…Because they work.
One of the most popular forms of social engineering assessments that we do is Phishing. Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Because the risk with Phishing is often so high, testing against it is a good idea – which explains it being the most common form of social engineering we do. I’m always a little surprised by how successful we are when we run a more sophisticated attack. A recent engagement where we conducted a phishing attack as part of a broader due diligence effort for a merger in the pharmaceutical industry really illustrates the value of this type of test.
Our phishing attack was intended to capitalize on the employees of the life sciences firm being acquired knowing that the merger was occurring. We created a replica of the life-sciences company’s website on a highly similar domain. Through Social Media we were able to identify email addresses for approximately 95 of the 120 employees. We spoofed an email from the HR Director to the employees directing them to the website to review some changes to the compensation plan necessitated by the merger. We intentionally did not send the email to 13 employees who we felt would be most likely to identify it as being fraudulent in nature.
Of the 82 emails sent, 27 employees used their domain credentials to log into our spoofed website (these same credentials provided VPN access). This is consistent with other tests over the last few years where we have noted that for organizations without a Security Awareness Training program, ~33% of the employees can be phished successfully.
This particular test also generated an interesting spinoff: It revealed how poor the passwords were.
- 5 of the passwords were the name of the company followed by a number (three were years, one was a birthdate or start date, and one was 1)
- 4 of the passwords were the name of a child coupled with the birthdate or birth year)
- 2 of the passwords were the name of the local baseball team followed by a single number
- 3 of the passwords were references to God followed by a single number
So the Social Engineering exercise pointed out another problem – poor password management. One of the challenges with Windows Active Directory is that it is not simple to enforce “non-easily guessed” passwords and most employees have a preference for “most easily remembered passwords”. If you suspect it’s a problem in your environment – you may want to consider running a password audit. You can pick up a password cracking application and do it yourself or you can hire a third-party to do it.