SecureState performs numerous Social Engineering Assessments every year. Social engineering is a technique that relies on weaknesses in human nature rather than weaknesses in hardware, software, or network design. These attacks succeed because they target basic human nature: people are susceptible to persuasion and manipulation through a variety of methods.
SecureState uses social engineering to determine the adequacy of an organization’s Security Policy Procedures (SPP) and the awareness training surrounding those policies. One popular form of social engineering is spearphishing. Starting from a targeted list of employee email addresses, SecureState typically impersonates one employee from the list in order to trick other personnel into visiting a malicious site hosted by SecureState. SecureState sends a variety of emails with different ploys to convince the end user to visit that website. When the user connects to the site, they are presented with a login screen. Upon login, the victim’s credentials are captured and a malicious payload then executes in an attempt to compromise the underlying operating system. SecureState also sends emails whose links resolve to blank pages, simply to track whether a user clicked the link in the email.
While we typically tailor the pretext of the messages to the company’s unique situation and goals, we find that certain common approaches consistently generate the most clicks. One of the most effective messages is some variant of the following:
Saw you quoted on this site [link to SS-hosted site]. Please tell me you didn’t say these things. Not sure if we have to get legal involved.
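The two signals that make this lure work are an impersonated internal sender and a link to an externally hosted page. The following is an added example, not SecureState’s tooling: a small mail-screening check that flags both, assuming a constructed employee directory, a corporate domain of example.com, and constructed sample messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed employee directory: display name -> corporate mailbox (assumption).
EMPLOYEES = {"Jane Doe": "jane.doe@example.com", "Bob Lee": "bob.lee@example.com"}
INTERNAL_DOMAIN = "example.com"  # assumed corporate domain
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def _text_parts(msg):
    """Concatenate the text/plain and text/html bodies of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if not p.is_multipart()
                     and p.get_content_type() in ("text/plain", "text/html"))


def analyse_message(raw):
    """Return a list of findings for one raw RFC 822 message (empty if clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # A known employee's display name on an address that is not their mailbox
    # (lookalike domain, free-mail account, or an odd internal alias).
    if name.strip() in EMPLOYEES and addr.lower() != EMPLOYEES[name.strip()].lower():
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")
    # Any link that leaves the corporate domain while the mail claims to be internal.
    for url in URL_RE.findall(_text_parts(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            findings.append(f"external link: {host}")
    return findings


# Constructed sample: the page's lure, sent under an employee's name from a lookalike domain.
SAMPLE_PHISH = """From: Jane Doe <jane.doe@example-mail.net>
To: bob.lee@example.com
Subject: Saw you quoted on this site

Saw you quoted on this site http://news.constructed-example.net/quote
Please tell me you didn't say these things.
"""

# Constructed sample: a legitimate internal mail with an intranet link.
SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example.com>
To: bob.lee@example.com
Subject: Policy update

Updated policy is at https://intranet.example.com/policy
"""
```

Run `analyse_message` over a mailbox export to see how many of a campaign’s messages trip both checks; a message that trips only the link check is far less suspicious than one that trips both.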
While performing a phishing assessment for a client, one of the employees targeted was a mid-level executive who happened to be away at a conference. It also happened that he had been out drinking the night before. So when he received the email from the “CEO of the company” on his phone, he was understandably concerned. What DID he say? When he clicked on the link, no page came up. He called his boss several times, but received no answer.
After flying home from the conference (and having tried the link again on his phone, his iPad, his home computer, his work computer, several coworkers’ computers), he went into the CEO’s office in a panic. When the CEO heard the story, he just began to laugh. He knew that SecureState was conducting the assessment and that it was just a phishing link.
However, while the incident did provide some comedy, had the link come from an actual malicious party, the executive could have allowed the compromise of multiple company assets. The fact remains that phishing attacks are difficult to defend against without effective employee awareness training, especially given the perfect storm that caught this poor exec. But what exactly DID he say at that conference?