Phishing Dark Waters. Fincher Michele

      Archer: What? No, I don't think it's a trap! Although I never do …and it very often is.

      Because we're going to be spending some time together, I feel I should start our relationship with an honest self-disclosure. Although I consider myself to be a reasonably smart person, I have made an inestimable number of stupid mistakes. Many of these started with me yelling, “Hey, watch this!” or thinking to myself, “I wonder what would happen if <insert dangerous/stupid situation here>.” But most often, my mistakes have come not from yelling challenges or thinking about possibilities but from not thinking at all. This absence of thinking typically has led to only one conclusion – taking an impulsive action. Scammers, criminals, and con men have clearly met me in a past life, because this is one of the key aspects that make them successful. Phishing in its various forms has become a high-profile attack vector used by these folks because it's a relatively easy way to reach others and get them to act without thinking.

      Phishing 101

      Let's start with some basic information. What is phishing? We define it as the practice of sending e-mails that appear to be from reputable sources with the goal of influencing or gaining personal information. That is a long way of saying that phishing involves sneaky e-mails from bad people. It combines both social engineering and technical trickery. It could involve an attachment within the e-mail that loads malware (malicious software) onto your computer. It could also be a link to an illegitimate website. These websites can trick you into downloading malware or handing over your personal information. Furthermore, spear phishing is a very targeted form of this activity. Attackers take the time to conduct research into targets and create messages that are personal and relevant. Because of this, spear phish can be very hard to detect and even harder to defend against.

      Anyone on this planet with an e-mail address has likely received a phish, and on the basis of the reported numbers, many have clicked. Let's be very clear about something. Clicking doesn't make you stupid. It's a mistake that happens when you don't take the time to think things through or simply don't have the information to make a good decision. (Me driving from Biloxi, MS, to Tucson, AZ, in one shot, now that was stupid.)

      It's probably safe to say that there are common targets and common attackers. Phishers' motives tend to be pretty typical: money or information (which usually leads to money). If you are one of the many who has received an e-mail urging you to assist a dethroned prince in moving his inheritance, you've been a part of the numbers game. Very few of us are fabulously wealthy. But when a phisher gets a bunch of regular people to help the prince by donating a small “transfer fee” to assist the flow of funds (often requested in these scams), it starts to add up. Or, if an e-mail from “your bank” gets you to hand over your personal information, it could have drastic financial consequences if your identity is stolen.

      Other probable targets are the worker bees at any company. Although they alone may not have much information, mistakenly handing over login information can get an attacker into the company network. This can be the endgame if the rewards are big enough, or it might just be a way to escalate an attack to other opportunities.

      Other than regular people, there are clearly high-value targets that include folks located somewhere in the direct food chain of large corporations and governments. The higher people are in the organization, the more likely they are to become targets of spear phish because of the time and effort it takes to get to them and the resultant payoff. This is when the consequences can become dire at the level of entire economies as opposed to individuals.

If you move beyond the common criminal and the common motive of quick money, the rationale and the attackers can get big and scary pretty quickly. At one end of that, there might be people interested in the public embarrassment of a large organization for political or personal beliefs. For example, the Syrian Electronic Army (SEA) has been cited in a number of recent cases in which phishing e-mails led to the compromise of several media organizations, including the Associated Press (AP),3 CNN,4 and Forbes,5 just to name a few. Clearly, there have been financial consequences; for instance, the hack of the AP Twitter account caused a 143-point drop in the Dow (see Figure 1.1). No small potatoes, but what about the public loss of reputation for a major media outlet? We could debate all day which consequence was actually more costly. On a positive note, however, it did make all of us reconsider whether social media is the best way to get reliable, breaking news.

Figure 1.1 Hacked AP tweet

      Going even deeper, we get into cyber espionage at the corporate and/or nation-state level. Now we're talking about trade secrets, global economies, and national security. At this point, the consequences and fallout become clear to even the most uninformed citizen. A current story rocking international news alleges that Chinese military attackers have breached five major U.S. companies and a labor union.6 The companies are part of the nuclear and solar power and steel manufacturing industries. For the first time in history, the United States has brought charges of cyber espionage against another country.7 All of this was initiated by some simple e-mails.

      I guess this is a long way of saying that phishing should matter to everyone, not just security nerds. Cyber espionage might not be something you think about every day, but I'll bet your bank account and credit score are something you do give thought to. My mother still hasn't figured out how to check her voicemail on her cell phone (true story!), but she's definitely aware that she should never open an e-mail from someone she doesn't know. Your mom should follow that rule, too.

      Now you know the what, the who, and the why; let's talk about the how.

      How People Phish

      Identifying a suspect e-mail would probably be pretty easy if the sender was “Gimme Your Money.” But one of the simplest ways that con men take advantage of us is by the use of e-mail spoofing, which is when the information in the “From” section of the e-mail is falsified, making it appear as if it is coming from someone you know or another legitimate source (such as your cable company). Chris and I outline some simple steps in Chapter 4 that might help you identify whether the sender is legitimate. In the meantime, it's simply good to know that thinking an e-mail is safe just because you know the sender isn't always a sure bet.

      Another technique that scammers use to add credibility to their story is the use of website cloning. In this technique, scammers copy legitimate websites to fool you into entering personally identifiable information (PII) or login credentials. These fake sites can also be used to directly attack your computer. An example that Chris personally experienced is the fake Amazon.com website. This is a great example for a couple of reasons. First, it's a very common scam because so many of us have ordered from Amazon.com. We've seen the company's website and e-mails so many times that we probably don't take a very close look at either. Second, it's good enough that even someone very experienced in the sneaky tactics used by scammers almost fell victim to it.

Chris has been phishing our clients for years (with their permission, of course). He's sent hundreds of thousands of phish and knows how they're put together and why they work. But last year, he received an e-mail informing