Reset

Hikvision Senior Director of Cybersecurity: Identifying Phishing Attacks, Three Advanced Phishing Tactics Explained

May 21, 2020

Hikvision HikWire blog article Chuck Davis cybersecurity Three Advanced Phishing Tactics

In recent blogs, Hikvision senior director of cybersecurity Chuck Davis discussed phishing hacks and malware related to the coronavirus, and tips to avoid them. In this blog, Hikvision’s Davis covers an overview of phishing attacks, what they are, how to identify them and avoid becoming a victim of them.

Phishing takes many forms and those forms evolve daily. It’s true, some phishing attacks are so good they can even dupe seasoned cybersecurity experts. On the contrary, common phishing attacks are easy to detect. And, the more you understand about phishing tactics, the better you get at recognizing when you need to be suspicious and take extra caution. Keep reading to learn more.

What Is Phishing?
Phishing is the attacker’s dependable, longtime friend. Around since at least 1995, phishing is used to trick people into providing credit card information, login IDs and passwords, and to gain access to your computer, protected systems and/or networks.

Phishing is the malicious use of social engineering to obtain sensitive information or access from an unsuspecting victim. This usually comes in the form of email, social media links, or other digital means that an attacker can use to trick a victim.

The United States Computer Emergency Readiness Team (US-CERT) defines phishing as follows:

Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing email is usually crafted to appear as if they have been sent from a legitimate organization or someone known to the recipient. They often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information such as account usernames and passwords that can further expose the victim to future compromises. Additionally, these fraudulent websites may contain malicious code. (http://www.us-cert.gov/nav/report_phishing.html)

History of Phishing
The practice of phishing, “originated sometime around the year 1995, these types of scams were not commonly known by everyday people until nearly ten years later” according to phishing.org. The practice has become one of the main methods of attack and is increasing at a rapid pace.

Understanding the history of phishing can help you avoid falling prey to this type of scam. To learn more about the history of phishing, read this post on phishing.org.

Basic Phishing
Phishing attacks come in all shapes and sizes. Most of the basic phishing email have easy to spot characteristics, if you’re looking for them. The following example is from 2012. Even though it’s old, I think this email would still trick many recipients.

You can see in the following image, that the email appears to come from “Customer Central” and sent from an e-mail address using the domain name, “comcast.com.”

Gmail does not do us any favors by masking the full destination email address. You can see in the image below that it appears to be sent to “pllpt.” This is greyed out and in small text so it’s easy to overlook, but the fact that the recipient’s real email address is not in the “To:” field is our first clue that this may be a phish attack.

Hikvision HikWire blog article Chuck Davis cybersecurity May 21 Phishing

The email indicates that the customer’s credit card information on file is declining the payment and the email requests that the recipient update his or her credit card information by clicking on the link.

A quick or casual review of this link may seem safe. The URL begins with http://account.comcast.com. But look at the rest of the URL: http://account.comcast.com.5he.biz/

Remember that the last two sections before the forward slash (/) indicate the domain name of the destination. In this case, the domain name is 5he.biz and account.comcast.com are all subdomains of 5he.biz.

Interestingly, the author of this phishing email did not try to mask the actual link, which is easy to do and might be a little more effective in tricking someone to click on the link.

After clicking the link, you can see below that the URL has changed to yet another domain name. This time it begins with “login.comcast.net” but again, notice the trailing forward slash does not come until much later in the URL, which means that the domain name for this page is actually o7b.name.

The next, very interesting thing to note here is that the rogue site looks exactly like the actual Comcast xfinity authentication page. Below, compare the screenshots of the rogue site and the actual Comcast xfinity page. They are nearly identical!

The rogue site:

Hikvision HikWire blog article Chuck Davis cybersecurity May 21 Phishing 2

The real site:

Hikvision HikWire blog article Chuck Davis cybersecurity May 21 Phishing 3

Three Advanced Phishing Tactics Explained
Many of you reading this have received phishing email and you likely know some tricks to identify a basic phish. In this section, you may learn some new tactics that attackers are using to trick us.

Tactic No. 1: URL Masking
This tactic is actually quite basic but it is the cornerstone of more advanced tactics. One of the main tips in finding a phishing email is to hover over links to see where they go before you click. That is a great tip, but there are phishing tricks that attackers use to mask a URL. Here are some examples of how easy it is to mask a URL. If you hover over the link below, you’ll notice that it does not link to yahoo.com, but rather, google.com.

https://www.yahoo.com/

Tactic No. 2: Advanced URL Masking
Hovering over is a good way to scrutinize a URL but it’s not 100 percent accurate. There are ways to “click-jack" URLs that will show one link when you hover over it but send the user to another link when you click.

One method of executing this is to write JavaScript that shows one domain when you hover over the link, and sends you to a different page when you actually click!  Hover over the following example. You’ll see that the link points to https:www.google.com. Now click on that link and see which page opens up.

Here is a link to Google

Tactic No. 3: Unicode Domains
Another tactic is to use character sets that look similar to English/Latin characters, but are not. In this example, apple.com was registered using Cyrillic characters instead of English/Latin characters.

https://apple.com/ - This is the REAL Apple URL with English/Latin characters.

https://аррӏе.com/ - This is a fake site using Cyrillic characters.

When you click on the second link in Firefox and some other browsers, the URL shows the Cyrillic characters. The good news is that most modern browsers now show the Punycode URL.

Hikvision HikWire blog article Chuck Davis cybersecurity May 21 Phishing 4

A security researcher registered the above domain. You can read his blog post here to learn more about this type of attack.

Read more about preventing phishing and other hacks Hikvision’s cybersecurity blog link.

IMPORTANT! This model requires non-standard firmware. Do Not Install standard firmware (e.g. v.4.1.xx) on this model. Doing so will permanently damage your system. You must use custom firmware v.4.1.25 from the iDS-9632NXI-I8/16S product page.

View the most updated version of this document here:

https://techsupportca.freshdesk.com/en/support/solutions/articles/17000113531-i-series-nvr-firmware-upgrade-instructions

 

The I-series NVR (such as the DS-7716NI-I4) is one of Hikvision's most popular and feature-rich recorders. As such, many firmware revisions have been introduced over the years to continually ensure the product is compatible with the newest technology available. Due to the many revisions, we recommend that the user closely follows the instructions below in order to reduce the amount of time spent as well as the chance of failure.

 

Database Optimization and Repair

As more affordable IP cameras are introduced over time with greater video resolution and data sizes, more efficient database management also becomes necessary. The introduction of firmware v4.0 brought about a new database architecture in order to be futureproof.

 

After upgrading to v4.X, the recorder database will need to be converted and optimized. If you are experiencing issues where playback is expected but not found, make sure "Database Repair" is performed as indicated in the procedures and scenarios below.

 

Preparing the Upgrade

Before proceeding with upgrade, it is recommended that NVR configuration file is exported from the NVR over the network or on to a local USB drive.

 

Upgrading from v3.4.92 build 170518 or Older

  1. All recorders must reach v3.4.92 before proceeding further. Upgrading from versions before v3.4.92 directly to any version of v4.X will likely cause the recorder to fail.
  2. If the recorder is already at v3.4.92, a full factory default is highly recommended before upgrading to any version of v4.X. There is a high chance of unit failure (requiring RMA) if the unit is not defaulted before upgrade.
  3. After reaching v3.4.92 and performing a full factory default, an upgrade directly to v4.50.00 is acceptable.
  4. After the upgrade is completed and the recorder is reprogrammed, it may be beneficial to perform a Database Repair. For details, refer to the section "Database Optimization and Repair" above.
  5. To verify repair progress, you may refer to the HDD status, or search the recorder log for repair started and stopped entries. Note that while the HDD is repairing, new recordings are still being made, but some existing recordings may not be searchable until repair is complete.
  6. If you continue to observe playback issues after database repair, ensure there are no power, network, or motion detection issues. Should the problem persist, contact technical support.

 

Upgrading from Any v4.X Build to v4.50.00.

  1. Any v4.X build can be upgraded directly to v4.50.00.
  2. Export configuration is highly recommended before performing the upgrade.
  3. If upgrading from any v4.X version that was not v4.22.005, a Database Repair is recommended. Refer to Step 4 and onwards in the previous section.

 

Downgrading

Downgrading is not recommended. Due to new features and parameters constantly being added, downgrading may cause the NVR to factory default itself or require a manual default to operate properly.

By downloading and using software and other materials available via this website, you agree to be legally bound by HIKVISION General Terms of Use . If you don’t agree to these terms, you may not download or use any of those materials.

If you are agreeing on behalf of your company, you represent and warrant that you have legal authority to bind your company to the General Terms of Use above. Also you represent and warrant that you are of the legal age of majority in the jurisdiction in which you reside (at least 18 years of age in many countries).