May 25, 2020 / blog post

Mishing and Deeshing Attacks

The phishing jungle consists of a plethora of genres: phishing, spear phishing, whaling, smishing, vishing, etc.

We already know regular “phishing”: a fraudulent attempt, such as a scam e-mail, aimed at obtaining sensitive information belonging to the victim.

A phishing action targeting a specific individual, organization or business is called “spear phishing”. If the target is a C-level senior manager, the attack has its own name: “whaling”.

There are some other means of phishing attacks: smishing, vishing and pharming:

“Smishing” uses cell phone text messages (SMS) to lure the victim. If the attacker has strong social engineering skills, she can convince the victim of almost anything just by talking on the phone; because the attacker uses her voice, this is “voice phishing”, aka a “vishing” attack.

Here we want to talk about two more species of phishing attack which we believe deserve their own names: “mishing” and “deeshing”.

For two years from late 2015, an individual or individuals impersonating France’s defence minister, Jean-Yves Le Drian, scammed an estimated €80m (£70m; $90m) from wealthy victims including the Aga Khan and the owner of Château Margaux wines. In meetings arranged on Skype, the fraudster wore a custom-made Le Drian “mask” and sat in a facsimile of Le Drian’s ministerial office, complete with flags and a portrait of then-President François Hollande.

This was a very interesting and creative way of attacking by using a mask; it looked like an echo of the Mission: Impossible movie series. Phishing the victim by wearing a mask is what we call a “mishing attack”.

Deeshing is more technology based and draws on a hot topic in AI and deep learning: deepfake technologies. It is possible to train a model on the victim’s voice or speech so that it utters whatever phrases the attacker desires. Imagine receiving a voicemail from your CEO about withdrawing from a very important bid. Phishing the victim by using deepfake techniques is what we call “deeshing”.

I believe these two emerging attack types could be included in awareness training, for the employees who usually do not like awareness training at all.