[Full-disclosure] Are consumers being misled by "phishing"?
n3td3v at gmail.com
Thu Jun 29 11:59:46 BST 2006
On 6/29/06, Gadi Evron <ge at linuxbox.org> wrote:
> I guess I'm in kiddie flaming mood this week. About time too, been a
Kiddie flaming mood?
> > I believe the industry coined up "phishing" to make more money out of
> > social engineering. Its obvious now that both are over lapping. Only
> > the other day Gadi Evron was trying to coin up a phrase for "voice
> > phishing". Why can't we cut to the chase and drop the (ph)rases and
> > call it straight forward SOCIAL ENGINEERING.
> Hey there n3td3v team. I actually agree with you. Terming things with new
> names all the time is very annoying. Pharming is one good example.
It's not about being annoying, it's about misleading the consumer with
catch phrases to describe social engineering.
> I guess when the annual revenue from phishing for the mafia gets to 2
> Billion USD, things get their own names.
There are a million books on phishing in Borders book store; if the
phishing phrase hadn't been coined, a lot of people wouldn't be
millionaires right now.
They brought in "phishing" in 2003. The actual act of phishing had
been going on for years before the phrase was coined. Since the
beginning of Yahoo corporation there have been fake login sites, and
people making voice-based social engineering attacks. It's as if the
technique known as phishing wasn't around until the term phishing was
coined. I can tell you phishing and voice phishing were around and
known as "social engineering" and everyone was happy with that.
Phishing hasn't increased since the term phishing was coined; it was
as big an attack method then as it is today. It's only because of the
term phishing being recently invented that companies have decided to
make money out of setting up honey pots to detect phishing, report
that to the consumer and corporate scene, and offer security products
to protect users against phishing attacks (Websense ring a bell?). The
whole term phishing is purely for money-making purposes, and to allow
security product vendors to break down the techniques of social
engineering, in order to allow them to make money out of breaking down
different characteristics of social engineering, to allow them to
create a multi-million pound market for each technique of social
engineering, as if each technique of social engineering is a separate
attack method, which it isn't. The industry is now trying to break
down social engineering further by claiming there's this new type of
attack, "voice phishing" or "vishing" as you call it, to enable a new
multi-million dollar book market for people to sell books at Borders
book store. The truth of the matter, however, is that social
engineering in all its glory has been around for years. These new
names coming out are artificial and misleading. We've got consumers
right now thinking there's a new threat, a new attack vector, when in
fact there isn't. The security product industry has coined up a new
phrase, "voice phishing", to make your average joe sound convinced
that there's a new threat, and that you should buy yet another
security product. Soon there'll be a Websense voice phishing product,
a "Voice Phishing for Dummies" book and a whole host of other
products. Truth being, there is no need for consumers to be misled
just so Websense, Symantec etc. can pretend there's a new threat, a
new reason to build dedicated products and a new threat to take
consumers' money from. Now that voice phishing has been introduced,
Websense etc. will start honey pot harvesting hundreds of voice
phishing reports, although these attacks have been around for years,
like original phishing and social engineering were. If you or I wanted
to make money and create a new sense of fear we could; that's exactly
what's happening here.
> Thing is, I didn't term "Vishing". Wish I did, it's cute and to the
> point. Let's call it a sym link to "Phishing +phone". Let me tell you
> a short story, though. It's about arguing on the colour of bits.
It's cute for the multi-million dollar corporations. Pretend new
threat, pretend new technique.
The multi-millions will start harvesting voice phishing reports now in
their hundreds to create a new sense of attack wave, like they did
with the original phishing term.
All the new "Voice Phishing for Dummies" books will be being printed
as we speak.
I can bet, this same time next year, suddenly some clever multi-million
corporate guy will extract another technique from SOCIAL ENGINEERING,
pretend there's a new technique, pretend there's a new threat, pretend
you need to buy their security products... and generally create a new
multi-million dollar market out of something as old as social
engineering, and all its levels of attackology.
> Ever heard of a guy (sorry, group) called n3td3v? :) I didn't either. Why
> do people need nicknames?! We all have names right!
Do you know what security is? Then you would know why using a
nickname makes sense. To use the same name that's on your birth
certificate, bank details etc. when you are wanting to talk on the
internet is wrong. If someone decides they don't like you, they could
Google in an attempt to see if your real name details are out there,
or hack into a system and extract your real name to gain information
on you. By using n3td3v, there's no chance of that kind of
information being obtained by enemy hackers of n3td3v. That's why, as
well, we use Google Pages and GeoCities as websites, so that attackers
cannot obtain personal information from the bank, social security,
health records, birth certificates and other real-life documentation,
which might be sitting on bank or government servers waiting to be
hacked, so personal attacks where personal information can be
published on the internet saying "this is the bank details of n3td3v,
this is the social security number of n3td3v", or holding n3td3v
to ransom, saying "if you don't give us money, we'll publish your
information". There's a lot of different reasons for using a nickname,
and to me, by calling yourself Gadi Evron in public on the internet you
are putting yourself at risk from data theft, data compromise, personal
attacks on your career and other attack vectors in relation to
personal attacks, where malicious users will hack servers based on
the real name you are pushing out right now, and attempt to ruin your
personal reputation, career, bank details, home address, car number
plate, social engineer your co-workers, friends and family in real
life, via e-mail, snail mail, telephone calls, and by computer-based
attacks exploiting their computer and personal information along with
> Well, I suppose we need 10 different users to digg stories with.
I hate Digg, I only used the site as an example of the confusion being
posed, where the average joes who you Digg are becoming socially
engineered into thinking there's a new threat wave, so the multi-
millions can create a new money-making market.
> It's like the other guy responding here thought security is all about
> vulnerabilities, social engineering and some other silly thing. If you
> really have to simplify, then try and rise above Hacking Exposed. Security
> is about Trust.
Yes, trust... or lack of knowledge by the consumer that trust is
needed. The problem isn't always trust, it's the lack of knowledge that
trust needs to be applied.
Your average joe isn't security aware and paranoid like you and me. It
would be wrong to expect the general public to give themselves a
'paranoid' mindthink on the internet; doing that would risk public
mental health. That's why folks like us are employed to do the worrying
on their behalf, although I don't think, just because profits have been
milked out on phishing, that the industry needs to create voice
phishing as a supposed new threat.
> Oh, and BTW - I have two tasks for you:
> 1. Learn to read.
> 2. Learn to search Google.
That's a very cheeky comment there. I guess you want people to think
you know more than me. It's people like me who are giving you people
something to think about. If it wasn't for people like me, your job
wouldn't be half as interesting. Be thankful there's people like me
keeping you in a job. It's not me who needs your books; we're the
people giving people things to write into books and to publish on the
web for people to Google.
Thanks for playing though.
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure is hosted and sponsored by Secunia.