Clive Robinson January 27, 2023 10:29 AM

@ ALL,

It’s been said before that there are three basic reasons phishing works,

1, Human trust, is usually the opposit of security trust.
2, Most humans want to be liked thus tend to try to be helpfull.
3, We don’t have time to be suspicious, our bosses want timescales met, being suspicious takes time we dont have.

There are others such as “greed” and “avarice” but they are small fish.

So phishing works, and will almost always work.

Thus the “techniques” or “methods” whilst of interest to researchers, is actually not that interesting to others.

It’s like you get taught at school that all such stories are based on the dozen or so Greek Tragedies by Aeschylus, Euripides, and Sophocles. Unless of cause they are comedies or satire, that apparently the Greeks also wrote the originals of… You get the idea…

The sad reality is once you actually know the base elements, you can see how they underlie all such “human weakness” attacks.

CJ January 27, 2023 11:27 AM

The most sophisticated phishing attempt I’ve seen in the wild (and one which isn’t mentioned in that article) is Conversation Hijacking:

The one that I’d seen was extremely well-done; the actual text of the phishing attempt had been literally taken from an earlier point in the conversation, so it felt authentic, and since it purported to be coming from an outside vendor we were working with, the relative unfamiliarity of the specific URL wouldn’t necessarily raise red flags.

Really the only immediately-obvious tell was that it was resurrecting a thread which had finished up a few months’ previously. Obviously investigating email headers and such brought some other discrepancies to light, but most folks wouldn’t be looking for that in an already-established email thread. All in all, a scary attack — I could see myself falling for something like this in the future, even though I consider myself quite knoweldgeable and careful. Especially if the thread that got hijacked was a recent one.

I suppose the one saving grace for that kind of attack is that it relies on someone’s machine getting compromised in the first place; otherwise the phishing bot wouldn’t have the existing thread to work off of. So hopefully that keeps incidents down a bit.

CJ January 27, 2023 11:43 AM

(errr, re: that first URL, clearly I copied the wrong one. That was meant to be another one specifically about the conversation-hijacking thing. Alas!)

Ted January 27, 2023 10:28 PM

I like how the author puts numbered red dots next to the “phishy” signs of five different phishing emails.

He does a great job articulating what caught his eye and why.

I’m going to go on a limb and say it would be fun to play a game where you could try to find and label phishy elements.

The one that @CJ saw – conversation hijacking – sounds like a real doozy.

Steve January 27, 2023 10:47 PM

@ Clive Robinson Before school and during school we are taught, “Be polite, cooperative, and helpful”, it helps others, we will be helped in turn, it feels nice, and is good for society. In high school, college and the workplace we cooperate on group projects. For security we are taught, “Be suspicious of everything, your boss probably doesn’t need to transfer $8,000 to a random band account out of the blue, your boss probably doesn’t need iTunes gift cards right now, it may not be the actual IT department on the phone”, basically don’t be cooperative and helpful. Unfortunately this goes against the 2 decades of prior teaching and conditioning. Plus we still want/need to help out our fellow employees, just not attackers posing as employees. It’s a tricky problem.

Clive Robinson January 28, 2023 4:02 AM

@ Steve,

Re : Being nice.

“It’s a tricky problem.”

It is, especially when as anthropologists point out “being social” is actually effectively genetic, and may be due to evolution.

As you may not know, the size of the human head, thus the brain is limited by the size of what is politely called the “birth canal”.

As a result the head of a baby is actually “compressed” and expands significantly over the next few days after birth as the skull bones move into place.

It has been argued that this process is part of the reason human babies do not “get up and run with the herd” within an hour of birth. Or as with arachnida:araneae start spining geometrically complex webs.

As a very loose analogy human babies are like PCs once were and the spiders like the microcontroler in your coffee machine. Whilst the coffee machine “worked out of the box” the PC did not, it needed a little love and attention and software be loaded to give it it’s working personality and function.

Thus for babies to survive to become viable parents they need the support of their parents / family / troop / society. Being nice or atleast the ability to fake being nice is a survival trait.

It’s also been argued that adolescence where children undergo a major psychological change and thus appear almost as an “alien species” occurs because they have reached a point where they can survive independently. Thus they are faced with a choice along a scale of total independence from others to total dependence on others. Either end of the scale actually being evolutionary undesirable.

So the argument is being “social, is an essential built in” of humans more so in women than men as they are the initial primary care givers[1].

So… If being “social” is evolutionarily desirable, but also a “security anti-pattern” not only does it raise a series of interesting questions[2], it also tells us implicitly that phishing is not going to go away.

But it also has a more curious question lurking within, that is, is phishing effectively a “Maslow’s hammer”[3] or it’s inverse?

If it is the inverse then the advantage is actually with the Doves not the Hawks, as they have significantly greater numbers and can thus “organize around” the Hawks who are down at the near total independence end of the spectrum.

But there is a third option with phising that people should consider.

Phishing is reliant not just on humans being social, but the communications system being almost completely insecure.

Up untill less than a couple of centuries ago by far the majority of communications was “face to face” which implicitly gave a number of “authentication channels”. Every attempt so far to extend communications beyond “face to face” has been vulnerable to falsification or impersonation.

Thus the Doves have two potential solutions to the Hawks,

1, Only communicate face to face.
2, Develop communications authentication atleast as strong as that of face to face.

I’ve never been “phished” in my social communications, because I personally do not use Email or other weak/non authenticated distance communications, and I also “second channel” anything that looks even remotely “hinky”.

So far the use of a second channel has stopped issues to do with replay-attacks[4] but I’d be the first to say “Second channel is not sufficient on it’s own”.

But that raises the question of “Deniability” one asspect of society, that some claim is part of the glue that holds society together is “The little white lie”. They work because they can not be verified and are often easily deniable in very many ways often due to the ephemerality of face to face communications and the vagaries of language usage, where you can say things that can be multiply interpreted or miss interpreted[5].

So, we end up with the issue of is strong authentication of remote communications actually desirable for individuals or society?

Just remember before jumping one way or the other Cardinal Richelieu’s “six lines” maxim, is the very reason deniability is essential[6].

[1] There is an argument based on observation that a childs face has significantly more of “the fathers looks” than the mothers so that the father will see it as being their offspring. I could point out that the argument has flaws. However the argument works better if the similarity is not for the father but other members of the social grouping. Thus the implication that familial or genetic identification is quite essential in societal groupings.

[2] Look on it as a lead in to the “Hawks and doves” issues.

[3] From the observation of “If all you have is a hammer, every problem looks like a nail” implying an over reliance or cognative bias of a favoured tool. With the inverse of “If all problems are nails, you only need a hammer” implying an evolutionary cul-de-sac.

[4] SMS is actually “weakly authenticated” at best and only for the communications channel not the user of the channel. By the way SMS works, messages can be injected at intermediary nodes and appear with sender identification attached, but in no way verifiable. Not much mentioned is occasionaly due to software faults along the SMS path from sender finger to recipient eyeball messages can get replayed in part or whole. Any SMS I see as potentially hinky I then take to another channel, usually a voice call or “face to face” which adds a degree of “actual user authentication” (The face to face was how we reliased there was a software error because we could see both mobile devices and verify what we said had been sent and what we said had been received).

[5] The whole “Does my bum look big in this?” or equivalent trap that comedians still find new jokes in. The reply that gets you out of it is not to answer the question such as “That’s a fantastic dress, and you know I love your bum” then immediately drop into counter-measures mode of some form.

[6] One of the problems with most encryption by cipher is the “Unicity Distance” of the cipher. It makes deniability difficult to impossible when the second party (recipient) betrays the first party (sender) in a communications to a third party (adversary) who has a verified copy of the sent ciphertext. There are two basic solutions have a cipher where the unicity distance is longer than any message can be, or use some internal coding method on the actual message such that it is ambiquous at best to the third party who thus can not verify or uniquely identify the plaintext message agsinst the known sent ciphertext. In essence both methods need the equivalent of a “One Time Pad”(OTP).

Unfortunately the OTP has issues that generally stop it being used. The most obvious is the amount of “Key Material”(KeyMat) required thus the difficulties of “Key Managment”(KeyMan) of which, audit, grneration and distribution are just some. Obviously using an OTP cipher needs a large amount of KeyMat, however actuall plaintext is very mostly redundant thus an appropriate code book can take much of the redundancy out thus coding the plaintext needs less KeyMat. However the downside of using code-books to reduce message length is the plaintext becomes stylised, which removes or limits one form of authentication humans tend to rely on when face to face communications is limited.

gnpar January 30, 2023 4:13 AM

In my experience there’s a lot of phishing going on on discord and other chat apps lately. Would love to see a list not entirely focused on email.

Bill February 3, 2023 1:30 AM

Sorry, somewhat off topic.

In the past two days I have been getting robocalls from variously identified entities asking for me by name.

They seem to be trying to sell goods and services related to diabetes, a condition I don’t have.

There must have been another breach that contained names, phone numbers and possibly age. It will be “interesting” to see who the next batch of scammers using this info are.

As, for example, Stan, from Air Duct Cleaning, I assume that all of these are credit card fraud and identity theft operations.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.