Read the book Phishing Dark Waters - Fincher Michele - Page 4

Introduction


“There was no such thing as a fair fight. All vulnerabilities must be exploited.”

– Cary Caffrey

Social engineering. Those two words have become a staple in most IT departments and, after the last couple of years, in most of corporate America, too. One statistic states that more than 60 percent of all attacks had the “human factor” as either the crux of or a major piece of the attack. Analysis of almost all of the major hacking attacks from the past 12 months reveals that a large majority involved social engineering – a phishing e-mail, a spear phish, or a malicious phone call (vishing).

I have written two books analyzing and dissecting the psychology, physiology, and historical aspects of con men, scammers, and social engineers. In doing so, I found that one theme keeps coming up: e-mail. Since its beginning, e-mail has been used by scammers and social engineers to dupe people out of credentials, money, information, and much more.

In a recent report, the Radicati Group estimates that in 2014 there was an average of 191.4 billion e-mails sent each day. That equates to more than 69.8 trillion e-mails per year [1]. Can you even imagine that number? That is 69,861,000,000,000 – staggering, isn't it? Now try to swallow that more than 90 percent of e-mails are spam, according to the information on the Social-Engineer Infographic [2].

E-mail has become a part of life. We use it on our computers, our tablets, and our phones. In some groups of people that I've worked with, more than half the people have told me that they get 100, 150, or 200 e-mails per day!

In 2014, the Radicati Group stated that there are 4.1 billion e-mail addresses in the world. Using that figure and a calculator (191.4 billion messages a day divided by 4.1 billion addresses is roughly 47), I discovered that the average is almost 50 e-mails per address per day, every day of the year. Because we know that not every single person in the world gets that many messages, it is not inconceivable to think that many of us receive 100, 150, or even 250 e-mails per day.

As people get more stressed, as workloads increase, and as the use of technology reaches an all-time high, the scam artists, con men, and social engineers know that e-mail is a great vector into our businesses and homes. Mix that with how easy it is to create fake e-mail accounts, spoof legitimate senders, and fool people into taking actions that may not be in their best interests, and we can see why e-mail is quickly becoming the number-one vector for malicious attackers.

When we are not running social-engineering competitions at major conferences like DEF CON, and Michele is not fighting with students (real story, I swear), we travel the globe to work with some of the biggest and best companies on their security programs. Even companies that know what they are doing and have robust programs for security awareness and protection are still falling victim to the threat of phishing.

We wrote the pages of this book with that experience in mind. We asked ourselves, “How can we take the years of experience in working with some of the world's largest companies and help every company put a plan into action to make the most of phishing education?”

Am I a Builder Yet?

Michele and I started to develop a program that we implemented in a few places. The program is simple but powerful. It involves using the very tools that are used against us to empower us. We know that this concept is not something we invented. After all, there are more than a handful of companies right now selling “phishing services” to legitimate organizations. Many users of those products – large companies – have come to us and said things like, “We have been using this tool for a year, but our click ratios are still super high. What can we do?”

Before I answer that, let me tell you a story. I remember when I was buying my first home. My wife and I were super excited as the closing approached. (We were going to own a home!) So I did what all men who own a home do: I bought some more tools. I went to Home Depot and bought a beautiful set of cordless tools, a saw, a drill, a jigsaw, and some other miscellaneous tools.

I brought them into my house the first day and found the perfect spot on the shelves in the basement for that toolbox. There it sat for a year. Then all of a sudden I had to cut something. I was so excited; I finally got to use my new tools! I got the toolbox and pulled out the circular saw. I read all the instructions, including something like, “Ensure you are using the proper blade for the material you are cutting.”

I looked at the blade, thought, “Yep, looks sharp,” and cut my board. It worked. I still had all my limbs and appendages, the board was cut, and the saw didn't blow up. This process continued for a couple hours when all of a sudden the saw started jamming; it stopped cutting. I charged the batteries and did the finger-touch test to the blade and thought, “Ouch, still sharp.” Frustrated, I determined the tool was at fault. “Stupid saw; must be defective.”

Then a friend came over to help me out. He took one look at the saw and said, “Um, dude, why are you cutting 2×4s with a fine-tooth blade?”

“A what-toothed what?” I replied.

My friend shook his head, and then he gave me an education on blades.

Why do I tell you this humiliating, emasculating story other than to point out my utter lack of manliness? To prove this point: Owning tools does not make you a builder!

Phishing tools are no different from construction tools. Just buying the tool doesn't make you secure, and it doesn't make you able to educate others on the phishing problem.

Teaching People to Phish

So, back to the program Michele and I were developing: We started to analyze phishing and security awareness programs and discovered – as many other serious security professionals have determined – that many of them were useless.

No, security awareness is not useless. I'm not so naïve or silly as to say that we don't need awareness. But the style and method of awareness training just wasn't working. Seriously, raise your hand right now if you ever paid attention all the way through a 30- or 60-minute DVD presentation on security awareness. Okay – the one guy in the back – you can put your hand down. But as I suspected, barely a hand is raised.

People tune out training if it's not interactive and quick. Marketers know this; they tell us to make websites interesting, fun, interactive, and to the point. Why should education be anything less?

We started to come up with a plan to make the phishing portion of our clients' security awareness interactive, interesting, and, most of all, not too lengthy. That is why this book had to be written; we wanted to answer a few questions:

• How serious is phishing?

• What psychological principles play a part in phishing?

• Can phishing really be used as a successful part of your security awareness education?

• If so, how can a company implement that?

• Can any size business create a serious phishing education program?

We sat down and outlined a book on phishing, defined our program, and formalized our methodology. We then gave a lot of thought to whether we wanted to release this to the public; after all, it took us years of work to develop our method. After we started to see how it was helping so many of our clients, we decided to write the book. At first, though, it seemed that a phishing book wouldn't interest many people – at least not until the events of 2014, when phishing dominated the front pages again and again during real hacking events. Phishing is being used in attacks every day; phishing service providers are popping up every month; and companies all over the globe are jumping on the bandwagon to start phishing education programs.

What You Can Expect

Michele and I hope that this book will help you on your quest to protect yourself and your company against malicious phishers. We want to take you on the journey we went through in getting ready to write this book.

Chapter 1 starts with the basics. It explains what phishing is and why it is used, and we included a lot of examples of the most current and effective phish.

Chapter 2 delves into the why of phishing. Why do those phish work? What is the psychology behind them that makes phishing so effective?

Chapter 3 takes a look at just one area – influence – and explains how that principle is used by malicious phishers.

Chapter 4 is all about protection. Now that the first three chapters have covered the bases of what phishing is, it's time to start discussing how you can protect yourself from it. We give tips for both civilians and corporations, as well as analyze some of the worst suggestions we have heard.

Chapter 5 gets into how you can create a corporate phishing program to help secure your folks.

But how do you tie all this information into corporate policies? I know, I know; the word policy is like a four-letter word in these books. But we have to discuss it, and the brief but important Chapter 6 is where we do that.

This book wouldn't be complete without looking at some of the most current tools on the market and how they work to complement the program being set up. Chapter 7 covers those tools.

Chapter 8 concludes the book by rounding off all the principles and discussion with some clear-cut rules of making this program work.

Conventions Used in This Book

To help you get the most from the text and keep track of what's happening, we used some conventions throughout the book.

Special formatting in the text represents the following things:

• We highlight new terms and important words when we introduce them.

• We show URLs within the text like so: www.social-engineer.org/.

Note

Notes indicate notes, tips, hints, tricks, or asides to the current discussion.

Summary

The idea behind this book is to dissect what a phish is, why it works, and the principles behind it. We want to fully expose all the flaws of phishing so you can understand how to defend against it.

In my last book, Unmasking the Social Engineer, I told a story about a friend who is a master swordsman. He learned his skill by learning all about swords – how to use them and how they work – and then choosing the best partner to help him learn how to fight with them. That story applies here, too. After you learn all about identifying phish, become familiar with the available tools, and learn how to choose a good sparring partner, you can then begin to create a program that will hone your skills and help you and your employees, family, and friends stay secure.

Before we can get that deep into the ring, we need to start with some light weights, including learning some key elements such as “What is phishing?” and “What are some examples of it?”

Read on to find out the answers to these questions.

[1] Sara Radicati, PhD, “Email Statistics Report, 2014–2018,” April 2014, http://www.radicati.com/wp/wp-content/uploads/2014/01/Email-Statistics-Report-2014-2018-Executive-Summary.pdf.
