Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails

Christopher Hadnagy, Michele Fincher, Robin Dreeke (Foreword by)

ISBN: 978-1-118-95847-6 April 2015 224 Pages


An essential anti-phishing desk reference for anyone with an email address

Phishing Dark Waters addresses the growing and continuing scourge of phishing emails, and provides actionable defensive techniques and tools to help you steer clear of malicious emails. Phishing is analyzed from the viewpoint of human decision-making and the impact of deliberate influence and manipulation on the recipient. With expert guidance, this book provides insight into the financial, corporate espionage, nation-state, and identity theft goals of the attackers, and teaches you how to spot a spoofed email or cloned website. Included are detailed examples of high-profile breaches at Target, RSA, Coca-Cola, and the AP, as well as an examination of sample scams including the Nigerian 419, financial themes, and attacks that follow high-profile events. Learn how to protect yourself and your organization using anti-phishing tools, and how to create your own phish to use as part of a security awareness program.

Phishing is a social engineering technique, delivered through email, that deceives users into taking an action that is not in their best interest, usually with the goal of disclosing information or installing malware on the victim's computer. Phishing Dark Waters explains the phishing process and techniques, and the defenses available to keep scammers at bay.

  • Learn what a phish is, and the deceptive ways they've been used
  • Understand decision-making, and the sneaky ways phishers reel you in
  • Recognize different types of phish, and know what to do when you catch one
  • Use phishing as part of your security awareness program for heightened protection

Attempts to deal with the growing number of phishing incidents include legislation, user training, public awareness, and technical security, but phishing still exploits the natural way humans respond to certain situations. Phishing Dark Waters is an indispensable guide to recognizing and blocking the phish, keeping you, your organization, and your finances safe.

Foreword xxiii

Introduction xxvii

Chapter 1 An Introduction to the Wild World of Phishing 1

Phishing 101 2

How People Phish 4

Examples 7

High-Profile Breaches 7

Phish in Their Natural Habitat 10

Phish with Bigger Teeth 22

Spear Phishing 27

Summary 29

Chapter 2 The Psychological Principles of Decision-Making 33

Decision-Making: Small Bits 34

Cognitive Bias 35

Physiological States 37

External Factors 38

The Bottom Line About Decision-Making 39

It Seemed Like a Good Idea at the Time 40

How Phishers Bait the Hook 41

Introducing the Amygdala 44

The Guild of Hijacked Amygdalas 45

Putting a Leash on the Amygdala 48

Wash, Rinse, Repeat 49

Summary 50

Chapter 3 Influence and Manipulation 53

Why the Difference Matters to Us 55

How Do I Tell the Difference? 56

How Will We Build Rapport with Our Targets? 56

How Will Our Targets Feel After They Discover They’ve Been Tested? 56

What Is Our Intent? 57

But the Bad Guys Will Use Manipulation . . . 57

Lies, All Lies 58

P Is for Punishment 59

Principles of Influence 61

Reciprocity 61

Obligation 62

Concession 63

Scarcity 63

Authority 64

Consistency and Commitment 65

Liking 66

Social Proof 67

More Fun with Influence 67

Our Social Nature 67

Physiological Response 68

Psychological Response 69

Things to Know About Manipulation 70

Summary 71

Chapter 4 Lessons in Protection 75

Lesson One: Critical Thinking 76

How Can Attackers Bypass This Method? 77

Lesson Two: Learn to Hover 77

What If I Already Clicked the Link and I Think It’s Dangerous? 80

How Can Attackers Bypass This Method? 81

Lesson Three: URL Deciphering 82

How Can Attackers Bypass This Method? 85

Lesson Four: Analyzing E-mail Headers 85

How Can Attackers Bypass This Method? 90

Lesson Five: Sandboxing 90

How Can Attackers Bypass This Method? 91

The “Wall of Sheep,” or a Net of Bad Ideas 92

Copy and Paste Your Troubles Away 92

Sharing Is Caring 93

My Mobile Is Secure 94

A Good Antivirus Program Will Save You 94

Summary 95

Chapter 5 Plan Your Phishing Trip: Creating the Enterprise Phishing Program 97

The Basic Recipe 99

Why? 99

What’s the Theme? 102

The Big, Fat, Not-So-Legal Section 105

Developing the Program 107

Setting a Baseline 108

Setting the Difficulty Level 109

Writing the Phish 121

Tracking and Statistics 122

Reporting 125

Phish, Educate, Repeat 127

Summary 128

Chapter 6 The Good, the Bad, and the Ugly: Policies and More 131

Oh, the Feels: Emotion and Policies 132

The Definition 132

The Bad 133

Making It “Good” 133

The Boss Is Exempt 133

The Definition 134

The Bad 134

Making It “Good” 134

I’ll Just Patch One of the Holes 135

The Definition 135

The Bad 136

Making It “Good” 136

Phish Just Enough to Hate It 136

The Definition 137

The Bad 137

Making It “Good” 138

If You Spot a Phish, Call This Number 138

The Definition 139

The Bad 139

Making It “Good” 140

The Bad Guys Take Mondays Off 140

The Definition 141

The Bad 141

Making It “Good” 141

If You Can’t See It, You Are Safe 142

The Definition 142

The Bad 143

Making It “Good” 143

The Lesson for Us All 143

Summary 144

Chapter 7 The Professional Phisher’s Tackle Bag 147

Commercial Applications 149

Rapid7 Metasploit Pro 149

ThreatSim 152

PhishMe 158

Wombat PhishGuru 161

PhishLine 165

Open Source Applications 168

SET: Social-Engineer Toolkit 168

Phishing Frenzy 171

Comparison Chart 174

Managed or Not 176

Summary 177

Chapter 8 Phish Like a Boss 179

Phishing the Deep End 180

Understand What You’re Dealing With 180

Set Realistic Goals for Your Organization 182

Plan Your Program 183

Understand the Stats 183

Respond Appropriately 184

Make the Choice: Build Inside or Outside 186

Summary 187

Index 189