Phishing Dark Waters. Fincher Michele
Note
Notes indicate notes, tips, hints, tricks, or asides to the current discussion.
Summary
The idea behind this book is to dissect what a phish is, why it works, and the principles behind it. We want to fully expose all the flaws of phishing so you can understand how to defend against it.
In my last book, Unmasking the Social Engineer, I told a story about a friend who is a master swordsman. He learned his skill by learning all about swords – how to use them and how they work – and then choosing the best partner to help him learn how to fight with them. That story applies here, too. After you learn all about identifying phish, become familiar with the available tools, and learn how to choose a good sparring partner, you can then begin to create a program that will hone your skills and help you and your employees, family, and friends stay secure.
Before we can get that deep into the ring, we need to start with some light weights, including learning some key elements such as “What is phishing?” and “What are some examples of it?”
Read on to find out the answers to these questions.
Chapter 1
An Introduction to the Wild World of Phishing
Lana: Do you think this is some kind of a trap?
Archer: What? No, I don't think it's a trap! Although I never do …and it very often is.
Because we're going to be spending some time together, I feel I should start our relationship with an honest self-disclosure. Although I consider myself to be a reasonably smart person, I have made an inestimable number of stupid mistakes. Many of these started with me yelling, “Hey, watch this!” or thinking to myself, “I wonder what would happen if <insert dangerous/stupid situation here>.” But most often, my mistakes have come not from yelling challenges or thinking about possibilities but from not thinking at all. This absence of thinking typically has led to only one conclusion – taking an impulsive action. Scammers, criminals, and con men have clearly met me in a past life, because this is one of the key aspects that make them successful. Phishing in its various forms has become a high-profile attack vector used by these folks because it's a relatively easy way to reach others and get them to act without thinking.
NOTE
One more thing before this train really gets rolling. You may notice that when I refer to the bad guy, I use the pronoun “he.” (See? I even said bad “guy.”) I'm not sexist, nor am I saying all scammers are male. It's just simpler than improperly using “they” or saying “he or she” just to be inoffensive to someone, and it avoids adding a layer of complexity that's off the point. So “he” does bad stuff. But a bad guy can be anyone.
Phishing 101
Let's start with some basic information. What is phishing? We define it as the practice of sending e-mails that appear to be from reputable sources with the goal of influencing or gaining personal information. That is a long way of saying that phishing involves sneaky e-mails from bad people. It combines both social engineering and technical trickery. It could involve an attachment within the e-mail that loads malware (malicious software) onto your computer. It could also be a link to an illegitimate website. These websites can trick you into downloading malware or handing over your personal information. Furthermore, spear phishing is a very targeted form of this activity. Attackers take the time to conduct research into targets and create messages that are personal and relevant. Because of this, spear phish can be very hard to detect and even harder to defend against.
Anyone on this planet with an e-mail address has likely received a phish, and on the basis of the reported numbers, many have clicked. Let's be very clear about something. Clicking doesn't make you stupid. It's a mistake that happens when you don't take the time to think things through or simply don't have the information to make a good decision. (Me driving from Biloxi, MS, to Tucson, AZ, in one shot, now that was stupid.)
It's probably safe to say that there are common targets and common attackers. Phishers' motives tend to be pretty typical: money or information (which usually leads to money). If you are one of the many who have received an e-mail urging you to assist a dethroned prince in moving his inheritance, you've been a part of the numbers game. Very few of us are fabulously wealthy. But when a phisher gets a bunch of regular people to help the prince by donating a small “transfer fee” to assist the flow of funds (often requested in these scams), it starts to add up. Or, if an e-mail from “your bank” gets you to hand over your personal information, it could have drastic financial consequences if your identity is stolen.
Other probable targets are the worker bees at any company. Although they alone may not have much information, mistakenly handing over login information can get an attacker into the company network. This can be the endgame if the rewards are big enough, or it might just be a way to escalate an attack to other opportunities.
Other than regular people, there are clearly high-value targets that include folks located somewhere in the direct food chain of large corporations and governments. The higher people are in the organization, the more likely they are to become targets of spear phish because of the time and effort it takes to get to them and the resultant payoff. This is when the consequences can become dire at the level of entire economies as opposed to individuals.
If you move beyond the common criminal and the common motive of quick money, the rationale and the attackers can get big and scary pretty quickly. At one end of that, there might be people interested in the public embarrassment of a large organization for political or personal beliefs. For example, the Syrian Electronic Army (SEA) has been cited in a number of recent cases in which phishing e-mails led to the compromise of several media organizations, including the Associated Press (AP),[3] CNN,[4] and Forbes,[5] just to name a few. Clearly, there have been financial consequences; for instance, the hack of the AP Twitter account caused a 143-point drop in the Dow (see Figure 1.1). No small potatoes, but what about the public loss of reputation for a major media outlet? We could debate all day which consequence was actually more costly. On a positive note, however, it did make all of us reconsider whether social media is the best way to get reliable, breaking news.
Figure 1.1 Hacked AP tweet
Going even deeper, we get into cyber espionage at the corporate and/or nation-state level. Now we're talking about trade secrets, global economies, and national security. At this point, the consequences and fallout become clear to even the most uninformed citizen. A current story rocking international news alleges that Chinese military attackers have breached five major U.S. companies and a labor union.[6] The companies are part of the nuclear and solar power and steel manufacturing industries. For the first time in history, the United States has brought charges of cyber espionage against another country.[7] All of this was initiated by some simple e-mails.
I guess this is a long way of saying that phishing should matter to everyone, not just security nerds. Cyber espionage might not be something you think about every day, but I'll bet your bank account and credit score are something you do
[4] Tim Wilson, “Report: Phishing Attacks Enabled SEA to Crack CNSS's Social Media,” January 1, 2014, http://www.darkreading.com/attacks-breaches/report-phishing-attacks-enabled-sea-to-crack-cnns-social-media/d/d-id/1141215?.
[5] Andy Greenberg, “How the Syrian Electronic Army Hacked Us: A Detailed Timeline,” February 20, 2014, http://www.forbes.com/sites/andygreenberg/2014/02/20/how-the-syrian-electronic-army-hacked-us-a-detailed-timeline/.
[7] Brett Logiurato, “The US Government Indicts 5 Chinese Military Hackers on Cyberspying Charges,” May 19, 2014, http://www.businessinsider.com/us-china-spying-charges-2014-5.