No More -ishings


*Takes a breath.*

STOP. Please. Just stop. No more. We as a community (the infosec community) must band together and collectively agree to stop creating new phishing name variants. It’s gone too far. There’s too many! Won’t someone think of the aspiring CISSPs? In addition to cramming fire suppression factoids and bollard types into their heads, they will also need to memorize every god forsaken -ishing term too. Back in my day you had just a few, e.g. phishing, vishing, spear phishing, whaling, blah blah - and this was still way too many. What’s with us infosec folks? Why do we do this to ourselves? (Theory: self-loathing, it actually explains a lot about infosec practitioners really). But it was the way it was, and I never complained.

But then, a few years ago, Coinbase dropped their infamous QR Code Super Bowl ad and every single infosec influencer and security vendor had a “Quishing” article out within 24 hours. Ugh. I distinctly remember complaining about this a few years ago, but I ultimately let it go. But today, I came across this extremely cursed blog post from Zimperium, titled “Hidden in Plain Sight: PDF Mishing Attack”. No! *whacks Zimperium blogger with rolled-up newspaper* - STOP.

First of all, this wasn’t even their first usage of the “term” (know that I’m using those quotes very sarcastically) Mishing. To understand it, you have to go back to this post where they explain that mishing is some sort of composite form of phishing which includes a bunch of other established phishing variants (e.g. vishing, smishing, quishing, etc…) What? So it isn’t even its own thing? Why does this need to exist? Let me answer that. It doesn’t. It shouldn’t.

What’s wrong with just using a descriptive, distinct word as a prefix for different types of phishing variants? Y’know, like “Spear Phishing”. There are plenty of other examples of how we’ve done this in a sane way, e.g. Angler phishing, Clone Phishing, double-barrel phishing, Deepfake phishing, search engine phishing, etc… Now granted, I don’t love these either, but imagine if those who had coined these terms had instead gone with things like (respectively) “angishing”, or “clishing”, or “dubba-ishing”, or “deepishing”… *shudders*. You see how ridiculous that sounds? I’d even settle for coming up with a completely new term, like what we did with “Whaling” or Pharming. At least there’s some points for creativity. But no, Zimperium thought they could play God, and breathe life into this abomination.

Look, I think coming up with funny names for stuff is great. I mean I’ve been documenting named vulnerabilities for over 5 years now and will continue to do so. It’s whimsical and fun. Name every vuln for all I care. As for the -ishings though?…

I won’t stand for it. I’m going to use my platform, and what influence I have (and I can’t emphasize enough how little that probably is), to stir collective action. No more -ishings. We must band together. Take the pledge, sign the petition (yes, this is a real and totally not satirical petition on change.org), get the word out, don’t breathe further life into these terms, don’t legitimize them in any way. I call them out here only to shame them and the would-be influencers-turned-pariahs who were responsible for their creation. I hope you’ll join me.

Because if we don’t do something now, who knows what the future will look like. Think you have it hard now with all the terms and acronyms you have to remember? It could be a lot worse.

All this said, you might be unfortunate enough to have to remember what all these terms mean. For that, you can look at my very cursed Glossary of -ishings. God speed.


Don’t know what the hell “Mishing” is? Don’t worry, no one should have to. But here you are anyway. Learn what allllllllll the different -ishings are below…

First though, to understand all derivatives, let’s define regular-ol’ “Phishing”. I’m just going to use Wikipedia’s definition for Phishing here as I think it sums it up nicely enough.

Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware.

Good. Now, the -ishings:

  • “Vishing”: Phishing using your voice. So like, over the phone as an example. Seems like we could have just left this as “Voice Phishing”.

  • “SMiShing”: Phishing through text messages. Notice how officially this term has capitalized the first ‘S’, the ‘M’ and the second ‘S’ so that it spells out “SMS”. I bet whoever came up with that was real proud of themselves. Lame. Oh and yeah, seems like we could have just called this “SMS Phishing”.

  • “Quishing”: Phishing with QR codes. Put a QR code on something, people just run around scanning QR codes all the time right? Unaware, they are teleported off to a malicious website or whatever. JUST CALL IT QR PHISHING. Jeez.

  • “Mishing”: “Mobile-targeted” phishing (according to Zimperium). Just go look at the link, as it explains it better than I honestly care to do here. I’ve made my feelings quite clear about this particular term. I will say no more.

To finish this off, I’ll drop some quick definitions for the other -ishing-adjacent terms…

  • “Spear Phishing”: A phishing campaign that is highly targeted at a single person or group.
  • “Whaling”: A spear phishing variant aimed exclusively at high-level executives or important officials.
  • “Angler phishing”: Phishing targeting users’ social media accounts.
  • “Clone Phishing”: A type of email phishing where the malicious actor imitates (“clones”) emails from authorized senders.
  • “Double-barrel phishing”: Sending two separate emails to a victim to establish trust and lend authenticity.
  • “Deepfake phishing”: Leveraging deepfakes to phish someone. Basically deepfaking your voice, writing style, visage, etc…
  • “Search engine phishing”: i.e. SEO poisoning, where a malicious actor coerces a search engine into elevating a malicious phishing link in its search results.
  • “Pharming”: Hijacking DNS to redirect users to a malicious site. (Seems kinda similar to DNS spoofing/poisoning etc no?)

Know of another -ishing term I haven’t captured here? KEEP IT TO YOURSELF. I really don’t want to know about any more.

Hopefully I was able to adequately channel my inner-CrankySec. Sorry you had to read this!
