Phishing Exposed
November 2005
Publisher:
  • Syngress Publishing
ISBN: 978-1-59749-030-6
Published: 01 November 2005
Abstract

No abstract available.

Cited By

  1. Lin T, Capecci D, Ellis D, Rocha H, Dommaraju S, Oliveira D and Ebner N (2019). Susceptibility to Spear-Phishing Emails, ACM Transactions on Computer-Human Interaction, 26:5, (1-28), Online publication date: 31-Oct-2019.
  2. Gupta B, Tewari A, Jain A and Agrawal D (2017). Fighting against phishing attacks, Neural Computing and Applications, 28:12, (3629-3654), Online publication date: 1-Dec-2017.
  3. Jain A, Gupta B and Khan M (2017). Phishing Detection, Security and Communication Networks, 2017, Online publication date: 1-Jan-2017.
  4. Verma R and Hossain N. Semantic Feature Selection for Text with Application to Phishing Email Detection, Information Security and Cryptology -- ICISC 2013, (455-468).
  5. Arachchilage N and Love S (2013). A game design framework for avoiding phishing attacks, Computers in Human Behavior, 29:3, (706-714), Online publication date: 1-May-2013.
  6. Chhabra S, Aggarwal A, Benevenuto F and Kumaraguru P. Phi.sh/$oCiaL, Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference, (92-101).
  7. Kumaraguru P, Sheng S, Acquisti A, Cranor L and Hong J (2010). Teaching Johnny not to fall for phish, ACM Transactions on Internet Technology, 10:2, (1-31), Online publication date: 1-May-2010.
  8. Bose I and Leung A (2008). Assessing anti-phishing preparedness, Decision Support Systems, 45:4, (897-912), Online publication date: 1-Nov-2008.
  9. Abu-Nimeh S, Nappa D, Wang X and Nair S. A comparison of machine learning techniques for phishing detection, Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, (60-69).
  10. Kumaraguru P, Rhee Y, Acquisti A, Cranor L, Hong J and Nunge E. Protecting people from phishing, Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, (905-914).
  11. Kumaraguru P, Acquisti A and Cranor L. Trust modelling for online transactions, Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, (1-9).

Reviews

Radu State

On a daily basis, I receive emails asking me to update my account information on some very popular Web sites, like Amazon or eBay. Basic security awareness will probably prevent a cautious user from being lured into disclosing sensitive account information to the originators of the email, but most Internet users lack this basic security knowledge, and will become victims of a phishing attack. From a technical point of view, I was always curious to learn how these attacks are carried out. The principle is very simple in theory: attackers perform massive email address harvesting, and obtain a large population of potential victims. Next, these victims must be lured into disclosing sensitive information to visited hostile Web sites. This process must be done transparently, so that the victims are confident that they are communicating with the legitimate Web sites. In practice, successful phishing attacks are based on a mixture of inherent and structural Internet protocol weaknesses, and a collection of Web programming hacks. Some recent phishing schemes are extremely well done, and show that ongoing work and progress has been made in the underground hacking and criminal communities.

This is a remarkable book for its technical content and high-quality presentation. It starts with a general introduction to phishing, and next goes into the technical details of how phishing can be done. Starting with the second chapter, the book gets highly technical: it describes how to set up a phishing server, and how to generate spoofed email messages that look legitimate, but will in fact detour the victim to disclose important credentials. Some attack vectors are common to both spamming and phishing. In both cases, unwanted messages have to be read by Internet users, and therefore some of the tricks used are common to phishers and spammers. There are, however, some major differences: spammers do not need to impersonate someone else, while phishers must provide a look and feel identical to the legitimate service. Successful phishers commonly exploit security holes in Web applications.

The fourth and fifth chapters essentially constitute the core of the book, and provide an extremely rich and comprehensive overview of how cross-site scripting, browser exploits, hypertext transfer protocol (HTTP) manipulation, and Dynamic Hypertext Markup Language (DHTML) are currently used by malicious attackers. The author illustrates this part of the book with many real-world examples. Some of the described cases are very surprising, since they concern well-known sites, where such vulnerabilities might have impacted a large user population. Chapter 6, about voice over Internet protocol (VoIP) phishing, is a must-read. This is the first time that this issue is addressed in a technical manner in a book, and, due to the recent take-off in the VoIP business, this issue will be of major interest in the near future.

I recommend this book to all readers interested in the technical details of phishing attacks. A large category of readers will benefit from it: Web developers and webmasters will get valuable information on how to secure their applications and Web sites, and readers with average technical knowledge will learn the essential background information required to discover a phishing attack and unveil such a scam. To conclude, this excellent and timely book is more than welcome and is a must-read for the target audience.

Online Computing Reviews Service
