Phishing Dark Waters — An Interview With The Authors

[Image: the book Phishing Dark Waters by Chris Hadnagy and Michele Fincher]

Fishing is simple, right? You have a fishing pole, you bait the hook, and then you sit and wait. But ask someone who loves to fish, a bona fide fisherman, and they will tell you there is so much more to it: the type of fishing line, the lure, the type of bait, how you cast the line, the best location, the time of day, etc.

Phishing is no different and every bit as complex once you really get into it. In fact, many of the same principles apply: choosing the right lure for the goal, the type of bait, the best place to find the targets you want, casting at the right time of day, etc. That is why, when you want the sophisticated and complex details of phishing, you go to expert phishers Chris Hadnagy and Michele Fincher. Their book, Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails, comes out April 6th, and we hooked an interview with the authors for the reel scoop (we couldn’t resist!).

Question: Getting right to the point, why are phish so dangerous? Why a whole book on the subject?

Answer: Phish are dangerous because clicking is so easy. We don’t need to pick up a phone or even get out of our chairs. Just one moment of bad decision making can lead to a compromised network, stolen credentials, or identity theft. In addition, we (people) are just plain ol’ busy. Sometimes if an email looks and sounds right, we ignore some factors that make it NOT right and take the action we should not take.

Question: Phishing has been around for a long time, but when did it become more than badly-worded Nigerian Prince scams and become a lucrative, criminal means of making money?

Answer: The Nigerian 419 is still in use; it’s just been augmented by more sophisticated phish. It’s like any other venture – if it makes money, people improve and capitalize on it. Bad guys now have access to 24/7 customer support to make sure their phish read well and get results, just like any other business.

Question: Some people seem to think that phishing isn’t any more dangerous than the junk mail they used to get in their physical mailbox. What’s the difference between spam emails and phishing emails?

Answer: We would say the main difference is in the overall goal. We all get spam from companies that want to advertise their services and products. It can be a pain, but the purpose is not malicious. Phish go out with the specific purpose of compromising systems or stealing information. The definition alone answers this question too… We define it as the practice of sending e-mails that appear to be from reputable sources with the goal of influencing or gaining personal information. The fact that it APPEARS to be from a reputable source (i.e. your bank, your friends, your boss) means its intent is already malicious.

Question: This book goes into a lot of detail on why people get caught by phishing, but is there a top reason we click the link?

Answer: There are lots of reasons. Most of it boils down to bad decision making, as a result of stress, distraction, emotions, etc. People who understand why phish work also understand how to manipulate various factors that increase the probability of a click.

Question: With the rise of smart phones and other mobile devices like tablets, it seems there are so many opportunities to view a phish via email, texts, or social media. Does the method of approach or device you use matter?

Answer: We don’t know if the method matters as much as the outcome. Did you enter credentials that you reuse on other accounts (like online banking)? Did you click on an attachment that will load malware and spread to the rest of your company? Obviously clicking on a phish on your corporate computer has immediate grave consequences, but it would be a mistake to assume that just because you clicked on a Facebook phish that it doesn’t matter. Also, as more companies are allowing BYOD, devices are becoming an increasingly worrisome problem. The more vulnerable the device, the more trouble can potentially be creeping on your network.

Question: But we gave our employees a class on what NOT to click a year ago, why repeat it again this year?

Answer: Good education is never about one and done. There’s a reason why professions require continuing education – would you be comfortable going in for a major procedure to be done by a surgeon who took a class a year ago? There’s no good reason to trust the security of your corporate network to employees who have had one class on phishing.

Question: The description for the book says that it is a reference for keeping both your business and your own finances safe. So when it comes to personal versus professional risk, what’s the difference?

Answer: Since we are so interconnected, we’d say for most people, there’s no difference. If your social media account is hacked and it’s full of people from work, you’ve potentially placed your company at risk. The differences come in the method of defense. The corporate employee has IT teams, staff to help, agencies to report to internally… and the private individual usually does not. Although your employees might have help with defense at work, their vulnerability at home is just as important for education and awareness.

Question: So then what will security awareness professionals take away from this book?

Answer: Social engineering tactics like phishing are responsible for some of the biggest data breaches over the last couple of years. We take you through some examples in order to learn from past mistakes. They will also be given specific how-to’s on recognizing the various types of phish. But the largest take-away is why, when and HOW to set up a corporate phishing program to educate users and mitigate the risk of information loss.

Question: And what about the professional pentester who is looking to add social engineering elements like phishing to the services they offer?

Answer: This is a growing industry and we provide the knowledge necessary for successful phishing awareness programs such as an understanding of the principles of influence, manipulation, and decision-making processes as well as how these are used by malicious phishers.

Question: Okay, gotta know…what’s your favorite phish tale?

Answer: We wrote a phish for a client. We were literally discussing the phish as a team over chat. We sent it out to the whole team for a review and one of our own employees fell for it. Why is this a favorite? It proves one simple fact – anyone can fall victim to a phish.

This essential guide to phishing demystifies the complicated variables of technical security measures and corporate policy-making, then ties them into the human elements of influence, manipulation, and decision making to give you the tools you need to keep yourself and your organization safe. Phishing has become more sophisticated over the years as techniques like spear-phishing and masquerading have proven to be effective means of achieving criminal ends. Not only does this attack vector play on predictable human weakness, but sending a batch of emails costs a criminal only a few minutes of their time and maybe the fee for an internet connection (no “Mission Impossible” high-tech gear needed), so the profit margin is well worth the minimal effort. Phishing isn’t going away, but you can arm yourself with the knowledge to mitigate the threat inherent in this exploitation of human nature. We admit we may be biased, but this ground-breaking book is an excellent place to start.

Written by Tamara “blackwidow” Kaufman

Sources:
https://www.social-engineer.org/framework/attack-vectors/phishing-attacks-2/
https://www.amazon.com/Phishing-Dark-Waters-Offensive-Defensive/dp/1118958470
https://www.fbi.gov/scams-and-safety/common-fraud-schemes/nigerian-letter-or-419-fraud/