Thursday, February 14, 2008
To Catch a Phish: Practice, Practice, Practice
Our adversaries are very good. Very very good. They are experts at deception and intrigue. They make a living (and a very good living at that) from separating you from your personal information. They prey on your gullibility and trusting nature.
I don't advocate that you become a full-on paranoid like me. Every time I get a strange email that seems suspicious, I'm tearing apart the headers and doing link analysis to figure out if the message is legit. And I'm just an amateur. I know a lot of guys that pull these messages apart professionally.
Unfortunately, I'm not opening up your email nor are my security research friends. So you've got to learn to walk for yourself. How do you do that? I'm glad you asked. Step 7 in Security Mike's Guide will be all about detecting attempts at identity theft and other fraud techniques. What they look like, how to detect them, all of that stuff. I'm trying to teach you to fish (no pun intended), as opposed to just giving you a fish.
But you can get started while I'm still working on the Security Mike content. CRN does a nice job of highlighting 10 phishing scams. The bad guys have moved on from these, so the likelihood that you'll get this very attack is small. But the techniques don't change that often. So pay attention and apply a wee bit of paranoia when you are opening your emails and surfing the web, and you'll be a lot better off for it.
Photo credit: Hook, line and sinker... by ToastyKen