Phishing is all about the bad guy and fooling the victim, says Kevin Mitnick, founder, Mitnick Security Consulting. Mitnick knows about bad guys—he used to be one.
CNET's Dan Patterson interviewed Kevin Mitnick, a former most-wanted computer criminal and now the founder of Mitnick Security Consulting and Chief Hacking Officer of the security awareness training company KnowBe4. He discussed phishing, spam, and the similarities, differences, and dangers of both. The following is an edited transcript of the interview.
Campaign 2018: Election Hacking is a weekly series from TechRepublic sibling sites, CBS News & CNET, about the cyber-threats and vulnerabilities of the 2018 midterm election.
Dan Patterson: Kevin, can you explain how phishing works, and walk us through a successful attack?
Kevin Mitnick: Sure. Phishing is all about the bad guy, the attacker, sending a malicious email to a victim and fooling that person either to click on a link within the email or open up an attachment. And when the victim does that, their computer ends up being compromised, and malware is installed so the bad guy has full control. And phishing attacks are quite sophisticated these days, so it really looks like it's the email originating from a customer, a supplier, or a vendor, and people fall for it.
There's another type of phishing attack where a victim might receive an email. They'll click on a link in the email, and then it'll present them with a page to log in. And it will look like, you know, something that they ordinarily log in to, like Gmail, Twitter, or Facebook. And they'll put in their credentials to log in, but what happens is, they do get logged in, but then the bad guy is also able to get access to those credentials. What do I mean by credentials? That's like your username and password. So they're able to steal your username and password through these types of phishing attacks.
Dan Patterson: Kevin, phishing sounds a lot like spam, but I wonder if you could tell us the differences between the two, and what do phishing attackers want?
Kevin Mitnick: Well, spam and phishing are different. Spam is advertisements that are just sent to your email, that are unwanted, right? And we've been dealing with the spam issue for years. Phishing, on the other hand, is where an attacker wants to get access to your accounts, they want to compromise your computer, and their objective is a lot different. Spam is all about trying to get you to buy a product or a service. Phishing is all about the bad guy getting access to your computer to install malware that allows them, for example, to gain access to your bank account or something like that.