Wednesday, January 31, 2018

2017 Phishing Contest: Nice research


This is another example of one of the contest entries that I wanted to share for educational purposes.  You can learn more about the phishing contest here:  http://www.w6fdo.com/2018/01/our-2017-phishing-contest.html

This was a solid targeted phish based upon research that Maritza performed about me on the Internet.  W6FDO is my Amateur Radio call sign.  Using “complaint” as well as the FCC logo would definitely prompt fear (if it were real =).

And the fun part is that the real link under her fake FCC link takes you to a really cool YouTube video of a cartoon short on the dangers of phishing emails: https://www.youtube.com/watch?v=gTApmz_ybus
Performing research on your target is what makes targeted phishing attempts so successful.  Very nice job Maritza!!

Remember to always be suspicious about something you receive that you don’t expect.


2017 Phishing Contest: Targeted with an attachment

This is another example of one of the contest entries that I wanted to share for educational purposes.  You can learn more about the phishing contest here:  http://www.w6fdo.com/2018/01/our-2017-phishing-contest.html

This entry simulated a targeted phishing attack with an attachment.  Lonny (or someone pretending to be him =) sent this asking me to check if the passwords in the Excel attachment were strong enough.  Seems straightforward, right?  :-P

However, when I opened the Excel attachment, it prompted me to run its embedded macros!  Of course, we know to never do this unless we are completely sure of the safety of the document.

After discovering that this was an entry in the contest, I opened the macro editor and found the following:


Lonny had created a custom macro and had embedded some fun information into it!  Very nice job Lonny!!! 

Of course, a real bad guy’s macros could easily compromise our computer or our account.  Since macro use in Microsoft Office has returned as an effective mechanism for compromising our computers, attackers are sending out custom Office documents that instruct the user that they must enable macros in order to display the document’s contents.  Don’t fall for it!  It’s bogus.  Be suspicious, keep macros disabled by default, and never enable macros that come in a document where you don’t expect them.

Monday, January 29, 2018

2017 Phishing Contest: Provoking urgency and priority

This is another example of one of the contest entries that I wanted to share for educational purposes.  You can learn more about the phishing contest here:  http://www.w6fdo.com/2018/01/our-2017-phishing-contest.html

This one was brilliant and really startled me at first.  It appears to be from my boss, asking me to help one of the County Supervisors with a personal inquiry (I’ve blanked out the Supervisor’s name that was used).  When I first saw it, I thought “Wow, I had better respond quickly!”  Then I thought, “wait a minute…”  Even though this appears to be from my boss, it is highly unusual.  That’s the trigger that should always cause us to stop and verify.

I hovered my mouse over the link and saw right away that it went to a different location:
hxxps://lmgtfy.com/?q=You+are+hacked+courtesy+of+2017+Monterey+County+Phishing+contest  
Hahaha.
Then I looked and saw that my boss’ email address was slightly different than his real one (not shown here), so his email had also been spoofed.  
Finally, I scrolled down and saw “2017 Phishing Contest” at the bottom of the email.  =)
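The three checks walked through in this post and in the macro post above (compare the host shown in the link text with where the link really goes, compare the sender's domain with the real one, and treat macro-capable attachments as suspect) as a small Python triage script.  This is an added example, not code from the blog or the contest; the expected domain, the sample message and its look-alike sender address are constructed.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

EXPECTED_DOMAIN = "example.org"  # assumed: the organisation's real mail domain
MACRO_EXTENSIONS = (".xlsm", ".docm", ".pptm", ".xls", ".doc")
# Simple anchor pattern: good enough for the triage demo, not a full HTML parser.
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message, not one of the contest entries.
SAMPLE_EML = """\
From: The Boss <boss@examp1e.org>
Subject: Complaint filed against W6FDO
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Review the <a href="https://lmgtfy.example/?q=phish">https://www.fcc.gov/complaint</a> now.</p>
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="passwords.xlsm"

AAAA
--b1--
"""

def host(url):
    """Lower-cased hostname of a URL, or '' when the string is not a URL."""
    return (urlparse(url.strip()).hostname or "").lower()

def analyze(raw):
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Look-alike sender: the address the post describes as "slightly different"
    sender = msg["From"].addresses[0]
    if sender.domain.lower() != EXPECTED_DOMAIN:
        findings.append(f"sender domain {sender.domain} is not {EXPECTED_DOMAIN}")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # Hover check: visible link text that is itself a URL to another host
            for href, text in ANCHOR.findall(part.get_content()):
                if host(text) and host(text) != host(href):
                    findings.append(f"link shows {host(text)} but goes to {host(href)}")
        name = part.get_filename()
        if name and name.lower().endswith(MACRO_EXTENSIONS):
            findings.append(f"attachment {name} can carry macros")
    return findings
```

Running `analyze(SAMPLE_EML)` reports all three indicators for the constructed message; a real-looking link whose text is plain words ("click here") is not flagged by the hover check, since only link text that is itself a URL is compared.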


Phil Hopfner of the Information Technology department did a great job going the extra mile and creating this spoofed email that provoked both urgency and priority.  Very nice job Phil!!

Remember to always be suspicious about something you receive that you don’t expect or seems unusual.  If you aren’t sure, always contact the sender using a different means.

Monday, January 22, 2018

2017 Phishing Contest: An account harvester

This is another example of one of the contest entries that I wanted to share for educational purposes.  You can learn more about the phishing contest here:  http://www.w6fdo.com/2018/01/our-2017-phishing-contest.html

The submission below was a beauty.  It’s a great example of a targeted email to a group (Monterey County Library users) that could easily have been sent to thousands of people.  Combined with fake websites that can easily be created, its intent was to harvest account and personal information.  It’s professionally done, and many have said that they would have clicked the links and entered their information right away (even if it wasn’t supposedly sent from a real librarian =).




Remember to always be suspicious about something you receive that you don’t expect or seems unusual.  Contact the sender using a different means.  Very nice job Kris!!

Wednesday, January 17, 2018

2017 Phishing Contest: A solid targeted phish

This is an example of one of the contest entries that I wanted to share for educational purposes.  You can learn more about the phishing contest here:  http://www.w6fdo.com/2018/01/our-2017-phishing-contest.html

The submission below was a solid winner.  If it weren’t for the fact that the sender’s name was different from the name in the signature, I would probably have investigated the attachment to see if it was safe to open. =)

In this “phish”, Cody did some research online about me.  While many know that I am a fly fisherman, he discovered on LinkedIn that I am also a supporter of “Project Healing Waters”*, and used that to offer me free fly rods (they are expensive, so you can imagine the potential excitement =).  The paragraph is a natural introduction of the sender “Aleks” and has many elements of professionalism and real marketing in the language.  In fact, this is a real company (he misspelled the domain in the email address) and “Alex” Maslov is the real CEO.

In this instance, Cody utilized an attachment as the “hook”.  In real life, this attachment could contain malicious macros, or simply be a way to harvest personal information from me if I filled it out (such as tax info they need for the “gift”).



Remember to always be suspicious about something you receive that you don’t expect.  Very nice job Cody!!


* Project Healing Waters is dedicated to the physical and emotional rehabilitation of disabled active military service personnel and disabled veterans through fly fishing.  More info here: http://www.projecthealingwaters.org/

Our 2017 "Phishing Contest"

As part of our annual Security Awareness Training during 2017, we decided to try doing a "phishing contest".  This contest invited our employees to submit the best phishing emails they could create for the chance to win prizes.

Doing this type of contest was something very new for us.  While we weren't the absolute first organization in the world to do this (the University of Chicago did one, as an example), we discovered that it had not been extensively done before.  Even members of the SANS Security Awareness community were interested in what we were doing for the same reason.

Here's a summary of how we marketed this contest to our users.

Attackers are getting better and better these days at creating really good phishing emails, and it's getting harder and harder to tell the difference between a legitimate email and a fake one.


How can we become better at determining what's real and what's not?  By learning how it's done!  I often encourage people to have some fun and pick a friend that they know well.  Look up as much information about that friend on the Internet that you can find, and think about how you could take that information to create a really good phishing email (targeted at them) that would fool them!

When folks think about it, they realize it really isn't that hard to do.  And by trying it, we learn more about how hackers think and how they socially engineer people effectively.  That knowledge, in turn, makes us more suspicious, and better able to identify phishing attempts when they come our way.


We invite you to participate in the 2017 Phishing Contest!  Participation is completely optional and open to employees only.  The challenge is to create the best phishing email that you can, one that will trick us into believing it's real and tempt us into falling for it.  You are encouraged to do research about me on the Internet and create a "targeted" phish, or you can submit something on a different topic.  You must send it using your work email address (so we can find you if you win =), and you must write "2017 Phishing Contest" at the bottom of the email (so we don't accidentally think it's a real phish and just delete it =).

The deadline for submission is the end of 2017.  The Security Team will review all of the submissions, and the individuals who submitted the top FIVE entries will win $50 Amazon gift cards!
A brief video that was used for this marketing is here: https://www.youtube.com/watch?v=357GquKbofk 

So, how did it go?

We marketed to a good portion of our employee base of approximately 4,000 people (but not all, as some departments request that "optional" events such as these be filtered through them).  We received 32 submissions.  While this was a bit disappointing, we knew this was new to everyone and might take a couple of rounds before people caught on and felt more comfortable submitting something, or even realized how easy it is to do.  However, the ones we did receive were great.  It was a ton of fun receiving them, and reviewing them as a team in order to decide the winners was HARD!  Overall, the feedback from our users was very, very positive about the contest.  We received multiple positive comments, such as "You make security cool and fun!"   So we will do it again this year.

In the posts that follow this, I will share samples of the submissions in the form of educational emails sent out to our user community, using the winning entries (and some others too) to teach more about phishing awareness.