In the past, cyber-attacks became more common only in the professional community, but recently, attacks have increasingly affected ordinary citizens as well. Whether it is a medical organization or a smartwatch. Similar attacks, often “tailored” to a particular organization, are expected to continue. In such cases, the typical method of intrusion (attack vector) into the target network or application is through a phishing e-mail.

What is phishing?

Phishing is a fraudulent technique targeting users, as often the weakest link in securing most systems. By e-mail or another similar message, an attacker tries to deceive the user and force a certain seemingly harmless action, which, however, can fundamentally compromise the security of the information system. This can be entering credentials or running malicious code. In the first case, the phishing e-mail contains a link to a website where you can allegedly unblock the account after logging in, or take other necessary action, as explained in the e-mail. In reality, however, the linked website does not belong to the application it claims to copy and looks like, but it is located at a different address and stores the credentials entered. In the second case, when an attacker tries to run malicious code, the e-mail attachment contains some type of directly executable file, macros for MS Word and Excel are often used, or a link to download this file is attached. In this way, an attacker can gain remote access to the victim’s computer and the attacker’s internal network, exploit other vulnerabilities, attack other devices, and ultimately encrypt all data and demand a ransom (as Ryuk ransomware does).

Phishing emails can be sent blindly to thousands of users, including users for whom the attack is relevant (such as clients of a particular bank), or they can be targeted to a smaller group of specific users. This targeted phishing is called spear phishing. It can focus, for example, on employees of a specific company and the systems they use, or on employees in a certain position in several companies. These phishing e-mails are realistically mimicking the style of communication used and do not contain language errors. The success of such targeted attacks is then significantly higher, but also the complexity of their preparation.

Phishing, like other user-targeted attacks, uses manipulative social engineering techniques. Emotions such as fear of possible punishment are used, a stressful situation is often induced, when the user has to decide under time pressure, or, conversely, his willingness to help colleagues can be abused.

Phishing as a part of penetration tests

Phishing campaigns are not only run by malicious attackers but can also be a legitimate security test. The phishing test can take place independently or as part of a penetration test, which, in addition to vulnerabilities in the internal network or on interfaces available from the Internet, also scans the users themselves.

During the penetration test, an attack on the given information system is simulated to a certain extent, weak points are identified and examined, and possible consequences resulting from the use of this vulnerability are deduced. Unlike the actual attack, the penetration test does not result in the leakage of sensitive information or encryption of data, but the client receives a detailed report describing the vulnerabilities found and recommendations for their elimination.

Phishing testing, like other types of penetration testing, is typically provided by an external security company that has experienced staff, the necessary know-how and tools.

The specifications of the phishing test

Before the actual implementation of the simulated phishing campaign, it is necessary to clearly define the scope of the test with the client, ie primarily to determine:

  • what users to target,
  • whether the contracting authority provides e-mail addresses of employees or whether testers try to search for information on the Internet in the first phase,
  • a preliminary attack scenario, ie whether to try to obtain credentials (and to which system) or to run code; with a larger number of users, more phishing campaigns can take place for different groups of users and the success of these campaigns can then be compared,
  • requirements for the cooperation of the contracting authority, which may be relevant in testing whether the “malicious code” exceeds the technical measures used,
  • whether it is a one-time or repeated project,
  • possible other follow-up activities (user training, consulting services, etc.)

Tests are approaching a real attack, in which testers have a smaller amount of information at their disposal and they must first try to find it on the Internet (e-mail addresses, systems used, login interface addresses, etc.). On the other hand, such tests are more time consuming, which entails higher costs for their implementation.

After clarifying the scope of the tests, an attack scenario will be developed, especially the wording of the phishing e-mail itself. It can be, for example, a message from the IT department with a request to log in to a new version of the web application, a request to unblock access to the application, or an attached unpaid invoice. If required by the scenario, a fake login page is created, ideally of the same appearance with a similar address and a secure HTTPS connection.

After phishing emails are sent, the entered credentials or data sent after running the malicious test code are automatically captured. The highest number of records is usually obtained a few hours after sending e-mails, however, the data are recorded for about another week, so that, for example, employees who took a vacation can respond.

The basic indicator for evaluating a phishing campaign is its success, measured as the percentage of users who performed the action requested by the attacker. On the part of the IT department of the contracting authority, it is then possible to monitor the number of reported phishing e-mails. If multiple phishing campaigns run in parallel with multiple scenarios, you can compare their success. From the attacker’s point of view, some campaigns may be unsuccessful, if no user can be caught, or if some technical measures (antispam, antivirus) work. However, the success of a well-targeted campaign can often exceed 50%. However, even a single captured user may be enough to successfully compromise a network or system.

The output of the phishing test, as in the case of other penetration tests, is a final report that describes the course of the tests, the identified deficiencies and makes recommendations for improving the condition. The simulated phishing campaign can be followed by training of users in the field of IT security. The test itself, when properly conceived and presented, can be understood as a form of practical user training. Phishing tests and user training should best be repeated (eg annually), as users lose attention over time and staff turnover occurs. In the case of repeated tests, it is possible to monitor long-term trends and the effects of training on the success of individual phishing campaigns.

Benefits of phishing tests

Wondering how a secure phishing attack led by penetration testers can help you?

  1. Detects potential security vulnerabilities. Phishing email often comes at the beginning of serious security incidents.
  2. Tests, whether the deployed technical measures and security work, and against what type of attack.
  3. You will increase users’ awareness of the risks of e-mail communication, the positive training effect is not negligible.
  4. In combination with other types of penetration tests, it is a suitable simulation of the possibilities of a real attacker.

Of course, the correct configuration of systems and various technical measures – spam filtering, anti-virus solutions, whether within the e-mail server or at end stations, monitoring of security events and network communication, also have an irreplaceable role in defending against phishing and subsequent intrusion of the attacker into other systems. (SIEM, IDS / IPS). In addition to penetration tests, a company dedicated to comprehensive IT security can also help you in the above areas and will design a tailor-made solution that will suit your needs.

From us for you

We are aware of the seriousness of cyber threats and we have decided not to leave you alone. For new customers who order an internal or external penetration test, we offer a standard phishing test completely free of charge. We offer separate phishing tests for a limited time at a significantly discounted price. We will be happy to make you a non-binding offer. Write to us at business@axians.cz.