RSA: Phish Me If You Can (Video)

Video no longer available.

Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your network. It's basically the same as phishing, except more targeted. That is, a plain phishing scam might offer an unwary web-browsing employee a chance to see a famous starlet naked, while a spearphishing attack might purport to be an urgent request from your Bizzaro County office for 200 Kg of Unobtainium Oxide. Open that email, and... ZAP! So this is social hacking (cracking for the old-timers), and cannot necessarily be fought entirely by technical means. So how about setting up fake spearphishing attempts and immediately sending employees who fall for them to an IT security class with an emphasis on how to avoid phishing scams? You can do this yourself, possibly with help from a bright person or two from a nearby University. Or you can contact PhishMe or another anti-phish training company and have them help you teach spearphishing awareness to your people. Either way, every computer-using person in your company should know about phishing -- and should know how to avoid getting hooked by phishers.

Tim: Aaron, could you introduce yourself please?

Aaron: Hi, my name is Aaron Higbee. I'm Co-Founder and CTO of PhishMe

Tim: Okay. Now explain PhishMe. It is a funny name.

Aaron: So every organization is worried about getting spear phished. So we provide a software-as-a-service that allows organizations to send real mock spear phishing emails to their employees and as soon as they may fall victim to one of our emails, they are immediately funneled to training about why you need to be worried about this, why people are targeting you at work, and why a spear phishing email at work is a little different than the phishing email you get at home.

Tim: So walk me through this a little bit. They are at their desk, they open their corporate Gmail or their corporate email account, and what happens?

Aaron: Well, there is a variety of things. An attacker might be motivated just to send them a malicious link and hope to take them to a website that is booby-trapped with malware. They might put together a lookalike website that is trying to solicit credentials to get them to log into a fake website. Or they might be including a malicious attachment where the payload is embedded in the attachment and trying to get them to do that.

Tim: How far do you let people go before you let them in on the game?

Aaron: We do it right away. The value in this is the experience, and the person realizing that, hey if they are not vigilant, if they are just mindlessly clicking through emails as fast as they can, they can be victimized by this. And that there really are people out there. So we want to funnel them into the training and awareness portion of it right away, to close out the example, to let them know that this wasn’t to make fun of them, to make them feel bad

Tim: It sounds like it could be embarrassing.

Aaron: Right. We just were trying to empathize and let them know that this was designed to help you get good practice on identifying and spotting this.

Tim: Now you have it for spear phishing specifically over email.

Aaron: That’s right.

Tim: There a lot of threats though over various social media, over Facebook, they can get their account hacked, and send messages through that. Are you addressing things like that yet?

Aaron: Yeah, we are still focused I mean this is the number one attack vector, if you read the recent APT 1 report by Mandiant, they said spear phishing is the most prevalent, aggressive way that people are trying to get in. But I do keep up on those trends. Google was compromised via an instant messaging vector and so that’s interesting to me and I try to keep on top of that.

Tim: The malicious messages that people get, they’ve evolved over the years. I know the ones I get certainly have changed, and now there is something a lot more competent sounding than they used to be.

Aaron: Sure, sure. They might have researched you, they might know your interests, but there are certain emotional triggers that are going to be in all of these emails. And it is up to us as humans to figure that out. They are either going to be baiting you with curiosity, with fear, with a reward, one of those triggers. And if you look at it, and you see the sense of urgency in the email, you should have some spidy senses that tingle that say, wait a minute, I need to spend a little bit more time, this might not be legitimate.

Tim: Now do employees know in advance that the system is even in place within their company?

Aaron: Sometimes they do, sometimes they don’t. Because we are a software-as-a-service, organizations choose to run their PhishMe program anyway they like. We encourage that. We tell people that they should be upfront with their staff to let them know that the purpose behind this isn’t to make fun, or belittle anyone. And that we are going to be doing this for the next 12 months to give people experience in spotting and identifying these.

Tim: Now how long has PhishMe been around? Where did it come from? Is this academic research or?

Aaron: So where PhishMe came from was, I used to be a pentester, and I did a lot of pentesting work, and I noticed in about 2005, the way that attackers were getting into organizations was starting to shift towards spear phishing instead of your traditional vulnerability scanning and finding some vulnerable service to compromise. So I started offering this as a pentesting service, and in about 2006 and 2007 that light bulb went off where I realized I am actually damaging a valuable teaching opportunity, that the way to correct this is through user awareness education. That the attackers are always going to come up with some new technical tactic, and so we really need to focus in on the social and the human aspect to go after this problem.

Tim: Speaking of the way the stuff has changed, what have you observed about that? What are the trends you see in how have the spear phishing things have changed?

Aaron: Well, one of the things that we’ve noticed is when an attacker is going on a spear phishing campaign, two to three years ago, they would lob in one or two emails to certain employees inside the organization, and they would wait to see if they would respond. What’s happening now is they are sending batches of 10, 20, 30, or 50, because they know those emails are getting analyzed and they know that the command and control infrastructure that the malware connects to is going to be burnt. It is not going to be _____4:59. So they are being a little more tenacious about the volume that they are sending in, which is good; that means some of our preventative technology is working, and also that means user initiative reports are valuable, because now they are going to be sending more of these emails into the organization.

Tim: It gives you a bigger corpus to write your own too.

Aaron: Sure, sure. We are building our human sensors to help fight this problem.

Tim: And who are your customers?

Aaron: Anyone that has been in the news, that has a spear phishing breach, it is likely that they are one of our customers. Our customers are people that have bought all of the technological solutions. They have good information security practices. Yet people are still getting in. And they are frustrated by this. And they want to change. And so if you look at who are the big targets of spear phishing, it is the people that you would imagine, the financial, the government contractors, the oil and gas industry, manufacturing, anyone that has got intellectual property to protect.

Tim: And you are based in Northern Virginia, so that gives you a pretty good access to the various hackable governmental offices there?

Aaron: Yeah, absolutely. I have some interesting lunches with my colleagues in Northern Virginia, and there is always some spear phishing incident that we are talking about that has come up.

Tim: Now Aaron, have you ever personally been tempted or actually clicked on a spear phishing link?

Aaron: You know I might have. Given the nature of our business, we know that we are targets. It would be good bragging rights to be able to phish someone here. And it has changed the way that we do business. Email is not really a very useful tool to us. We have to use a lot of other collaborative software and other internal tools in order to get work done and anytime something comes in to email, we have this very strict process on what we do before we interact with it. I don’t think anyone in my company would say, we are impervious to this. We know that this is a human condition. People can make mistakes. And that is one of our training messages, is even if you did something, and you have that uneasy feeling afterwards, that this might not have been legitimate, it is still something that you need to report to your IT department. Maybe it was benign, maybe it was okay, but it still should be reported as soon as you have that uneasy feeling.

Tim: Anything else you want to tell us about? You mentioned something to me earlier about your Slashdot effect.

Aaron: Oh okay. So we try to offer PhishMe as a true-to-life example. So we send spear phishing emails from the internet, our spear phishing websites are hosted on the internet, and our customers want to make it accurate, but they also want it to be contained. So they don’t want a situation where an employee receives one of our training emails and then forwards it to Slashdot, hey look what my employer is doing to me. So we actually designed our phishing pages to self-destruct. So that we don’t get on the cover of Slashdot.

LOL

[Anonymous Coward]

Your daily Slashvertisement brought to you by Dice Holdings, Inc.

More stupid victim-blaming

[pclminion]

The problem is 100% technical. How could viewing an email ever result in malware being installed? Somebody failed -- they're called the IT department.

It's not the slashvertisement

[i kan reed]

It's the fact that they treat us like eager morons, who won't recognize it. I mean the signs are dead simple.
1. Mentions a particular company by name.
2. Includes at least one buzz-word.
3. Entirely positive language.
Regular Slashdot stories pretty clearly have signs of concern or raise questions about their subject matter. These bare-naked slashvertisements are insulting. If you're going to be blatant, please fucking acknowledge that it's sponsored in the summary.

Re:Open an email

[cusco]

In network security, just the same as physical security, the main problem is not the hardware or the software, it's the wetware.

Re:More stupid victim-blaming

[h4rr4r]

Yeah, they failed when they let you have admin on your pc. They failed when they did not enforce updates. They failed when they let you run a vulnerable email client.

Yet, if they don't let anyone have admin, ban outlook from the network and force updates and reboot that come with them you would be bitching up a storm.

Re:It's not the slashvertisement

[ShanghaiBill]

I mean the signs are dead simple.
1. Mentions a particular company by name.
2. Includes at least one buzz-word.
3. Entirely positive language.

4. Pushes a stupid and unnecessary product or service.

Instead of training your staff not to open phishy emails, just ban any email client that allows execute-on-open.

Re:It's not the slashvertisement

[Peristaltic]

Same old shit. Disconnected suits, demanding more revenue, institute this kind of crap and gradually push away the users whose participation made /. a valuable site in the first place. If it gets worse, a site will eventually pop up that fills the niche left behind by /. Once the -new- one becomes valuable...... Around and around we go, ad nuaseum. In the meantime, before the new site has enough users / inertia, we're stuck with more and more "articles" like this one, which really should not have been put in front of this readership.

Remember to check your legitimate e-mails

[Todd Knarr]

When setting up a test like this, first look at the legitimate e-mails sent around your company. If your business routinely circulates e-mails containing attachments employees are expected to open or links they're expected to click on, then ask yourself why you've got an overlap between what you expect employees to do and what you want them to not do. If you expect employees to check addresses but your e-mail client hides addresses, ask yourself why you're hiding what you want recipients to check. If you're having to ask those kinds of questions then the first problem you need to address isn't employees being vulnerable to spearphishing attacks, it's your internal e-mail culture and standards that make those vulnerabilities normal and expected.

Expect a lot of resistance to fixing these things. Not from your regular workers, from the upper layers of management who like these things because they make life easy and look "Oooh, shiny!".

It's a lot like physical security. You can emphasize it all you want, but when managers get angry at employees who closed the door in the manager's face forcing them to use their own key you will not get employees to stop letting people tailgate through doors.

Re:More stupid victim-blaming

[Gulthek]

This is what passes for +5 insightful these days?

The issue isn't opening an email: but clicking a link in that email or, worse, clicking a link that takes you to a legitimate looking site and entering data, or opening an attachment in a legitimate looking email.

There are all sorts of attack vectors present from an email message. To sweep it all up as "IT's Problem" is a very, very bad idea. It just takes one email fooling the right person to be a security problem.

PhishMe's philosophy is that at some point the technical protection will fail ... so you'd better ensure that your employees know what to look for. The best way to teach them what to look for is to let them actually experience safe emails using the same techniques that would be maliciously used against them.

Spear-phishing isn't an idle threat, it's a widely used attack method that has gotten data out of targets like the New York Times, Defense Department, Facebook, and Apple (http://www.theatlanticwire.com/technology/2013/02/spear-phishing-security-advice/62304/). I'm sure that each of those companies has a very robust and capable IT Department armed with email scanning and sanitizing software. You just can't catch everything with technology.

Re:This is stupid and useless.

[Gulthek]

It's not about being dumb, it's about not being aware. If the first phishing email you come across is one that's technically advanced and well written enough to slip through the technological filter: then you as a corporate employee are probably going to fall for it. Especially if it's a true spear-phishing email that's targeting *you*. It'll look like an email from your boss with yet another emailed PDF or DOCX report to review. Bam.

The solution that PhishMe proposes is to safely expose employees to phishing emails on a regular basis and teach everyone to recognize actual phishing emails from those demonstrations. The human reading the email and about to click the link or open the attachment is your last line of defense and shouldn't be neglected as such.

Re:It's not the slashvertisement

[Midnight_Falcon]

Amen to this. IT professionals get enough cold calls, account managers doing "account reviews" (sales calls), and the like already. They often are people who like advertisement the least and believe they are smart enough to make their own decisions on vendors without being swayed.

That's why ads written like a PR News story posted on Slashdot are insulting to us -- it's obviously an ad, but it's not labelled so. They no longer label the author as associated with Dice Holdings, so it can be passed off as legit news. It also can't be blocked by ad blocking software or the "disable ads" button that appears as a thank you for positive contributions.

On top of that, they are using the moderation system to mod down complaints about this unscrupulous practice.

This is part of the growing trend of stripping content that users want in favor of content that pays the most money to the site's publisher, the same thing folks like Facebook are doing in activity feeds. Monetizing the site at the expense of the experience of the user. How long can this trend continue before users have had enough?

Comment removed

[account_deleted]

Comment removed based on user account deletion