ShmooCon 2008: Unauthorized Phishing Awareness Exercise

posted Feb 15th 2008 7:35pm by Will O'Brien
filed under: cons

[Syn Phishus] presented a pretty interesting talk. At $former_company he prepared and executed a rogue internal exercise designed to heighten awareness of phishing scams. (That is, attempts to gather personal information from users with trickery.) After noting a certain lack of effort on the part of security policy implementation, he put together an official looking email, set up a simple phishing site that didn’t actually store any collected information and set loose the dogs of war. OK, he actually sent it to a select group within the company without warning anyone else ahead of time. He purposely didn’t store any of the results to protect the foolish, but he estimates that maybe 10% of the recipients fell for it.

Comments [6]

Reader Comments

why does he have to “estimate maybe 10%”, wouldn’t it be a simple calculation involving the number of emails he sent out versus the number of times the “submit” button was pressed?

Posted at 12:23 am on Feb 16th, 2008 by macegr

seriously macegr…

Posted at 12:40 am on Feb 16th, 2008 by ian

i think it’s a valid question, this is a conference about security, suspicion, and social engineering (e.g. fast talkers). once you start to make statements without citing facts, how is the audience supposed to figure out what actually happened versus what just sounds good at a hacker convention?

Posted at 4:28 am on Feb 16th, 2008 by macegr

that is a valid question. “estimates that maybe 10%” is rather vague.

Posted at 11:04 am on Feb 16th, 2008 by conrad

Since his goal was awareness rather than user intelligence testing, he set up the form to do the same thing if submit or cancel were clicked. Many people hit the site several times, so simple hit counting didn’t reveal any usable numbers. (Users were behind a proxy, so IP address counting wasn’t an option either.

Posted at 11:39 am on Feb 16th, 2008 by Will O\'Brien

good clarification, thanks. it just struck me as weird only because it seemed like such an easy metric to get.

Posted at 12:35 pm on Feb 16th, 2008 by macegr