Hi everyone, Ed Amoroso here, and I want to talk to you about a pretty advanced attack called phishing. Now, I say advanced because it works so well, and there are so many different variations on how you can do it. I would guess that many of you would say that it's probably a very simple type of attack to carry out. Here's what it plays on. We all know that email on the Internet is an open protocol. For example, any of you, and any of me, or any of the folks here in our studio can more or less exchange email for the most part, right? I give you an email address, you give me your email address, and we can send things back and forth. That's what the Internet intended for email to be. That was the whole idea, that it be open. Now, that trust, or that openness, or that ability to support and foster communication is exactly what a phish in some sense takes advantage of. Now, here's the idea. There are kind of two kinds of email, right? There's email that is just sort of casual communication, and there are emails that are trying to get you to do something, right? Like for example, a bank might send you an email asking you to do something, to buy something, change something, update something, or whatever. Or an administrator at work, an IT administrator, might send you an email to ask you to do something. To update this, to change that, and make sure you do that, to click on this, click on that, download that, you get the idea. System administration in most businesses has been very email-based for years. Now, when an attacker recognizes that there is that handshake between, say, a bank and a customer, the attacker can make an email look, quote unquote, very official. It can create the logos, and the look, and the font, and the voicing of a particular bank, or of an administrator, or whoever you're trying to spoof. You create something that's intended to look authentic, and you send it from you to wherever.
Now, the "from you," unfortunately, also in the Internet, turns out to be relatively easy to spoof. If you've studied spoofing, if you've studied Internet attacks, if you've spent some time looking into this, you know that the underlying infrastructure, the protocols of the Internet supporting email, and application-level content, for example the From line in an email, are not tightly bound. There are standards. There's a protocol called DMARC that allows you to tighten them up, but it's not a widely used protocol. So for the most part, there's separation between content at the email level and infrastructure protocols that are moving things around between mail servers. So, it turns out to be relatively easy to create an email that looks official, that appears to be coming from someplace that's reasonable. And if you really can't think of a way to do that, let's say you're going after a bank, XYZbank.com. Well, maybe you register xyz_bank.com, or xyz-bank.com, or some such domain; we would refer to that as an adjacent domain or a cousin domain to the original one. And you send it from that domain, which you pay whatever amount for to register and own. And then, to the user, it looks authentic, asking you to do something, and it looks like it's coming from someplace that appears to be valid. And it can be even worse, because the attacker can employ a technique called spearing. And for a phish, we call that spear phish, where they're going after you specifically. They've done some research on you; they're not spamming a thousand or a million users. They do research on you. Maybe you're a corporate executive. Maybe you're the chief financial officer for a company. They look into you, create something authentic, send it from a place that appears to be reasonable. They've speared. They've done research on you, and they get you to do something. And what's the something they're going to want you to do? Download malware. And how are they going to download malware?
By having you click on an infected link. You see the tight loop? That's why I say it is simple, but it's kind of advanced. You really have to do your work and know what you're doing to some degree, to make this work. Now, the way that we deal with this unfortunately is very clumsy. There are some technology solutions that will go in and look for some sort of payload that may or may not be infected. They'll actually test and detonate the URLs. That's promising, but it's nowhere near enough. A wide deployment of that sort of technology, that's promising. But what do we usually do? We usually try to train users to be careful what they click on. Have them hover over a link, and make sure that as you hover, and you read the link, does it really look like it's coming from yourbank.com? Or is there something weird about the address? That training, unfortunately, is not really that effective. See, the problem is that you just can't get everybody to do it, and we'll talk more about that in other videos. But the bottom line here is that phishing is generally considered the first step in just about any advanced persistent threat or even nation-state attack. It's kind of ironic, right? That a simple attack affecting a simple protocol, with these techniques that a child could learn to do, is really embedded in some of the more advanced attacks that we've seen. So it's kind of a curious mix of simple and hard. I often say that if you're the greatest burglar in the world, and you walk up to the house, and the window's open, do you really have to spend an hour decoding and breaking the lock, or do you climb through the open window? You would do the simplest thing, right? So keep that in mind as you continue to learn more about cyber security. That attacks, for the most part, will take advantage of the easiest thing they can do, and phishing turns out to be extremely effective. It plays on that trust, because most people are used to clicking on links in email.
And if you get something that looks official, and it's coming from someplace that seems reasonable, and maybe there's something in there that knows something about you, the likelihood that you are going to click on that phish is spectacularly high. Unfortunately, we gotta work on that as a global community. Now, I've got a little quiz here. The answer, the best answer there, is the middle one, C. That spear phishing does involve researching targeted individuals. And this idea that people give away too much information online certainly enables and enhances the likelihood that a spear phish is going to work. So hopefully, this helps your understanding of phishing and how spear phishing can target someone. The basic elements are making something look authentic, making its source look reasonable, and using spearing to say something about you that will help you think it's reasonable. All of the above go into the equation of making phishing a particularly effective attack on the Internet. Hope this has been helpful, see you in the next video.
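The lecture makes three technical points that a defender can turn into a mail-screening check: the From line is not bound to the transport, so a display name can claim a brand while the address does not; attackers register cousin domains like xyz-bank.com next to the real one; and DMARC is the standard that tightens the binding, where it is actually published. The script below is an added example, not code from the lecture or the course. It assumes a constructed trusted-domain set (xyzbank.com, the lecture's placeholder bank), a small illustrative homoglyph map, constructed sample From headers, and a constructed DMARC TXT record rather than a live DNS lookup.

```python
"""Screen From: headers for cousin domains and read a DMARC policy.

Added example. TRUSTED_DOMAINS, HOMOGLYPHS, SAMPLE_HEADERS and the DMARC
record strings are constructed for illustration, not taken from any real
organisation.
"""
from email.utils import parseaddr

# Assumption: the organisation's own registrable domain(s).
TRUSTED_DOMAINS = {"xyzbank.com"}

# Digit-for-letter swaps attackers commonly use; an illustrative subset.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(text: str) -> str:
    """Lower-case, fold homoglyphs and drop separators so xyz-bank == xyzbank."""
    folded = text.lower().translate(HOMOGLYPHS)
    for sep in ("-", "_", ".", " "):
        folded = folded.replace(sep, "")
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typos like xyzbamk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'cousin' or 'unrelated' for a sender domain."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):
            return "trusted"  # genuine subdomain, e.g. mail.xyzbank.com
    # Compare everything left of the public suffix, e.g. "xyz-bank" or
    # "xyzbank.com.secure-login" (brand embedded in an attacker-owned name).
    candidate = domain.rsplit(".", 1)[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.rsplit(".", 1)[0]
        if normalize(brand) in normalize(candidate):
            return "cousin"
        if edit_distance(candidate, brand) <= 1:
            return "cousin"
    return "unrelated"


def analyze_from_header(from_header: str) -> dict:
    """Parse a From: header and flag brand claims that the address does not back."""
    name, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = classify_domain(sender_domain)
    brand_in_name = any(
        normalize(t.rsplit(".", 1)[0]) in normalize(name) for t in TRUSTED_DOMAINS
    )
    return {
        "address": addr,
        "domain": sender_domain,
        "verdict": verdict,
        "brand_in_display_name": brand_in_name,
        # Cousin domains are always suspicious; so is a brand name on an
        # address that is neither the brand's domain nor a subdomain of it.
        "suspicious": verdict == "cousin" or (brand_in_name and verdict != "trusted"),
    }


def dmarc_policy(txt_record: str) -> str:
    """Extract p= from a DMARC TXT record; 'missing' if it is not DMARC at all."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    return tags.get("p", "none").lower()


# Constructed sample headers covering the cases the lecture describes.
SAMPLE_HEADERS = [
    "XYZ Bank <alerts@xyzbank.com>",                      # genuine
    "XYZ Bank Security <security@xyz-bank.com>",         # cousin domain
    "IT Helpdesk <helpdesk@xyzbank.com.secure-login.net>",  # brand embedded
    "Newsletter <news@example.org>",                     # unrelated, no claim
    "XYZ Bank <support@mail.example.net>",               # display-name spoof
]


def scan(headers: list) -> list:
    """Return the analysis records for every suspicious header in the list."""
    return [r for r in (analyze_from_header(h) for h in headers) if r["suspicious"]]


if __name__ == "__main__":
    for record in scan(SAMPLE_HEADERS):
        print(f"SUSPICIOUS {record['address']}: {record['verdict']}")
    print("policy:", dmarc_policy("v=DMARC1; p=reject; rua=mailto:dmarc@xyzbank.com"))
```

The three checks are deliberately separate: `classify_domain` is what you would run against the envelope and header domains of inbound mail, `analyze_from_header` adds the display-name mismatch that catches mail from a throwaway domain dressed up with the brand, and `dmarc_policy` is the audit you would run against your own DNS to see whether the standard the lecture mentions is actually enforced (`p=reject`) or only published with `p=none`.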