yARN: Gone phishing
- 27 May, 2011 12:28
We regularly hear of intrusions such as the recent RSA incident that originated with some kind of phishing attack via email.
Phishing, and its rather more targeted cousin spear phishing, is the deliberate and planned attack on an organisation by tricking an employee into loading your chosen malware, either by opening a malicious attachment or by visiting an infected web site.
Whereas phishing involves blasting all and sundry with a generically enticing message; “hey; look at these cute cat pics” or “see pictures of
These attacks rely on a number of factors: a computer with an unpatched vulnerability, knowledge of the organisational structure in order to target a suitable person, a certain degree of gullibility in the targeted person, and a good deal of luck.
As employers, we are forced to wonder about the savviness of our employees. Will they recognise the phishing attempt, or will they blithely open the attachment, click the link, or do whatever the intruder wants?
Of course we have *policies* that govern this. But what are they? Generally, they’re black words on white paper, nothing more; we never do enough training.
Enter a service called PhishMe.
According to their website (if I told you what it was, you’d think I was doing my own phishing, but you can guess it easily!), “Using PhishMe’s built-in templates and WYSIWYG functionality, you can emulate real phishing attacks against your employees within minutes. Focus your training efforts on the most susceptible employees by providing immediate feedback to anyone that falls victim to these exercises.”
Let’s break that down a little. PhishMe offers a tool to create realistic phishing attacks (even spear-phishing if you’re mean enough) that can be directed against your own employees to test the strength of your internal training and education programs.
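The feedback loop described above only helps if you actually measure it. As an added illustration (my own sketch, not PhishMe’s code or output), here is how results from a few simulated campaigns can be turned into the numbers that tell you whether the education program is working: the click and report rate per campaign, the employees who fell for the lure more than once, and the department that needs attention first. The campaign names, employee names and outcomes are constructed sample data.

```python
from collections import defaultdict

# Constructed results from three simulated campaigns (sample data, not PhishMe output).
# Each record: (campaign, employee, department, outcome). Outcomes: "ignored",
# "clicked" (followed the link), "submitted" (also entered credentials), "reported".
SAMPLE_RESULTS = [
    ("c1", "alice", "finance", "reported"),
    ("c1", "bob",   "finance", "clicked"),
    ("c1", "carol", "sales",   "submitted"),
    ("c1", "dave",  "sales",   "ignored"),
    ("c2", "alice", "finance", "ignored"),
    ("c2", "bob",   "finance", "submitted"),
    ("c2", "carol", "sales",   "reported"),
    ("c2", "dave",  "sales",   "clicked"),
    ("c3", "alice", "finance", "reported"),
    ("c3", "bob",   "finance", "clicked"),
    ("c3", "carol", "sales",   "ignored"),
    ("c3", "dave",  "sales",   "reported"),
]

SUSCEPTIBLE = {"clicked", "submitted"}  # outcomes that count as falling for the lure

def campaign_rates(results):
    """Per campaign: (fraction who fell for it, fraction who reported it).
    A falling first number and a rising second one is the trend training aims for."""
    sent, fell, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for campaign, _, _, outcome in results:
        sent[campaign] += 1
        fell[campaign] += outcome in SUSCEPTIBLE
        reported[campaign] += outcome == "reported"
    return {c: (round(fell[c] / sent[c], 2), round(reported[c] / sent[c], 2)) for c in sent}

def repeat_victims(results, min_campaigns=2):
    """Employees who fell for the lure in at least min_campaigns distinct campaigns:
    where the immediate feedback (and the training program) clearly is not landing."""
    hits = defaultdict(set)
    for campaign, who, _, outcome in results:
        if outcome in SUSCEPTIBLE:
            hits[who].add(campaign)
    return sorted(who for who, camps in hits.items() if len(camps) >= min_campaigns)

def department_click_rate(results):
    """Fraction of lures per department that were clicked or had credentials entered."""
    sent, fell = defaultdict(int), defaultdict(int)
    for _, _, dept, outcome in results:
        sent[dept] += 1
        fell[dept] += outcome in SUSCEPTIBLE
    return {d: round(fell[d] / sent[d], 2) for d in sent}

if __name__ == "__main__":
    print(campaign_rates(SAMPLE_RESULTS))       # {'c1': (0.5, 0.25), 'c2': (0.5, 0.25), 'c3': (0.25, 0.5)}
    print(repeat_victims(SAMPLE_RESULTS))       # ['bob']
    print(department_click_rate(SAMPLE_RESULTS))  # {'finance': 0.5, 'sales': 0.33}
```

In this sample the overall click rate drops and the report rate rises by the third campaign, but one employee falls for every lure, which is exactly the case the post argues is a failing of the training, not of the person.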
Of course there are a few morals to consider here. Remember, it’s YOU attempting to trick THEM. If you succeed, it is no reflection upon them; far more importantly it reflects upon you – clearly your internal education programs are failing.
Phishing is rapidly becoming an art-form. An art that destroys the smug feeling of security when we least expect it.
Give a man a phish and he’ll feed you for a day; teach him how to phish and he’ll feed you forever.