Social engineering put to the test. How would your employees score?



In "Social engineering pentesting against your employees", I mentioned setting up your own phishing attempt against your employees as a user awareness campaign. It also gives you a realistic measurement of the percentage of employees who are susceptible to social engineering.

Apparently, the US Army did just that!

ALEXANDRIA, Va. (Apr 02, 2008) – More than 10,000 Soldiers, civilians and Family members with military e-mail addresses received an e-mail March 30 promising free tickets to area theme parks, with a link to a Web site that appeared to belong to the Family and Morale, Welfare and Recreation Command.

These e-mails were sent without the knowledge or consent of the Family and Morale, Welfare and Recreation Command (FMWRC) or installation MWR offices. These e-mails were "phishing" emails developed by the Army Computer Emergency Response Team (ACERT) in a Global Computer Network Defense exercise, Bulwark Defender 08 (BD08) to test the defensive posture of the Army LandWarNet.

FMWRC officials were not alerted to the exercise in advance because the unit "limits the number of trusted agents" in phishing exercises of this type, according to ACERT officials.
...
The e-mail and Web site created by ACERT were convincing enough to entice more than 3,000 people to click through, in part because of the use of the MWR web graphics and logo, and in part because patrons are used to receiving similar messages.

"We apologize for any inconvenience or false hope these e-mails may have caused. As users of Army network and information systems, you play an integral role in the Information Assurance and Network Security posture for the Army. As you know, phishing emails are a common method used by Hackers to infiltrate Army networks and systems. Your ability to identify and respond to phishing attempts is paramount to the defense of critical information systems that make up the Army LandWarNet. Soon, you will receive another e-mail from the ACERT that will provide education on how to identify "phishing" attempts as illegitimate.

We appreciate your participation in this exercise. Everyone plays a part in the security of the Army networks and systems. It is important for everyone to know the MWR brand can be trusted, so please forward this email to anyone you may have shared the original "phishing" email with." (Source: www.armyfamiliesonline.org)

Hmmm.... 3,000 out of 10,000 targets. That is 30%! If you do a similar exercise, get permission from executive management and work together with HR and Legal. I would like to see more people trying this exercise.
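To make the "percentage of employees who clicked" a number you can defend, each recipient needs a unique link, and the click count has to come from the landing page's logs rather than from guesswork. The script below is an added example, not code from the original post or from the ACERT exercise: it issues per-recipient HMAC-signed tokens (so tokens cannot be enumerated or forged), resolves hits in a standard Apache/nginx combined-format access log back to recipients, counts each person once, ignores unknown tokens, and computes the click-through rate. The campaign secret, the look-alike host `mwr-tickets.example.com`, the recipient addresses and the log lines are all constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical campaign settings, made up for this example.
CAMPAIGN_SECRET = b"bd08-demo-secret"       # keep this out of source in a real exercise
LANDING_HOST = "mwr-tickets.example.com"     # hypothetical look-alike host
LANDING_PATH = "/tickets"

# Constructed target list: ten made-up addresses.
RECIPIENTS = [f"user{i:02d}@army.example.mil" for i in range(1, 11)]


def make_token(recipient):
    """Per-recipient token: HMAC-SHA256 over the address, truncated to 16 hex chars.
    Unlike a sequential ID it cannot be enumerated by guessing, and a token seen in
    the log is checked against the issued set rather than trusted."""
    mac = hmac.new(CAMPAIGN_SECRET, recipient.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def phishing_url(recipient):
    """Unique landing-page link to embed in that recipient's mail."""
    return f"https://{LANDING_HOST}{LANDING_PATH}?{urlencode({'t': make_token(recipient)})}"


def build_campaign(recipients):
    """token -> recipient, used to resolve log hits back to a person."""
    return {make_token(r): r for r in recipients}


# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def clicks_from_log(log_lines, campaign):
    """Return {recipient: time of first click}.

    Only GET hits on the landing path carrying a token we issued count. Hits with a
    missing, malformed or unknown token (typos, forgeries, a scanner guessing) are
    ignored, and repeat clicks by the same recipient count once.
    """
    clicked = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if url.path != LANDING_PATH:
            continue
        token = parse_qs(url.query).get("t", [None])[0]
        recipient = campaign.get(token)
        if recipient is not None:
            clicked.setdefault(recipient, m["time"])
    return clicked


def click_through_rate(clicked, recipients):
    """Fraction of recipients who clicked at least once."""
    return len(clicked) / len(recipients) if recipients else 0.0


def _target(recipient):
    """Path-plus-query part of a recipient's link, as it appears in the log."""
    u = urlsplit(phishing_url(recipient))
    return f"{u.path}?{u.query}"


# Constructed access-log lines for the demo: three recipients click (one of them
# twice), one hit carries a forged token, one hits an unrelated path.
SAMPLE_LOG = [
    f'203.0.113.5 - - [30/Mar/2008:09:14:02 +0000] "GET {_target(RECIPIENTS[0])} HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [30/Mar/2008:09:14:40 +0000] "GET {_target(RECIPIENTS[0])} HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - [30/Mar/2008:09:20:11 +0000] "GET {_target(RECIPIENTS[3])} HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    f'198.51.100.2 - - [30/Mar/2008:09:21:07 +0000] "GET {LANDING_PATH}?t=0000000000000000 HTTP/1.1" 200 1532 "-" "curl/7.18"',
    f'198.51.100.2 - - [30/Mar/2008:09:21:08 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/7.18"',
    f'203.0.113.77 - - [30/Mar/2008:10:02:55 +0000] "GET {_target(RECIPIENTS[7])} HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
]


def run_demo():
    """Resolve the sample log against the campaign; returns (clicked, rate)."""
    campaign = build_campaign(RECIPIENTS)
    clicked = clicks_from_log(SAMPLE_LOG, campaign)
    return clicked, click_through_rate(clicked, RECIPIENTS)


if __name__ == "__main__":
    clicked, rate = run_demo()
    for who, when in sorted(clicked.items()):
        print(f"{who} clicked at {when}")
    print(f"{len(clicked)}/{len(RECIPIENTS)} recipients clicked ({rate:.0%})")
```

Two design points worth noting. Counting unique recipients rather than raw hits matters: the same person reloading the page, or a mail gateway's link scanner following the URL, otherwise inflates the rate. And because the token is derived from the address with a keyed hash, the report can be produced without ever storing which address maps to which token, but the secret must stay with the exercise team, since anyone holding it can mint a valid token for any target.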

1 comment:

CG said...

The best part of using phishing in your pentests is that you only need one person to click that link. With enough of a sample (thanks, Google!), your odds are pretty good.

The unfortunate part is that many organizations hand-wave over that part with "yeah, we know our user training program needs work, so just audit the servers" :-(