WEBVTT - Phishing, Spear Phishing and Whaling 0:00:04.120 --> 0:00:07.160 Get in touch with technology with tech Stuff from how 0:00:07.200 --> 0:00:13.720 stuff works dot com. Hey there, and welcome to tech Stuff. 0:00:13.760 --> 0:00:16.720 I'm your host, Jonathan Strickland. I'm an executive producer with 0:00:16.720 --> 0:00:20.279 how Stuff Works in a love all things tech, and 0:00:20.360 --> 0:00:23.560 today we're going to kind of do a continuation on 0:00:23.680 --> 0:00:27.080 our discussions about critical thinking and skepticism. I know I've 0:00:27.120 --> 0:00:29.760 been talking about that a lot, but this is another 0:00:30.200 --> 0:00:33.600 area where that's important, and recently in the news, there's 0:00:33.600 --> 0:00:36.559 been a lot of talk about spear fishing. Now much 0:00:36.600 --> 0:00:41.440 of that discussion centers on a report from that detailed 0:00:41.440 --> 0:00:45.839 how Russian intelligence agents targeted the United States Democratic National 0:00:45.880 --> 0:00:49.600 Committee or d NC with a spear phishing campaign that 0:00:49.760 --> 0:00:52.800 ultimately allowed the malicious actors to make off with a 0:00:52.800 --> 0:00:57.360 lot of sensitive and confidential information and infiltrate sensitive systems. Now, 0:00:57.400 --> 0:01:00.120 I'm not going to get political on this EPISOD, so 0:01:00.280 --> 0:01:02.760 that's not what I want to focus on. I rather 0:01:02.840 --> 0:01:05.840 want to focus on the strategies that malicious actors use 0:01:06.240 --> 0:01:09.160 to either steal information or convince people to hand it 0:01:09.200 --> 0:01:12.720 over willingly through deception. So I'm going to talk about 0:01:12.800 --> 0:01:18.120 concepts like social engineering, fishing, spear fishing, and whaling and 0:01:18.120 --> 0:01:21.360 I'm listing them in that order because it involves moving 0:01:21.440 --> 0:01:25.520 from a more general concept to a more specific application 0:01:25.760 --> 0:01:31.080 of those concepts. So let's get it started with social engineering. Now, 0:01:31.120 --> 0:01:36.119 generally speaking, social engineering, at least in this context, refers 0:01:36.160 --> 0:01:40.479 to using deception and manipulation in order to get hold 0:01:40.520 --> 0:01:43.480 of information. It's just, really it's just about tricking people 0:01:43.520 --> 0:01:47.119 to give up stuff that normally they wouldn't part with, 0:01:47.560 --> 0:01:50.880 and that's really all it boils down to. Typically, this 0:01:50.960 --> 0:01:54.440 means that someone is pretending to be a trusted entity 0:01:54.640 --> 0:01:57.920 and they work to convince a target or mark in 0:01:57.960 --> 0:02:01.400 the old carnival speak, the marking the person that you 0:02:01.480 --> 0:02:05.600 have marked as being vulnerable. You are trying to get 0:02:05.600 --> 0:02:08.400 them to hand over information or even give them control 0:02:09.160 --> 0:02:12.720 of their devices. So you might convince someone to install 0:02:12.880 --> 0:02:17.240 some malware. It's disguised as something else, like an innocent file, 0:02:17.800 --> 0:02:20.440 but your your job is to get them to do 0:02:20.560 --> 0:02:24.960 something that compromises information or system information systems. And this 0:02:25.000 --> 0:02:27.720 shows us yet again that critical thinking is a really 0:02:27.760 --> 0:02:30.919 important skill. It's good to apply critical thinking when someone 0:02:31.000 --> 0:02:33.600 is asking you for information or telling you that you 0:02:33.600 --> 0:02:38.040 should install a program. Sometimes those are bad people, and 0:02:38.120 --> 0:02:40.520 sometimes they're up to no good. Now, you can think 0:02:40.520 --> 0:02:43.880 of a social engineer as a con artist, so it's 0:02:43.919 --> 0:02:48.040 someone who uses psychological manipulation to get a specific reaction 0:02:48.200 --> 0:02:52.160 from mark. Stage magicians and mentalists use those sort of 0:02:52.160 --> 0:02:55.640 strategies or to entertain. They're not doing it to do 0:02:55.840 --> 0:03:00.480 something underhanded. They're doing it in order to make people uh, 0:03:00.520 --> 0:03:04.400 amazed or laugh or applaud. A stage magician, for example, 0:03:04.520 --> 0:03:07.480 has to learn the art of misdirection. This is the 0:03:07.520 --> 0:03:10.239 technique of getting an audience to pay attention to something 0:03:10.320 --> 0:03:14.280 that is ultimately unimportant, at least as far as the 0:03:14.320 --> 0:03:17.200 mechanics of a trick, and that's so that they don't 0:03:17.280 --> 0:03:20.320 notice the actual important stuff that's going on. It gives 0:03:20.360 --> 0:03:23.200 the magician the time and opportunity to pull off a trick. 0:03:23.760 --> 0:03:27.120 A good magician can hold an audience's attention with some 0:03:27.200 --> 0:03:31.280 mesmerizing stage work. They might incorporate clever pattern, but the 0:03:31.320 --> 0:03:33.600 whole point is to keep focus off of something that 0:03:33.720 --> 0:03:37.920 might otherwise spoil the illusion. Dr Robert Saldini, is a 0:03:38.000 --> 0:03:42.160 professor emeritus of psychology and Marketing at Arizona State University, 0:03:42.360 --> 0:03:47.640 outlined six basic principles of influence. These relate to strategies 0:03:47.680 --> 0:03:51.840 that they're they're drivers that someone can employ to convince 0:03:51.880 --> 0:03:55.400 another person to agree with what they are saying. And essentially, 0:03:55.680 --> 0:03:59.080 these six broad principles can get someone to say yes. 0:03:59.240 --> 0:04:02.240 It's the idea of influencing someone to agree to do something. 0:04:02.640 --> 0:04:05.920 Understanding these principles can help you recognize when someone is 0:04:05.960 --> 0:04:09.400 trying to use those strategies on you. But these are 0:04:09.440 --> 0:04:14.080 strategies that rely on very human traits. They work because 0:04:14.120 --> 0:04:17.640 of the way we're wired. More or less, it's even 0:04:17.640 --> 0:04:19.640 being aware of them doesn't mean that you will be 0:04:19.720 --> 0:04:24.159 immune to them, because it's it's very much dependent upon 0:04:24.200 --> 0:04:27.520 what it means to be human. So Childni cites other 0:04:27.560 --> 0:04:32.440 psychologists who identified what they called judgmental heuristics. You can 0:04:32.480 --> 0:04:36.200 think of these as sort of cognitive shortcuts. They are 0:04:36.279 --> 0:04:39.200 basic rules that we accept as being generally true, so 0:04:39.240 --> 0:04:42.279 it's sort of like a foundational statement that we would 0:04:42.279 --> 0:04:45.800 not question. But if someone knows how those work, they 0:04:45.800 --> 0:04:48.440 can take advantage of it. So, in other words, if 0:04:48.440 --> 0:04:51.120 someone is really good at using these principles, you might 0:04:51.160 --> 0:04:53.640 not be aware of it right away. And I certainly 0:04:53.640 --> 0:04:56.080 consider myself to be vulnerable to them. I know I'm 0:04:56.160 --> 0:04:58.479 vulnerable to them. I can think of examples where people 0:04:58.600 --> 0:05:01.679 use these technique U on me and it worked. Sales 0:05:01.720 --> 0:05:05.200 people in particular tend to really focus on these their 0:05:05.360 --> 0:05:08.479 entire books out there that are all about how to 0:05:08.640 --> 0:05:13.600 leverage these principles in order to make sales, make business deals, 0:05:14.360 --> 0:05:18.000 et cetera. So what are the six big categories. Well, 0:05:18.279 --> 0:05:21.880 the first is the rule of reciprocation. That's our tendency 0:05:21.960 --> 0:05:25.200 to want to repay someone who has done something on 0:05:25.200 --> 0:05:29.640 our behalf. Essentially, this comes down to the concept of favors. 0:05:29.720 --> 0:05:32.839 So an example you might have encountered could be free samples. 0:05:33.240 --> 0:05:36.320 Merchants know that a free sample can create the urge 0:05:36.320 --> 0:05:39.359 within a potential customer to buy a product because that 0:05:39.400 --> 0:05:43.240 person feels obligated after having accepted a sample. So if 0:05:43.279 --> 0:05:46.080 I'm sitting at a table and I have samples of 0:05:46.160 --> 0:05:49.160 let's say it's olive oil, I've got different little bowls 0:05:49.160 --> 0:05:51.159 of olive oil, and you can dip a little bit 0:05:51.240 --> 0:05:53.200 of bread in there and taste them, and I'm there 0:05:53.240 --> 0:05:56.160 saying I'm here to answer any questions. Do you like it? 0:05:56.240 --> 0:05:59.520 What do you think? We have the social pressure within 0:05:59.640 --> 0:06:02.080 us to say, oh, I like it a lot, even 0:06:02.120 --> 0:06:04.720 if we don't. We have that social pressure, Like very 0:06:04.760 --> 0:06:06.359 few of us would say, oh, I don't like this 0:06:06.440 --> 0:06:09.680 at all to someone who seems like they are invested 0:06:09.720 --> 0:06:13.400 in your answer. So we feel obligated to go along 0:06:13.440 --> 0:06:15.520 with it. And we may feel obligated because we have 0:06:15.600 --> 0:06:19.080 accepted something that in return we will buy something even 0:06:19.160 --> 0:06:22.720 if we didn't like the thing, because we feel this 0:06:22.960 --> 0:06:27.640 social pressure. And this goes along with what it means 0:06:27.680 --> 0:06:29.640 to be human. I'll touch back on that when we 0:06:29.680 --> 0:06:32.159 get towards the end of these principles. So most people 0:06:32.200 --> 0:06:34.880 don't like to feel that they are under some sense 0:06:34.880 --> 0:06:37.679 of obligation to someone else. They don't like to feel 0:06:37.680 --> 0:06:42.000 they owe somebody something, and so they will very quickly 0:06:42.160 --> 0:06:45.200 try to act to even the scales right so that 0:06:45.240 --> 0:06:49.159 they are no longer obligated. So rule of reciprocation is 0:06:49.200 --> 0:06:53.359 the first principle. Next is scarcity. People tend to want 0:06:53.440 --> 0:06:56.920 more of stuff that they can have less of. That's 0:06:56.920 --> 0:07:00.200 the basic idea. And you can look at this with 0:07:00.360 --> 0:07:03.880 just like the prices for precious metals. Precious metals are 0:07:03.880 --> 0:07:07.159 precious largely because of their scarcity, because they're so hard 0:07:07.200 --> 0:07:09.080 to get and there's not a whole lot of it. 0:07:09.440 --> 0:07:11.640 That's what drives up their value. People want it more 0:07:11.720 --> 0:07:15.440 because it's harder to get. The entire diamond industry is 0:07:15.480 --> 0:07:19.240 based off of this concept. There are plenty of diamonds, 0:07:19.320 --> 0:07:23.560 There are tons of diamonds. They are not even rare. 0:07:23.680 --> 0:07:29.040 But because the world's supply of natural diamonds is controlled 0:07:29.200 --> 0:07:33.360 essentially by a single company, that company can control the 0:07:33.440 --> 0:07:37.280 scarcity of diamonds and thus inflate their value. Because people 0:07:37.320 --> 0:07:40.559 want what they can't have, So offering someone a chance 0:07:40.600 --> 0:07:44.320 to experience something or possess something that has extremely limited 0:07:44.320 --> 0:07:49.120 availability is a really useful tactic. If you tell someone, hey, 0:07:49.120 --> 0:07:51.480 this service that we have, we're gonna get rid of 0:07:51.520 --> 0:07:54.320 it in a week, typically you see a lot more 0:07:54.360 --> 0:07:56.560 people try and take advantage of that service before it 0:07:56.600 --> 0:08:00.000 goes away forever. It's an incredibly useful way of getting 0:08:00.080 --> 0:08:02.600 people to do something you want them to do. Next 0:08:02.720 --> 0:08:05.640 is the principle of authority, which is the notion that 0:08:05.680 --> 0:08:07.920 people will tend to go along with someone they view 0:08:08.040 --> 0:08:11.280 as being an expert or being credible. So have you 0:08:11.280 --> 0:08:14.600 ever encountered a problem and thought, Uh, someone smarter than 0:08:14.600 --> 0:08:16.800 I am is going to handle this, or you just 0:08:16.880 --> 0:08:20.680 assume that someone more capable than you has the situation covered. 0:08:21.080 --> 0:08:24.280 Maybe you were present when an emergency happened and you 0:08:24.320 --> 0:08:26.640 look around to see if someone else jumps to help, 0:08:26.720 --> 0:08:29.360 because you think, well, clearly, there's gotta be someone here 0:08:29.400 --> 0:08:32.080 who's better at handling this kind of situation than I am, 0:08:32.320 --> 0:08:34.920 so I'm gonna step back and allow that to happen. Well, 0:08:34.920 --> 0:08:37.760 that behavior shows that we frequently will defer and even 0:08:37.840 --> 0:08:41.040 seek out people who appear to be more knowledgeable or 0:08:41.200 --> 0:08:45.400 capable than ourselves under certain situations. So if someone poses 0:08:45.480 --> 0:08:48.760 as a person of authority convincingly, they can more easily 0:08:48.800 --> 0:08:52.480 persuade people to do stuff. The fourth principle of influence, 0:08:52.480 --> 0:08:56.320 according to Cialdini, is consistency. This is related to the 0:08:56.360 --> 0:08:59.880 concept of commitment committing to do something. If you get 0:09:00.000 --> 0:09:03.839 someone to agree to a small initial commitment, that can 0:09:03.880 --> 0:09:07.040 set the ground for a larger commitment further down the road. 0:09:07.120 --> 0:09:10.280 So a classic example in a scam could be the 0:09:10.360 --> 0:09:13.600 Nigerian scam. A lot of Nigerian scams will start off 0:09:13.640 --> 0:09:16.240 where the scam artist first asks for a relatively small 0:09:16.280 --> 0:09:19.079 amount of money because they say, hey, there's a huge 0:09:19.120 --> 0:09:22.160 amount of money in this country. Has your name on it. 0:09:22.160 --> 0:09:24.480 It's it's clearly not meant for you, but because it 0:09:24.480 --> 0:09:26.280 has your name on it, we can get it to you. 0:09:26.720 --> 0:09:29.400 It's an enormous sum. However, in order for me to 0:09:29.440 --> 0:09:31.400 get this money to you, first, I'm gonna need a 0:09:31.440 --> 0:09:33.920 small amount of money from you to help secure this, 0:09:34.200 --> 0:09:36.640 and then we can get you rich. And people will 0:09:36.640 --> 0:09:38.959 say okay, And then the scam ars might come back 0:09:39.000 --> 0:09:40.640 and say, oh, as it turns out, I'm gonna need 0:09:40.679 --> 0:09:42.319 a little bit more money because I'm gonna have to 0:09:42.400 --> 0:09:46.080 bribe some officials here in order to get your wealth 0:09:46.240 --> 0:09:49.120 to you, and so on and so on. The idea 0:09:49.160 --> 0:09:52.319 being that because you've already made an initial commitment, you 0:09:52.360 --> 0:09:55.800 would be willing to make a larger subsequent commitment. And 0:09:55.880 --> 0:09:58.559 this can happen not just in scams, it can happen 0:09:58.559 --> 0:10:04.640 in completelygitimate, although sometimes questionably ethical applications. That in the 0:10:04.679 --> 0:10:07.679 Principles is the principle of liking, which means we're more 0:10:07.720 --> 0:10:12.440 easily influenced by people we like. This is not brain surgery, right, 0:10:12.920 --> 0:10:15.840 If you like someone, you're more willing to agree with 0:10:15.920 --> 0:10:19.199 them and to do things that they need you to do. Now, 0:10:19.480 --> 0:10:22.040 Sheldeoni states there are three factors that go into whether 0:10:22.120 --> 0:10:25.280 or not we actually like someone. First, we tend to 0:10:25.360 --> 0:10:28.680 like people who are similar to ourselves. The more alike 0:10:28.760 --> 0:10:30.800 they are to ourselves, at least to a certain extent, 0:10:31.120 --> 0:10:33.800 the more we tend to like them. Second, we like 0:10:33.920 --> 0:10:38.240 people who complement us because we're vain. We're egotistical creatures. 0:10:38.640 --> 0:10:40.040 If you come up to me and say, hey, I 0:10:40.080 --> 0:10:42.600 really like your work, I am far more likely to 0:10:42.679 --> 0:10:45.720 like you. And Third, we like people who will work 0:10:45.800 --> 0:10:49.079 with us towards a mutual goal. If we both need 0:10:49.120 --> 0:10:52.640 to get a specific task done, and you help me 0:10:52.760 --> 0:10:55.640 do that task, I am more likely to like you. 0:10:55.800 --> 0:10:58.400 So a scam artist might try to wheel out some 0:10:58.720 --> 0:11:01.240 information about you in order to make it seem as 0:11:01.280 --> 0:11:04.439 if the artist also shares the similar interests and values 0:11:04.480 --> 0:11:07.960 that you have, and try and create this pathway to 0:11:08.040 --> 0:11:10.640 get you to like the scam artists so that in return, 0:11:11.360 --> 0:11:13.680 you will actually do whatever the scam artist wants you 0:11:13.720 --> 0:11:18.240 to do. The sixth principle is consensus, which essentially says 0:11:18.520 --> 0:11:20.360 that when we're in doubt, we tend to look at 0:11:20.360 --> 0:11:22.480 what other people are doing so that we can get 0:11:22.520 --> 0:11:25.280 some direction over what we should do. Now, I certainly 0:11:25.360 --> 0:11:28.560 identify with this. I think about just about any situation 0:11:28.600 --> 0:11:31.120 I've been in in which I was joining a group 0:11:31.160 --> 0:11:34.000 of people working together on an activity. Maybe we're all 0:11:34.520 --> 0:11:37.480 doing the same thing over and over, like folding T shirts. 0:11:37.480 --> 0:11:40.480 That's an easy one. We're all folding T shirts, and 0:11:40.640 --> 0:11:42.680 I keep looking over to the left and right to 0:11:42.679 --> 0:11:44.280 see how other people are doing it, so that I 0:11:44.280 --> 0:11:46.199 feel like I'm doing it the right way, that I'm 0:11:46.240 --> 0:11:49.520 not messing up. I have this incredible social pressure on 0:11:49.559 --> 0:11:53.440 me to do it correctly, and rather than try and 0:11:53.800 --> 0:11:56.960 learn this in a more formal way, you know, a 0:11:57.000 --> 0:12:00.719 more process oriented way, I'm doing it looking at how 0:12:00.720 --> 0:12:03.640 everyone else is doing this. Now, if everyone else is 0:12:03.679 --> 0:12:06.320 doing this quote unquote the correct way, that's fine. But 0:12:06.360 --> 0:12:09.440 if people are doing things incorrectly, then all I'm doing 0:12:09.520 --> 0:12:11.360 is adding to the number of people who are doing 0:12:11.400 --> 0:12:14.439 something incorrectly. But there's again, is a lot of social 0:12:14.480 --> 0:12:17.599 pressure at play here for you to do as the 0:12:17.640 --> 0:12:21.920 group does. And this is not just psychobabble. These principles 0:12:22.160 --> 0:12:26.640 put into words behaviors that humans have developed as social creatures. 0:12:27.320 --> 0:12:30.720 Human survival has largely depended upon our working together, and 0:12:30.760 --> 0:12:35.040 so we've developed these behaviors that promote cooperation and they 0:12:35.080 --> 0:12:41.239 discourage inhibiting cooperation. Understanding those behaviors and then subtly leveraging 0:12:41.320 --> 0:12:44.640 them can have a really big impact on interactions, and 0:12:44.640 --> 0:12:48.000 that plays right into the hands of social engineers. So 0:12:48.240 --> 0:12:51.960 if you happen to know people tend to follow these 0:12:52.000 --> 0:12:57.199 principles because humans as a species have sort of evolved 0:12:57.280 --> 0:13:00.000 to be these social creatures, then you can take advantag 0:13:00.040 --> 0:13:02.239 edge of that. Now, granted they are going to be outliers. 0:13:02.240 --> 0:13:05.360 There will be people who do not conform, they do 0:13:05.400 --> 0:13:08.679 not adhere to these principles, they don't have any connection 0:13:08.760 --> 0:13:11.640 to them, But more frequently than not, you're going to 0:13:11.679 --> 0:13:15.120 find that they work and that they work on you. Next, 0:13:15.200 --> 0:13:18.400 I'm going to define the terms like fishing, spear fishing, 0:13:18.440 --> 0:13:21.440 and whaling, and we'll explore some specific tactics and stories 0:13:21.480 --> 0:13:24.720 related to those practices. But first let's take a quick 0:13:24.760 --> 0:13:35.760 break to thank our sponsor. All right, So social engineering 0:13:35.800 --> 0:13:37.800 is all about manipulating people to give them to do 0:13:37.840 --> 0:13:40.599 what you want, typically in a way that involves deception 0:13:40.679 --> 0:13:44.880 and handing over confidential information. But what is fishing all about? 0:13:45.120 --> 0:13:48.040 And it's spelled p h I s H I n 0:13:48.080 --> 0:13:51.800 G by the way, fishing with a pH Fishing describes 0:13:51.840 --> 0:13:54.960 the practice of tricking people into handing over sensitive information 0:13:55.280 --> 0:13:59.440 through some digital means. Most frequently we talk about using 0:13:59.720 --> 0:14:02.640 e ail as a way of phishing for data, but 0:14:03.000 --> 0:14:07.959 you could use a spoofed website, you could use instant messaging, 0:14:08.360 --> 0:14:12.280 but it doesn't really matter. The basic concept is the same. 0:14:12.320 --> 0:14:15.679 You're fishing for data. I find it interesting, by the way, 0:14:15.720 --> 0:14:18.000 that we have a lot of nautically themed terms to 0:14:18.080 --> 0:14:22.160 describe different behaviors on the Internet, because there's fishing, their 0:14:22.200 --> 0:14:26.080 spear fishing, there's whaling, but there's also trolling. Trolling refers 0:14:26.160 --> 0:14:29.080 not to mythical monsters from fairy tales, but from the 0:14:29.080 --> 0:14:32.600 practice of dragging a net behind a boat to troll 0:14:32.840 --> 0:14:35.640 in an effort to scoop up a catch. Trolling on 0:14:35.680 --> 0:14:38.360 the Internet originally referred to people who would go into 0:14:38.800 --> 0:14:41.760 message forums and they would lay down a trap, which 0:14:41.760 --> 0:14:44.640 would be they would post something intended to get a 0:14:44.760 --> 0:14:48.440 rise out of members of the forum, legitimate members, so 0:14:48.800 --> 0:14:51.600 they weren't necessarily aiming at anyone in particular. They were 0:14:51.640 --> 0:14:54.000 just kind of laying a trap for anybody who was 0:14:54.200 --> 0:14:57.320 gullible enough to fall into it. The goal was just 0:14:57.400 --> 0:15:00.280 to rile people up, and why would you do that. Well, 0:15:00.360 --> 0:15:02.560 some people just want to watch the world burn. I 0:15:02.600 --> 0:15:04.960 guess they like to think that they were able to 0:15:05.000 --> 0:15:08.680 have influence on another person and that brings them some 0:15:09.160 --> 0:15:12.240 mean sense of joy. It's not great, but it does 0:15:12.320 --> 0:15:16.800 happen far too frequently. Or sometimes the troll actually has 0:15:16.840 --> 0:15:20.440 ulterior motives beyond just upsetting people. Maybe you have someone 0:15:20.480 --> 0:15:23.120 who's running a different message board, and so what they're 0:15:23.120 --> 0:15:26.440 doing is they're essentially sabotaging what they see as competition. 0:15:26.680 --> 0:15:29.840 But whatever the motivation, the practice involved being obnoxious in 0:15:29.920 --> 0:15:32.640 one way or another in an attempt to get at 0:15:32.680 --> 0:15:35.280 least a hit or two from well meaning but misguided 0:15:35.280 --> 0:15:38.880 forum members. And I say misguided because the person's anger 0:15:39.000 --> 0:15:42.040 or frustration was the trolls goal all along. They're not 0:15:42.520 --> 0:15:46.120 necessarily arguing something they actually believe in. All we wanted 0:15:46.160 --> 0:15:48.880 to do was get someone upset. So if you get upset, 0:15:49.040 --> 0:15:51.600 the troll wins. So the only real way to win 0:15:51.800 --> 0:15:54.440 is not to play. And that's why you often hear 0:15:54.480 --> 0:15:57.040 people say don't feed the trolls. Problem is, if you 0:15:57.040 --> 0:15:59.600 don't feed the trolls, sometimes trolls will just keep on 0:15:59.680 --> 0:16:05.520 trying to get people to agree to awful, awful things, 0:16:05.720 --> 0:16:08.400 So that philosophy only goes so far as well, and 0:16:08.440 --> 0:16:11.600 it's only applicable in certain situations. But that's another podcast. 0:16:12.080 --> 0:16:14.680 Fishing is similar in a lot of ways to trolling, 0:16:14.720 --> 0:16:17.600 except instead of trying to irritate people, you're trying to 0:16:17.640 --> 0:16:20.960 trick people into handing over information they should definitely not 0:16:21.240 --> 0:16:24.960 hand over. Fishing is a general approach. The attacker does 0:16:25.000 --> 0:16:28.360 not necessarily have a particular target in mind. It's kind 0:16:28.360 --> 0:16:31.680 of a blanket attack. They don't really care who ends 0:16:31.760 --> 0:16:33.800 up being a victim. All they want to do is 0:16:33.840 --> 0:16:37.200 gather as many hits as possible. Just doesn't matter. From 0:16:37.240 --> 0:16:41.680 where as such this, phishing messages tend to be pretty generic. 0:16:42.320 --> 0:16:45.320 Phishing emails may appear to come from a legitimate source. 0:16:45.440 --> 0:16:47.520 On a casual glance, they might look like they were 0:16:47.520 --> 0:16:50.440 sent from an actual company, like a bank or a 0:16:50.480 --> 0:16:54.640 government organization. There are countless variations, but they all try 0:16:54.720 --> 0:16:57.480 to fool the recipient into taking an action that will 0:16:57.600 --> 0:17:01.200 ultimately result in a bad outcome for the target. So, 0:17:01.280 --> 0:17:03.520 for example, you might get an email from a bank 0:17:03.640 --> 0:17:05.800 stating that you have an old account with money in 0:17:05.840 --> 0:17:08.080 it and you should transfer that money out of your account. 0:17:08.480 --> 0:17:10.879 It is essentially saying, hey, you got free money, and 0:17:10.920 --> 0:17:13.399 this bank asks that you fill out some information so 0:17:13.440 --> 0:17:16.240 that you can retrieve your cash. But in reality, the 0:17:16.280 --> 0:17:18.679 emails coming from a phishing scheme and it's looking to 0:17:18.720 --> 0:17:22.120 harvest as much confidential information from users as possible. Maybe 0:17:22.119 --> 0:17:25.639 they're saying, give us your current bank account information so 0:17:25.680 --> 0:17:27.800 that we can transfer the money. We can wire it 0:17:27.880 --> 0:17:31.679 from this old account into your current account, but in 0:17:31.760 --> 0:17:34.680 reality they just want access to your current account. That's 0:17:34.760 --> 0:17:38.199 a pretty clumsy example, but it is an example of 0:17:38.200 --> 0:17:42.199 something that could actually happen. Often, the email address in 0:17:42.240 --> 0:17:44.639 a message can be a dead giveaway whether the message 0:17:44.640 --> 0:17:47.280 is legitimate or not. You can look at the originating 0:17:47.320 --> 0:17:50.720 email address and say, well, it says it's from Gmail, 0:17:50.960 --> 0:17:55.280 but the domain on the email is not related at 0:17:55.320 --> 0:17:58.320 all to Google. Well that's a dead giveaway. Chances are 0:17:58.359 --> 0:18:02.679 you're looking at a scam if email address does not 0:18:02.800 --> 0:18:06.879 match whatever entity it claims to be from. And I 0:18:06.920 --> 0:18:10.200 doubt any legitimate organization would ever ask for sensitive details 0:18:10.240 --> 0:18:13.040 to be sent over email. Almost every single one if 0:18:13.080 --> 0:18:15.560 they respond to these kind of attacks, says we will 0:18:15.640 --> 0:18:19.800 never ask for your personal information over email, particularly since 0:18:19.840 --> 0:18:23.479 there's no guarantee that the recipient is using encryption on 0:18:23.560 --> 0:18:27.520 their emails, So if you're not using an encrypted email service, 0:18:27.880 --> 0:18:31.240 there's no guarantee that a third party listening in wouldn't 0:18:31.320 --> 0:18:34.080 get access to that information anyway, even if everything else 0:18:34.119 --> 0:18:37.960 was legitimate. So that being said, it is possible to 0:18:38.000 --> 0:18:41.439 forge an email address so that a message appears to 0:18:41.480 --> 0:18:45.080 be from an official, legitimate source. There's nothing in the 0:18:45.160 --> 0:18:48.200 email protocol on its own, just the regular email protocol 0:18:48.520 --> 0:18:52.280 that verifies an address in the front field is actually 0:18:52.320 --> 0:18:55.400 a legitimate address. Now you can do some snooping yourself. 0:18:55.680 --> 0:18:59.280 You can examine email headers, which might require activating a 0:18:59.320 --> 0:19:03.080 specific feature in your email interface like in Gmail. I 0:19:03.119 --> 0:19:07.480 think it's reveal source or something along those lines. Uh oh, 0:19:07.520 --> 0:19:09.320 show original is what it is. That's what it is. 0:19:09.560 --> 0:19:12.240 You choose show original, and that's gonna give you kind 0:19:12.280 --> 0:19:16.160 of the hypertext version of the email, and that will 0:19:16.200 --> 0:19:19.040 include listing all the servers that the email has passed 0:19:19.280 --> 0:19:23.879 through with the line received colon from, and at the 0:19:23.880 --> 0:19:28.720 bottom of that section, the last received from would represent 0:19:28.840 --> 0:19:32.760 the original computer that sent the email. And if you 0:19:32.800 --> 0:19:36.360 look at that and the original computers domain is different 0:19:36.480 --> 0:19:40.600 from the official domain. Again, that could be a red flag. 0:19:40.640 --> 0:19:44.639 It's not necessarily proof positive, but it does indicate that 0:19:44.680 --> 0:19:46.679 it could be a malicious email and you should be 0:19:46.720 --> 0:19:49.800 careful about it. On the admin side of this, if 0:19:49.800 --> 0:19:53.560 you were a system administrator, organizations can implement what is 0:19:53.560 --> 0:19:58.120 called a sender policy framework to prevent forged email addresses, 0:19:58.600 --> 0:20:02.800 which is an email validation protocol, and essentially it allows 0:20:02.840 --> 0:20:06.760 an organization to map specific I P addresses that are 0:20:06.800 --> 0:20:10.920 authorized to be associated with email addresses containing the organization's 0:20:10.960 --> 0:20:13.879 web domain. So, in other words, it says, if someone 0:20:13.920 --> 0:20:16.480 tries to send an email and they claim that email 0:20:16.520 --> 0:20:20.560 is from US, check to make sure their IP address 0:20:20.760 --> 0:20:24.720 is on this list of authorized IP addresses, and if 0:20:24.720 --> 0:20:29.080 it isn't, don't allow our email. Don't allow that that 0:20:29.200 --> 0:20:33.280 from field to display our domain. It's essentially saying check 0:20:33.320 --> 0:20:36.359 here to make sure that it's legit. But again, you 0:20:36.400 --> 0:20:39.080 have to implement this. It's not something that is natively 0:20:39.280 --> 0:20:43.520 part of the email protocol. Now. I've received countless phishing 0:20:43.600 --> 0:20:45.680 emails over the years, and my favorites are the ones 0:20:45.720 --> 0:20:48.640 from companies or banks that I have never done any 0:20:48.680 --> 0:20:52.320 business with. But even those types of obvious scams can 0:20:52.359 --> 0:20:55.200 fool people. They might think, Hey, I might be able 0:20:55.200 --> 0:20:57.240 to get some free money because these folks think I 0:20:57.280 --> 0:20:59.920 have cash in their coffers, so I'll just play along, 0:21:00.440 --> 0:21:02.840 and I can essentially get some poor SAPs doughe just 0:21:02.880 --> 0:21:04.800 because they happen to have the same name as I 0:21:04.840 --> 0:21:07.920 do that stinks to be them. Only it turns out 0:21:07.960 --> 0:21:10.600 that the SAP all along was the person who received 0:21:10.600 --> 0:21:13.560 the email, because they will end up handing over sensitive 0:21:13.600 --> 0:21:16.400 information to an attacker rather than getting hold of someone 0:21:16.440 --> 0:21:19.840 else's money. A phishing attack doesn't need to get that 0:21:19.880 --> 0:21:22.800 many hits to be a success. Is a pretty cheap 0:21:23.280 --> 0:21:26.879 way of attacking people. It's not expensive to mock up 0:21:26.920 --> 0:21:29.479 an email that looks like it came from an official source, 0:21:29.800 --> 0:21:33.000 and it's also not that expensive to email hundreds of 0:21:33.040 --> 0:21:35.679 thousands of people. It's pretty easy to do so if 0:21:35.720 --> 0:21:38.640 you cast a wide enough net, you're sure to get 0:21:38.680 --> 0:21:40.760 some hits. There might not be a lot, but you 0:21:40.800 --> 0:21:43.160 don't really need a lot to actually make it profitable. 0:21:43.600 --> 0:21:46.159 So it's not an efficient way to trick people, but 0:21:46.240 --> 0:21:49.720 it can still make you money, though not at a 0:21:49.720 --> 0:21:52.600 super high profitability. But also you would be a total 0:21:52.680 --> 0:21:55.159 scumbag for doing it if you try chose to do 0:21:55.200 --> 0:21:58.800 this kind of stuff. So that's fishing. What is spear 0:21:58.880 --> 0:22:01.439 fishing because that's been the news quite a bit with 0:22:01.480 --> 0:22:03.800 this d n C stuff. Well, as I mentioned earlier, 0:22:03.840 --> 0:22:06.439 we're moving from the general to the more specific. So 0:22:06.480 --> 0:22:09.639 spear phishing is phishing. It uses the same sort of 0:22:09.680 --> 0:22:12.800 general approaches phishing, except this time the target is a 0:22:12.880 --> 0:22:17.040 defined one. Instead of it just being a widespread blanket 0:22:17.040 --> 0:22:21.680 attack against anyone and everyone, this is a targeted attack. 0:22:22.080 --> 0:22:26.119 It's targeting a specific company or organization. The emails or 0:22:26.119 --> 0:22:29.399 other messages take aim at the people who work in 0:22:29.520 --> 0:22:33.080