According to a 2016 Cyber Security Trend article, nearly one in three data breaches in 2016 were be attributed to phishing attacks as the initial point of ingress.   Furthermore, the article goes on to recommend user training and phishing simulation as the top preventive controls organizations can implement to help better protect their environments. With that said, we felt that it was important to illustrate to our subscribers just how simple it is for attackers to create a believable and effective phishing campaign.

The technical process of putting together a phishing attack is just a simple as creating a legitimate email, with just a bit of tweaking. It is the psychological part of phishing (or any social-engineering attack) that makes or breaks a successful campaign.

As you can see in the images below, creating a phishing email is as simple as gathering some HTML from a webmail provider, customizing the HTML to fit the attack, and setting up a phishing server.

Message Creation

 

HTML Customization

 

Set Up Phishing Server

 

Send

Incorporating this into your training program may or may not help an organizational staff increase their security awareness once they see how feasible and simple it is to create an attack. However it is equally, if not more so, important for staff to understand why these attacks are successful.

This example is a message that spoofs an alert from non-existent Gmail security team, regarding a non-existing event. A lot of people have Gmail, and a lot of people receive messages from Google alerting on account activity, which is why popular services such as Google are regularly used. A sophisticated attacker would use an attack like this in the wake of a recent headlining breach such as Yahoo, Target, Adobe, etc.

The scenario here would be that Google (or insert any major technology company) has recently been breached and the information is spreading like wildfire on the daily news. An attacker would leverage this breach along with a target list of Gmail users acquired from any number of publicly available sources, and exploit the legitimate concern of the potential victims by saying they have detected unusual activity on the account. Of course the attacker would provide a link for “more information” but that link would most likely point to a malicious resource.

Managers of security organizations should be cognizant of news headlines because attackers sometimes leverage them while emotions are running high. A daily or weekly security brief could be a valuable addition to a security awareness program by reminding staff that possibility of fraud is always out there.

Besides continual awareness and updates, organizations can also better protect themselves by encouraging users to validate sender addresses prior to opening any documents or links. In the scenario above a user could easily verify the senders address, or research what type, and from who, any such security notifications would legitimately come from. And the big one…if you haven’t yet, your organization should not be allowing access to personal webmail from inside your network.