Publications on Phishing and Phishing Tests

Every day attackers employ new tactics to phish Internet users regardless of their position in companies, presumed level of expertise, or employment field. Modern phishing attacks are orchestrated to exploit human vulnerabilities as much as technologies.

Ponemon Institute reported that the average company suffers from about 160 successful online phishing assaults a week. The

Such scary statistics along with the need for security compliances have forced organizations to step up their phishing countermeasures. Organizations are increasingly employing trainings, tests, and external services and tools to create awareness amongst their employees against phishing attacks.

Each day phishers come up with evolving tactics, circulate new believable phishing mails, and put up phishing websites that are almost indistinguishable from the original ones. As an Internet user, you must all the more rise up to those challenges.

Countering phishing challenges requires understanding the different phishing techniques, keeping up with phishing attack trends, identifying attacks as and when you encounter them, and some simple common sense.

There are abundant resources on phishing available on the Internet. Some of them are:

• Phishing-related books
• Online publications on phishing
• Discussion forums and mailing lists
• Phishing tests
• Phishing simulators

Phishing-related Books

Some of the popular phishing-related books are:

• Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft: Available both in hardcover and E-book edition, this book provides a clear insight on why phishing is one of the greatest cyber threats and how to detect and prevent phishing attacks. The authors, Markus Jakobsson and Steven Myers, starts off with a vivid introduction on phishing followed by a detailed analysis of the different phishing types. The well-structured practical countermeasure steps in the book make it well worth a read for beginners and professionals alike. Computing Reviews’ comment on this book, “I highly recommend this as a must-read book in the collection of phishing literature,” speaks for itself.
• Phishing Exposed: This one by Lance James is an excellent source of information on the phishing phenomenon. Primarily addressing the financial industry, the most affected by phishing attacks, this book addresses a wide range of audiences, starting from the average Internet user, to law enforcement, security professionals, on up through senior management. Phishing Exposed unveils the techniques phishers employ and provides actionable defensive techniques and tools to block them. You can purchase the book from Amazon both in paperback and Kindle edition.
• Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails: Authored by Christopher Hadnagy, Michele Fincher, and Robin Dreeke, this book addresses the most widespread phishing threat – phishing emails. This book presents some excellent insight on security breaches in high profile organizations, such as the U.S. retailer Target, RSA that itself is a leading security provider, and Coca Cola. It explains how to spot a spoofed e-mail or a cloned website. Overall, it’s an indispensable guide to spotting and blocking phishing attacks. This book is also available in paperback and Kindle edition.

Online Publications on Phishing

The Internet is full of valuable resources on phishing and its countermeasures. Some of them are in the form of information portals, publication databases, and blogs.

Information Portals

• gov: The federal government’s website to help you be safe, secure and responsible online. It has a large collection of articles, blog posts, and video tutorials that you can explore here to learn about phishing attacks and trends.
• United States Computer Emergency Readiness Team (US-CERT): A government institution responsible for analyzing and reducing cyber threats. The US-CERT portal maintains a large volume of phishing-related resources and also allows you to report phishing attacks. Reported phishing email messages and website locations are used by US-CERT to help people avoid becoming victims of phishing scams.
• Anti-Phishing Working Group (APWG): A coalition of 18,000 institutions that includes government and law enforcement sectors, NGO communities, financial institutions, retailers, solutions providers, and many industry verticals. APWG maintains an anti-phishing portal with a rich repository of phishing related resources, such as articles, technical whitepapers, consumer advice alerts, and news feeds. APWG also allows you to report phishing that APWG analyzes and informs verified credential collection sites that were used for phishing.
• DMARC: A standard to ensure that legitimate emails are properly authenticating against established standards, such as DKIM and SPF. Co-developed by Return Path and a consortium of mailbox providers and security vendors, DMARC is one of the most powerful weapon to date in the fight against phishing emails. The site is a great place to access articles, tutorials, videos, blogs, industry data, and FAQs to learn how this new standard is revolutionizing the fight against phishing emails.
• Infosec Resources: This is owned by Infosec Institute, a front-runner in information security training with a diverse lineup of training materials, products, and services. With free practice exams, training tools, awareness programs, and a vast content repository, Infosec Resources can boast to be nonpareil in the information security training domain. The phishing publications written by industry experts are highly recommended. To-the-point content that’s relevant to the latest happenings in the industry make the publications stand apart from the rest, and are must-read phishing resources for students, employees, employers, security consultants, and management staff.

Publication Databases

There are several publication databases contacting resources on phishing. Such databases provide a centralized platform to allow users to search and study various phishing topics with only a few clicks. Few of the key ones are:

• Science Direct: This one is a publication database primarily targeting researchers. Accessing phishing-based publications is easy. Begin your search with a key word or phrase, e.g. “phishing”, on the home page and you will be returned with around 2,300 results. One great thing is that you can purchase only relevant parts of a book or journal from Science Direct instead of the whole one.
• Google Scholar: One of the most popular sources for scholarly literature, Google Scholar holds an extensive repository of resources for learning and research from different academic publishers, online repositories, universities and professional societies. For a search for “phishing”, Google Scholar returned an astounding 41,600 results comprising of articles, theses, books, abstracts, and court opinions
• Microsoft Academic Research: This is a research service developed by Microsoft Research targeting the online research community. In this online database, you can search with a “search phrase”, and optionally limit your searches to one or more fields of study, such as Computer Science, Engineering, and Multidisciplinary. A search for “phishing” returned more than 1,500 results. The results, in addition to the publications, also include information about authors, year of publication, citation counts, and lots more.
• CiteSeerX: A scientific literature digital library and search engine with over 7,000 research articles on phishing in PostScript and PDF format.

Blogs

Some high quality blogs on phishing maintained by individuals and organizations are:

• Google Security Blog: Provides the latest news and insights from Google on security and safety on the Internet. A few phishing related posts that you should read are:
• Phishing phree
• Behind enemy lines in our war against account hijackers
• Safe Browsing protection from even more deceptive attacks
• Landing another blow against email phishing
• Avast Blog: A security blog maintained by Avast Software, one of the leading antivirus software developer and internet security services provider. The phishing blog category provides some great posts, a few of which are:
• New fresh phishing campaign hits Facebook
• ‘Tis the Season to Shop Online
• Don’t take the bait: Beware of web attack techniques
• Top 4 malicious phishing scams to look-out for during the holidays
• WombatBlog: This blog on cyber security is maintained by Wombat Security, a leading security awareness and training provider. Some interesting posts on phishing are:
• The Latest in Phishing: March 2016
• Business Email Compromise: When Hackers (and Competitors) Attack
• Why Spear Phishing Is Your Biggest Cyber Security Threat
• Bruce Schneier Blog: Probably the most well-known computer-security expert. The Economist has even gone on to call Bruce Schneier a “security guru”. With his wealth of information, Bruce Schneier has written a large number of books, articles, essays and papers on security matters. He has been writing on his blog since 2004. A few posts worth reading from his blog are:
• Phishing and Identity Theft
• Tabnapping: A New Phishing Attack
• Phishing Has Gotten Very Good
• Brian Krebs on Security: Brian Kerbs worked as a reporter for The Washington Post from 1995 to 2009. During his career with The Washington Post, Kerbs wrote over 1,300 blog posts for the Security Fix blog. He now regularly writes blogs, security news and investigations in his KerbsonSecurity website. A few of his highly informative posts are:
• Krebs’s 3 Basic Rules for Online Safety
• Phishing Gang is Audacious Manipulator
• Phishing Victims Muddle Tax Fraud Fight

A few other blogs related to phishing are:

• ZEDnet Blog
• IT Governance Blog
• Securelist Blog
• Cisco Blog
• Securiteam Blog

Discussion Forums and Mailing Lists

Discussion forums are great means to hold conversations on phishing in the form of posted messages. Some active forums related to Internet security are:

• Scam Victims United: An online message board formed to offer support and resources to online scam victims through message groups and networking with other victims. The Phishing Scams message group is specifically for scams related to phishing that users can report in to help others from becoming victims. A nonprofit organization, Scam Victims United also regularly posts new scams, offers support and assistance to victims, and spreads security awareness through their website.
• SteamRep Forum: This forum is maintained by Online Fraud Prevention Foundation, a nonprofit organization. The forum has an active community and is well moderated. You can view the discussions as a guest but you need to log in to reply or post a new discussion.
• WebProWorld: An online security forum with over 1,500 threads. Once registered in this forum, you can keep yourself abreast with the latest phishing attacks, report if you encounter one, or ask for help.
• com: A technical support site and a self-education tool with an active discussion forum. The security section of the forum is segregated into nine categories. You can find phishing-related questions and their replies under the Am I infected? What do I do? category. With 72,327 topics having 423,135 replies in this category, there’s a high probability of finding your phishing question already answered. Otherwise, you can register and post your question.
• Information Security Stack Exchange: This one has to be on the list even though it’s more of a question and answer forum rather than the traditional discussion forum. This site is all about getting answers. You register with the site and post your questions. There are thousands of security specialists who might be able to answer your question right away. You can also answer other users’ questions. The best thing here is that you would be interacting with the best security professionals in their fields.

Security mailing lists are maintained by security organizations to distribute the latest security news, trends, and articles to subscribers. Subscribing to an electronic mailing list typically involves providing your name and email ID. Some electronic security-based mailing lists are:

• US-CERT: https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new
• Open Source Security (oss-security) group: http://oss-security.openwall.org/subscribe
• Intel Security Support Notification Service (SNS): https://sns.snssecure.mcafee.com/content/signup_login
• Bugtrack maintained by SecurityFocus: http://www.securityfocus.com/
• Full Disclosure: https://nmap.org/mailman/listinfo/fulldisclosure
• PhishTank: https://www.phishtank.com/mailing_lists.php

Phishing Tests

Let’s start with some questions:

How good are you at spotting the difference between a legitimate email and a phishing one?

Can you differentiate a legitimate site from a phishing site?

What signs do you look out for in a phishing email or site?

If you aren’t sure about the answers, you should self-test yourself by taking an online phishing test. There are several tests on phishing available and, most are free. But two tests that you should definitely consider taking are the SonicWALL Phishing IQ Test of Dell Security and the OpenDNS Phishing Quiz of Cisco.

SonicWALL Phishing IQ Test

This is a free online test for correctly identifying if an e-mail displayed on screen is a “Phish” or “Legitimate.” There are ten test questions, each presented with three options: No Answer, Legitimate, and Phishing. You need to select one and submit your answer.

SonicWALL Test Question

Once you complete the test, your score will be displayed. You’ll also have the chance to review why a question that you answered incorrectly was a phish or legitimate.

SonicWALL Test Result

OpenDNS Phishing Quiz

This online quiz tests your ability to differentiate between a legitimate website and one that’s a phishing attempt. The quiz tests you with 14 questions. Each question presents you a screenshot of a website that you have to confirm either as PHISH or REAL.

OpenDNS Quiz Question

Once you complete the quiz, you are presented with the result and the chance to review any incorrect answers.

OpenDNS Quiz Result

If you don’t score well in the above mentioned tests, don’t get disheartened. Majority of users don’t get them right – and that includes security professionals. Last year, Intel Security Group (previously McAfee Inc.) circulated a similar phishing email quiz amongst their customers. Once it was over, they released the statistics:

Phishing Simulators

Cyber attackers come up with new and innovative phishing attacks almost on a daily basis. Security experts agree that no technology solutions can fully combat phishing attempts. You can’t rely on technology to weed out a well-crafted phishing email before it reaches the intended target. The consensus on the best defenses is to bolster the “human firewall,” and one such innovative approach is carrying out simulated phishing attacks on users.

Jack Koziol, President and Founder of InfoSec Institute, states that Employee awareness retention rates are almost doubled 12 months after a simulation program is implemented, at 40% instead of 20%.

Simulated phishing attacks in organizations involve creating phishing emails similar to those traversing the Internet and circulating them among employees. The period of circulations and the number of emails being sent out can be configured. The emails also vary in complexity, but typically contain clues that indicate the email is not legitimate. The objective is to test whether the employees can identify the clues and not fall for the attack.

Manually launching and managing a simulated phishing attack is cumbersome. Therefore, organizations employ professional phishing simulators.

SpearPhisher

SpearPhisher, a product of TrustedSec, is a Windows GUI tool that runs phishing campaigns. SpearPhisher is simple to use – just download, extract, and double-click on the executable to launch it.

The SpearPhish GUI

To use SphearPhisher, you need to specify an SMTP server to send out your phishing campaigns. You can specify the SMTP setting in the SMTP Settings section. Once done, starting a phishing campaign is easy. With the default campaign template, all you need is to add one or more email IDs, separated by semicolon (;), that you want to target in the To field.

Click the Send Email button to send out your campaign. SpearPhisher confirms the emails that were successfully sent.

Email Sending Confirmation

The campaign targets receive the phishing e-mail, similar to this.

Received Email Example

PhishSpear allows bulk loading of email-IDs from a file with one recipient email ID per line in the file. Another useful feature is the support for sending attachments. Although PhishSpear comes with a single default template, you can use the editor to easily create your own templates. If you are HTML savvy, you can add HTML code to create more professional looking campaigns.

PhishSpear, being a Windows executable, cannot be used on other Operating Systems. Also, reporting, the key feature of any phishing simulator, is missing in PhishSpear. Once you launch an e-mail campaign, you never know whether the receiver opened the email or clicked links on it.

Currently, PhishSpear is in beta stage, so you can look out for more features in further releases. Overall, it’s an easy-to-use phishing simulator for non-technical users to perform ad-hoc phishing email tests.

However, this may not be enough for your enterprise. If you are looking for a comprehensive (and also free) phishing simulator, an even stronger option exists.

SecurityIQ

SecurityIQ is a cloud-based service that combines:

• PhishSim: A phishing simulator
• AwareEd: Computer-based security awareness training

Being an easy-to-use product with an intuitive user interface, SecurityIQ has become the first choice for organizations, not only for cybersecurity compliance, but also to develop and enhance the organization’s Security IQ. Moreover, because it’s a cloud-based service, organizations don’t need to buy or maintain any extra hardware or software.

SecurityIQ is a subscription based product, but a trial version is available with some usage limitations. As I mentioned earlier, SecurityIQ has a very easy workflow to run a phishing campaign. Once you register and login to Security IQ, the first thing you’ll encounter is the Dashboard from where you can launch new phishing campaigns and view information about your recent campaigns.

SecurityIQ Dashboard

All the features of SecurityIQ are accessible from the Dashboard. Let’s look at the key features.

Add Learners

Learners are end users whom you target in a simulated campaign. You can assign learners to one or more groups. Think of a group as a collection of learners that you want to target in a campaign. To create a group and add learners to it:

1. Select Learners->Groups from the main menu.
2. Click on the New Learner Group button on the Learner Groups

The Learners Group Page

3. On the New Learner Group page that appears, type a group name in the Group Name text field. Under the Add Manually section, type the email ID, first name, and last name of the learner and click on the Add () icon. Finally, click on the Create Group

Creating a Group

Instead of manually adding one learner at a time, you can store learners’ data in a CSV file and upload the file to SecurityIQ. The CSV file must end with the .csv extension and the first line of the file must be the header, exactly like this.

First Name, Last Name, Email

The header is followed by entries for learners, similar to this:

John, Doe, jd@test.com

Kate, Brandon, kb@test.com

Configure Template Batteries

A template battery is a group of phishing templates. During a campaign round, one phishing email from each of the templates in the battery will be sent to the learners. To configure template batteries:

1. Select PHISHSIM->Batteries from the main menu.
2. The Template Batteries page lists the existing batteries. Click on the New Template Battery button to create a new one.

Template Batteries Page

3. The New Template Battery page displays all the available templates and a search option to view templates of a specific category. Statistics on the effectiveness of each template are displayed in percentage. The statistics indicate the percentage of learners opening emails of the template (Open Rate) and the percentage of learners falling for a phishing attack (Phish Rate).

Inbuilt Templates with Statistics

4. Click on a template’s magnifier icon () to view its content.

Template Content

5. When satisfied with a template, select the checkbox below it to add the template to your battery. Once you have added one or more templates, specify a name for the battery, and click on the Save Battery

Saving a Campaign Battery

Set up a Campaign

SecurityIQ provides a wizard to set up a phishing campaign. The wizard guides you through the steps to add learners who would receive phishing emails, select template batteries to generate emails, and schedule the campaign. To set up a campaign, click on the NEW PHISHING CAMPAIGN button on the dashboard, and then perform the following steps:

1. In the CAMPAIGN SETTINGS step, type a name for the campaign in the Campaign Name SecurityIQ gives you two options to start a campaign. One is for a campaign that targets real learners and the other for a campaign that targets one of three groups of 500 simulated “bot” learners. The latter option is for prospects and new users who aren’t ready to target real learners. To set up a test campaign with bots, select the Create a test campaign with learner “bots” option, and then click on the Next: Select Learner button.

Step 1 – Campaign Settings

2. In the SELECT LEARNERS step, click on a learner group to add to the campaign in the Learner Groups text area. The Selected Groups text area displays the group you selected. Click on the Next: Select Templates button to proceed.

Step 2 – Select Learners

3. In the SELECT TEMPLATES step, click on a battery in the Available Batteries The Selected Batteries textbox displays the battery you selected for the campaign. Click on the Next: Schedule Campaign button to proceed.

Step 3 – Select Templates

4. In the final SCHEDULE CAMPAIGN step, carefully go through the displayed information about your campaign settings. Observe the calculations that help you understand how many emails, how many notifications, how much training, and so on that you just set up. Confirm the default values of the Start Date, Length (days), and Repeat fields related to the campaign schedule. If you want to change the default values, modify them in this step. Click on the Schedule Campaign

Step 4 – Schedule Campaign

Performing the preceding four steps is all that’s required to set up a phishing campaign. Your campaign will be listed under the Campaigns section of the Dashboard.

Campaign Information on the Dashboard

Analyze Reports

SecurityIQ comes with a powerful reporting module for phishing campaigns. Once you set up a campaign, you can analyze the following:

• Percentage of phishing emails opened.
• Percentage of successful phishing attacks.
• Date of the campaign run.
• Phishing emails sent to learners.
• Learners who opened a phishing email.
• Learners who were phished.
• Learners who avoided a phishing email.

To view the report of a campaign run:

1. Log on to SecurityIQ and click your campaign on the Dashboard. Details of your campaign run are displayed.

Details of a Campaign Run

2. To view the report of the campaign run, click the Report () icon in the Result The report is displayed in a tabular format.

Report of a Campaign Run

References:

http://resources.infosecinstitute.com/phishing-and-social-engineering-techniques/

http://resources.infosecinstitute.com/a-brief-history-of-spear-phishing/

http://resources.infosecinstitute.com/phishing-and-social-engineering-techniques/

http://resources.infosecinstitute.com/phishing-dangerous-cyber-threat/

https://securityiq.infosecinstitute.com/

http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#14089b003bb0

https://www.netiq.com/communities/cool-solutions/netiq-views/84-fascinating-it-security-statistics/

https://blogs.mcafee.com/consumer/phishing-quiz-results/

http://resources.infosecinstitute.com/wp-content/uploads/Security-Awareness-Training-Best-Practices.pdf

Be Safe

Section Guide

Simanta
Sarma

View more articles from Simanta

Motivate Your Workforce to Care About Security! Transform end user behavior with 1,200+ SecurityIQ awareness training tools

Request Demo