Does Spear Phishing Work?


December 05, 2013

By Steve Darrall, Practice Manager

You often hear about the dangers of general phishing attacks as well as targeted spear phishing attacks, but there can be a feeling that mainstream media will overhype these to the point that sometimes it feels as if the world’s falling in. Recently, one of our clients chose to see how effective a spear phishing attack would be against senior management. Read on for details of what we found.

Securus Global were engaged to identify a number of reports to a particular individual within our client (all senior IT management), send them all an e-mail, convince them to click on a link to a “malicious” site and provide some credentials. Sounds pretty hard, doesn’t it? Especially as the targets are senior management in an IT division. What could possibly go wrong?

The first phase of our engagement was to identify 14 reports to a particular senior manager. Through use of open source information that’s freely available on the Internet, we were able to identify 12 of the 14 individuals.

Being the conscientious types that we are, we then followed up these investigations with a couple of calls to the company’s switchboard. As a result, 3 of the employees were erroneously removed from our target list. Apparently, information freely available on the Internet was more accurate than the company’s own address book!

Once we’d clarified the ‘victims’ of our attack, we then developed a number of scenarios for e-mail content that would entice our victims to visit a pre-prepared web site. After much philosophical discussion and stroking of beards we decided against being overly complicated and the chosen scenario was “Your building pass is about to expire, click here to renew it”. This wasn’t the most exciting of scenarios, but we chose to play on people’s fear of not being able to get into work at 0900 on a Monday and watch cat videos on YouTube. This worked – of the 14 targets for the exercise, all 14 opened the e-mail.

Of our 14 targets that opened the e-mail we sent them, all 14 clicked on the provided link. We actually recorded 123 instances of our e-mail being opened and 23 hits to the link. Later we found out that some of our targets were suspicious of the e-mail and so decided to forward the e-mail around their department to verify authenticity…

We thought that getting people to open an e-mail and click on a link would be a fairly simple exercise so we realised that we had to put a reasonable amount of effort into creating a well-polished website in which people could enter their credentials. Then we came to our senses and decided that we’d carry on with keeping it simple (and thought we’d give our victims a sporting chance). Our “website” would consist of a screenshot of the company’s intranet homepage (yes, just a background JPG) and a JavaScript popup requesting credentials. Thanks to this requirement, our HTML5 and CSS training budget for the engagement was no longer required and we went to the pub instead – much better ROI.

We did have some discussion with our client as to whether a malicious phisher would be able to get a screenshot of the company’s intranet. Given the tens of thousands of employees working at our client, we all agreed that this wouldn’t be an insurmountable task and would just require a quick phone call from “IT Support”, “Public Relations” or $100 put in the right pocket.

So, we’ve identified our targets, have them and their colleagues clicking on our link, how many of our targets would provide credentials? According to our small sample of 14 users, the answer is 70%.

We were specifically asked by our client to not store, process or transmit any credentials (hence the use of a JavaScript box for entry), so we’re unable to say for sure how many users provided valid credentials and how many left polite messages asking us to go away. Taking this possibility into account, it’s not unreasonable to suggest that 75% of the responses would’ve contained valid credentials. Added to this, given the state of many large corporates’ SOEs it would likely be game over at this point anyway given missing patches and the number of browser plugin exploits available.

The above is all well and good but it’s not rocket science. Since time immemorial, we’ve known that human beings are the weakest link in the security onion, but what can we do about it and what are the challenges we face in securing our key assets? It’s not as simple as applying a patch on the second Tuesday of the month, but it’s certainly doable and is something that we’ll be covering in our next post on protecting our weakest link.

This blog post summarises a single engagement for one of our clients but we’d be interested to hear about your experiences from phishing exercises against your staff. Did you have a good success rate? Did the targets all resign in disgust when they found out that you’d run such an exercise? If you’d rather not post a comment yourself, feel free to e-mail me directly – sd (at) securusglobal (dot) com and I’ll collate responses before reposting.
