Phishing Exposed Paperback – Jan 20 2006
Most Helpful Customer Reviews on Amazon.com (beta)
The book begins with an overview of the phishing problem. Three basic phishing techniques (impersonation, forwarding, and popup) are explained. The mechanics of email and HTTP are also described. The heart of the book appears in chapters 4 and 5, where almost 270 pages are devoted to the author's assessment and abuse of banking sites. I was shocked by the author's ability to repeatedly take advantage of vulnerabilities in client and server software and configuration. These chapters made me wonder if it is possible for an average end user -- or even a skilled technical user -- running popular operating systems and browsers to survive these sorts of high-end attacks.
Ch 6 featured some innovative material on subverting caller ID by using Voice over IP and other methods. I also appreciated the historical perspective in that chapter.
My only real concern is that the author devoted lots of material to his own attacks, and not as much to attacks by real phishers. I would have liked additional details on how to detect and potentially defeat these attacks using network-based and proxy-based means.
Incidentally, reviews by "relatives" should be considered suspect, although reviews with the title "inadequate and unoriginal" should be completely ignored. Reviews like that demonstrate another instance where that particular "reviewer" has once again skimmed the text and not spent any time reading the book. Phishing Exposed is incredibly original -- and that's why I've given it five stars, despite some rough editing from Syngress.
The book does a great job of covering a wide range of topics related to phishing so the reader understands the phishing process as a whole. Even Caller ID spoofing and anonymous telephony are included in Chapter 6, which is an interesting read that gives you some ideas where phishing of the future may be headed. Also, some of the little stories in Chapter 7 are really interesting and left me wanting more!! The bit about scanning a whole Korean Class B subnet range looking for 0day phishing servers is one example!
I read "Phishing: Cutting the Identity Theft Line" over the summer, and I think that "Phishing Exposed" gives the reader a better understanding of the current phishing problem and what needs to be done in the future to protect both consumers and businesses. I would say this book is the authoritative guide on phishing in 2005 and into 2006.
On how to stop phishing, the book is sadly inadequate. For example, it explains how the phishers inject their messages into the Internet. This is the broader problem of spammers doing so, and for this there is no feasible antidote, mostly because of the early, trusting model of email sending that was developed for the Internet before the Web appeared. But a deeper problem is that as the Internet continues to grow, with millions of new nodes added each year, each node is a potential injection point. This is exacerbated by many of these nodes being computers owned by individuals without the background to regularly install antivirus software.
Then there are the book's suggestions on good practices. It says that users who get messages claiming to be from a bank and asking them to login to a [fake] site should be sceptical. While this is correct advice, it relies on a user acting accordingly. But this human factor is weak. It is precisely this that the phishers direct their attacks at. You might not be fooled. Probably because you are concerned enough that you are considering reading the book, and are in fact reading this review right now. However, phishing, like spam, preferentially targets the ill-educated or gullible. And they are very unlikely to read this book or any others on the subject. The point is that if a recipient gets to the point of actually reading a phishing message, then it is already too late for some non-negligible percentage of users. And it is that percentage from which banks take losses.
By the way, phishing messages can indeed be very well written. There was a survey recently of various technical managers, who were given a set of messages, some phishing and some not. Very few of them could correctly identify all the phishing messages.
Another countermeasure described is the use of honeypots to attract messages, which might then be manually analysed by experts to identify phishing. But this manual identification is itself expensive and slow. Part of the expense is due to phishing being in several languages - those of the developed countries and also of several key developing countries like China, Brazil and India. So if you are a global antiphishing vendor, you need to hire people who know those languages. But why? The book doesn't offer any cheaper alternative.
Also, the book suggests that a bank that sends out real messages should only have links in these back to its main website, and not to any independent third-party sites or to more obscure domains that it might own. Another instance of how unoriginal the text is. What if a bank wanted to do a co-marketing campaign with United Airlines or Toyota, and put links to those companies in its messages, for example? Why shouldn't it do this? Or say the bank owns the domain homemortgage.com. Why can't it have links to that as well as to its main domain?
The first is unsurprising -- it is, after all, a Syngress book, and so is typical of technical books from this imprint. The second accomplishment, though, was a pleasant surprise. It's not common that someone as deeply involved in the technologies of network security is also a talented writer.
As an example, while documenting the technical characteristics of e-mail delivery, James illustrates example forensic techniques of identifying the home city, working schedule, and handedness of the attacker. It's this mix of CSI-meets-ITSec that makes the book an honest page-turner.
Given this literary attention to narrative and even elements of plot development (especially on the follow-the-breadcrumbs analysis of a seemingly endless series of HTTP redirects), this book illustrates the phishing problem in a way that both technically-oriented defenders and interested "power user" readers will understand and enjoy.
It didn't take long for the organized crime elements of the malware underground to recognize the power and efficiency of this tool. Phishing is a virtual poster-child for the convergence of malware because it is a malicious tool that helps tie viruses, worms, spam, Trojans and other malware together and get them delivered effectively to their designated targets.
While a book like Phishing: Cutting The Identity Theft Line is aimed at managers and executives and users, this book is more along the lines of Inside The Spam Cartel in the way it dives deeper to look at the secrets and techniques and explore the underground that makes it work.
While the content is more technical, James's writing is engaging. Phishing Exposed is an excellent resource for developers, specifically Web developers, and for security experts to understand more about how and why phishing works, rather than just what it is and how to detect and defend against it.