Shostack + Friends Blog Archive

 

What Is Phishing

In conversation with a friend, I realized that my essay, “Preserving the Internet Channel Against Phishers” didn’t actually explain the problem. I made the assumption that everyone had the same perception of what it was. (Why didn’t anyone point that out?) So I’ve added the following (after the break), and I think the resultant essay is much improved.

First, lets look at what phishing is. There are many
technical answers, but the core of phishing is that people are drawn
to a website, mistakenly thinking it belongs to a company that they
trust. There are a couple of core elements here: The first is the
phishing email. These can be bulk or targeted. Criminals use exactly
the same mail merge technology companies use, and will insert any
details they can: Name, address, account number (or last 4 thereof),
SSN (or last 4), your logo or copyright statements, etc. All of this
is designed to convince the user that it’s ok to click on the link to
visit the bank. That’s crucial, because without that feeling that
it’s ok to click, the victim will not end up at the fraudster’s site.

So there is where we must concentrate our defense. We need to prevent
the victim from feeling that its ok to click on the link. But how?
SSL–the little padlock–doesn’t help. Anyone can buy a cert for
cb.pharmphr33.supersecure.com if they operate that domain. It’s easy.
Almost anything you can do in an email, the fraudster can duplicate.

And so there lies the key. Use the several established channels you
have in concert. Use the customer as an ally. Move them
away from clicking links to selecting bookmarks.

One comment on "What Is Phishing"

  • mario contestabile says:

    The First line of defense is to use anti-spam software. This helps in reducing the chance of getting the email in the first place.
    After that, I think we can agree that anything we can try (education of users, email validation, etc.) will probably get bypassed by fraudsters.
    So a form of url validation is a good second line of defense, as with IE7.
    I know of three ‘black list’ providers, WholeSecurity in texas (bought by Symantec), Anti Phishing Working Group (california I think) and fraudwatch international (Australia).
    Ultimately perhaps some fundamental Internet chnage in domain accountability will be required, perhaps pushed ahead by credit card companies themselves.

Comments are closed.