Read the book Phishing Dark Waters - Fincher Michele - Page 6

Chapter 1
An Introduction to the Wild World of Phishing
Phishing 101


Let's start with some basic information. What is phishing? We define it as the practice of sending e-mails that appear to be from reputable sources with the goal of influencing or gaining personal information. That is a long way of saying that phishing involves sneaky e-mails from bad people. It combines both social engineering and technical trickery. It could involve an attachment within the e-mail that loads malware (malicious software) onto your computer. It could also be a link to an illegitimate website. These websites can trick you into downloading malware or handing over your personal information. Furthermore, spear phishing is a very targeted form of this activity. Attackers take the time to conduct research into targets and create messages that are personal and relevant. Because of this, spear phish can be very hard to detect and even harder to defend against.
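The two technical ingredients named above, a sender that only appears to be reputable and a link that leads somewhere other than where it claims, can both be checked mechanically. The following Python script is an added example and is not code from the book or its authors; the e-mail it inspects is a constructed sample using reserved placeholder domains (example-bank.com, .invalid, .test), and the trusted-domain set and the crude registrable-domain helper are assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the book): the display name claims to be a bank,
# the actual sender domain is unrelated, and the visible link text differs
# from the real href.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@mail-example-bank.invalid>
To: customer@example.com
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://login.example-bank.invalid.attacker.test/verify">
https://www.example-bank.com/verify</a> within 24 hours.</p>
</body></html>
"""

# Constructed benign counterpart: sender and link both match the trusted domain.
CLEAN_EML = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>View it at <a href="https://www.example-bank.com/statements">
https://www.example-bank.com/statements</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumed simplification: last two labels. A production check would
    consult the public suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_message(raw, trusted_domains):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: does the real sender domain belong to the brand it claims to be?
    display_name, addr = parseaddr(msg["From"])
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain and registrable_domain(sender_domain) not in trusted_domains:
        findings.append(
            f"sender domain {sender_domain!r} is not a trusted domain for {display_name!r}"
        )

    # Check 2: does the URL shown to the reader match the URL actually linked?
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(f"link text shows {shown_host!r} but points to {href_host!r}")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EML, {"example-bank.com"}):
        print("FLAG:", finding)
    print("clean message findings:", analyze_message(CLEAN_EML, {"example-bank.com"}))
```

Both checks are deliberately narrow: a mismatch is a strong signal, but an absence of findings says nothing about attachments or about a lookalike domain that happens to be on the trusted list, so this is a triage aid rather than a verdict.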

Anyone on this planet with an e-mail address has likely received a phish, and on the basis of the reported numbers, many have clicked. Let's be very clear about something. Clicking doesn't make you stupid. It's a mistake that happens when you don't take the time to think things through or simply don't have the information to make a good decision. (Me driving from Biloxi, MS, to Tucson, AZ, in one shot, now that was stupid.)

It's probably safe to say that there are common targets and common attackers. Phishers' motives tend to be pretty typical: money or information (which usually leads to money). If you are one of the many who has received an e-mail urging you to assist a dethroned prince in moving his inheritance, you've been a part of the numbers game. Very few of us are fabulously wealthy. But when a phisher gets a bunch of regular people to help the prince by donating a small “transfer fee” to assist the flow of funds (often requested in these scams), it starts to add up. Or, if an e-mail from “your bank” gets you to hand over your personal information, it could have drastic financial consequences if your identity is stolen.

Other probable targets are the worker bees at any company. Although they alone may not have much information, mistakenly handing over login information can get an attacker into the company network. This can be the endgame if the rewards are big enough, or it might just be a way to escalate an attack to other opportunities.

Other than regular people, there are clearly high-value targets that include folks located somewhere in the direct food chain of large corporations and governments. The higher people are in the organization, the more likely they are to become targets of spear phish because of the time and effort it takes to get to them and the resultant payoff. This is when the consequences can become dire at the level of entire economies as opposed to individuals.

If you move beyond the common criminal and the common motive of quick money, the rationale and the attackers can get big and scary pretty quickly. At one end of that, there might be people interested in the public embarrassment of a large organization for political or personal beliefs. For example, the Syrian Electronic Army (SEA) has been cited in a number of recent cases in which phishing e-mails led to the compromise of several media organizations, including the Associated Press (AP),[3] CNN,[4] and Forbes,[5] just to name a few. Clearly, there have been financial consequences; for instance, the hack of the AP Twitter account caused a 143-point drop in the Dow (see Figure 1.1). No small potatoes, but what about the public loss of reputation for a major media outlet? We could debate all day which consequence was actually more costly. On a positive note, however, it did make all of us reconsider whether social media is the best way to get reliable, breaking news.


Figure 1.1 Hacked AP tweet

Going even deeper, we get into cyber espionage at the corporate and/or nation-state level. Now we're talking about trade secrets, global economies, and national security. At this point, the consequences and fallout become clear to even the most uninformed citizen. A current story rocking international news alleges that Chinese military attackers have breached five major U.S. companies and a labor union.[6] The companies are part of the nuclear and solar power and steel manufacturing industries. For the first time in history, the United States has brought charges of cyber espionage against another country.[7] All of this was initiated by some simple e-mails.

I guess this is a long way of saying that phishing should matter to everyone, not just security nerds. Cyber espionage might not be something you think about every day, but I'll bet your bank account and credit score are something you do give thought to. My mother still hasn't figured out how to check her voicemail on her cell phone (true story!), but she's definitely aware that she should never open an e-mail from someone she doesn't know. Your mom should follow that rule, too.

Now you know the what, the who, and the why; let's talk about the how.

[3] Geoffrey Ingersoll, “Inside the Clever Hack That Fooled the AP and Caused the DOW to Drop 150 Points,” November 22, 2013, http://www.businessinsider.com/inside-the-ingenious-hack-that-fooled-the-ap-and-caused-the-dow-to-drop-150-points-2013-11.

[4] Tim Wilson, “Report: Phishing Attacks Enabled SEA to Crack CNN's Social Media,” January 1, 2014, http://www.darkreading.com/attacks-breaches/report-phishing-attacks-enabled-sea-to-crack-cnns-social-media/d/d-id/1141215?.

[5] Andy Greenberg, “How the Syrian Electronic Army Hacked Us: A Detailed Timeline,” February 20, 2014, http://www.forbes.com/sites/andygreenberg/2014/02/20/how-the-syrian-electronic-army-hacked-us-a-detailed-timeline/.

[6] Danny Yadron, “Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam,” May 19, 2014, http://online.wsj.com/news/articles/SB10001424052702303468704579572423369998070.

[7] Brett Logiurato, “The US Government Indicts 5 Chinese Military Hackers on Cyberspying Charges,” May 19, 2014, http://www.businessinsider.com/us-china-spying-charges-2014-5.
