    Phishing Drills Teach Employees to Dodge the Hook

    By
    Lisa Vaas
    -
    December 15, 2007

      A security consultancy in February will launch a portal to automate the infliction of faux spear-phishing attempts on one’s own work force—an educational tactic that experts are increasingly pointing to as one effective method to stem the tide of information being unwittingly handed to thieves.

      The site, PhishMe.com, will be launched by Intrepidus Group, a consultancy with offices in New York and Chantilly, Va. It will feature templates for crafting customized faux phishing attacks and WYSIWYG workflow. In addition, the service will provide educational error message warnings to employees who attempt to enter sensitive information.

      Intrepidus will provide statistics on how many employees open the faux phishing messages, how many open links directly from the phony e-mail, how many copy and paste the URLs into their own browser windows (a habit often regarded as safer than clicking a link in the e-mail, although it still lands the user on the same page), how many ignore the messages altogether, and how many attempt to enter sensitive information. No sensitive information will be collected or allowed to be entered, according to Intrepidus Managing Partner Aaron Higbee.
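      One way to turn a drill's raw event log into the figures described above, as an added example written for this article rather than code from Intrepidus or PhishMe: it assumes each lure URL carries a unique per-recipient token, a simple line-oriented log format written by the mail sender and the landing site, and a Referer heuristic for telling a clicked link from a pasted one. It also shows the property Higbee describes, that a submitted login form is logged only as "a submission happened", never with the values typed.

```python
"""Tally the metrics of a phishing drill from its event log.

Added example for this article; it is not PhishMe or Intrepidus code.
Assumed log format (one event per line, written by the drill's mail sender
and landing site):  <iso-timestamp> <recipient-token> <event> [key=value ...]
Assumed events: sent, open (tracking-pixel fetch), visit (landing-page hit),
submit (login form posted), report (recipient forwarded the mail to security).
"""
from dataclasses import dataclass

# Constructed sample log for a five-recipient drill; not real campaign data.
SAMPLE_LOG = """\
2007-12-10T09:00:00Z tok-a1 sent
2007-12-10T09:00:00Z tok-b2 sent
2007-12-10T09:00:00Z tok-c3 sent
2007-12-10T09:00:00Z tok-d4 sent
2007-12-10T09:00:00Z tok-e5 sent
2007-12-10T09:05:12Z tok-a1 open
2007-12-10T09:05:40Z tok-a1 visit referer=https://webmail.example.com/inbox
2007-12-10T09:06:02Z tok-a1 submit fields=password,username
2007-12-10T09:30:00Z tok-b2 open
2007-12-10T09:31:10Z tok-b2 visit referer=-
2007-12-10T10:00:05Z tok-c3 visit referer=https://webmail.example.com/inbox
2007-12-10T10:00:09Z tok-c3 visit referer=https://webmail.example.com/inbox
2007-12-10T11:00:00Z tok-d4 report
"""


@dataclass
class Recipient:
    opened: bool = False
    clicked: bool = False
    pasted: bool = False
    submitted: bool = False
    reported: bool = False

    def ignored(self) -> bool:
        """True when the recipient did nothing at all with the lure."""
        return not (self.opened or self.clicked or self.pasted
                    or self.submitted or self.reported)


def classify_visit(referer: str) -> str:
    """Heuristic (an assumption of this example): a landing-page hit that
    carries an HTTP Referer came from a link clicked inside webmail or an
    intranet page; a hit with no Referer ("-" in the log) is treated as a
    URL the user typed or pasted into the address bar."""
    return "click" if referer and referer != "-" else "paste"


def submit_event(timestamp: str, token: str, form: dict) -> str:
    """Build the log line for a login-form post. Only the field *names* are
    recorded, never the values, so the report can say 'entered a password'
    without the drill ever storing one."""
    return f"{timestamp} {token} submit fields={','.join(sorted(form))}"


def parse_line(line: str):
    """Split one log line into (token, event, attrs)."""
    parts = line.split()
    _timestamp, token, event = parts[:3]
    attrs = dict(p.split("=", 1) for p in parts[3:])
    return token, event, attrs


def tally(log: str) -> dict:
    """Reduce the log to per-recipient flags, then count each outcome once
    per person (repeat clicks by the same recipient are not double-counted)."""
    recipients: dict = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        token, event, attrs = parse_line(line)
        r = recipients.setdefault(token, Recipient())
        if event == "open":
            r.opened = True
        elif event == "visit":
            # Reaching the landing page proves the mail was read even when
            # the client blocked the tracking pixel, so count it as an open.
            r.opened = True
            if classify_visit(attrs.get("referer", "-")) == "click":
                r.clicked = True
            else:
                r.pasted = True
        elif event == "submit":
            r.opened = True
            r.submitted = True
        elif event == "report":
            r.reported = True
    return {
        "sent": len(recipients),
        "opened": sum(r.opened for r in recipients.values()),
        "clicked": sum(r.clicked for r in recipients.values()),
        "pasted": sum(r.pasted for r in recipients.values()),
        "submitted": sum(r.submitted for r in recipients.values()),
        "reported": sum(r.reported for r in recipients.values()),
        "ignored": sum(r.ignored() for r in recipients.values()),
    }


if __name__ == "__main__":
    for name, count in tally(SAMPLE_LOG).items():
        print(f"{name:>9}: {count}")
```

      The Referer heuristic is the weakest part of any such tally: desktop mail clients and browsers moving from an HTTPS page to a plain-HTTP lure commonly send no Referer at all, so some genuine clicks will be counted as pastes. Because the submit handler records only field names, a leaked copy of the drill's log exposes who fell for the lure but no passwords, which is the guarantee the article attributes to Intrepidus.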

      Phishing scams proliferated in 2007, to put it mildly. During the first half of the year, Microsoft detected 31.6 million phishing scams—an increase of more than 150 percent over the previous six months—according to the company’s semiannual Security Intelligence Report, released in October.

      In fact, the SANS Institute included spear-phishing as one of 19 top security issues on its SANS 2007 Internet Threats List. “This year for the first time we’re reporting that one of the most critical risks is attacks against people, where attackers focus on executives,” said Alan Paller, director of the SANS Institute, when the list came out in late November.

      The spear-phishing of executives and rich people even rated a new term in 2007: It’s called “whaling,” drawing on the Las Vegas habit of referring to rich gamblers as “whales.” Military and government agencies are increasingly among the targets, as the recent, successful attacks on national laboratories show.

      In early December Oak Ridge National Laboratory reported that it had been bombarded with a coordinated spear-phishing attack aimed at multiple national labs, including Los Alamos.

      Oak Ridge may have unwittingly handed over to attackers the personal information of anybody who visited the lab over a 14-year span, including Social Security numbers, due to workers having fallen for e-mail crafted to look like industry conference brochures and other legitimate-looking communications. That attack has been linked to Chinese scammers.

      SANS advises anti-phishing education and in its Top 20 list of threats for 2007 went so far as to recommend that organizations do exactly what PhishMe will soon offer: i.e., send out phony phishing scams targeting one’s own workers.


      It’s not a new concept. In 2005, the state of New York sent e-mail messages that appeared to be official notices to 10,000 employees. The messages asked that employees click on links and type in passwords and other sensitive information.

      Some 15 percent did so, typing in passwords and only stopping when a message informed them that they had fallen for a faux phishing attempt, according to a news account in the Wall Street Journal.

      The military in particular is taking the threat of spear phishing to heart: The Department of Defense in November 2006 mandated that all personnel undergo spear-phishing awareness training by January 2007.

      In spite of the growing awareness of the need for spear-phishing training, administering a phony attack on one’s own crew hasn’t been particularly easy. As a New York official told the Wall Street Journal when the state conducted its ersatz phishing attack in 2005, the state hired an outside Web consultant to design the bogus e-mail lure, then it brought in the services of AT&T to route the e-mail so it came from outside the state’s own network, as would a real phishing attack.

      Thus the appeal of an automated service that can be set up to do it all automatically while collecting statistics on how well an organization’s doing, Higbee told eWEEK.

      Intrepidus first started offering the service—in nonautomated form—to clients around 2004.

      “We had been doing [penetration] testing for clients for a while. The way attackers were breaking in back then was port scanning, or finding vulnerabilities and exploiting them,” Higbee said. “But things changed: People got their firewalls in line … and attackers starting changing tactics.

      “They [searched for e-mail addresses] off of the Internet, then they tried to sneak attachments into organizations, trying to trick people into giving up passwords [and other sensitive information]. We started seeing [phishing attempts] on incident response reports. We said, ‘We need to do these mock phishing tests in order to see where you really are as far as security goes.'”

      There is only one word to describe clients’ reactions after agreeing to try out the service and then seeing how their work forces fare: shocked.

      The first guinea pig back in 2005 was a health care organization with 70,000 employees. Of that employee base, about half clicked on the link offered in the phishing come-on, which purported to be a check to see if a given employee was eligible for a free computer.

      Of those 35,000 or so workers, 60 percent entered their user name and password when prompted to do so. The scenario lasted about a week, with employees who fell for the scam receiving a message saying they’d been phished by way of an authorized test.

      The health care organization didn’t stop there. One lesson Intrepidus had learned was that the phishing attack had been a little too authentic. The client requested a second test that introduced spelling and grammar mistakes that would make the phishing site look a bit more bogus.

      On the second go-round, 25 percent of the employee base still fell for the scam. Better, but still: It only takes one employee to fall for a scam and hand over the keys to a network, Higbee pointed out. A third test for the same client went back to sporting an authentic look. In spite of its lack of spelling and grammar errors, only 4 percent of the health care organization’s increasingly wary work force fell for the scam.


      New employees are particularly vulnerable to being phished. One of Intrepidus’ clients, an insurance company, targeted only new hires in a bogus phishing campaign. Nearly 100 percent of the targeted employees fell for the scam. Not surprising, given that a new employee is used to receiving a barrage of e-mails telling him or her to go here or there to register for a 401(k) plan, for a health care plan, for intranet access, etc.

      The results were so appalling that the insurance company decided to no longer send links via e-mail for human resources-related activities, Higbee said. Instead, when announcing a new plan, the company puts the details on the intranet but doesn’t send out a link—instead, it only tells employees where to go on the intranet and what to click.

      To address the ease with which new hires are duped, templates on the automated PhishMe portal will generate e-mail come-ons that say, for example, that an organization is about to change its 401(k) plan, or that employees can review their pay stubs if they go to the drill’s landing site and enter their information.

      Intrepidus hasn’t yet worked out pricing. Higbee said that this type of campaign generally takes about a week of consulting services to set up, send out an e-mail campaign and then to collect statistics. The automated portal approach will be less expensive than a week of consulting, he said.
