This might be a quite controversial opinion, and I would like to heretically anticipate this directly, but in my view, phishing is often quite far away from what I understand as “hacking”. Hacking, as I see it, involves a deep understanding of computer systems and the ability to exploit weaknesses in those systems to gain unauthorized access or control. Phishing, on the other hand, typically involves tricking users into giving up their login information or other sensitive data. While it’s certainly a form of cybercrime, it doesn’t necessarily involve the same level of technical skill or understanding as hacking. I believe it’s important to make this distinction clear because that’s exactly what I often read in news articles where an attacker is alleged to have hacked an international company with just a Nokia 3310.
I understand the need to use meaningful and gripping titles. However, in this form it is clickbait, and it does a disservice to the technically adept hacker by ignoring the skills that are needed before someone can be labeled as such.
Hacking is technical wizardry.
I want to clarify that I’m not discrediting a hacker’s abilities if they employ a social engineering attack. Such techniques require their own set of skills and understanding of human behavior to successfully manipulate individuals into disclosing confidential information, and social engineering is usually a part of an overall hacking scenario. However, labeling such an act alone as “hacking”, in my opinion, equates it with the technical prowess involved in true hacking incidents. This could potentially blur the lines and reduce the perceived significance of actual hacking events that involve exploiting system vulnerabilities.
Intrusion KillChain and Phishing Attacks
To emphasize my opinion in this context I want to briefly introduce the Intrusion KillChain which is a model developed by Lockheed Martin to identify and prevent cyber intrusions.
It shows the typical stages of a comprehensive hack and consists of the following steps: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.
In the context of phishing attacks, these would typically fall into the ‘delivery’ stage of the KillChain. This is the stage where the attacker transmits the weapon to the victim. In the case of phishing, this could be an e-mail with a link to a website where you are asked to disclose your data under a pretext.
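As an added illustration of the point above (this is example code written for this post, not part of the Kill Chain model or any tool the post mentions), the following Python script maps constructed telemetry events onto the seven Kill Chain stages and reports how far along the chain an incident got. The event names, the log line format and the two sample incidents are all assumptions made up for the example; the idea it demonstrates is that a credential-phishing incident on its own never gets past Delivery, whereas a full intrusion leaves traces in the later stages.

```python
import re
from typing import Optional

# The seven Kill Chain stages, in order, as listed in the post.
STAGES = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]

# Hypothetical mapping from event types in our constructed telemetry to stages.
# Real detection rules would be far richer; these names are invented for the example.
EVENT_TO_STAGE = {
    "external_port_scan": "Reconnaissance",
    "email_with_link_received": "Delivery",
    "credentials_entered_on_lookalike_site": "Delivery",
    "office_macro_executed": "Exploitation",
    "scheduled_task_created": "Installation",
    "beacon_to_external_host": "Command and Control",
    "bulk_file_upload_to_external_storage": "Actions on Objectives",
}

# Constructed log line format: "<timestamp> host=<name> event=<event_type>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\S+)$")


def parse_log(text: str) -> list[dict]:
    """Parse constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stage_index(event_type: str) -> Optional[int]:
    """Position of the event's stage in the chain, or None if unmapped."""
    stage = EVENT_TO_STAGE.get(event_type)
    return STAGES.index(stage) if stage else None


def furthest_stage(events: list[dict]) -> Optional[str]:
    """The latest Kill Chain stage for which we saw evidence."""
    indexes = [i for e in events if (i := stage_index(e["event"])) is not None]
    return STAGES[max(indexes)] if indexes else None


def classify_incident(events: list[dict]) -> str:
    """Label an incident by how far along the chain it progressed."""
    far = furthest_stage(events)
    if far is None:
        return "no kill-chain activity observed"
    if STAGES.index(far) < STAGES.index("Exploitation"):
        # Nothing beyond Delivery: credentials were asked for, no system was exploited.
        return f"pre-exploitation only (furthest stage: {far})"
    return f"multi-stage intrusion (furthest stage: {far})"


# Constructed incident 1: a credential-phishing e-mail and a user who entered a password.
PHISHING_ONLY = """
2024-05-01T09:12:00Z host=ws01 event=email_with_link_received
2024-05-01T09:15:30Z host=ws01 event=credentials_entered_on_lookalike_site
"""

# Constructed incident 2: the same lure followed by a full chain of post-delivery activity.
FULL_INTRUSION = """
2024-05-02T02:00:00Z host=fw01 event=external_port_scan
2024-05-02T08:41:00Z host=ws07 event=email_with_link_received
2024-05-02T08:43:10Z host=ws07 event=office_macro_executed
2024-05-02T08:43:12Z host=ws07 event=scheduled_task_created
2024-05-02T08:45:00Z host=ws07 event=beacon_to_external_host
2024-05-03T23:10:00Z host=fs02 event=bulk_file_upload_to_external_storage
"""

if __name__ == "__main__":
    for name, log in [("phishing only", PHISHING_ONLY), ("full intrusion", FULL_INTRUSION)]:
        print(f"{name}: {classify_incident(parse_log(log))}")
```

Run it and the first incident is reported as stopping at Delivery while the second reaches Actions on Objectives; the threshold at Exploitation is a deliberate choice that mirrors the distinction drawn in the post, and a real SOC would tune both the event mapping and that threshold to its own telemetry.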
It’s important to differentiate exactly what occurs during an attack. If someone merely asks for login information in an email, it’s comparable to someone knocking on your door and asking for your debit card and PIN. Can this really be classified as “hacking”?
Indeed, when someone asks for your personal information, it is certainly a form of fraud. However, asking for your debit card and PIN does not make one a burglar, but rather a con artist, doesn’t it?
The topic of the Intrusion Kill Chain is certainly a subject in its own right, and there will undoubtedly be a dedicated explanation in the future. Please feel free to leave comments if you wish to know more about this. The illustration is merely to show that a hack is a multi-stage attack and often a quite long process, and simply asking for access data does not, in my heretical opinion, constitute hacking but rather … fraud which makes the attacker a trickster, fraudster, scammer … or whatever … Please do not devalue the worth of a hacker by labeling every minor incident as hacking.
Cheers.