Domain registrar and web hosting company GoDaddy recently raised eyebrows and the collective ire of Reddit over an email phishing test it conducted on its employees. The company sent an email to employees promising a cash bonus, in the spirit of Christmas, to ease the economic burdens they faced due to the Covid-19 pandemic. The email included a link to a registration form that collected employee information under the guise of confirming employee status and "ensuring everyone gets the bonus". Employees who completed the form didn't receive a cash bonus but a notice of required security refresher training.
News of the test sent the technology reporter pool into a tizzy and brought down the collective ire of self-righteous Internet forum warriors. Some of the criticism was pointed and legitimate. Poor topic? Yes. Poor timing? Yes. Entrapment? Maybe. GoDaddy should have recognized the sensitive content and the poor timing of its delivery. The betrayal felt by employees is understandable.
Ok, but you still clicked the link. You could have compromised the entire network and therefore the integrity of the company. GoDaddy played dirty pool, but so do the bad guys. Do you think a Russian crime group dedicated to compromising your company's computer network ever has moments of self-reflection where they say "Wow, this is just going too far. We need to let this pass"? Do you think they have an open-door policy or a corporate ethics officer? Hell no they don't. They are criminals. Betraying your emotions and stealing your candy is their job, and they will stop at absolutely nothing to ensure success.
Those involved in the debate fall into two camps: security and non-security.
In 2016, Dr. Zinaida Benenson of Friedrich-Alexander University of Erlangen-Nuremberg (Bavaria, Germany) conducted a study to measure the rate at which students would click links in messages received from unknown senders. Of course they clicked the links. There is little value in that finding. The true value of the study is the reason why they clicked.
Dr. Benenson's study involved 1,700 university students. They were first interviewed to learn their self-assessed security awareness and understanding of phishing attacks. 78% of the students expressed an understanding of the dangers of clicking a link received from an unknown sender.
The students were later sent emails and Facebook messages from sender names they could not possibly have known, since the accounts were fictitious. The messages referenced a New Year's Eve party, and the link supposedly went to an online album of photos taken during the party.
Why are business email compromise attacks so effective?
Because people are Helpful.
Because people are Trusting.
Because people are Obedient.
Phishing and Business Email Compromise attacks are acts of social engineering. They are attacks on humans and they prey upon human emotions. The most effective phishing emails exploit the target's emotions of Obedience, Fear, Kindness, or Curiosity. The most effective BEC emails target the employee's sense of obedience.
Employees want to be good workers. They want to excel at their jobs and win the praise of their supervisors. Imagine you are an accounts payable clerk or junior accountant and the CEO walks into your office and says "Jump." Are you going to ask how high, or are you going to ask why?
One of the biggest fears most employees have is failing at their jobs, or at least looking like they are failing. No one wants to question the boss and risk appearing incompetent or untrusting. Even when employees think the email directing a high-dollar wire transfer is suspicious, many times the urge to carry out the task with diligence and obedience overcomes the suspicion.
This week, the Milford Daily News detailed a Business Email Compromise attack executed on the city of Franklin, Tennessee. The city's treasurer executed a wire transfer that resulted in a $522,000 loss to the municipality. The city manager described it as a "sophisticated cyber fraud". It was not. It was a standard spear-phishing attack taking advantage of an organization with untrained employees and insufficient security controls.
People often attempt to promote themselves or bolster their credibility by claiming they do good deeds. I am always amused by people who do this by claiming to do things we are all expected to do anyway. "Why would I steal that? I pay all my bills." or "I'm just out working hard trying to make it; I take care of all my kids." In some social settings such acts do set the claimant apart from their neighbors and peers, but in reality it is what they should be doing anyway. Every member of society is expected to meet these basic responsibilities. You should pay ALL of your bills and you should take care of ALL of your children.
The Git repository and DevOps platform GitLab received some very positive press this week for conducting a phishing simulation on its employees. The GitLab Red Team used the open-source phishing-campaign framework GoPhish to target a sample of fifty employees with an email offering a laptop upgrade. Not surprisingly, a significant portion of the test subjects failed. Thirty-four percent of those tested clicked the link, and fifty-nine percent of those who clicked went on to enter their credentials. That works out to ten employees handing their GitLab corporate credentials to the "bad guys".
My agency recently conducted a "phish your own" campaign and the results were, as usual, disappointing. Or maybe shocking. I was unaware that the message was going to be sent, but as soon as it hit my inbox I asked my office mate whether he had also received it. When he said yes, I declared it a phishing simulation, as there was no way the spam filter would not have caught it otherwise. The email had more red flags than a pre-hurricane beach. Yet, ridiculous as the email was, over twenty people still fell for it. In a real-life situation that is twenty opportunities for attackers to access our network.
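The "red flags" in a message like that are mechanical enough that they can be checked by code as well as by a suspicious office mate. Added here as an illustration, not code from the original post and not the tool any of the organizations above used, is a small Python scorer that looks for the usual tells: a display name that claims to be internal while the sender domain is not, a Reply-To that points somewhere else, pressure language in the subject or body, anchor text that shows one host while the href goes to another, and look-alike domains. The organization domain `example.com` and both sample messages are constructed for the example.

```python
"""Heuristic red-flag checks for a suspected phishing email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the recipient organization's legitimate mail domain (constructed).
ORG_DOMAIN = "example.com"

# Phrases that pressure the reader with urgency, reward, or authority.
PRESSURE_PHRASES = (
    "bonus", "urgent", "immediately", "within 24 hours", "verify your",
    "confirm your", "account will be", "wire transfer",
)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, tolerating a missing scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to catch look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_red_flags(raw_message, org_domain=ORG_DOMAIN):
    """Return a list of human-readable red flags found in an RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    brand = org_domain.split(".")[0]

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if from_domain != org_domain and brand in display_name.lower():
        flags.append(f"display name claims to be internal but sender domain is {from_domain}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append(f"Reply-To domain differs from From domain ({reply_to})")

    # Gather body text from plain and HTML parts; collect links from HTML.
    parts = msg.walk() if msg.is_multipart() else [msg]
    body_text, links = "", []
    for part in parts:
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        body_text += payload
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(payload)
            links.extend(collector.links)

    lowered = (msg.get("Subject", "") + " " + body_text).lower()
    hits = [p for p in PRESSURE_PHRASES if p in lowered]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))

    for href, text in links:
        href_host = _host(href)
        text_host = _host(text) if "." in text and " " not in text else ""
        if text_host and text_host != href_host:
            flags.append(f"link text shows {text_host} but points to {href_host}")
        if href_host and href_host != org_domain and not href_host.endswith("." + org_domain):
            if brand in href_host or _edit_distance(href_host, org_domain) <= 2:
                flags.append(f"look-alike domain in link: {href_host}")
    return flags


# Constructed sample: a "holiday bonus" lure of the kind discussed above.
SAMPLE_PHISH = """\
From: Example HR Team <hr@example-payroll.net>
Reply-To: bonus-desk@mailer-example.net
To: staff@example.com
Subject: Confirm your holiday bonus
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>To ensure everyone gets the bonus, please confirm your details within 24 hours:</p>
<a href="http://examp1e.com/bonus">https://hr.example.com/bonus</a>
</body></html>
"""

# Constructed sample: an ordinary internal notice that should raise nothing.
SAMPLE_BENIGN = """\
From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Laptop refresh schedule
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Laptop refreshes begin next month. The schedule is posted on the intranet.
"""

if __name__ == "__main__":
    for flag in phishing_red_flags(SAMPLE_PHISH):
        print("-", flag)
```

None of these checks is conclusive on its own (a legitimate vendor mail can have a foreign Reply-To, and "bonus" appears in plenty of honest HR email), which is why the function returns the individual findings rather than a verdict: several at once is the "pre-hurricane beach" signal a reviewer acts on.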
So here are a few quick and easy ways to spot a phishing message.
In policing we have a simple saying to explain the monotony of continuously mitigating the poor choices of society: "same stupid thing, different stupid people". Much like your favorite gif from the subreddit r/holdmybeer, rope swings and mini-bikes never end well. Criminals keep using the same tricks to victimize different people, and different people keep making the same poor choices and becoming victims. It's a never-ending loop. The faces change; the poor choices don't.
In the most recent illustration of this concept, a cybercrime group dusted off a 15-year-old attack tool to victimize a new crop of fresh-faced college and university students. Most of these students were still learning to read the first time this tool was released to victimize the fresh-faced and naive college students of that day.