Tales From the Road: Never Underestimate the Twisted Tactics Used in a Spear Phishing Campaign

Trick or treat? How we launched an email spear phishing campaign to trick one client’s employees into giving money to a local children’s hospital at Halloween as part of a social engineering test.

Think it’s twisted to use sick children to lure unsuspecting people to provide their credit card information to donate? You bet! Think tactics like this are beyond the schemes of an attacker who will go to any length to steal sensitive data? Never.

To demonstrate this point, we conducted a social engineering test which used a scenario leveraging an email phishing attack that exploited a relationship our client had with a local children’s hospital. This test proved that while training employees to recognize an email attack is always important, implementing technical controls is always the most important priority!

All Tricks, No Treats
In recent years, many high-profile cyber-attacks have leveraged phishing attacks. Phishing attacks are very common because they are effective and prey on an organization’s weakest link – its people. The high degree of success from these attacks can be attributed to multiple factors, which include an overall lack of properly trained employees and the increasing number of vulnerabilities being discovered in client software such as browsers and third-party applications that plug into the browser software.

This email spear phishing campaign launched against our client’s personnel leveraged a scenario based on information gathered from their company website. A little googling was all it took for our consultant to identify an association between our client and a local children’s hospital. Not unlike what a real attacker would do, our consultant devised a phishing attack scenario leveraging this association to lend credibility to the phishing campaign. While using children as the subject of an attack seems pretty messed up, the reality is that hackers are ruthless and will do whatever it takes to get the job done, making this test attack scenario extremely realistic.

The bogus scenario attempted to convince (aka “trick”) the employees that the local children’s hospital was teaming up with their organization to find volunteers and donations to help the kids in the hospital celebrate Halloween by getting a chance to Trick-or-Treat at the hospital. If helping sick kids wasn’t motivation enough, the scenario attempted to further entice the employees by offering a bonus day of PTO to those employees that signed up.

Launching the Attack
Our consultant created an email appearing to come from the company that the employees worked for. To add additional credibility to the email spear phishing attack, our consultant registered a doppelganger (read “fake”) domain to attempt to mimic the legitimate domain of the local children’s hospital.

The email sent to the employees contained a link which brought them to the phishing website, which appeared to be the children’s hospital’s actual website and displayed the tug-at-the-heart theme: “Every child deserves to trick-or-treat”. On this website, they were asked for their User ID and password, and they were asked to either sign up to volunteer or donate a dollar amount.

At this point, it’s a waiting game. Sit and wait for a bite. Even if only one employee takes the bait, that is all it takes to make the whole company reel. With just one employee’s log-in credentials, the attacker will have access to whatever internal (read “private” and “sensitive”) resources that the user had access to.

The Best Defense: Protecting Users from Themselves
Our client did very well in this attack scenario which resulted in a low success rate of under 5%. Even though our client’s employees are obviously well-trained and are not significantly susceptible to phishing attacks, the fact remains that even in organizations that have a well-implemented security awareness program there is always a handful of users that will be fooled and it only takes one wrong click to harm an entire organization. This is why the technical controls that protect the end user are so important. From controls that prevent the end user from receiving the email in the first place, to stopping the attack after the end user clicks the link, those additional controls that protect the end user from their own susceptibility are crucial.

This exercise uncovered two key strategic recommendations that can be used to thwart phishing attacks:

  • Implement Strong Technical Controls: We always recommend that companies implement strong technical controls to protect people from themselves. These controls will alert users to the fact that an email is coming from an external source. Other email phishing controls will identify an email as a phish and stop it from getting to users in the first place, which is key. In the case of this client, email filtering controls could be enhanced to provide additional capabilities for detecting and blocking malicious phishing emails from arriving in the targets’ inboxes. Additionally, an effective end-point security solution would go a long way to save the organization in the event the email got through, and the link was enticing enough to click.
  • Continue User Awareness Training: We recommend continuing regular security awareness training, including examples such as the scenario carried out by this attack in addition to other real-world attacks. This would showcase examples of threats and attacks being leveraged against employees and teaches or reinforces their responsibility in helping the organization to thwart such attacks.
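One concrete form the first recommendation can take is a mail-filtering check that tags external senders and quarantines messages whose sender or link domains are doppelgangers of the company's own domain or a trusted partner's domain. This is an added example, not code from the original post or the consultancy's own tooling; the domains, the sample message and the homoglyph table are constructed placeholders.

```python
"""Added example: tag external senders and flag lookalike (doppelganger)
domains in the sender address and in links. Domains are constructed."""
from __future__ import annotations
import re
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example-corp.com"}          # constructed: the client's own domain
PARTNER_DOMAINS = {"childrens-hospital.org"}     # constructed: trusted partner domain
# Common digit/letter substitutions seen in lookalike registrations (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def normalize(domain: str) -> str:
    """Fold multi-character and single-character homoglyphs to their ASCII lookalikes."""
    return domain.replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, trusted: set[str], max_dist: int = 2) -> str | None:
    """Return the trusted domain that `domain` imitates, or None if it is trusted/unrelated."""
    cand = registrable(domain)
    if cand in trusted:                      # exact match or a real subdomain: not a lookalike
        return None
    for t in trusted:
        brand = t.split(".")[0]
        if (normalize(cand) == normalize(t)          # homoglyph swap, e.g. hospita1 -> hospital
                or levenshtein(normalize(cand), normalize(t)) <= max_dist   # typo-squat
                or brand in cand):                    # brand embedded in another domain
            return t
    return None

def assess(sender: str, body: str) -> dict:
    """Run the checks over one message; returns findings and a quarantine verdict."""
    trusted = INTERNAL_DOMAINS | PARTNER_DOMAINS
    sender_domain = sender.rsplit("@", 1)[-1]
    findings = []
    if registrable(sender_domain) not in INTERNAL_DOMAINS:
        findings.append("external sender")              # drives the user-facing banner
    if (hit := lookalike_of(sender_domain, trusted)):
        findings.append(f"sender domain resembles {hit}")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        if (hit := lookalike_of(urlparse(url).hostname or "", trusted)):
            findings.append(f"link {urlparse(url).hostname} resembles {hit}")
    return {"quarantine": any("resembles" in f for f in findings), "findings": findings}
```

A message such as the one in this campaign (sender `hr@example-c0rp.com`, link to `https://www.childrens-hospita1.org/halloween`) is quarantined on two findings, while mail from a genuine `mail.childrens-hospital.org` passes with only the external-sender tag.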

The bottom line: Our consultant, who has been doing these tests for over 10 years, reports that at least one or two people are fooled every time. For this reason, even though security awareness training is important, it is not the #1 priority when it comes to protecting organizations from phishing attacks. The main defense against phishing attacks should always be implementing strong technical controls.

Think Your Organization Can Pass the Test?
Find out! Our social engineering testing team performs these routine tests to try to compromise as much as we can within an organization, to ensure someone with malicious intent won’t be able to. If your company is interested in seeing what vulnerabilities our social engineering testing team can uncover, contact us today.