Case study: the success of phishing campaigns
If a company has all the security measures in place to minimise the risk of infiltration of its computer network, there is only one weak link that can threaten its security. That link is the employees. People make mistakes, whether unknowingly or knowingly. End users are the target of social engineering campaigns. Sending a spoofed email with a link to a fake site is not a very difficult operation, and just one opening by a trusting user can result in the infection of a company computer. In this case study we will present our methodology and evaluation of its success.
What is phishing
Phishing is one of the biggest threats that every internet user faces. It is a form of attack where the attacker tries to lure the user's data by means of a fraudulent email message or a page that resembles a site or email known to him. If the attack is successful, login credentials or even access details to bank accounts are stolen. The most targeted group is seniors who are not well versed in internet security and are easily lured by fraudulent emails.
Most often, phishing attacks can be linked to topics such as:
- fake contests;
- the current epidemiological situation (for example, many attacks are occurring in connection with COVID-19);
- requests to update personal data;
- and others.
However, there are ways to effectively defend against it. In addition to a properly set up email system in the company (allowed and forbidden mail servers, spam filters, content filters, etc.), it is very important to make sure that employees are regularly trained in cybersecurity, thus ensuring their vigilance.
How to identify an attack?
- Emails from banks asking for account login via email, because banks and other reputable institutions never ask for account login in email messages.
- Hyperlinks in the message leading to an address other than the one mentioned in the text.
- A suspicious executable attachment is present or linked to.
- Immediate disclosure of sensitive data is requested under threat of restriction, cancellation or prevention of a service.
- The message contains atypical language.
How best to defend against such attacks?
- Regular employee training in cybersecurity.
- Do not reply to any unsolicited messages; it would be a signal that the address is in use and many more spam messages would follow.
- Only open messages from senders you really know.
- Be careful when clicking on links in emails you receive.
- Never give out account numbers, PINs, passwords, etc. to anyone.
- Do not send or upload personal data or banking information to unsecured websites.
How we proceeded
In the first step, we created a fake trusted website that was a faithful copy of the original XY website. It was a domain where only the ending was changed from "cz" to "ga". No data was stored at this stage, we only looked at how many employees opened the email, or even the page linked to in the email.
The second step consisted of creating several fraudulent and plausible email templates. In total, we created three, namely:
- Themed around XY's ongoing official competition; the links here led to a fraudulent site with a login screen.
- An email warning of new coronavirus measures in place, where the links again led to fraudulent login screen pages.
- An email alerting to a shared Microsoft Excel workbook with attendance for new employees; the links again led to fraudulent login screen pages.
The third and final step was to plan the campaigns. In total, five campaigns were created, using three templates that had already been created. The campaigns were not sent at the same time but over the course of two days. They were always sent to only part of the staff, where each group of target users received a different email.
- 1st Campaign – 99 users – email about the competition
- 2nd Campaign – 100 users – email with link to MS Word document
- 3rd Campaign – 100 users – email with link to MS Excel document
- 4th Campaign – 100 users – email about the competition
- 5th Campaign – 73 users – email with link to MS Word document
A unique identification code was generated for each targeted user, based on which it was possible to track when they visited the fake site and when they submitted the login form. No other data was collected. After completing the login form, users were redirected to the company's official website.
Based on our work, we have identified the findings presented in the next section. In the phishing campaigns that we conducted, we found that up to 38% of employees opened the emails and up to 31% of employees entered their login credentials.