Thursday, February 22, 2018

Phishing phish.

Phishing refers to the act of masquerading as a company or institution in order to steal information, such as usernames, passwords, and credit card details.

I presented this subject in class, and to be honest it's quite a tricky one. The interesting thing about phishing is that, even though it happens over all kinds of communication technologies, the attacker doesn't actually need any technical knowledge. The attack happens at a human level, so the attacker doesn't need to be a hacker per se; they'll just send you an e-mail, pretending to be a company or something, saying that something is wrong with an account of yours and that they need your password to fix it. As easy as that.

The more intricate phishing scams do require technical/hacking skills, like hosting a fake website online with a URL that's almost indistinguishable from the real deal (different only by a couple of characters, an added 'the', a different extension, etc.), where users "log in", or at least think they do, and actually hand their credentials to the attackers. A recent example is what happened with the giant company Equifax: not satisfied with having a massive security breach, they linked on Twitter to a phishing site. If a large company can be fooled, what about the rest of us? That's why we always check, and double check, the URL bar.

But examples like the one above are just the tip of the iceberg. As I wrote above, attackers don't need to be technical experts; they just need to get in contact with you through an email, a social media message, or even a phone call. We need to be smart about protecting ourselves: if someone approached you on the street asking for your email and/or password, even if he/she claimed to be from your bank, would you actually give it to them? So why should we trust an email?

There are many kinds of phishing:


  1. Phishing, or wide-net phishing, is basically what I described above. Attackers target many people, usually using automated systems to send mass emails. Attackers can get hold of your email address when massive databases are leaked. They may address you as 'dear customer' or in some other generic way.
  2. Spear Phishing refers to a phishing scam directed specifically at you. It's creepy: attackers will know information about you, social media being a main source, so they will know your name and whatever other information about you is out there. Juan Martinez wrote a very in-depth article in PC Magazine that you should read. Spear phishing attackers tend to target public figures, but anyone can be phished, so better be careful.
  3. And perhaps the creepiest of all, Cat Phishing. This can be horror story territory. Like Spear Phishing, Cat Phishing targets an individual person, but instead of disguising themselves as a company, attackers pretend to be an individual, someone who wants to get to know you. These attacks can happen through social media, but the real 'phishing pond' is dating websites and apps. By using fake names and pictures, they lure victims into an illusion of connection and trust, and what happens next can go in very different directions. The best case scenario is that it's just some person trying to get a date by pretending to be someone more attractive, but it can get much worse. They'll ask for pictures that can later be used for blackmail, meeting these people can lead to kidnappings, and much worse things, crimes that I'm not gonna write about in this blog; yes, it is that bad. Ellen McCarthy wrote an interesting piece in the Washington Post where you can learn more about Cat Phishing.

Phishing isn't an attack that is done with malware, so anti-virus and anti-malware are of no help here. It's almost impossible to prevent you from getting a bad email or message, so you'll need to learn how to spot it and not get caught. There is a very nice guide in The Guardian that shows tips for spotting phishing, and Microsoft also published some good pointers on the subject. But the CliffsNotes version is: if it looks fishy, it's probably phishing; look for typos, spelling and other errors; never follow random links; check with the official companies separately.
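The two checks the post keeps coming back to, reading the URL bar carefully and treating "a couple of characters off" as a red flag, can be automated. The following is an added example written for this post, not code from the original or from any of the sources it cites. It compares the host of a link against a short list of trusted hostnames and reports which of the lookalike tricks named above it matches: a different extension, extra words wrapped around the brand, a near-miss spelling, or the real brand name used as a subdomain of some unrelated domain. `example-bank.com` is a hypothetical brand, the trusted list and the sample links are constructed for the demo, and the tiny suffix table stands in for the Public Suffix List a real tool would use.

```python
"""Lookalike-URL check (added example): explains why a link's host imitates a trusted brand."""
from urllib.parse import urlparse

# Constructed trust list: one hypothetical bank plus two real sites mentioned in the post.
KNOWN_GOOD_HOSTS = ("example-bank.com", "equifax.com", "theguardian.com")

# Toy public-suffix table (assumption: a real checker would load the full Public Suffix List).
KNOWN_SUFFIXES = ("co.uk", "com", "net", "org", "info", "io")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (registrable label, suffix): 'login.example-bank.com' -> ('example-bank', 'com')."""
    host = host.lower().rstrip(".")
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            rest = host[: -len(suffix) - 1]
            return rest.rsplit(".", 1)[-1], suffix
    # Suffix not in the table: treat the last label as the suffix.
    head, _, tail = host.rpartition(".")
    if not head:
        return host, ""
    return head.rsplit(".", 1)[-1], tail


def classify_url(url: str) -> str:
    """Describe how the URL's host relates to the trusted hosts."""
    host = urlparse(url).hostname
    if not host:
        return "invalid"
    host = host.lower().rstrip(".")
    # Exact match or a genuine subdomain of a trusted host is fine.
    for known in KNOWN_GOOD_HOSTS:
        if host == known or host.endswith("." + known):
            return "known-good"
    label, suffix = split_host(host)
    for known in KNOWN_GOOD_HOSTS:
        # The trusted name appears, but as a subdomain of some other registrable domain.
        if host.startswith(known + ".") or ("." + known + ".") in host:
            return "lookalike: brand used as a subdomain"
        known_label, known_suffix = split_host(known)
        # Same brand label, different extension (.co instead of .com, etc.).
        if label == known_label and suffix != known_suffix:
            return "lookalike: different extension"
        # Brand label with words bolted on ('the-', '-login', ...).
        if known_label in label and label != known_label:
            return "lookalike: extra words around the brand"
        # Off by a couple of characters (digit-for-letter swaps, dropped letters).
        if levenshtein(label, known_label) <= 2:
            return "lookalike: spelling differs by a couple of characters"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, not real phishing URLs.
    for sample in (
        "https://login.example-bank.com/reset",
        "https://example-bank.co/login",
        "https://the-example-bank.com/",
        "https://examp1e-bank.com/",
        "https://example-bank.com.evil.net/",
        "https://unrelated.org/",
    ):
        print(f"{sample:45} {classify_url(sample)}")
```

The verdict strings are meant for a person deciding whether to click, so they name the trick rather than just saying "bad". The edit-distance threshold of two is deliberately loose and will over-flag very short brand labels; in practice you would only run the near-miss check against labels of a reasonable length, and "unknown" means exactly that, not "safe".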

This hyper-connected world has brought us many blessings, but also many ways to put our security on the line. We need to stay alert, be smart, and not get caught.

Sources: 

Dredge, Stuart. (Fri Jun 6, 2014). How to protect yourself from phishing. The Guardian, website: https://www.theguardian.com/technology/2014/jun/06/how-to-protect-yourself-from-phishing-attacks

N.A. (N.D.). Phishing. Wikipedia, website: https://en.wikipedia.org/wiki/Phishing
