ShmooCon 2008: Unauthorized Phishing Awareness Exercise


[Syn Phishus] presented a pretty interesting talk. At $former_company he prepared and executed a rogue internal exercise designed to heighten awareness of phishing scams. (That is, attempts to gather personal information from users with trickery.) After noting a certain lack of effort on the part of security policy implementation, he put together an official looking email, set up a simple phishing site that didn’t actually store any collected information and set loose the dogs of war. OK, he actually sent it to a select group within the company without warning anyone else ahead of time. He purposely didn’t store any of the results to protect the foolish, but he estimates that maybe 10% of the recipients fell for it.

6 thoughts on “ShmooCon 2008: Unauthorized Phishing Awareness Exercise

  1. why does he have to “estimate maybe 10%”, wouldn’t it be a simple calculation involving the number of emails he sent out versus the number of times the “submit” button was pressed?

  2. i think it’s a valid question, this is a conference about security, suspicion, and social engineering (e.g. fast talkers). once you start to make statements without citing facts, how is the audience supposed to figure out what actually happened versus what just sounds good at a hacker convention?

  3. Since his goal was awareness rather than user intelligence testing, he set up the form to do the same thing if submit or cancel were clicked. Many people hit the site several times, so simple hit counting didn’t reveal any usable numbers. (Users were behind a proxy, so IP address counting wasn’t an option either.

Leave a Reply to ianCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.