CAPEC-98: Phishing

Description
Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.
Extended Description

Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first flows through the adversary, who has the opportunity to observe or alter it, before being passed on to the intended recipient as if it was never observed. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for these attacks yields an implicit lack of trust in communication or identify between two components.

These attacks differ from Sniffing Attacks (CAPEC-157) since these attacks often modify the communications prior to delivering it to the intended recipient.

Severity :

Very High

Possibility :

High

Type :

Standard
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-89: Pharming Pharming CAPEC-151: Identity Spoofing Identity Spoofing CAPEC-163: Spear Phishing Spear Phishing CAPEC-164: Mobile Phishing Mobile Phishing CAPEC-186: Malicious Software Update Malicious Software Update CAPEC-543: Counterfeit Websites Counterfeit Websites CAPEC-611: BitSquatting BitSquatting CAPEC-630: TypoSquatting TypoSquatting CAPEC-631: SoundSquatting SoundSquatting CAPEC-632: Homograph Attack via Homoglyphs Homograph Attack via Homoglyphs CAPEC-656: Voice Phishing Voice Phishing CAPEC-701: Browser in the Middle (BiTM) Browser in the Middle (BiTM)
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • An attacker needs to have a way to initiate contact with the victim. Typically that will happen through e-mail.
  • An attacker needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their "hooks" to many potential victims.
  • An attacker needs to have a sufficiently compelling call to action to prompt the user to take action.
  • The replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium Basic knowledge about websites: obtaining them, designing and implementing them, etc.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Phishing ATTACK | Phishing for Information
Resources required

Some web development tools to put up a fake website.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-451: User Interface (UI) Misrepresentation of Critical Information

Visit http://capec.mitre.org/ for more details.