Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails

Posted on by Ben Rothke

All encryption (with the exception of a one-time pad) can be broken. Bruce Schneier likes to use the analogy of a pole in the ground for encryption: you can try to break the pole (the encryption), or you can simply go around it. Rather than finding problems with a proven encryption algorithm, attackers try to go around it by attacking how it is implemented, or by using other attacks that sidestep the cryptography altogether.

In Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails, authors Christopher Hadnagy and Michele Fincher write about those who have mastered the art of going around the security pole, namely phishers. The book defines phishing as the practice of sending e-mails that appear to be from reputable sources with the goal of influencing the recipient or gaining personal information.


It would take 1 billion billion years to crack a 128-bit AES key using a brute-force attack. If one were to assume that a computing system existed that could recover a DES key in a second, it would still take that same machine approximately 149 trillion years to crack a 128-bit AES key. Rather than mounting attacks that take trillions of years, attackers use phishing and spear phishing, and often get their results in minutes.

At under 200 pages, the book is a quick and easy read. It provides a number of real-world examples of firms that were breached by phishing attacks, including Coke, Neiman Marcus, Home Depot and more.

The book shares insights on the reasons phishing is so successful, and details ways to train end-users to be aware of the tactics. Phishers succeed through a combination of factors, primarily poor decision making on the end-users' part. Phishing plays on the base emotions of end-users and exploits their natural curiosity, and many people are far too busy to pay attention to the warning signs in the email. On the other side, the attackers are getting much smarter and significantly more sophisticated. In directed spear phishing attacks, the pretexts detailed in the email are often quite convincing.

The book is a great resource that can be part of an information security awareness program. For those who don't want their organization to be phished, Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails is a good resource.
ISBN-10: 1118958470, ISBN-13: 978-1118958476, Wiley. Reviewed by Ben Rothke.


Ben Rothke

Senior Information Security Manager, Tapad

hackers & threats, risk management
