As I mentioned in a previous blog post I'm doing a bit of lecturing for an undergraduate degree in Network Security, this semester I'm teaching Enterprise Security.  This week we covered Security Engineering and were discussing, among other things, the psychology/ behavioural economics of Phishing.  Rather than try and explain the incentives and mentality at play when someone clicks on a phishing link I thought I'd take a more practical approach and carry out a small simulated phishing campaign.

Using the Simple Phishing Toolkit, an excellent but sadly abandoned open source tool for running educational Phishing campaigns, I set out to phish the students under the guise that their Moodle platform had been upgraded with a number of bug and security fixes and a link to click to see a full list of the changes.  The tool provides the capability to have a dummy login form, even providing an inbuilt scraper to automate the building of the form, I stopped short of this however, mainly due to time constraints. For the purposes of this exercise just clicking on the phishing link was enough to get you marked as a victim.  After all, these are students who are studying security and should know better than to click on a links in an email without validating the destination and visiting a malicious site is often enough.

Having set up the campaign and pushed out the emails I went off to do some other jobs that needed doing, I didn't really expect to get too many hits on the link, it pointed at a dynamic IP and I didn't really think they would find a list of updates to Moodle worth clicking through for ( a theory that was subsequently confirmed when I spoke to them in the lecture). As it turns out either I'm a better phisherman than I give myself credit for or this group of students is a gullible bunch, 12 out of a total 32 students clicked on the link (see chart below).  Given that a couple of those 32 students seem to have given up checking course related emails, the percentage may be even higher. Those that clicked on the link were redirected to a phishing education page (also supplied in SPT) with a video on phishing from Symantec.

Phishing the students was certainly an interesting exercise and one that I'd like to repeat with other groups and extend into other organisations, more and more, having recognised the human element as the weak link in their security posture, organisations are running social engineering pen-tests and including simulated phishing campaigns.  Done right, this could be an excellent education tool, and one worth pursuing, it serves as a nice demonstration of the types of methods used by real attackers against organisations, giving your users real experience that they can relate to net time they encounter a real phishing (or spear-phishing) email, with the right instruction and correct incentives, users can be taught to identify phishing emails and report them to your security team.  The confidence to report a phishing email is even more important if the user did click on the link or fill in the form, it is important not to castigate users for making security mistakes, the knowledge that they have done so at least allows you to respond to the potential outcomes rather than having to detect it through other means.  It also serves as another source of insight into the security posture of your organisation and potentially an intelligence source for identifying high risk users to be correlated against mail gateway logs.