Penetration Testing mailing list archives
Re: Testing the user community
From: Carl Jongsma <info () skiifwrald com>
Date: Thu, 1 Feb 2007 16:44:32 +1030
Hello Kurt,

You might be interested in a recent writeup on the emergence of a new phishing technique that has been experienced in the wild. If you are able to create a fake phishing attack that is equivalent to it, then it is pretty much guaranteed that your users will not pick up on it. The following is a cut and paste from the other lists where it was sent, but you should be able to work out enough from the details in order to scare your users.
For those interested in the original FD/SF phishing email about a new phishing technique being employed on a professional networking site (late last week), the investigation and subsequent report have been published. Readers of 'The Register' will note a write up already in place with some feedback from the site involved. Although the claim of 10 or so reports per month of similar scams being made is probable, I doubt that many (if any) have taken as much detailed involvement from the scammer before the phish is set.

http://www.theregister.co.uk/2007/01/29/ecademy_419_scam/

You can find the report at the following address:
http://www.beskerming.com/marketing/reports/index.html

Or, for the direct link:
http://www.beskerming.com/marketing/reports/Beskerming_Phishing_Report_Jan_07.pdf
A higher detailed version is available upon request, which includes sufficient detail in the account screenshots for the profile text to be legible.
An Executive Summary for those who don't want to read the report:

- Yes, it was a scam. The scammer started out with a stolen identity, maintaining it all the way through the scam (even when confronted)
- Ultimately it was a 419-style phish / scam that was traced back to Nigeria
- The first recorded use of the particular stolen identity was November 06, with a very similar scam (though a more traditional mass spam email).
- The scammer invested at least 2-3 days of communication and trust-building before beginning to seed the phish / scam
- The initial round of the phish bait was mild enough to almost be missed.
- The Networking site was VERY prompt in addressing the situation once notified (less than 5 minutes to remove the account when it reappeared and they were notified again). Props to Ecademy in this case.
- Sometimes you just need to be paranoid.

Any questions or queries, just ask them.

Carl
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com

On 31/01/2007, at 12:42 AM, webmaster () absolutenetworks biz wrote:
We all know our weak link but how do you identify just how weak they are? I think it's time to pen test my user community and have a couple ideas to gather statistics on just how nonaware they really are. Maybe a simple phishing scam and bogus email with a fake virus attachment that emails me when it's opened so I can track how many folks actually opened it. Has anyone ever done this before? I can't find any information about it on the web. Thoughts and ideas anybody?

Many thanks
Kurt

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
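Kurt asks how to run a phishing exercise and measure how many users took the bait. The script below is an added example, not code from anyone in the thread; it swaps his "attachment that emails me when opened" for a per-recipient tracking URL and then counts clicks in an ordinary web-server access log. The campaign name, the host training.example.org, the recipient list and the log lines are all constructed for illustration. The security-relevant detail it shows is that each recipient's token is an HMAC over the campaign id and the user name, so nobody can forge a colleague's click or replay a token from an earlier exercise, and forged tokens are reported separately rather than silently counted.

```python
"""Tracked simulated-phishing campaign (added example, constructed data)."""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Campaign secret: held by the tester only, never embedded in the bait e-mail.
CAMPAIGN_KEY = b"constructed-campaign-secret"
CAMPAIGN_ID = "awareness-2007-02"            # hypothetical campaign name
TRACKING_HOST = "https://training.example.org"  # hypothetical tracking host

RECIPIENTS = ["kurt", "alice", "bob", "carol"]  # constructed population


def make_token(recipient: str) -> str:
    """Per-recipient token: HMAC-SHA256 over campaign id and user name, so
    tokens cannot be guessed, forged for another user, or reused from an old
    campaign. Truncated to 16 hex chars (64 bits) to keep the URL short."""
    msg = f"{CAMPAIGN_ID}:{recipient}".encode()
    return hmac.new(CAMPAIGN_KEY, msg, hashlib.sha256).hexdigest()[:16]


def tracking_url(recipient: str) -> str:
    """The link (or 1x1 image beacon) placed in that recipient's bait e-mail."""
    return f"{TRACKING_HOST}/notice?t={make_token(recipient)}"


def resolve_token(token: str) -> Optional[str]:
    """Map a token back to its recipient; None if it belongs to no one in
    this campaign. compare_digest avoids leaking partial matches by timing."""
    for recipient in RECIPIENTS:
        if hmac.compare_digest(make_token(recipient), token):
            return recipient
    return None


# Common Log Format: client ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def parse_clicks(log_lines: List[str]) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return ({recipient: time of first click}, [(client, bad_token), ...]).
    Each person is counted once; tokens that do not resolve are kept aside
    so forgeries or typos never inflate the click count."""
    clicked: Dict[str, str] = {}
    rejected: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, _method, path, _status = m.groups()
        parsed = urlparse(path)
        if parsed.path != "/notice":
            continue
        token = parse_qs(parsed.query).get("t", [None])[0]
        if token is None:
            continue
        who = resolve_token(token)
        if who is None:
            rejected.append((client, token))
        elif who not in clicked:
            clicked[who] = when
    return clicked, rejected


def report(clicked: Dict[str, str]) -> Tuple[int, int, float]:
    """(clicked, population, percentage): the rate is over everyone who was
    sent the bait, not over the lines that happened to reach the log."""
    return len(clicked), len(RECIPIENTS), round(100.0 * len(clicked) / len(RECIPIENTS), 1)


# Constructed access-log lines: alice clicks twice, bob once, someone tries a
# made-up token, and an unrelated request for favicon.ico is ignored.
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Feb/2007:09:12:01 +1030] "GET /notice?t={make_token("alice")} HTTP/1.1" 200 512',
    f'10.0.0.5 - - [01/Feb/2007:09:12:09 +1030] "GET /notice?t={make_token("alice")} HTTP/1.1" 200 512',
    f'10.0.0.9 - - [01/Feb/2007:09:30:44 +1030] "GET /notice?t={make_token("bob")} HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Feb/2007:09:31:00 +1030] "GET /notice?t=0000000000000000 HTTP/1.1" 200 512',
    '10.0.0.12 - - [01/Feb/2007:09:40:00 +1030] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for r in RECIPIENTS:
        print(f"{r}: {tracking_url(r)}")
    clicked, rejected = parse_clicks(SAMPLE_LOG)
    n, total, pct = report(clicked)
    print(f"{n}/{total} recipients clicked ({pct}%): {sorted(clicked)}")
    print(f"rejected tokens: {rejected}")
```

Two practical points follow from the design. The campaign key and the recipient list stay on the tester's side, so the bait e-mail carries nothing that lets a curious user enumerate other people's links, and counting first clicks per person rather than raw hits keeps a single user who opens the mail on two machines from being reported as two victims.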
Current thread:
- Re: Testing the user community Matthew Snider (Feb 01)
- <Possible follow-ups>
- RE: Testing the user community Des Ward (Feb 01)
- RE: Testing the user community Morris Sgt Derek P (Feb 01)
- Re: Testing the user community mblack9905 (Feb 01)
- Re: Testing the user community Javier Fernández-Sanguino (Feb 01)
- Re: Testing the user community webmaster (Feb 01)
- Re: Testing the user community Carl Jongsma (Feb 01)
- Re: Testing the user community Nicolás F . Iglesias (Feb 02)
- Re: Testing the user community Lee Lawson (Feb 02)
- Re: Testing the user community Nicolás F . Iglesias (Feb 02)
- Re: Testing the user community Pete Herzog (Feb 01)
- Re: Testing the user community Schanulleke (Feb 01)
- RE: Testing the user community Paul Melson (Feb 01)
- RE: Testing the user community webmaster (Feb 01)
- RE: Testing the user community Paul Melson (Feb 01)
- RE: Testing the user community webmaster (Feb 01)
- Re: Testing the user community Mister Coffee (Feb 01)
- Re: Testing the user community Thor (Hammer of God) (Feb 02)
- Re: Testing the user community Gadi Evron (Feb 05)
(Thread continues...)