Phishing: Electronic Social Engineering
One particularly widespread form of social engineering is phishing. Many individuals and organizations fall prey to these surreptitious yet perilous attacks, and in most cases the victims do not realize they have been attacked until the stolen information is used. In a 2003 press release, Jana Monroe of the FBI rightly called phishing “the hottest and most troubling scam on the Internet.”
So what is phishing? Phishing refers to the act of sending fake electronic communications, typically e-mails, that appear legitimate, with the intent of stealing sensitive information such as credit card numbers, usernames and passwords, and bank details. In simplest terms, it is electronic social engineering that exploits human trust.
Phishing is said to have been coined as an amalgam of two other words, “phreaking” and “fishing.” “Phreaking” is itself a composite term that derives from “phone” and “freak” and refers to the manipulation of the phone system for hacking purposes. Fishing recalls the idea of baiting people to submit sensitive information.
Although phishing attacks have evolved to use malicious software (malware) such as spyware and Trojans to harvest information, the most common kind of attack today still involves e-mail. The phisher sends an e-mail that appears valid and trustworthy, seemingly from the recipient’s bank or credit card company, requesting that the recipient click on a link. This is a basic impersonation attack: the link leads to a Web site under the phisher’s control that mimics the legitimate one and collects whatever information the user submits.
In another form of attack, the phisher’s Web site displays a pop-up window, such as a log-in dialog, that is used to collect the information.
More sophisticated phishing attacks take it one step further by using the phishing site as a man-in-the-middle (MITM): once the user submits information on the fake site, he or she is forwarded to the legitimate site, so the victim sees the expected page and nothing appears amiss. This is referred to as a forwarding attack.
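The impersonation attack described above rests on a gap between what a link appears to be and where it actually leads. As an added example (not part of the original article), the following Python script applies the corresponding checks to a constructed phishing e-mail: it pairs each link’s visible text with its real destination, flags visible text that names one host while the href points at another, flags raw-IP and plain-http destinations, and flags a trusted brand name buried inside an untrusted domain (e.g. `examplebank.com.login-verify.net`). The e-mail body and the trusted domain `examplebank.com` are constructed for this demonstration, and `registrable_domain` uses a last-two-labels simplification rather than a real public suffix list.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example, not from the original article. The e-mail body below is
constructed for the demonstration and the "trusted" domain is hypothetical.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkParser(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(text, href, trusted):
    """Return the list of reasons this link looks like phishing bait."""
    reasons = []
    url = urlparse(href)
    if url.scheme not in ("http", "https"):
        return reasons  # mailto:, tel:, etc. are out of scope here
    host = url.hostname or ""
    if url.scheme == "http":
        reasons.append("plain http, no TLS")
    if _is_ip(host):
        reasons.append("host is a raw IP address")
    # Visible text that looks like a URL or hostname but resolves elsewhere.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        reasons.append(f"link text says {m.group(1)} but href goes to {host}")
    # A trusted brand name used as a label inside an untrusted domain
    # (substring match is a heuristic; it will not catch homoglyphs).
    for t in trusted:
        brand = t.split(".")[0]
        if brand in host and registrable_domain(host) not in trusted:
            reasons.append(f"trusted name '{brand}' inside untrusted domain "
                           f"{registrable_domain(host)}")
            break
    return reasons


def analyze_email(html, trusted):
    """All (text, href, reasons) triples for links that raised any reason."""
    findings = []
    for text, href in extract_links(html):
        reasons = analyze_link(text, href, trusted)
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample: one legitimate link, two deceptive ones, one mailto.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account has been locked.</p>
<p><a href="https://www.examplebank.com/">https://www.examplebank.com/</a></p>
<p><a href="http://examplebank.com.login-verify.net/signin">https://www.examplebank.com/signin</a></p>
<p><a href="https://192.0.2.10/update">Click here to verify</a></p>
<p><a href="mailto:support@examplebank.com">Contact support</a></p>
</body></html>"""

TRUSTED = {"examplebank.com"}  # hypothetical legitimate domain

if __name__ == "__main__":
    for text, href, reasons in analyze_email(SAMPLE_EMAIL, TRUSTED):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   -", r)
```

Running the script reports the two deceptive links and leaves the genuine bank link and the mailto untouched. In practice a mail gateway would feed a proper public suffix list into `registrable_domain` and add homoglyph and look-alike scoring, but the text-versus-href comparison is the core of the check.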
When it comes to phishing, ignorance is not bliss. Since the phisher is exploiting innate human sensibilities, technical solutions such as firewalls and encryption provide little defense on their own. The most effective mechanism to address phishing attacks is user awareness. Educating users not to divulge information and to verify the solicitor’s authenticity through an independent channel (for example, by calling the number printed on a statement rather than one supplied in the message) is the first step toward curbing this electronic social engineering technique.
For organizations, especially those in the banking and financial services industries, which are frequent phishing targets, anti-phishing policies and user education are critical.
Another defensive measure is to ensure that the browser submits data only over secure sockets layer (SSL) or transport layer security (TLS) and that anti-phishing filter plug-ins are installed. Note that SSL/TLS by itself does not prove a site is genuine, since a phisher can obtain a certificate for a look-alike domain; the value lies in checking that the certificate is issued to the site the user expects. In the event of a suspected phishing attack, organizations should take screenshots of the Web site, record its Web address, and notify internal incident management and external law enforcement as necessary.
Sometimes the best defense is a good offense, and there are two offensive strategies for responding to a phishing attack. The first, known as dilution or “spoofback,” consists of submitting bogus or faulty information to the phishing site, thereby diluting the real information the phisher is after. The second, “takedown,” involves getting the phishing site removed as quickly as possible, typically by contacting its hosting provider or domain registrar, to contain the exposure.
With Voice over IP (VoIP) telephony on the rise, phishing attacks have a new variant – “vishing.” “Vishing” refers to the use of deceptive social engineering techniques on VoIP networks to steal sensitive information.
Phishing is here to stay in one form or another, and as long as people implicitly trust electronic solicitations, they are susceptible to it. The next time you are asked to click on a link in your e-mail, think twice; if you need the site, type its address yourself rather than following the link. As former President Ronald Reagan famously once said, “Trust, but verify.”
Mano Paul, CISSP, MCAD, MCSD, Network+, ECSA (LPT), is a founder and president of Express Certifications, a professional training and certification company, and SecuRisk Solutions, a security consulting and product development company. He can be reached at email@example.com.