I want to describe and analyse in this post.
What is a phishing attack?
A phishing attack is a kind of social engineering attack in which attackers send messages disguised as coming from a trustworthy source, in order to steal private data or install malicious software on the victim's device (NCSC, 2018).
The world is now experiencing a rise in cyber-attacks due to the coronavirus pandemic, and a rise in phishing attacks in particular can be observed (Kamal, Yen, Ping and Zahra, 2020).
The way I got attacked
One day I received a message in a group chat with my friends. I tried to find it and take a screenshot, but unfortunately vk.com deletes all such messages once the user regains control of the account. The message was from a close friend and the text was: "Hey guys! Could you please vote for my girlfriend in the photo battle?" The text was accompanied by a link. The most shocking fact is that the message had a real photo of his girlfriend attached.
I am always suspicious of such links on social networks. However, I could not even imagine that a phishing attack could be so well built. I clicked on the link without any hesitation. In fact, it was a huge mistake. I landed on a website with a similar-looking address, something like vk.login.com, and was asked to enter my details. Of course, it was a malicious website whose purpose was to steal my login and password. I entered my details and received the message "Incorrect password" on the screen. I tried entering several of my other passwords, in case I had forgotten which one I use for this social network.
Obviously, my account was stolen, along with a list of my passwords, my login, my email address and my phone number. Fortunately, my account was blocked within a few minutes and I had a chance to change my password and login details. But the consequences of my mistake were much worse than you might think at first glance. The way the attack worked is described in the next section, where I highlight the most interesting and cleverest ideas used to attack me so easily.
How did the attack work?
A phishing attack involves three major phases:
- Receiving a phish
- The victim takes the suggested action
- The criminal monetizes the stolen data
For the attack to succeed, the victim should receive the phishing link from a trustworthy, or seemingly trustworthy, source. In my case I received the link from a close friend whose account had been compromised the same way approximately 10-20 minutes earlier. The message contained information that seemed like something only my friend could know: a photo of his girlfriend. The photo could have been taken from her account and attached to the message because the relationship status on my friend's profile pointed to her. Although I suffered from that attack, I have to say it was a clever move.
After the victim clicks the phishing link, it usually leads to a fake website or gets malware installed (NCSC, 2018). In my case, I was taken to a fake website which pushed me to log in with my real details. The address was vk.login.com, and it seemed real because it matched the action I expected to perform: logging in to my vk.com account. However, now it is obvious to me that this website was fake. Reading the host name from the right, the registrable domain is login.com; "vk" is merely a subdomain that whoever controls login.com can create at will, and it has nothing to do with vk.com. Only a host that is vk.com itself or ends in ".vk.com" is controlled by the real service.
The next step is to steal as much private data from the user as possible. In my case, I entered my email address and password and received the message "Login details or password are incorrect". Then I tried to log in with my mobile phone number and my password. It did not work. Then I tried some other passwords I usually use, in case I had forgotten the password. I have to admit it was a brilliant move by the criminals. A fake page has no way to verify a password, so it simply rejects every attempt; that pushed me to enter as much information as I could before my account was actually blocked and I received an email with instructions from vk.com.
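The two tricks described in the last two sections, a lookalike host name and a page that rejects every password, are both defeated by the same rule: judge a login page by its registrable domain, not by how the address looks or by whether it accepts the password. The following Python is an added example written for this post, not code from vk.com or from the original article. It assumes a constructed, deliberately tiny stand-in for the Public Suffix List (a real check would load the full list from publicsuffix.org) and a hypothetical trusted-domain set containing only vk.com; the sample URLs are constructed too.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# Assumption: real code loads the full list from https://publicsuffix.org/.
PUBLIC_SUFFIXES = {"com", "net", "ru", "co.uk"}

# Hypothetical set of sites the user actually wants to log in to.
TRUSTED_DOMAINS = {"vk.com"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a host name.

    'login.vk.com' -> 'vk.com', 'vk.login.com' -> 'login.com',
    'vk.com.evil.net' -> 'evil.net'. A host under an unknown TLD is
    returned whole; a bare public suffix such as 'com' returns ''.
    """
    labels = host.lower().rstrip(".").split(".")
    # The longest matching public suffix wins, so try the full host first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else ""
    return ".".join(labels)


def classify_login_url(url: str) -> str:
    """Classify a login URL as 'trusted', 'trusted-but-http', 'lookalike',
    'unrelated' or 'invalid', judged on the registrable domain only."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted" if parts.scheme == "https" else "trusted-but-http"
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # The brand appears as a label ('vk.login.com') or the whole trusted
        # name is embedded ('vk.com.evil.net'): someone else is borrowing the
        # name, which is exactly what the phishing page in the post did.
        if brand in labels or trusted in host:
            return "lookalike"
    return "unrelated"


def should_autofill(stored_origin: str, current_url: str) -> bool:
    """A password manager fills a stored credential only when the scheme,
    host and port match the origin it was saved for, e.g. 'https://vk.com'.
    A lookalike host never matches, so the fields stay empty."""
    stored, current = urlsplit(stored_origin), urlsplit(current_url)
    return (stored.scheme, stored.hostname, stored.port) == (
        current.scheme, current.hostname, current.port)


if __name__ == "__main__":
    # Constructed sample URLs, including the one from the post.
    for sample in ("https://vk.com/login", "https://vk.login.com/",
                   "https://vk.com.evil.net/", "https://example.com/"):
        print(f"{sample:32} {classify_login_url(sample)}")
    print("autofill on vk.login.com:",
          should_autofill("https://vk.com", "https://vk.login.com/"))
```

The origin rule in should_autofill is the reason a password manager is a useful phishing detector even for a user who is about to be fooled: it would have left the fields on vk.login.com empty, and an unexpected empty login form is a strong hint that the page is not the one the credential was saved for.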
What information was stolen and how it can be monetized is described in the next section.
What was stolen and how it can be monetized
The first things stolen were my login details and password; therefore, the attackers had access to my account for approximately 5-10 minutes before it was blocked for suspicious activity. The criminals also obtained 3 of my other passwords and my email address. Furthermore, they got my mobile phone number. But how can all that data be monetized?
The first way is to execute similar attacks on people from my friends list and steal their data the same way. One of the most popular attacks on Facebook was carried out using the Koobface worm, which asked friends of the victim to send money to the attackers' accounts (Hong, 2012). In short, phishing links can be spread in this way.
Nowadays, criminals can sell stolen data such as email addresses, phone numbers and lists of passwords to other criminals on underground networks (NCSC, 2018). This information may also be sold to advertising companies in order to add the victim to their lists.
However, the worst consequences were due to the stolen email address and the list of my other passwords. Using that information, attackers can get access to a number of my social network accounts and even my bank account, since a password reused across services opens every service where it was reused. Fortunately, I understood this really fast and changed my passwords on every service I could remember. But there are still some services I did not remember, and they may potentially be accessed using the stolen credentials.
Conclusion
"It doesn't matter how many firewalls, encryption software, certificates, or two-factor authentication mechanisms an organization has if the person behind the keyboard falls for a phish."
In conclusion, it is necessary to emphasize the importance of conscious behaviour online. A service may have the best security, but it will fall if the user himself hands all the information to the fraudsters. Users should always think twice before clicking on any link online, especially one found on a social network. The consequences of such a mistake may be serious.
References:
Hong, J., 2012. The State of Phishing Attacks. Communications of the ACM, [online] 55(1). Available at: <https://cacm.acm.org/> [Accessed 20 October 2021].
Kamal, A., Yen, C., Ping, M. and Zahra, F., 2020. Cybersecurity Issues and Challenges during Covid-19 Pandemic. [online] preprints.org. Available at: <https://www.preprints.org/manuscript/202009.0249/v1> [Accessed 20 October 2021].
Bullfrag.com, 2015. How to create an account in VK – Easy and fast. [image] Available at: <https://www.bullfrag.com/how-to-create-an-account-in-vk-easy-and-fast/> [Accessed 20 October 2021].
Great post - I like the personal connection to the incident and you have brought research into it well. I would try to cross-reference some areas and not rely on just one source for phishing scam information - but this could be explored in future posts.
Can you make a clear post now of the direction you are taking with your project theme? This can lead you into the start of your research essay for continuous assessment.
I have made such a post.
https://ilya-smut.blogspot.com/2021/10/the-topic-for-essay.html
Thank you for the feedback! I will cross-reference the areas about phishing scams and improve my text.