vz-risk / veris

Vocabulary for Event Recording and Incident Sharing (VERIS)
http://verisframework.org

Improve phishing definition #376

Closed gdbassett closed 1 year ago

gdbassett commented 3 years ago

Phishing: Phishing (or any type of *ishing) is unacceptable. Need a better definition. This most greatly impacts deciding when to code phishing with other social varieties when 'email' is the social vector.

gdbassett commented 3 years ago

Based on Wikipedia (https://en.wikipedia.org/wiki/Phishing) and the Oxford dictionary (the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. "an email that is likely a phishing scam"):

Phishing always involves getting data from the victim. Phishing probably always has some element of pretexting, but often it doesn't rise to the level of an invented scenario. Like a fake Google login page isn't really pretexting.

Similarly pretexting may have some element of phishing (data transfer), but causing a fraudulent transfer or changing the bank account on a business account don't necessarily disclose data (such as the source bank account) the way phishing does (creds, PII, etc).

I think the significance of the information disclosed is clear enough to distinguish when you should use phishing, pretexting, or both.

gdbassett commented 3 years ago

One thing to consider is the colloquial definition has expanded to almost any crime by email. https://twitter.com/sawaba/status/1372932300841816065

gdbassett commented 2 years ago

Also request Dave/Suzanne edit.

gdbassett commented 2 years ago

This has caused some confusion as it does not leave a clear location for emails that involve malware. For now, we'll likely treat emails that use a social variety to get the recipient to run a malicious script or executable as phishing. However, we need to consider how to handle the definitions, add a hierarchy such as "phishing - malware" -> "phishing" <- "phishing - data", or some other clear definition.

gdbassett commented 2 years ago

Alex agrees with adding hierarchy to phishing. In the short term we will keep coding `phishing - malware` as phishing.

gdbassett commented 1 year ago

malware.vector.Email vs attribute.confidentiality.data (or just not malware.vector.Email) already captures this.

Instead consider enumerating social.variety.Phishing to look at malware.vector.Email together.