I don't like public tools such as Wordpress, which put you under the pressure of fixing vulnerabilities constantly or else your whole site may be jeopardized!

Hence I've disabled this blog till further notice. For now the old blog is in a read-only mode below - enjoy and please leave your comments in my Guestbook:


Cyber Security Awareness for Everyone

Recent Posts


  • Awareness Education – Phishing and Wi-Fi
  • Jan 21, 2015

    1. About Spear Phishing:

    90% of cyber intrusions and breaches start with SPEAR PHISHING. End users, i.e., humans, are the WEAKEST link in information security! One or a few clicks by an end user who receives the email can bring the entire corporate network to its knees… that's exactly how SONY got hacked by North Koreans.

    2. About Mobile and Public Wi-Fi:

    Think of how many smartphone users leave Wi-Fi on while not using it (and, even worse, have email or other apps auto-syncing). Once they have used a public Wi-Fi such as Tims or Starbucks, they can be at immediate risk of losing email or other personal information to malicious attackers, who can impersonate that public Wi-Fi easily, with only a smartphone!

    Contact me if you, your family, friends or organizations are interested in an educational presentation with demo.

    alphan3(at)yahoo(dot)com or bgk(at)hotunix(dot)com


  • How do companies run their own phishing tests with zero budgets?
  • Jan 19, 2015

    Please see my blog posts “Phishing Campaign: Part 1 and 2”. I can transfer the knowledge and send you on your way to run the test very effectively, yet on a very low budget. All you need is 1) an Apache server you administer, 2) an internal Outlook account, and 3) MS Word!


  • Looking for contracts…or volunteer opportunities!
  • Jan 17, 2015

    I am on a temporary leave from my main job. Contact me if you know any short-term (sub-)contracts in phishing tests or awareness education. If you are truly interested in security awareness for your organization but short of funding, I’d still love to talk to you as I believe this is about our public safety and security online!


  • Phishing Campaign: Part 2
  • Jan 2, 2015

    #2. How to send personalized mass emails using MS Mail Merge

    I will now explain how to automate Step “d” of Part 1: sending personalized phishing emails to a group of recipients (through the same Outlook server).

    First of all, create the list of recipients you intend to send email to. Each recipient will have his/her own unique URL link embedded in the email. At a minimum you need two columns: the first column holds the recipients’ email addresses, and the second their unique URL links. Optionally you can add two more columns, First Name and Last Name (and personalize those, too). For example (consistent with the previous steps):

    Firstname1 Lastname1 recipient1@company_domain http://phishing_test_site/link001.html
    Firstname2 Lastname2 recipient2@company_domain http://phishing_test_site/link002.html
    Firstname3 Lastname3 recipient3@company_domain http://phishing_test_site/link003.html
    ….

    This file will be the source of input to the following MS WORD process.

    The “Mail Merge” function in MS WORD (under the “Mailings” tab) can be used to personalize the email. The trickiest part is personalizing a hyperlink! It is not about how to store a personalized hyperlink in the MDB (MS Access) file; it is about how to insert a “merge field” into a hyperlink that is already rendered in the WORD file.

    Here are the steps after opening WORD:

    Mailings -> Start Mail Merge -> Step by Step Wizard…. This will create an MDB (Access) file, a .MSG (e-mail) file, and the WORD file itself. Except for the first time, each time the WORD file is opened, the MDB file is called to connect to and work with the WORD file.

    Now, to personalize the hyperlink, select “Insert Merge Field” under the “Mailings” tab while in WORD. It will show:

    { HYPERLINK first_instance }

    But when you save, close and re-open the WORD file and press Shift-F9 (which toggles the display of field codes), it will show:

    { HYPERLINK { MERGEFIELD URL } }

    Make sure the inner curly braces above are as thick as the outer ones, not thinner! Both pairs must be field-code braces (the kind WORD inserts for a field, e.g. with Ctrl-F9), not braces typed as ordinary text, or the merge field will not be evaluated inside the hyperlink.

    That’s all for today…Happy Testing & Measuring!


  • Phishing Campaign: Part 1
  • Jan 2, 2015

    Humans are the weakest link of the security chain, and end users are the focus of any security awareness program. One of the key factors of such a program is the ability to measure metrics that demonstrate the program's success. A prime example of such a metric is a phishing test run before and after awareness training. The main challenges of a phishing test are #1) identifying an offender (the person who clicks on the link), and #2) managing mass emails, in terms of both sending AND content creation.

    For the first challenge, most professional phishing services (PhishMe, Wombat or SANS) set a UNIQUE identifier in the URL link embedded in EACH phishing email. Even though everyone lands on the same educational page, the service can still track who clicked on the link, because each recipient has a unique identifier embedded in the link in the email he/she receives.

    I will demonstrate how to achieve this yourself by re-configuring your web (Apache) server, i.e., how to tag the URL link uniquely for each individual email recipient so that you can fully identify an offender from the web access log alone!

    I will then spend more effort explaining a solution to the second challenge, which is more involved: how to send personalized mass emails (with custom content, especially custom hyperlinks) in an automated fashion using Mail Merge (our example is MS Outlook).

    #1. How to uniquely identify an offender using web access logs

    The trick is simple if you are familiar with web server configuration. Here are the steps:

    a) Add the following custom error response to the Apache configuration file httpd.conf:

    ErrorDocument 404 /education.html

    b) Create the educational landing page “education.html” in the web root directory, containing the end-user awareness material.

    c) Restart the web server.

    d) Send a personalized phishing test email embedded with a unique URL link to each of the targeted users:

    Email containing "http://phishing_test_site/link001.html" sent to recipient 1
    Email containing "http://phishing_test_site/link002.html" sent to recipient 2
    Email containing "http://phishing_test_site/link003.html" sent to recipient 3
    ….

    Of course, the link00n.html files do not exist, so every request for one of them falls through to the 404 handler configured in step a).

    e) When a user clicks on the link in the email, he/she will see the educational landing page.

    f) The web access log will record entries like the following once these users click on the link:

    IP_of_user001 - - [dd/mm/yyyy:hh:mm:ss -0500] "GET /link001.html HTTP/1.1" 404 52
    IP_of_user003 - - [dd/mm/yyyy:hh:mm:ss -0500] "GET /link003.html HTTP/1.1" 404 52
    ….

    This way the phishing tester knows who clicked on the link, based on the unique identifier in the requested path alone.
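    A small analysis script for step f), added here as an example and not code from the original posts: it resolves the unique link in each access-log line back to the recipient from the Part 2 recipient table and computes the click rate used as the before/after training metric. The recipient table and the log lines are constructed samples; the log also contains unrelated 404s and the landing page itself, which the script must ignore.

```python
import re
from collections import defaultdict

# Constructed recipient table (the one built for Mail Merge in Part 2),
# reduced to the mapping the log analysis needs: unique link -> recipient.
RECIPIENTS = {
    "/link001.html": "recipient1@company_domain",
    "/link002.html": "recipient2@company_domain",
    "/link003.html": "recipient3@company_domain",
}

# Constructed access-log lines in Apache common log format, shaped like step f).
# Unrelated 404s and the landing page itself are mixed in on purpose.
ACCESS_LOG = """\
10.0.0.11 - - [02/Jan/2015:09:12:31 -0500] "GET /link001.html HTTP/1.1" 404 52
10.0.0.11 - - [02/Jan/2015:09:12:40 -0500] "GET /link001.html HTTP/1.1" 404 52
10.0.0.13 - - [02/Jan/2015:09:15:02 -0500] "GET /link003.html HTTP/1.1" 404 52
10.0.0.13 - - [02/Jan/2015:09:15:03 -0500] "GET /favicon.ico HTTP/1.1" 404 52
10.0.0.13 - - [02/Jan/2015:09:15:05 -0500] "GET /education.html HTTP/1.1" 200 1234
"""

# ip ident user [timestamp] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def find_clickers(log_text, recipients):
    """Map each recipient whose unique link was requested to [(timestamp, ip), ...].
    Only paths in the recipient table with status 404 count, so favicon requests,
    scanner probes and the education page are ignored (the ErrorDocument trick
    turns every link00n.html request into a 404)."""
    clicks = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET" or m.group("status") != "404":
            continue
        who = recipients.get(m.group("path"))
        if who is not None:
            clicks[who].append((m.group("ts"), m.group("ip")))
    return dict(clicks)

def click_rate(log_text, recipients):
    """Share of recipients who clicked at least once: the before/after training metric."""
    return len(find_clickers(log_text, recipients)) / len(recipients)

if __name__ == "__main__":
    for who, hits in sorted(find_clickers(ACCESS_LOG, RECIPIENTS).items()):
        print(f"{who}: {len(hits)} click(s), first at {hits[0][0]} from {hits[0][1]}")
    print(f"click rate: {click_rate(ACCESS_LOG, RECIPIENTS):.0%}")
```

    Mail gateways that pre-fetch links for scanning can also register as a click, so check the source IP (and the user agent, if your log format records it) before counting a hit against a person.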


  • Tabnabbing – a different, sneaky way of phishing
  • Sep 17, 2014

    “Most Internet users know to watch for the telltale signs of a traditional phishing attack: An e-mail that asks you to click on a link and enter your e-mail or banking credentials at the resulting Web site. But a new phishing concept that exploits user inattention and trust in browser tabs is likely to fool even the most security-conscious Web surfers.” …far sneakier when leveraging CSS History Attacks —

    http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/

    (Of course it’s always Spear Phishing that would be more damaging, as its scale, or target size, is smaller and can more easily hide from security detection.)


  • Managing Personal Online Risks
  • Jun 20, 2014

    We will talk a lot about security for Internet users at home! We will start from there…

    The office environment is similar for end-users, with more safeguards than at home (such as corporate firewalls and corporate security personnel).

    The targets of (spear) phishing against a corporation are typically finance/accounting people, so the awareness education should focus on them as well!
