Read the book Phishing Dark Waters - Fincher Michele - Page 7
Chapter 1
An Introduction to the Wild World of Phishing
How People Phish
Identifying a suspect e-mail would probably be pretty easy if the sender was “Gimme Your Money.” But one of the simplest ways that con men take advantage of us is by the use of e-mail spoofing, which is when the information in the “From” section of the e-mail is falsified, making it appear as if it is coming from someone you know or another legitimate source (such as your cable company). Chris and I outline some simple steps in Chapter 4 that might help you identify whether the sender is legitimate. In the meantime, it's simply good to know that thinking an e-mail is safe just because you know the sender isn't always a sure bet.
Another technique that scammers use to add credibility to their story is the use of website cloning. In this technique, scammers copy legitimate websites to fool you into entering personally identifiable information (PII) or login credentials. These fake sites can also be used to directly attack your computer. An example that Chris personally experienced is the fake Amazon.com website. This is a great example for a couple of reasons. First, it's a very common scam because so many of us have ordered from Amazon.com. We've seen the company's website and e-mails so many times that we probably don't take a very close look at either. Second, it's good enough that even someone very experienced in the sneaky tactics used by scammers almost fell victim to it.
Chris has been phishing our clients for years (with their permission, of course). He's sent hundreds of thousands of phish and knows how they're put together and why they work. But last year, he received an e-mail informing him that access to his Amazon.com account was going to be blocked. This e-mail happened to coincide with preparations for our annual contest at DEF CON. Now, there's never a time that Chris isn't busy, but the month or so prior to DEF CON is basically all nine circles of Dante's Hell at the same time, in his office. I don't know what he actually thought or said at the time he received the fake Amazon.com e-mail, but you probably know where this story is going. Figure 1.2 shows the very e-mail he received.
Figure 1.2 The infamous Amazon.com phishing e-mail
If you read this e-mail closely, you will notice that the language isn't quite up to par, and there are anomalies, such as random capitalization. These characteristics are common hallmarks of phish, as many senders aren't native English speakers. The key here is that the quality of the e-mail is more than good enough to pass a quick inspection by a recipient with his hair on fire.
Chris clicked the link and ended up on what looked like the Amazon.com website, as shown in Figure 1.3. Even a close visual inspection wouldn't have revealed it as fake because the site had been cloned.
Figure 1.3 Fake Amazon.com website
At this point, Chris's years of training kicked in. He looked at the website URL (address) and realized it wasn't legitimate. If he had entered his login credentials as he was asked to, his account containing his PII and his credit card information would have been hijacked. This almost worked because the website itself was an exact duplicate of the real thing, and the e-mail came at a time when Chris was busy, tired, and distracted – all things that can prevent critical thinking. (We'll talk more about this in Chapter 4.) The bottom line here is that website cloning is a very convincing way of getting people to believe the phish is real.
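The two cues this chapter leans on, a falsified “From” line and a link whose real address is not the brand it imitates, can both be checked mechanically before anyone clicks. The script below is an added example, not code from the book or its authors. It parses two constructed messages (a spoofed “account will be blocked” lure and a genuine-looking shipping notice, both invented here, with amazon.com assumed as the brand domain), compares the From domain with the Return-Path and with the receiving server's Authentication-Results header, and resolves every link in the body to the domain that actually owns it. The `registered_domain` helper and the `triage` function are this example's own names, and the two-label domain rule is a deliberate simplification.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand domain the message claims to come from (assumption for this example).
EXPECTED_DOMAIN = "amazon.com"

# Constructed sample: a spoofed "account will be blocked" lure. Not a real message.
PHISH_MESSAGE = b"""Return-Path: <bounce@mail-verify.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mail-verify.example; dkim=none
From: "Amazon.com" <account-update@amazon.com>
To: victim@example.org
Subject: Your Account Access Will be Blocked
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer, Your Account will be Blocked. Please
<a href="http://amazon.com.account-verify.example/login">Click Here</a> to Verify.</p></body></html>
"""

# Constructed sample: what a genuine notification looks like at the header level.
LEGIT_MESSAGE = b"""Return-Path: <order-update@amazon.com>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=amazon.com; dkim=pass header.d=amazon.com; dmarc=pass
From: "Amazon.com" <order-update@amazon.com>
To: customer@example.org
Subject: Your order has shipped
Content-Type: text/html; charset=utf-8

<html><body><p>Track it under <a href="https://www.amazon.com/your-orders">Your Orders</a>.</p></body></html>
"""


def registered_domain(host: str) -> str:
    """Last two DNS labels of a host, e.g. 'www.amazon.com' -> 'amazon.com'.
    Simplification: production code should use the Public Suffix List, which
    this two-label rule gets wrong for names such as example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _domain_of(address_header: str) -> str:
    """Domain part of the first address in a header value ('' if none)."""
    _, addr = parseaddr(address_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(msg, expected_domain: str) -> list:
    """Findings about who the message really came from."""
    findings = []
    from_dom = _domain_of(str(msg.get("From", "")))
    rp_dom = _domain_of(str(msg.get("Return-Path", "")))
    if registered_domain(from_dom) != expected_domain:
        findings.append(f"From domain {from_dom!r} is not {expected_domain}")
    # A displayed From that does not match where bounces go is a spoofing cue.
    if rp_dom and registered_domain(rp_dom) != registered_domain(from_dom):
        findings.append(f"From says {from_dom} but Return-Path is {rp_dom}")
    # Authentication-Results is written by the receiving mail server; only
    # trust the copy added by your own MTA, never one the sender included.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech} result is {result}")
    return findings


def check_links(msg, expected_domain: str) -> list:
    """Findings about where the links in the HTML body actually point."""
    findings = []
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return findings
    for href in re.findall(r'href=["\']([^"\']+)["\']', body.get_content(), flags=re.I):
        host = urlparse(href).hostname or ""
        actual = registered_domain(host)
        # 'amazon.com.account-verify.example' is owned by account-verify.example,
        # whatever its leftmost labels say.
        if actual != expected_domain:
            findings.append(f"link {href} belongs to {actual}, not {expected_domain}")
    return findings


def triage(raw: bytes, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Run both checks and summarise; 'suspicious' is True on any finding."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = check_sender(msg, expected_domain)
    links = check_links(msg, expected_domain)
    return {"sender": sender, "links": links, "suspicious": bool(sender or links)}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_MESSAGE), ("legit", LEGIT_MESSAGE)):
        report = triage(raw)
        print(label, "suspicious" if report["suspicious"] else "clean")
        for finding in report["sender"] + report["links"]:
            print("  -", finding)
```

Running it flags the lure four times on the sender side (Return-Path mismatch, SPF fail, no DKIM, no DMARC) and once on the link, while the genuine notice produces no findings. Two caveats matter in real use: the Authentication-Results header is only meaningful when your own receiving server wrote it, since a sender can include a forged one, and the two-label domain rule should be replaced by a Public Suffix List lookup before it is trusted with anything but a demo.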
One final trick that scammers use is to follow up phishing e-mails with a phone call. This is also known as vishing (for voice phishing) or phone phishing. Vishing has many malicious goals, ranging from adding truthfulness and credibility to an e-mail all the way to directly requesting confidential information. This technique emphasizes the idea that you should be closely protecting your PII. I grew up in an era in which people regularly had their Social Security and telephone numbers printed on their checks, right under their addresses, which basically announced, “Please steal my identity, Mr. Criminal!” Imagine how convincing it would be if you received an e-mail directly followed by a phone call from “your bank” that urged you to click the link, go to a website, and update your account information.
A real example occurred recently at the corporate level. It was dubbed “Francophoning” because the targets were primarily companies based in France.8 The attack was well planned and executed. An administrative assistant received an e-mail regarding an invoice, which was followed by a phone call from someone claiming to be a vice president within the company. He asked the assistant to process the invoice immediately. She clicked the e-mail link, which led to a file that loaded malware. This malware enabled attackers to take over her computer and steal information. This example is interesting because so many factors are in play – for example, the use of authority and gender differences in compliance – but the main point here is that any story becomes more convincing if you hear it from more than one source.
8 Symantec Official Blog, “Francophoned – A Sophisticated Social Engineering Attack,” August 28, 2013, http://www.symantec.com/connect/blogs/francophoned-sophisticated-social-engineering-attack.