Phishing is not a vulnerability. It is the utilization of vulnerabilities to exploit a technical platform to enable using social engineering to obtain identifying authorization information in order to leverage systemic flaws in the financial system.

Every vulnerabililty that enables the creation of zombies is a phishing vulnerability.

But the real phishing vulnerability is our completely broken identity system - the social security number and its use.

Hmmmm. If phishing were legal it would be subject to a business method patent.

Jean,

thanks for posting! I don't disagree with what you say, but bear in mind that your pov there applies more or less equally to many of the other categories in the list. SANS have lost any sense of precision, presumably in the fight to keep their sponsors and lawyers happy, so the list is like any coopted player's pronouncements.

For example, look at "W9 Mail Clients." What are they saying there if its not that email allows potentially harmful messages (viruses, spams, email checks) to be introduced into a user's computer? And what's that if not a description of a systemic flaw in our system of identity and mail communications?

Where phishing should be listed is in W6 Web Browsers, IMHO. Phishing is an attack on the secure browser, which is the one constant between the phisher and the user (not email). It is that security model that is breached in convincing the user that she is on some secure banking site.