11th
Apr '08

Phishing attacks 101

There has been a lot of press lately about different organizations, including many universities, being hit by spear phishing attacks. Today, I'm going to cover the origin of the word "phishing" and the basic theory behind social engineering attacks. More detailed information on phishing attacks and countermeasures will be in my next article.

What is a phishing attack?

It's actually common for a victim of a phishing attack to have never even heard of the term "phishing". A phishing attack is, after all, just a confidence scam that preys on the target's ignorance of the scam. The criminal gains the target's confidence by taking advantage of the target's fear, compassion, or optimism in order to get something. If you've fallen victim to a scam, it doesn't mean you're gullible. Becoming a victim of a confidence scam only requires you to be human and to lack the simple knowledge that this type of scam exists and that you could be targeted.

The origin of the word "phishing" is rooted in older system security jargon. Before the Internet, the telephone network was one of the largest and most widely used systems, and hobbyists who became interested in it and started fiddling with it were often called "phone freaks". Methods of abusing the telephone system for one's own advantage became known as "phreaking", a portmanteau of the words phone and freak.

In the Internet age, a common criminal use of e-mail is forging messages from a financial institution to obtain account credentials (to steal money) or social security numbers and other private information (for identity theft). One way to do this is to send out millions of forged e-mails to as many people as possible, using the same methods as spammers, pretending to be a financial institution and either asking the recipient to visit a forged copy of the company's web site or to reply directly by e-mail or telephone. The recipient believes that he is contacting the impersonated company, or logging into an actual online account with the company, but instead ends up providing account details to a criminal.

Many of the recipients won't have an account with that financial institution, and some of those who do will notice the forgery and either report it to the authorities or simply take no action. It's easy to see how throwing out a wide net and seeing what gets snagged would be called fishing; the spelling was changed to "phishing" because of the phreaking connotation and to refer specifically to this type of fishing.

"Spear phishing" is more targeted phishing, as the name implies. Instead of throwing out a wide net, it usually targets a specific organization, class of members, or person. This allows the e-mail messages to carry more specific and personal information, which in theory increases confidence in the scam. The result should be a higher percentage of victims relative to the number of targets.
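The core of the forged-e-mail trick described above is a link whose visible text names the real company while the actual target is a look-alike or throwaway host. The following is an added example, not code from the original post, showing how to pull the links out of an HTML message body and flag the common giveaways: visible text naming a legitimate host while the href goes elsewhere, a host that merely contains the company's name, or a raw IP address. The company domain examplebank.com, the e-mail sample, and the reason codes are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organization's real domain.
LEGIT_DOMAIN = "examplebank.com"

# A visible link text that looks like a URL or bare domain (e.g. "www.examplebank.com").
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _host_of(text):
    """Lowercase hostname of a URL or bare domain string, or None if there is none."""
    text = text.strip()
    if not text:
        return None
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower() or None


def _is_legitimate(host):
    """True if host is the company domain or a subdomain of it."""
    return host is not None and (host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN))


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, visible_text, reason) for each link that deserves a closer look."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = _host_of(href)
        if real_host is None:
            continue  # mailto:, javascript:, relative links: out of scope here
        shown_host = _host_of(text) if _URL_LIKE.fullmatch(text) else None
        if _is_legitimate(shown_host) and not _is_legitimate(real_host):
            findings.append((href, text, "mismatch"))    # text says one host, href goes to another
        elif not _is_legitimate(real_host) and LEGIT_DOMAIN.split(".")[0] in real_host:
            findings.append((href, text, "lookalike"))   # company name buried in a foreign host
        elif _IPV4.fullmatch(real_host):
            findings.append((href, text, "raw-ip"))      # no real institution links to a bare IP
    return findings


# Constructed sample message; the hosts use reserved example/documentation ranges.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked. Please verify at
<a href="http://examplebank.com.verify-login.example.net/">https://online.examplebank.com/login</a>
within 24 hours.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>
<p>Or <a href="http://198.51.100.7/~bank/login">click here</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason:9s} text={text!r} -> {href}")
```

Run against the sample, the first link is flagged as a mismatch (the text shows online.examplebank.com while the href lands on a host under example.net) and the third as a raw IP; the genuine help link passes. A check like this catches the mechanics of the forgery, but as the rest of this article argues, the real defence is the reader knowing that such forgeries exist and that he is a target.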

Social engineering theory

I think it's very important when teaching about phishing attacks to remind people to think outside the box. If you just show people examples of phishing attacks and don't teach them the fundamentals, they won't be well prepared for the next form of attack.

You will see many people simply use the word "phishing" without the word "attack". If you're not in the information security industry, you may see it as a unique phenomenon. In the security industry, it's just another security attack. The security systems of the company being impersonated are under attack, and so are the security controls of the company or individual being targeted for their account or personal information.

The theory is simple. Social engineering, a method of lying to gain information, resources, or unauthorized access, is as old as dirt. Everyone who works for an organization has been put in a position of trust. You will have access to information or resources that are for that organization's use only. Others will try to get access to that information and those resources through you. If someone asks you for anything, you should assume that they don't need to get it from you. If they actually had authorization to have what they're asking for, they would have been provided a way to get it that doesn't involve you.

To expand this further, your organization is likely at least somewhat compartmentalized, so you should be leery of people within your own organization as well. In fact, unauthorized access to information and resources probably happens more often through personnel within an organization than through outsiders. Regarding your personal information, everyone is an outsider.

The attacker will use trickery and deceit. If someone shows you something that looks real, remember that you are not an expert. If someone tells you something, no matter how plausible, remember that you are not an expert. When presented with an opportunity, take your time and consult some experts. Don't be pressured into making quick decisions. The most basic method of deceit is impersonation, backed by forged credentials to support it.

The attacker will prey on your compassion, optimism, and fear. When thinking of compassion, you may only think of the destitute asking for money. However, compassion also involves your desire to help someone resolve a problem. If you work in customer service and someone calls claiming to be a customer who can't log into an online account, you will want to help. Some fear may also be involved, because you don't want to get into trouble for not helping, and the attacker will certainly play on this by threatening to get you into trouble, or simply by getting angry, to push for a quick resolution that gets the attacker what he wants.

Everyone has some optimistic hope that one day they will have a very fortunate opportunity, and attackers will prey on this by making false offers of some kind of good fortune. The fear of losing your current good fortune will also be preyed upon, by prompting you to act to preserve it.

Although fear is, in theory, also a good defense against confidence scams, you have to be aware of them in order to fear them. Besides knowing of their existence, you must also be aware that you are a target.

You are a target.

Monday's blog post will include an interesting article from our CEO on what fuels the spam industry. On Wednesday, I'll be following up this phishing post with specifics on phishing attacks, including current methods and likely methods for the future, as well as specifics on countermeasures.

Next article in series: "Phishing attacks 201"


One Response to “Phishing attacks 101”

  1. LifeLock.com says:

    We’ve all heard the horror stories about identity theft, but is it really likely to happen? According to the non-profit site Identity Theft Resource Center, everyone has a chance of becoming a victim of identity theft. You can greatly reduce those risks by following a few simple steps. Shred any personal documents, do not carry your SSN with you, and monitor your credit reports frequently to ensure there is no activity on there that you are not aware of.
