Educause Security Discussion mailing list archives
Re: attempts sending fake phishing messages to students and/or employees
From: Bob Bayn <bob.bayn () USU EDU>
Date: Mon, 7 Jun 2010 19:37:26 -0600
Don Miller asked:
Has anyone attempted, or thought about, sending fake phishing messages to your students and/or employees?
Valdis Kletnieks replied:
If your message is "We will never ask you for your password", this is a *really* bad idea because it confuses your users and shoots your credibility. We usually just wait for a real phish to get reported, then block the address outbound and trap any attempts to reach it. Anybody who tries it gets targeted for re-education.
We toyed with this notion, but the decision was made by our state board of trustees, who sent a security audit team that conducted a fake phish as one of their activities. They phished about 750 addresses, as I recall, and it only took 20 minutes for the first inquiries to hit our helpdesk and begin an active discussion on our campus-wide tech support staff list. It also caused some long-lasting strains in relations between central IT (innocent bystanders in the decision) and parking services (target of the phish).

Meanwhile, as Valdis describes, real phishers give us the opportunity, once detected, to identify and contact recipients, send an explanatory warning, and install a DNS redirect of the host webserver or block the outbound address. That approach is only unsatisfying (to me) in a few ways:

1) Our response is triggered after a suspicious recipient reports the phish to us. This step usually happens within a few hours of delivery of the phish messages, so some recipients may have already "bitten".

2) The detected recipient list seems to always be more or less the same subset of users who have been on the 'net a while, so our followup education only goes to that subset. Some phishes may be going to a whole different subset of our users.

3) We can only block replies and website accesses from recipients who are on our network or using our SMTP services. At-home users and distance ed users can be harder to "protect" and identify.

4) Email for our whole student population has been outsourced to gmail, so we are unable to identify phish recipients in that major part of our population.

If we controlled a fake phish exercise, we could overcome many of those problems, but the credibility damage is an obvious deterrent for us.

Bob Bayn (435)797-2396
Security Team coordinator
"The pain of the exploit is worse than the pain of the patch." -Publilius Syrus
Office of Information Technology at Utah State University
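The reactive workflow Bob describes (a user reports a phish, the security team pulls the recipient list from the mail logs, warns those recipients and blocks the outbound address) depends on being able to see who actually received the message. The script below is an added illustration of that "identify recipients" step; it is not code from the list thread or from any of the institutions mentioned. It parses Postfix-style log lines (the log text, queue ids and addresses are constructed for the example; the domains university.example, students.example and attacker.example are placeholders), finds every delivery of messages whose envelope sender matches the reported phish, and then sorts recipients into mailboxes the campus runs itself versus mail relayed to an outside provider. That last split is Bob's point 4 in code form: once a message is handed to an external mail service, the local logs show the hand-off but nothing about who read it or replied.

```python
import re
from collections import defaultdict

# Constructed Postfix-style maillog excerpt (not real data). One phish run from
# a hypothetical spoofed "parking" address reaches three recipients; one of them
# is relayed to an outsourced student mail provider. A later, unrelated
# newsletter and a second phish delivery are included to show filtering.
SAMPLE_MAILLOG = """\
Jun  7 09:12:01 mx1 postfix/smtpd[1234]: 3A1B2C9D: client=mail.attacker.example[203.0.113.5]
Jun  7 09:12:02 mx1 postfix/qmgr[1101]: 3A1B2C9D: from=<parking@attacker.example>, size=1824, nrcpt=3 (queue active)
Jun  7 09:12:02 mx1 postfix/local[1250]: 3A1B2C9D: to=<alice@university.example>, relay=local, delay=0.3, status=sent (delivered to mailbox)
Jun  7 09:12:02 mx1 postfix/local[1250]: 3A1B2C9D: to=<bob@university.example>, relay=local, delay=0.3, status=sent (delivered to mailbox)
Jun  7 09:12:03 mx1 postfix/smtp[1260]: 3A1B2C9D: to=<carol@students.example>, relay=aspmx.l.google.com[172.217.0.27]:25, delay=0.9, status=sent (250 2.0.0 OK)
Jun  7 09:12:03 mx1 postfix/qmgr[1101]: 3A1B2C9D: removed
Jun  7 09:15:44 mx1 postfix/qmgr[1101]: 7F00E1AB: from=<newsletter@vendor.example>, size=5120, nrcpt=1 (queue active)
Jun  7 09:15:44 mx1 postfix/local[1250]: 7F00E1AB: to=<alice@university.example>, relay=local, delay=0.2, status=sent (delivered to mailbox)
Jun  7 09:20:10 mx1 postfix/qmgr[1101]: 91C2D3E4: from=<parking@attacker.example>, size=1830, nrcpt=1 (queue active)
Jun  7 09:20:10 mx1 postfix/local[1250]: 91C2D3E4: to=<dave@university.example>, relay=local, delay=0.4, status=deferred (mailbox full)
"""

# Postfix prefixes every per-message log line with the queue id; the from=/to=
# lines are what tie a sender to its recipients.
QUEUE_RE = re.compile(r": (?P<qid>[0-9A-F]{8,}): (?P<rest>.*)$")
FROM_RE = re.compile(r"^from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(
    r"^to=<(?P<addr>[^>]*)>, (?:orig_to=<[^>]*>, )?"
    r"relay=(?P<relay>[^,]+), .*status=(?P<status>\w+)"
)


def phish_recipients(log_text, reported_sender):
    """Return {recipient: (relay, status)} for every delivery of a message
    whose envelope sender equals the address taken from the reported phish."""
    senders = {}                  # queue id -> envelope sender
    deliveries = defaultdict(list)  # queue id -> [(rcpt, relay, status)]
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        fm = FROM_RE.match(rest)
        if fm:
            senders[qid] = fm.group("addr").lower()
            continue
        tm = TO_RE.match(rest)
        if tm:
            deliveries[qid].append(
                (tm.group("addr").lower(), tm.group("relay"), tm.group("status"))
            )
    result = {}
    for qid, sender in senders.items():
        if sender == reported_sender.lower():
            for rcpt, relay, status in deliveries.get(qid, []):
                result[rcpt] = (relay, status)
    return result


def triage(recipients):
    """Split recipients by what the campus can still do for them:
    local_delivered  - mailbox is ours; we can warn the user and watch for replies
    local_pending    - ours but not yet delivered; a recall or filter still helps
    relayed_offsite  - handed to an outside provider; our logs go dark here"""
    local = sorted(r for r, (relay, st) in recipients.items()
                   if relay == "local" and st == "sent")
    pending = sorted(r for r, (relay, st) in recipients.items()
                     if relay == "local" and st != "sent")
    offsite = sorted(r for r, (relay, _) in recipients.items() if relay != "local")
    return {"local_delivered": local, "local_pending": pending,
            "relayed_offsite": offsite}


if __name__ == "__main__":
    hits = phish_recipients(SAMPLE_MAILLOG, "parking@attacker.example")
    for bucket, addrs in triage(hits).items():
        print(f"{bucket}: {', '.join(addrs) or '-'}")
```

Matching on the envelope sender alone is the simplest first pass; a real triage would also key on the message-id or the phishing URL from the reported sample, since phishers rotate sender addresses within a single campaign. The `relayed_offsite` bucket is the list you cannot act on from the MTA side, which is exactly the gap the thread is discussing.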
Current thread:
- attempts sending fake phishing messages to students and/or employees Miller, Don C. (Jun 07)
- <Possible follow-ups>
- Re: attempts sending fake phishing messages to students and/or employees Valdis Kletnieks (Jun 07)
- Re: attempts sending fake phishing messages to students and/or employees Bob Bayn (Jun 07)
- Re: attempts sending fake phishing messages to students and/or employees Dave Kovarik (Jun 07)
- Re: attempts sending fake phishing messages to students and/or employees Ben Woelk (Jun 07)
- Re: attempts sending fake phishing messages to students and/or employees Lorenz, Eva (Jun 08)
- Re: attempts sending fake phishing messages to students and/or employees Ben Woelk (Jun 08)