Go phish your own staff: Dev builds open-source fool-testing tool

Security-oriented programmer Jordan Wright has published a capable and slick open source framework to help businesses defend against phishing attacks. The anti-phishing tool runs on 64-and-32-bit Windows, Mac, and Linux, and allows tech shops to send benign phishing emails to their staff in a bid to track which employees fall …

  1. Anonymous Coward
    Anonymous Coward

    Too simplistic

    It would count me as having fallen for it when I would (when bothering to respond) put false identity details and an (often very NSFW) password. I know others who do the same.

    Does the framework distinguish between those looking to waste the phisher's time, and those who submit real credentials?

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Too simplistic

      Well, if you click on the link in the e-mail you've already fallen for it... as there are also browser infection vectors that are utilised on the phish page (heavily dependent on browser version of course). As a poster above said, you're also confirming you're a live, responsive target - credentials are the icing on the cake.

    3. Anonymous Coward
      Anonymous Coward

      Re: Too simplistic

      The first trap is thinking you're more clever than the attacker.

  2. Paul Woodhouse

    hmm, I once did something similar with an Excel spreadsheet, it wrote the current logged in username into idiotlist.txt file on my server when opened and I then sent it to everyone from a throwaway email account ... I was actually quite impressed with just how few of them opened it, out of about 400 users, only 3 names ended up in the list... *sigh* one of them 4 times...

    on opening it silently wrote the name into the idiot list and then popped up a msgbox saying "HAHA, you've been infected with a virus, tell your IT monkey"...

    only 1 of them told me...

    1. Pascal Monett Silver badge
      Trollface

      The question is: where did you get rid of the rolled-up carpet this time?

      I sense a BOFH in the making . . .

  3. g00se
    Devil

    Recursive phishing

    So, as these become more popular will we see management getting fake anti-phishing (i.e. phishing) links?

  4. dotdavid

    An ex-employer sent me a snotty email once when I reported one of their phishing test emails as abuse to Google and told them I had. I very much doubt that Google did anything with the report but some wannabe-bigwig emailed me telling me my action had been "escalated" as it might have affected the success of the education campaign. Of course nothing further happened to me, but it did leave a sour taste in my mouth for doing the right thing.

    I think ignoring phishing emails, legit or otherwise, is the best policy.

    1. Anonymous Coward
      Anonymous Coward

      Damned if you do...

  5. jake Silver badge

    Oh my fscking gawd/ess ...

    Corporations STILL allow numpties who have zero clue about Internet[0] security un-fettered access to the corporate email system? The mind absolutely boggles ...

    [0] Whatever that is, of course.

    1. dgc03052

      Re: Oh my fscking gawd/ess ...

      "Corporations STILL allow numpties who have zero clue about Internet[0] security un-fettered access to the corporate email system? The mind absolutely boggles ..."

      Yes, some corporations are still primarily composed of people. Some bright at certain things, and not so bright at other things. Ok, and some really, really not so bright...

      1. Ed_UK

        Re: Oh my fscking gawd/ess ...

        "Yes, some corporations are still primarily composed of people. Some bright at certain things, and not so bright at other things"

        I think that attitude is part of the problem - calling people "less bright" just because they don't yet know what you know. It's the punchline of several computer-related yarns. Education is needed, not silly name-calling.

        I come to this site to learn stuff from the knowledgeable contributors, partly to stay safe but also because the topic interests me. We need to help the people who aren't directly interested in "all that computer stuff" but would be seriously inconvenienced by an attack (compromised email, bank etc).

    2. Anonymous Coward
      Anonymous Coward

      Re: Oh my fscking gawd/ess ...

      Welcome to the world of MS Outlook. The virus has been pre-executed for your convenience. Share and enjoy!

  6. TRT Silver badge

    Reminds me of that time...

    a guy took an iPad around the building saying that the IT security team were concerned about password strength, and had sent him round with an app to check it. The script went along the lines of

    "they can't check their files, as the passwords are all stored in an encrypted form. Don't worry, you don't have to tell me the password - we'd never ask anyone to tell us their password. All you have to do is type it into the app and tell me the score you get out of 100 for password strength. I'll write the score down next to your username."

    I understand they got over 80% of the passwords.

  7. Pascal Monett Silver badge

    "SaaS solutions that require you to hand over your data to someone else"

    Sounds like the ultimate phishing scheme to me.

  8. Kubla Cant Silver badge
    Trollface

    Phone phishing for phun

    I recently spent a few weeks at home. During this time I received at least three phone calls from India, telling me "Your computer is logging a lot of errors on the server". Their objective was to try to get me to install some kind of remote-access software.

    The first time, I carelessly revealed my lack of ignorance, and the caller quickly ended the call. Thereafter, I decided that I'd see how long I could get them to spend talking to me, on the basis that during that time they can't be scamming somebody else. I kept them waiting while "the computer is starting up", then I couldn't find the Start button. When asked to type a URL into the browser I'd deliberately misspell it, then read it back with painstaking phonetics: "H for Henry - sorry, I think that should be hotel - t for tango, t for tango, p for papa, then two little dots and two diagonal lines...".

    My record was 35 minutes, but a shorter call was more fun because the crook on the other end got really angry and started shouting insults down the phone.

    1. TRT Silver badge

      Re: Phone phishing for phun

      "You see the blue e icon? Now, open the window..."

      "Hang on... OK"

      "Click where..."

      "Speak up."

      "Click whe.."

      "Speak up!"

      "CLICK WHERE THE..."

      "Sorry. I still can't hear you. It's blowing a ruddy gale in here. Do I absolutely HAVE to have the window open?"

    2. Anonymous Coward
      Anonymous Coward

      Re: Phone phishing for phun

      Dammit, I want one of these. All I get are Indian ambulance chasers.

      1. Arthur the cat Silver badge

        Re: Phone phishing for phun

        All I get are Indian ambulance chasers.

        I get those too.

        Him: Have you had an accident recently?

        Me: Yes.

        Him: Was it serious?

        Me: Very. I died at first.

        CLICK.

        1. leaway2

          Re: Phone phishing for phun

          "have you ever worked in a noisy environment?"

          Pardon

          "have you ever worked in a noisy environment?"

          In a news department?

          "no noisy"

          Can you spell that? My hearing is not so good, as I used to work in a noisy factory.

          .......................................

          I can't believe it took 20 minutes for him to give up.

        2. JakHaxz

          Re: Phone phishing for phun

          This normally gets rid of them quickly in my experience.

          "Hello, Our records indicate you've recently been involved in an accident"

          "It wasn't an accident. That b*st*rd had it coming."

          Most hang up at this point, however I've had one that didn't, so I started ranting about said b*st*rd, not letting the caller get a word in.

    3. Arthur the cat Silver badge
      Trollface

      Re: Phone phishing for phun

      My record was 35 minutes, but a shorter call was more fun because the crook on the other end got really angry and started shouting insults down the phone.

      I do the same when bored. They usually get around to telling you to open the event log because it baffles most people who don't realise much of it is completely harmless information. This is when I really have "problems" and have to repeatedly ask them to run through that again because it isn't working as the program isn't found. In the end I say "shall I just more /var/log/messages?". A small number get it, most need the further explanation that my computer runs FreeBSD, not Windows. Invariably they shout at me for wasting their time.

      When busy I simply ask them which IP address they mean, as I run four class C subnets. That usually makes them go away.

    4. Fonant

      Re: Phone phishing for phun

      I managed 45 minutes once. Failed as I couldn't help laughing when the "support" guy told me that the IP address they had for my errors in the logs was 127.0.0.1.

      Another time it was a "lady" support person, who turned out to have a filthy mouth when she realised I had been playing her along.

      With one other I started trying to sell him a new website. We got quite chatty, and once he'd twigged what I was up to he offered to phone me every day for a chat. I said "why not", and he did actually phone me again, once.

      I haven't had a call from "Microsoft Support" for a while now. Perhaps my phone number has found itself onto a "don't bother" list.

    5. Old Handle
      Devil

      Re: Phone phishing for phun

      You can keep them playing even longer if you go ahead and install TeamViewer (or whatever they're using) in a VM. Assuming the one I got is the standard MO, what they'll do is run a bunch of pointless "computery" programs (defrag, tree command, etc) and claim to be cleaning up your system. Then they'll ask for money for a premium antivirus utility.

      Next time I'm tempted to drop them into a VM with actual malware (or possibly just a fake virus that randomly opens horse porn sites) and see what they make of it.

      1. TRT Silver badge

        Re: ... a fake virus that randomly opens horse porn sites...

        And if they attempt to clean that up, complain "No, no, no! Leave that. It's mine."

    6. EnviableOne Bronze badge
      Stop

      Re: Phone phishing for phun

      Kinda falls apart when you find out it's one of those that use a reverse-billed premium rate number.

  9. Alistair Silver badge
    Windows

    Happening real time.

    At least in a couple of companies this side of the pond, they are testing the end users. I'll be pointing a couple of folks at this.

    I've been around long enough that I happen to know far too many folks in my current employer. Last campaign on this front I got a call from the SDir for security - I was the 1st to file the mail as a phishing attempt and one of only 6 in the company to handle it properly. (it might have had something to do with the fact that I was up at 3:30 am on a change)

    I had to have a discussion with several of the folks I work with about *how* to handle crap like that. So -- even IT aware people can blow it.

    As a sysadmin with command and control access to *far* too many pieces of hardware I'll point out that in my books, if you've opened a web URI from one of these emails, you need to be fired. End of line. I don't leave passwords lying around on *any* disk unless those are in an encrypted form, but the risks of getting hit with a keylogger, dataslurp, or in fact ANY virus are so substantial in the sysadmin case that I have no sympathies for someone on that front.

    It's also why I try very hard not to use my Windows VM for anything I don't *utterly* need to use it for.

  10. BurnT'offering

    I foresee a problem

    In that our IT people could improve the quality of their email communications by taking English lessons from Nigerian scammers. Perhaps one way to spot a phishing attempt might be that you can actually understand the instructions?

    1. a_yank_lurker Silver badge

      Re: I foresee a problem

      And that's native speakers lol
