Re: Testing the user community

[Carl Jongsma <info () skiifwrald com>]

Hello Kurt,

You might be interested in a recent writeup on the emergence of a new  
phishing technique that has been experienced in the wild.  If you are  
able to create a fake phishing attack that is equivalent to it, then  
it is pretty much guaranteed that your users will not pick up on it.   
The following is a cut and paste from the other lists where it was  
sent, but you should be able to work out enough from the details in  
order to scare your users.

For those interested in the original FD/SF phishing email about a new  
phishing technique being employed on a professional networking site  
(late last week), the investigation and subsequent report have been  
published.  Readers of 'The Register' will note a write up already in  
place with some feedback from the site involved.  Although the claim  
of 10 or so reports per month of similar scams being made are  
probable, I doubt that many (if any) have taken as much detailed  
involvement from the scammer before the phish is set.

http://www.theregister.co.uk/2007/01/29/ecademy_419_scam/

You can find the report at the following address:

http://www.beskerming.com/marketing/reports/index.html

Or, for the direct link:

http://www.beskerming.com/marketing/reports/ 
Beskerming_Phishing_Report_Jan_07.pdf

A higher detailed version is available upon request, which includes  
sufficient detail in the account screenshots for the profile text to  
be legible.

An Executive Summary for those who don't want to read the report:

 - Yes, it was a scam.  The scammer started out with a stolen  
identity, maintaining it all the way through the scam (even when  
confronted)
 - Ultimately it was a 419-style phish / scam that was traced back  
to Nigeria
 - The first recorded use of the particular stolen identity was  
November 06, with a very similar scam (though a more traditional mass  
spam email).
 - The scammer invested at least 2-3 days of communication and trust- 
building before beginning to seed the phish / scam
 - The initial round of the phish bait was mild enough to almost be  
missed.
 - The Networking site was VERY prompt in addressing the situation  
once notified (less than 5 minutes to remove the account when it  
reappeared and they were notified again).  Props to Ecademy in this  
case.
 - Sometimes you just need to be paranoid.

Any questions or queries, just ask them.

Carl

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com


On 31/01/2007, at 12:42 AM, webmaster () absolutenetworks biz wrote:

> We all know our weak link but how do you identify just how weak  
> they are? I
> think it's time to pen test my user community and have a couple  
> ideas to gather
> statistics on just how nonaware they really are. Maybe a simple  
> phishing scam
> and bogus email with a fake virus attachment that emails me when  
> it's opened so
> I can track how many folks actually opened it.  Has anyone ever  
> done this
> before? I can't find any information about it on the web.. thoughts  
> and ideas
> anybody?
>
> Many thanks
>
> Kurt
>
>
>
> ---------------------------------------------------------------------- 
> --
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php? 
> camp=701600000008bOW
> ---------------------------------------------------------------------- 
> --


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------