Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails
An essential anti-phishing desk reference for anyone with an email address

Phishing Dark Waters addresses the growing and continuing scourge of phishing emails, and provides actionable defensive techniques and tools to help you steer clear of malicious emails. Phishing is analyzed from the viewpoint of human decision-making and the impact of deliberate influence and manipulation on the recipient. With expert guidance, this book provides insight into the financial, corporate espionage, nation-state, and identity theft goals of the attackers, and teaches you how to spot a spoofed e-mail or cloned website. Included are detailed examples of high-profile breaches at Target, RSA, Coca-Cola, and the AP, as well as an examination of sample scams including the Nigerian 419, financial themes, and attacks that follow high-profile events. Learn how to protect yourself and your organization using anti-phishing tools, and how to create your own phish to use as part of a security awareness program.

Phishing is a social engineering technique delivered through email that deceives users into taking an action that is not in their best interest, usually with the goal of disclosing information or installing malware on the victim's computer. Phishing Dark Waters explains the phishing process and techniques, and the defenses available to keep scammers at bay.

- Learn what a phish is, and the deceptive ways they've been used
- Understand decision-making, and the sneaky ways phishers reel you in
- Recognize different types of phish, and know what to do when you catch one
- Use phishing as part of your security awareness program for heightened protection

Attempts to deal with the growing number of phishing incidents include legislation, user training, public awareness, and technical security, but phishing still exploits the natural way humans respond to certain situations. Phishing Dark Waters is an indispensable guide to recognizing and blocking the phish, keeping you, your organization, and your finances safe.
Contents

Foreword xxiii
Introduction xxvii

Chapter 1 An Introduction to the Wild World of Phishing 1
  Phishing 101 2
  How People Phish 4
  Examples 7
    High-Profile Breaches 7
    Phish in Their Natural Habitat 10
    Phish with Bigger Teeth 22
  Spear Phishing 27
  Summary 29

Chapter 2 The Psychological Principles of Decision-Making 33
  Decision-Making: Small Bits 34
    Cognitive Bias 35
    Physiological States 37
    External Factors 38
  The Bottom Line About Decision-Making 39
  It Seemed Like a Good Idea at the Time 40
  How Phishers Bait the Hook 41
  Introducing the Amygdala 44
    The Guild of Hijacked Amygdalas 45
    Putting a Leash on the Amygdala 48
  Wash, Rinse, Repeat 49
  Summary 50

Chapter 3 Influence and Manipulation 53
  Why the Difference Matters to Us 55
  How Do I Tell the Difference? 56
    How Will We Build Rapport with Our Targets? 56
    How Will Our Targets Feel After They Discover They’ve Been Tested? 56
    What Is Our Intent? 57
  But the Bad Guys Will Use Manipulation . . . 57
    Lies, All Lies 58
    P Is for Punishment 59
  Principles of Influence 61
    Reciprocity 61
    Obligation 62
    Concession 63
    Scarcity 63
    Authority 64
    Consistency and Commitment 65
    Liking 66
    Social Proof 67
  More Fun with Influence 67
    Our Social Nature 67
    Physiological Response 68
    Psychological Response 69
  Things to Know About Manipulation 70
  Summary 71

Chapter 4 Lessons in Protection 75
  Lesson One: Critical Thinking 76
    How Can Attackers Bypass This Method? 77
  Lesson Two: Learn to Hover 77
    What If I Already Clicked the Link and I Think It’s Dangerous? 80
    How Can Attackers Bypass This Method? 81
  Lesson Three: URL Deciphering 82
    How Can Attackers Bypass This Method? 85
  Lesson Four: Analyzing E-mail Headers 85
    How Can Attackers Bypass This Method? 90
  Lesson Five: Sandboxing 90
    How Can Attackers Bypass This Method? 91
  The “Wall of Sheep,” or a Net of Bad Ideas 92
    Copy and Paste Your Troubles Away 92
    Sharing Is Caring 93
    My Mobile Is Secure 94
    A Good Antivirus Program Will Save You 94
  Summary 95

Chapter 5 Plan Your Phishing Trip: Creating the Enterprise Phishing Program 97
  The Basic Recipe 99
    Why? 99
    What’s the Theme? 102
    The Big, Fat, Not-So-Legal Section 105
  Developing the Program 107
    Setting a Baseline 108
    Setting the Difficulty Level 109
    Writing the Phish 121
    Tracking and Statistics 122
    Reporting 125
  Phish, Educate, Repeat 127
  Summary 128

Chapter 6 The Good, the Bad, and the Ugly: Policies and More 131
  Oh, the Feels: Emotion and Policies 132
    The Definition 132
    The Bad 133
    Making It “Good” 133
  The Boss Is Exempt 133
    The Definition 134
    The Bad 134
    Making It “Good” 134
  I’ll Just Patch One of the Holes 135
    The Definition 135
    The Bad 136
    Making It “Good” 136
  Phish Just Enough to Hate It 136
    The Definition 137
    The Bad 137
    Making It “Good” 138
  If You Spot a Phish, Call This Number 138
    The Definition 139
    The Bad 139
    Making It “Good” 140
  The Bad Guys Take Mondays Off 140
    The Definition 141
    The Bad 141
    Making It “Good” 141
  If You Can’t See It, You Are Safe 142
    The Definition 142
    The Bad 143
    Making It “Good” 143
  The Lesson for Us All 143
  Summary 144

Chapter 7 The Professional Phisher’s Tackle Bag 147
  Commercial Applications 149
    Rapid7 Metasploit Pro 149
    ThreatSim 152
    PhishMe 158
    Wombat PhishGuru 161
    PhishLine 165
  Open Source Applications 168
    SET: Social-Engineer Toolkit 168
    Phishing Frenzy 171
  Comparison Chart 174
  Managed or Not 176
  Summary 177

Chapter 8 Phish Like a Boss 179
  Phishing the Deep End 180
    Understand What You’re Dealing With 180
    Set Realistic Goals for Your Organization 182
    Plan Your Program 183
    Understand the Stats 183
    Respond Appropriately 184
  Make the Choice: Build Inside or Outside 186
  Summary 187

Index 189
CHRISTOPHER HADNAGY, author of Social Engineering: The Art of Human Hacking, specializes in the human aspects of technology. With more than 14 years of experience in technology, he is CEO of Social-Engineer, Inc. and a frequent speaker at major security conferences.

MICHELE FINCHER has more than 20 years' experience as a behavioral scientist, researcher, and information security professional. She is a senior penetration tester and Chief Influencing Officer at Social-Engineer, Inc.
Learn to catch a phish without becoming live bait.

Phishing e-mails create daily havoc for both individuals and organizations. A social engineering technique that preys on our human nature, phishing remains remarkably successful for scammers and malicious social engineers despite increasingly sophisticated security programs and awareness campaigns. Christopher Hadnagy and Michele Fincher, practitioners and consultants in human-based security, have spent years working to understand how and why phishing works. In this book, they dissect what a phish is, why it succeeds, and the principles behind it, exposing its flaws and detailing practical ways to defend against it. Focusing on the basics of the phish, the underlying psychology, the skillful use of influence, and a creative program that turns the phisher's own weapons against him, this highly readable guide provides tools for both individuals and corporations.

Hadnagy and Fincher examine some of the most current and effective phish, show you how to spot a spoofed e-mail or cloned website, explore phishing education platforms that work, and demonstrate how to create your own phish to use in your security awareness program. Despite legislation, user training, public awareness, and technical security, phishing persists because it exploits our natural responses to e-mail requests.

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails arms you with a greater understanding of:

- The psychological principles that make phishing effective
- High-profile breaches, including Target, RSA, and Coca-Cola, that began with a phish
- Common scams, including those following natural disasters and other highly publicized events
- Different goals of attackers: financial, corporate espionage, national security, and identity theft threats
- How to protect your enterprise with a corporate phishing program and integrate it into company policies
- Ways to catch a phish
- Why most security awareness programs don't work