What is phishing?
My definition of phishing seems to be different to almost everything I’ve read, including wikipedia. So I felt it was time to write my thoughts down.
Almost every security company I’ve researched defines phishing as a social engineering technique used to obtain sensitive information such as usernames & passwords and credit card details. In fact, PhishTank says that only webpages designed to steal usernames and passwords should be included in their URL blocklist.
I believe phishing is much more.
My definition of phishing
Phishing is the practice of impersonating people and organizations on the Internet.
Phishing drives 90% of online fraud, data breaches, identity theft, malware and state-sponsored attacks. It’s not just about the theft of personal information.
Here’s an example of a phishing scam reported by PhishLabs that didn’t involve the theft of personal credentials. This shall serve as my web receipt to help demonstrate that I’m not alone in my thinking.
Why phishing is so popular amongst criminals
Criminals favor phishing because getting past security controls by exploiting a person is easier, quicker and cheaper than finding and exploiting a vulnerability in software or a network.
Phishing is not limited to email. It also happens across team collaboration services such as Slack, messaging apps such as WhatsApp, social networks such as Facebook, and search and display advertising such as Google Ads, where a paid ad for a look-alike domain is served above the genuine result.
Why phishing attacks are on the rise
It’s 2020 and despite billions of dollars being invested in cybersecurity technologies, phishing attacks are still on the rise. Why?
Here’s what I think…
It’s mathematically impossible for any computer vision or AI-based security solution to detect every look-alike domain or counterfeit website. Some companies will claim to be brilliant. I’m not debating their level of competency — I’m simply saying they can’t be right all of the time.
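To make that concrete, here is an added example (not code from the original post or from MetaCert) that generates look-alike labels for a brand from a deliberately small, constructed confusable table and runs a typical first-attempt detector over them. The brand names, the table and the detector are all assumptions for the demonstration; the point is how fast the variant count grows and how many survive accent-stripping, which is what most naive normalisation does:

```python
import itertools
import unicodedata

# Constructed, deliberately small table of characters that render like the
# ASCII letter they replace. Unicode's own confusables.txt runs to thousands
# of rows, and keyboard-neighbour typos (paypa1 vs paypla) add more again.
CONFUSABLES = {
    "a": ["\u0430", "\u00e0"],       # Cyrillic а, Latin à
    "c": ["\u0441"],                 # Cyrillic с
    "e": ["\u0435", "\u00e9"],       # Cyrillic е, Latin é
    "i": ["\u0456", "l", "1"],       # Cyrillic і, ell, one
    "l": ["1", "I"],                 # one, capital I
    "o": ["0", "\u043e", "\u03bf"],  # zero, Cyrillic о, Greek ο
    "p": ["\u0440"],                 # Cyrillic р
    "s": ["\u0455", "5"],            # Cyrillic ѕ, five
    "x": ["\u0445"],                 # Cyrillic х
    "y": ["\u0443"],                 # Cyrillic у
}


def lookalikes(label, max_subs=2):
    """All variants of `label` with 1..max_subs positions swapped for a confusable."""
    variants = set()
    positions = [i for i, ch in enumerate(label) if ch in CONFUSABLES]
    for k in range(1, max_subs + 1):
        for idxs in itertools.combinations(positions, k):
            choices = [CONFUSABLES[label[i]] for i in idxs]
            for subs in itertools.product(*choices):
                chars = list(label)
                for i, s in zip(idxs, subs):
                    chars[i] = s
                variants.add("".join(chars))
    return variants


def to_punycode(label):
    """The ASCII form a registry, a resolver or a URL blocklist actually stores."""
    return label.encode("idna").decode("ascii")


def naive_detector(candidate, brand):
    """A typical first attempt: strip accents and case, then compare to the brand.

    It catches 'pàypal' but not a Cyrillic 'а', because NFKD never maps across
    scripts, and it does not catch digit-for-letter swaps either.
    """
    folded = unicodedata.normalize("NFKD", candidate)
    folded = "".join(c for c in folded if not unicodedata.combining(c)).lower()
    return folded == brand


def detection_gap(brand, max_subs=2):
    """Return (number of variants generated, number the naive detector misses)."""
    variants = lookalikes(brand, max_subs)
    missed = sum(1 for v in variants if not naive_detector(v, brand))
    return len(variants), missed


if __name__ == "__main__":
    for brand in ("paypal", "coinbase"):
        total, missed = detection_gap(brand)
        print(f"{brand}: {total} look-alikes from a {len(CONFUSABLES)}-row table, "
              f"naive detector misses {missed}")
    print("p\u0430ypal.com is really", to_punycode("p\u0430ypal") + ".com")
```

With only two substitutions per label and ten table rows, "paypal" already yields 42 variants, of which the accent-stripping detector recognises three. Every extra row or extra substitution multiplies the space, and a blocklist sees each one as a separate xn-- domain that someone must first register, report and classify.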
I have unique insights and experience on this topic as I’ve been working on URLs since 2004, when I co-instigated the creation of the standard for URL Classification & Content Labeling at the W3C, the standards body for the World Wide Web.
Reverse-proxy phishing kits, which came to wide attention in 2019, sit between the victim and the real website: the victim's browser talks to the attacker's domain, which relays every request to the legitimate site and serves its genuine content back. Because the victim completes the real login, one-time code included, the proxy captures the resulting session cookie, so 2FA based on one-time codes such as Google Authenticator or SMS is bypassed. (Origin-bound authenticators such as FIDO2/WebAuthn security keys are not defeated this way, because the signed response names the origin the browser is actually on.) A threat intelligence feed of blocklisted URLs cannot stop this until the proxy's domain has been reported, validated and classified, which typically takes a few days at PhishTank, Google and the other players. By then, most of the damage has already been done.
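The flow described above, simulated offline as an added example (not code from the original post or from MetaCert). The site, the user, the TOTP seed, the credential key and both origins are constructed for the demonstration; the WebAuthn part is a simplified stand-in, using an HMAC where the real protocol signs clientDataJSON with the credential's private key, kept only to show why an origin-bound authenticator survives the same proxy:

```python
import hashlib
import hmac
import secrets
import struct

# Hypothetical origins: the real site, and the attacker's look-alike that proxies it.
LEGIT_ORIGIN = "https://accounts.example"
PROXY_ORIGIN = "https://accounts-example.help"

# --- the legitimate site (constructed user, password and TOTP seed) -----------
USERS = {"alice": {"password": "hunter2", "totp_secret": b"constructed-totp-seed"}}
SESSIONS = {}


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses."""
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def site_login(username, password, otp, now):
    """Password + one-time code; on success the site hands out a session cookie."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    if not hmac.compare_digest(totp(user["totp_secret"], now), otp):
        return None
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = username
    return cookie


def site_whoami(cookie):
    """Any holder of a valid cookie is the user; the site cannot tell who is typing."""
    return SESSIONS.get(cookie)


# --- the phishing reverse proxy ------------------------------------------------
class ReverseProxy:
    """Sits on PROXY_ORIGIN and forwards each request to the real site in real time."""

    def __init__(self):
        self.captured = []

    def relay_login(self, username, password, otp, now):
        # The code is relayed inside its 30-second window, so the real site accepts
        # it. The victim sees the genuine response; the proxy keeps the password,
        # the code and, most usefully, the session cookie.
        cookie = site_login(username, password, otp, now)
        self.captured.append({"user": username, "password": password,
                              "otp": otp, "cookie": cookie})
        return cookie


# --- an origin-bound authenticator (simplified WebAuthn) -----------------------
def authenticator_sign(key, challenge, browser_origin):
    """The signed data includes the origin the browser actually loaded.

    Real WebAuthn signs a hash of clientDataJSON (which carries the origin)
    with the credential's private key; an HMAC stands in for that here.
    """
    data = f"{challenge}|{browser_origin}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def site_verify_assertion(key, challenge, signature):
    """The site only accepts assertions made for its own origin."""
    expected = authenticator_sign(key, challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(expected, signature)


def run_scenarios(now):
    """Victim logs in through the proxy twice: once with TOTP, once with WebAuthn."""
    proxy = ReverseProxy()

    # 1. TOTP: the victim types password and current code into the proxied page.
    victim_code = totp(USERS["alice"]["totp_secret"], now)
    proxy.relay_login("alice", "hunter2", victim_code, now)
    stolen_cookie = proxy.captured[-1]["cookie"]
    totp_bypassed = site_whoami(stolen_cookie) == "alice"  # attacker replays the cookie

    # 2. WebAuthn: the proxy relays the site's challenge unchanged, but the
    #    victim's browser is on PROXY_ORIGIN, so that is the origin that gets signed.
    key = b"constructed-credential-key"
    challenge = secrets.token_hex(16)
    assertion = authenticator_sign(key, challenge, PROXY_ORIGIN)
    webauthn_bypassed = site_verify_assertion(key, challenge, assertion)

    return {"totp_bypassed": totp_bypassed, "webauthn_bypassed": webauthn_bypassed}


if __name__ == "__main__":
    import time
    print(run_scenarios(time.time()))
```

Run it and the TOTP login is accepted by the real site, the proxy ends up holding a cookie that `site_whoami` treats as alice, and the WebAuthn assertion is rejected because it was signed for the proxy's origin. Nothing in the relayed traffic touches a blocklisted URL until someone reports the proxy's domain, which is exactly the window the paragraph above describes.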
We learned this the hard way at MetaCert. Even though we eradicated phishing scams on Slack for the crypto world in 2017, there were always victims before others could be protected from the same fate.
Furthermore, Google and Mozilla removed the website identity (EV certificate) UI from Chrome and Firefox in September 2019 and October 2019 respectively. Given that over 90% of all phishing sites now use https, the padlock only tells a user that the connection is encrypted, not who is on the other end, so spotting a look-alike domain or counterfeit website has become more difficult and time consuming for humans.
And as we know, it only takes one person to open one dangerous link, or to trust one dangerous website for harm to be done.
That’s why we do things differently at MetaCert.