By Renier van Heerden and Schalk Peach, South African National Research Network (SANReN)
During the worst of the Covid-19 lockdown, we decided to run an internal phishing campaign. These campaigns are usually designed to test for weaknesses in information security awareness and corporate governance, and to a certain extent, to the security of information systems.
Since most of our colleagues were working from home, and new administrative systems were made available online, we (our little CSIRT) thought it would be an excellent time to run an internal phishing campaign. Here are the steps that we followed:
- Permission Gathering
- Searching for Publicly Available Information
- Technical Set up
The first step was to get permission from the big boss. He thought it was a great idea. Next, we contacted our IT department. We did not want them to respond unnecessarily and to shut down systems during our exercise. They also thought it was a great idea, so everyone was on board.
Next, we brainstormed. We imagined a fictional bad guy: a disgruntled ex-employee.
One year within the COVID-19 pandemic, the national lockdown had a tremendous impact on business. As a result of the lockdown, many companies suffered a significant impact on revenue and filed for bankruptcy, applied for business rescue, or retrenched staff. An environment like this can be easily abused by a disgruntled ex-employee.
Employees who lost their jobs would have been first-in-line to lose jobs again due to a short term of service. The fictional bad-guy used in the phishing campaign was based on this type of ex-employee.
It is not unreasonable to assume that a disgruntled ex-employee could have access to old emails and could have retained a wealth of knowledge regarding internal operations. Such a fictional employee would be able to utilise this knowledge to gather information regarding current staff lists.
It is also not unreasonable to assume that such an employee might still have contact, or be close friends with current members of staff. Innocent questions such as “how does the work-from-home system work?” or “how is the company doing?” during casual social interactions can provide an incentivised attacker with all the necessary knowledge to launch a phishing campaign.
Searching for Publicly Available Information
Social networks such as LinkedIn and ResearchGate can provide additional information regarding current members of staff, such as staff lists and email templates. But a complete list of employees and emails is already included in our web. Thus, generating a list of employees’ names and emails was trivial. To craft a fake login page, a corporate website can give all the details required, such as the corporate logo, background and text font.
Technical Set up
The ‘disgruntled ex-employee’ set up a fake login site, which collects and forwards logins. A popular open-source system to run phishing campaigns is gophish (see below). A successful campaign is underpinned by the use of a trusted Mail Server to ensure that phishing emails do not get flagged. This may be where we overperformed, but this should still not be an impossible challenge for a skilled employee to overcome.
The basic infrastructure and flow of information for a phishing campaign (below).
The lure to click on the fake phishing login site was an email about a bonus. Unfortunately this revealed to be a big mistake on our part, as it raised expectations during difficult financial times. We recognised, albeit too late, that we should have chosen something less emotionally charged.
Results and Recommendations
Internal communications regarding financial and procedural matters should take place frequently. Clear, direct, and frequent communications can dispel rumours and prevent situations that can be exploited.
An aggressive email validation system should be implemented. Checking incoming emails for name fields that match with domains as a basic check could have stopped the phishing campaign early.
Working together with IT departments when executing a phishing campaign is a must. We had many employees who only reported the phishing to IT. Of course, they would have had a bad day if they were not involved from the start.
Information security awareness and training, as well as governance reviews, should form part of a continuous improvement process, repeated at sensible intervals.
Raising awareness among employees on how social engineering attacks are structured, how to identify and respond to these attacks can significantly reduce damage. However, information security awareness training is not a silver bullet and will not be effective without a secondary layer of supporting technical controls.
About the author
Dr Renier van Heerden is the Cybersecurity Manager at the South African National Research Network (SANReN), heading up the proactive, academic sector, coordinating CSIRT. The following domains are his interests: password security, network attack, network ontologies and cyber security training. Prior to joining the CSIR he worked as a software engineer in advanced optics applications for South African based Denel Optronics and as a Lecturer at the University of Pretoria. Renier obtained a degree in Electronic Engineering, a Masters in Computer Engineering at the University of Pretoria and PhD at Rhodes University. Renier leads the SANReN Cyber Security Challenge, since its inception in 2016.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022