How to Phish Friends and Influence People
As I mentioned in a previous blog post, I'm doing a bit of lecturing for an undergraduate degree in Network Security; this semester I'm teaching Enterprise Security. This week we covered Security Engineering and discussed, among other things, the psychology and behavioural economics of phishing. Rather than try to explain the incentives and mentality at play when someone clicks on a phishing link, I thought I'd take a more practical approach and carry out a small simulated phishing campaign.
Using the Simple Phishing Toolkit (SPT), an excellent but sadly abandoned open source tool for running educational phishing campaigns, I set out to phish the students under the pretext that their Moodle platform had been upgraded with a number of bug and security fixes, with a link to click to see the full list of changes. The tool can also present a dummy login form, and even includes a scraper to automate building one, but I stopped short of that, mainly due to time constraints. For the purposes of this exercise, just clicking on the phishing link was enough to get you marked as a victim. After all, these are students who are studying security and should know better than to click on a link in an email without validating the destination, and simply visiting a malicious site is often enough for an attack to succeed.
Having set up the campaign and pushed out the emails, I went off to do some other jobs that needed doing. I didn't really expect to get many hits on the link: it pointed at a dynamic IP, and I didn't think they would find a list of updates to Moodle worth clicking through for (a theory that was subsequently confirmed when I spoke to them in the lecture). As it turns out, either I'm a better phisherman than I give myself credit for or this group of students is a gullible bunch: 12 out of 32 students clicked on the link (see chart below). Given that a couple of those 32 students seem to have given up checking course-related emails, the real percentage may be even higher. Those that clicked on the link were redirected to a phishing education page (also supplied with SPT) with a video on phishing from Symantec.
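To make concrete how a bare click can mark a specific recipient as a victim with no login form, and how the "students who no longer read course email" caveat changes the click rate, here is an added Python example; it is not code from SPT or from this post. It derives a per-recipient HMAC token for each tracking link, attributes clicks from constructed web-server access-log lines back to recipients (ignoring repeat clicks and unknown or forged tokens), and reports the rate both over all recipients and over the active ones. The campaign secret, recipient addresses, paths and log lines are all constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Constructed values for this example only (not a real key or real students).
CAMPAIGN_SECRET = b"constructed-campaign-secret"
SAMPLE_RECIPIENTS = [f"student{i:02d}@example.edu" for i in range(1, 9)]
INACTIVE = frozenset({"student07@example.edu", "student08@example.edu"})
LANDING_PATH = "/moodle-changes"          # the "list of changes" link target
LOG_RE = re.compile(r'"GET (\S+) HTTP/')  # request path out of a combined-format log line

def recipient_token(secret: bytes, recipient: str) -> str:
    """Per-recipient tracking token: HMAC-SHA256 keyed with the campaign secret,
    truncated to 16 hex chars. Only the secret holder can mint one, so a click
    on a valid token attributes to exactly one recipient without any login."""
    return hmac.new(secret, recipient.encode(), hashlib.sha256).hexdigest()[:16]

def tracking_url(base: str, secret: bytes, recipient: str) -> str:
    """The unique link embedded in the recipient's copy of the phishing email."""
    return f"{base}{LANDING_PATH}?t={recipient_token(secret, recipient)}"

def victims_from_log(log_lines, secret, recipients, inactive=frozenset()):
    """Returns (victims, rate_all, rate_active). Repeat clicks count once;
    unknown or forged tokens (scanners, mistyped links) are ignored; the active
    rate drops recipients known not to read course email from the denominator."""
    token_to_recipient = {recipient_token(secret, r): r for r in recipients}
    victims = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        token = parse_qs(url.query).get("t", [None])[0]
        if url.path == LANDING_PATH and token in token_to_recipient:
            victims.add(token_to_recipient[token])
    active = [r for r in recipients if r not in inactive]
    return sorted(victims), len(victims) / len(recipients), len(victims) / len(active)

def sample_log():
    """Constructed access-log lines: two clicks by student01, one by student03,
    one hit with a forged token, and one request for the education page."""
    t = lambda r: recipient_token(CAMPAIGN_SECRET, r)
    return [
        f'10.0.0.5 - - [10/Mar/2013:10:02:11 +0000] "GET /moodle-changes?t={t(SAMPLE_RECIPIENTS[0])} HTTP/1.1" 302 0',
        f'10.0.0.5 - - [10/Mar/2013:10:02:40 +0000] "GET /moodle-changes?t={t(SAMPLE_RECIPIENTS[0])} HTTP/1.1" 302 0',
        f'10.0.0.9 - - [10/Mar/2013:10:05:03 +0000] "GET /moodle-changes?t={t(SAMPLE_RECIPIENTS[2])} HTTP/1.1" 302 0',
        '10.0.0.77 - - [10/Mar/2013:10:07:19 +0000] "GET /moodle-changes?t=deadbeefdeadbeef HTTP/1.1" 302 0',
        '10.0.0.9 - - [10/Mar/2013:10:05:04 +0000] "GET /phish-education.html HTTP/1.1" 200 4811',
    ]
```

Running `victims_from_log(sample_log(), CAMPAIGN_SECRET, SAMPLE_RECIPIENTS, INACTIVE)` attributes the clicks to student01 and student03 only, giving 2/8 over everyone but 2/6 over the students who actually read their email.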