12 Reviews
5 of 5 people found the following review helpful:
5.0 out of 5 stars
Expands the boundaries of client-side hacking,
By
This review is from: Phishing Exposed (Paperback)
Phishing Exposed is a powerful analysis of the many severe problems present in Web-based activities. Phishing Exposed is another threat-centric title from Syngress. The book presents research conducted by Secure Science Corporation as a way to understand the adversary. The author demonstrates his own attacks against multiple popular e-commerce sites as a way to show how phishers accomplish their goals. I was surprised by the extent to which the author could repeatedly abuse high-profile financial sites, and for that reason I highly recommend reading Phishing Exposed.
The book begins with an overview of the phishing problem. Three basic phishing techniques (impersonation, forwarding, and popup) are explained. The mechanics of email and HTTP are also described. The heart of the book appears in chapters 4 and 5, where almost 270 pages are devoted to the author's assessment and abuse of banking sites. I was shocked by the author's ability to repeatedly take advantage of vulnerabilities in client and server software and configuration. These chapters made me wonder if it is possible for an average end user -- or even a skilled technical user -- running popular operating systems and browsers to survive these sorts of high-end attacks. Ch 6 featured some innovative material on subverting caller ID by using Voice over IP and other methods. I also appreciated the historical perspective in that chapter. My only real concern is that the author devoted lots of material to his own attacks, and not as much to attacks by real phishers. I would have liked additional details on how to detect and potentially defeat these attacks using network-based and proxy-based means. Incidentally, reviews by "relatives" should be considered suspect, although reviews with the title "inadequate and unoriginal" should be completely ignored. Reviews like that demonstrate another instance where that particular "reviewer" has once again skimmed the text and not spent any time reading the book. Phishing Exposed is incredibly original -- and that's why I've given it five stars, despite some rough editing from Syngress.
6 of 8 people found the following review helpful:
5.0 out of 5 stars
The Authoritative Guide On Phishing In 2005 & Into 2006.,
By
This review is from: Phishing Exposed (Paperback)
This is a great book! The author really knows what he's talking about and the ideas he presents give a great indication as to where phishing is going in the future. The exploits detailed in the book are technical, educating and even downright genius, such as the Yahoo Cross Site Scripting attack. The author does a good job of explaining things to non-technical people, before getting in depth and extremely technical.
The book does a great job of covering a wide range of topics related to phishing so the reader understands the phishing process as a whole. Even Caller ID spoofing and anonymous telephony is included in Chapter 6, which is an interesting read that gives you some ideas where phishing of the future may be headed. Also, some of the little stories in Chapter 7 are really interesting and left me wanting more!! The bit about scanning a whole Korean Class B subnet range looking for 0day phishing servers is one example! I read "Phishing: Cutting the Identity Theft Line" over the summer, and I think that "Phishing Exposed" gives the reader a better understanding of the current phishing problem and what needs to be done in the future to protect both consumers and businesses. I would say this book is the authoritative guide on phishing in 2005 and into 2006.
1 of 1 people found the following review helpful:
5.0 out of 5 stars
Not just a technical reference: A great read,
By
This review is from: Phishing Exposed (Paperback)
If you're on your way to a security conference this summer, and you'd like to get up to speed on web site abuses and browser design vulnerabilities, this book makes for excellent airplane-reading fare. I say this because Phishing Exposed manages to succeed on two fronts: it is both an instructive technical reference, as well as a surprisingly compelling narrative.
The first is unsurprising -- it is, after all, a Syngress book, and so is typical of technical books from this imprint. The second accomplishment, though, was a pleasant surprise. It's not common that someone as deeply involved in the technologies of network security is also a talented writer. As an example, while documenting the technical characteristics of e-mail delivery, James illustrates example forensic techniques of identifying the home city, working schedule, and handedness of the attacker. It's this mix of CSI-meets-ITSec that makes the book an honest page-turner. Given this literary attention to narrative and even elements of plot development (especially on the follow-the-breadcrumbs analysis of a seemingly endless series of HTTP redirects), this book illustrates the phishing problem in a way that both technically-oriented defenders and interested "power user" readers will understand and enjoy.
3 of 4 people found the following review helpful:
5.0 out of 5 stars
Details That Developers and Security Experts Need,
By
This review is from: Phishing Exposed (Paperback)
Phishing quickly exploded from a nuisance to a full-fledged threat in the middle of 2005. Weaknesses in email, combined with flaws in Web security and with a little social engineering mixed in make for an effective tool to get the attention of users and lure unsuspecting people into the trap.
It didn't take long for the organized crime elements of the malware underground to recognize the power and efficiency of this tool. Phishing is a virtual poster-child for the convergence of malware because it is a malicious tool that helps tie viruses, worms, spam, Trojans and other malware together and get them delivered effectively to their designated targets. While a book like Phishing: Cutting The Identity Theft Line is aimed at managers and executives and users, this book is more along the lines of Inside The Spam Cartel in the way it dives deeper to look at the secrets and techniques and explore the underground that makes it work. While the content is more technical, James's writing is engaging. Phishing Exposed is an excellent resource for developers, specifically Web developers, and for security experts to understand more about how and why phishing works, rather than just what it is and how to detect and defend against it.
2 of 3 people found the following review helpful:
5.0 out of 5 stars
Phishing Needs to be Exposed to More of Us!,
By Marnie_ATL (Atlanta, GA USA)
This review is from: Phishing Exposed (Paperback)
Here are the chapters:
- Chapter 1 Banking On Phishing
- Chapter 2 Go Phish!
- Chapter 3 E-Mail: The Weapon of Mass Delivery
- Chapter 4 Crossing the Phishing Line
- Chapter 6 Malware, Money Movers, and Ma Bell Mayhem!
- Chapter 7 So Long, and Thanks for All the Phish!
395 pages paperback
As others have stated in their reviews, this is the book if you are involved in Internet security either at an ISP, webserver administrator or a security analyst at a large corporation or in law enforcement dealing with cybercrime. Phishing Exposed is also very useful for watch dog individuals on the web who actively report Internet scams to ISPs. It is an eye opener on how phishing scams have gotten more sophisticated in snaring unsuspecting victims' data within the last few years. This book was released in late 2005, however, most of the information is still rather relevant and useful for today for those who are working to minimize Internet fraud. For example, the use of botnets and malware has gained a larger role in the proliferation of phishing scams since this book was published; the author does cover some detail on this newer approach to perpetuating fraud online.
I have pretty much read the entire book, though I read quickly through all the scripting and coding details Lance outlines in his book and the detail takes up quite a few pages. I did enjoy reading it, thus why it only took me about 2 days to get through it. As I come across some of the coding complexities Lance outlines, I will return to this book as a reference. One criticism I have is there is no glossary of terms. Lance uses many many technical terms, a few here and there that I didn't know and when I did read them, sometimes I forgot what they stood for.
I will point out a few highlights which may be useful for some of what is covered:
Email Headers
The author provides us information on how to read email headers we receive in spam from phishers who are just a subset of spammers anyway. This is quite useful for those still learning how to decode email headers line by line. Though there are a few things the author leaves out regarding explaining the breakdown of headers, he covers this seldom-covered subject quite well. Most of the samples of spam we have here are Lance's own fake phishing spams, similar to examples you will read in the scripting sections.
Scripting
The author tells us about CSS (Cross Site Scripting) - Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message [...]. This part of the book will take me longer to grasp as my own scripting knowledge is not very strong. Lance covers the scripting exploits in creating phishing websites in regards to DHTML, DOM, SSL, JavaScript, redirects, and covers HTTP responses (common status codes) via user-agents. Lance uses his own made-up phishing sites to demonstrate how these scripts work. Status codes example: such as 404 file not found.
Money Laundering
Finally, the author also covers phisher money laundering in chapter (6) "Chapter 6 Malware, Money Movers, and Ma Bell Mayhem!" of the book. Phishers use mules to forward the funds for them (mules have bank accounts set up to accept the money and transfer it elsewhere: sometimes the "mules" do not even realize they are participating in illegal activity); this is similar to what drug dealers do to launder their money. He also covers caller ID spoofing in this chapter. This area is probably generally less well known, as it is more of the bank side of things of how the stolen money is transferred from account to account.
1.0 out of 5 stars
There may be better books about phishing out there,
Amazon Verified Purchase
This review is from: Phishing Exposed (Paperback)
This book is poorly written. As a web professional I wanted to get more insight into this phenomenon, but what I got was repetitive, shallow and obvious. Possibly, the technical aspects of phishing do not deserve a book, but this is hardly a reason to spread 10 pages worth of content on 400 pages. The book I wanted to read was one with more emphasis on possible defense tactics and with further information on the people who engage in these activities.
Furthermore, this book is dated; 6 years in the web industry is a long time. What I did enjoy is another book by the same publisher, Inside the SPAM Cartel by Spammer-X.
0 of 1 people found the following review helpful:
5.0 out of 5 stars
Chapters expose attacks then probe the world of organized phishing gangs and operations to show how phishers operate,
By Midwest Book Review (Oregon, WI USA)
This review is from: Phishing Exposed (Paperback)
What do phishers gain from their techniques, and how do they steal identities, passwords, and information? Learn to identify the three classes of security attacks, how phishers scour the net for valid email addresses to attack, and how they are able to exploit computer vulnerabilities with Lance James's Phishing Exposed, which will interest programmers, network administrators and legal officers alike. Chapters expose attacks then probe the world of organized phishing gangs and operations to show how phishers operate, and how you can protect your system.
3 of 6 people found the following review helpful:
5.0 out of 5 stars
Phishing Exposed was Intense!,
By John Holdings "John_The_Book_Worm" (Los Angeles, CA)
This review is from: Phishing Exposed (Paperback)
This book is intense and takes you on a serious technical roller-coaster when it comes to phishing attacks. Filled with detailed information on not only what phishing is, but there are chapters devoted just to displaying every move of a phishing attack, from copying the website, to setting up the blind drop, as well as preparing your crafty email and remaining anonymous when sending it. This book then takes you into two chapters that dive into the threats that face us with cross-site scripting attacks. These two chapters are loaded with seriously technical exploits that break SSL on a TDWaterhouse site, hijack a browser session to the point of controlling its every move, and show how a phisher can force a Yahoo email user to send spam without meaning to. Almost every major financial institution is exploited in this book with some very comical detail. The book even nails Amazon in a very serious way - ouch! The final chapters lay down the problem of malware in severe detail - including a specific pre-0 day attack against the malware itself. There's a spot of Pac Bell hacking in here, and some very informative information on the money laundering activity of these phishers. The author even asks for people to send him phishing emails.
All in all, a very technically informative book detailing phishing activity in detail and the exploitations they deploy against their victims. A very worthwhile read if you are battling phishers.
1 of 3 people found the following review helpful:
4.0 out of 5 stars
A Surprisingly technical read.,
By sun_bum2 "son of sun_bum" (Southern California)
This review is from: Phishing Exposed (Paperback)
As a systems administrator for a medium-sized company, I've seen my share of phishing emails. I've become so used to seeing them that I stopped paying much attention to them. I didn't see anything technical about people sending an email.
Phishing Exposed is a look at the phishers themselves, their motives, their techniques. Bit by bit looks at new cross-user attacks, such as a new one (to me, anyway) called "Response Splitting." From malicious software using publicly unknown flaws in software, even exploiting flaws in Voice over IP services to abuse the trust of their victims. The author steps the reader through the cycle of the phisher, and even shows high-profile sites guilty of e-mail tactics that make them prime targets for phishing attacks. I agree Security Professionals will take something from this book, but I recommend it largely to other Sysadmins, who might not consider the scope of this threat, which is becoming more and more a problem.
1 of 4 people found the following review helpful:
5.0 out of 5 stars
Very surprising technical book,
By
This review is from: Phishing Exposed (Paperback)
It's been a long time since I have read a book that caught me off guard as much as "Phishing Exposed" did. I am by no means an expert in the security industry, but I would consider myself well-versed. I read this book with particular interest in DNS poisoning and breaking the SSL protocol. This information was exactly what I was looking for, but I was incredibly surprised to find an enormous amount of information about the complexities of phishing attacks. I had no idea they could get as sophisticated as this book describes in excellent detail. However, in my personal opinion, the most interesting section had nothing to do with the phishing attacks themselves, but the surprisingly interesting "intricate web of international money laundering" as the book's description explains. I have been a long time believer of security over obscurity, and this book does an excellent job of demonstrating the techniques used by phishers in fine print. Learning how the attacks are done will make us better able to prevent the attacks from happening to us. I recommend this book to anyone who has an interest in the security industry.
Phishing Exposed by Lance James (Digital - January 6, 2006)
$49.95