
How to Phish Friends and Influence People

As I mentioned in a previous blog post, I'm doing a bit of lecturing for an undergraduate degree in Network Security; this semester I'm teaching Enterprise Security.  This week we covered Security Engineering and were discussing, among other things, the psychology and behavioural economics of phishing.  Rather than try to explain the incentives and mentality at play when someone clicks on a phishing link, I thought I'd take a more practical approach and carry out a small simulated phishing campaign.

Using the Simple Phishing Toolkit, an excellent but sadly abandoned open source tool for running educational phishing campaigns, I set out to phish the students under the guise that their Moodle platform had been upgraded with a number of bug and security fixes, with a link to click to see a full list of the changes.  The tool provides the capability to host a dummy login form, even providing an inbuilt scraper to automate the building of the form; I stopped short of this, however, mainly due to time constraints.  For the purposes of this exercise just clicking on the phishing link was enough to get you marked as a victim.  After all, these are students who are studying security and should know better than to click on a link in an email without validating the destination, and simply visiting a malicious site is often enough.

Having set up the campaign and pushed out the emails, I went off to do some other jobs that needed doing.  I didn't really expect to get too many hits on the link: it pointed at a dynamic IP, and I didn't really think they would find a list of updates to Moodle worth clicking through for (a theory that was subsequently confirmed when I spoke to them in the lecture).  As it turns out, either I'm a better phisherman than I give myself credit for or this group of students is a gullible bunch: 12 out of a total of 32 students clicked on the link (see chart below).  Given that a couple of those 32 students seem to have given up checking course-related emails, the percentage may be even higher.  Those that clicked on the link were redirected to a phishing education page (also supplied in SPT) with a video on phishing from Symantec.



Phishing the students was certainly an interesting exercise and one that I'd like to repeat with other groups and extend into other organisations.  More and more, having recognised the human element as the weak link in their security posture, organisations are running social engineering pen-tests and including simulated phishing campaigns.  Done right, this could be an excellent education tool and one worth pursuing: it serves as a nice demonstration of the types of methods used by real attackers against organisations, giving your users real experience that they can relate to the next time they encounter a real phishing (or spear-phishing) email.  With the right instruction and correct incentives, users can be taught to identify phishing emails and report them to your security team.  The confidence to report a phishing email is even more important if the user did click on the link or fill in the form; it is important not to castigate users for making security mistakes, because knowing that they have done so at least allows you to respond to the potential outcomes rather than having to detect them through other means.  It also serves as another source of insight into the security posture of your organisation, and potentially an intelligence source for identifying high-risk users to be correlated against mail gateway logs.

Fake Apple Store

A whole new level of phishing...even the employees are fooled!

Suckers down under

Now I always thought us Aussies were a pretty savvy lot, with an ingrained cultural skepticism of things that seem 'too good to be true'.

It is reported that a forthcoming study from the ACCC (Australian Competition and Consumer Commission) shows that over 50 Aussies a week are falling prey to online scams, paying out over $1.5 million per month.

Ouch!

Passwords!

By now it's a safe bet anyone working in the security space has heard about the leaked passwords from hotmail, yahoo and gmail.

The most interesting thing so far to come out of the leak is the results of an analysis of the passwords exposed. The results are an interesting mix and shed some light on how the message about using strong passwords is being received out there in user-land.

The most common password found was '123456' with '12346789' coming in second. It's enough to keep a security guy up at night!

Amazingly, 'password' didn't make the top 20 list, but although the average password length was 8 characters, 42% of all the passwords listed were lower case only and only 36% were what we commonly consider 'strong passwords' (in complexity if not length). This shows the message is not being heard.
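To show what the kind of analysis described above actually looks like, here is an added example (not code from the original post or from whoever analysed the leak) that runs the same summary statistics over a constructed sample list. The sample passwords are made up for the example, and the 'lowercase only' and 'complex' heuristics are my own assumptions, since the page does not define the study's criteria; it also counts passwords that satisfy a complexity rule yet follow the 'Password1' template discussed further down.

```python
import re
from collections import Counter

# Constructed sample standing in for a leaked credential dump (not real data).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "123456789", "123456789", "password1",
    "qwerty", "abc123", "letmein", "iloveyou", "Password1", "Tr0ub4dor&3",
    "sunshine", "monkey", "football", "G00dPa$$", "princess", "123456",
]

# Heuristics below are assumptions of this example; the page does not give the
# study's own definition of a 'strong password'.
CLASS_PATTERNS = {
    "lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]",
}
PREDICTABLE_COMPLEX = re.compile(r"^[A-Z][a-z]+[0-9]+$")  # the 'Password1' template

def is_lowercase_only(pw):
    """Letters only, all lower case: the weakest class reported in the leak."""
    return re.fullmatch(r"[a-z]+", pw) is not None

def is_complex(pw, min_len=8, min_classes=3):
    """Meets a typical enterprise complexity rule: length plus 3 of 4 classes."""
    classes = sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS.values())
    return len(pw) >= min_len and classes >= min_classes

def is_predictable_complex(pw):
    """Passes the complexity rule but is just Capital + word + digits."""
    return is_complex(pw) and PREDICTABLE_COMPLEX.match(pw) is not None

def analyse(passwords, top_n=5):
    """Summarise a password list the way a leak write-up does."""
    n = len(passwords)

    def pct(count):
        return round(100.0 * count / n, 1)

    return {
        "total": n,
        "top": Counter(passwords).most_common(top_n),
        "avg_length": round(sum(map(len, passwords)) / n, 2),
        "pct_lowercase_only": pct(sum(map(is_lowercase_only, passwords))),
        "pct_complex": pct(sum(map(is_complex, passwords))),
        "pct_predictable_complex": pct(sum(map(is_predictable_complex, passwords))),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Pointing `analyse` at a real dump (one password per line) gives the same breakdown, and the `pct_predictable_complex` figure is the one worth watching when a complexity policy is in force.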

Why is this a concern to the security guy in the enterprise? Well the same users are likely to be in the office and these results show that the password message is not getting through. Not to mention employees with good intentions emailing work documents to themselves @hotmail so they can be diligent and work on them at home. That same hotmail address with the '123456' password....

The good news (comparatively!) is that the passwords were not gathered through a flaw in the security of these industry heavyweights, but via phishing attacks against the users themselves.
The problem, though, is that even when users are diligent and more complex passwords are used, there remains the problem of those same users being suckered in by phishing attacks. Even the head of the FBI was banned from online banking by his wife for almost falling victim to a phishing email.

A senior security engineer for nCircle recently presented at SecTor the results of a survey of both technical and non-technical users, which showed that while 83% of users checked for the magic padlock in the browser when entering their credit card details, a dismal 41% checked for the same padlock when entering a password. And the padlock display itself can be easily faked.
Unsurprisingly, almost 50% of users also clicked through security warnings without paying attention to them. In this we're paying the price for training end users to 'just click OK' through countless exposures to buggy software.

People can't be relied upon to pick strong passwords or read security warnings. Security guru Bruce Schneier wrote about this back in 2006, when 100,000 MySpace accounts were exposed through a phishing attack. That wonderful password '123456' made the top 20 back then too, but the best performer was 'password1'.

Bruce comments that "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security?"

He's completely correct and in fact I'd hazard a guess that they've continued to learn and the most common password these days (where complexity rules are applied) is 'Password1'.

What's the answer? Nothing simple comes to mind, but clearly our education of users isn't working today; we need to do better.

And finally, a more humorous look at choosing a password...
