Ponemon Institute reported that the average company suffers about 160 successful phishing attacks a week. Statistics like these, together with security compliance requirements, have forced organizations to step up their phishing countermeasures: they increasingly use training, tests, and external services and tools to make employees aware of phishing. Phishers, in turn, evolve their tactics daily, circulating new and believable phishing mails and putting up phishing websites that are almost indistinguishable from the originals. As an Internet user, you have to keep pace. Countering phishing requires understanding the different phishing techniques, keeping up with attack trends, recognizing attacks when you encounter them, and some plain common sense. There are abundant resources on phishing available on the Internet. Some of them are:

- Phishing-related books
- Online publications on phishing
- Discussion forums and mailing lists
- Phishing tests
- Phishing simulators

Some of the popular phishing-related books are:

Online Publications on Phishing

The Internet is full of valuable resources on phishing and its countermeasures. Some of them are in the form of information portals, publication databases, and blogs.

Information Portals

Publication Databases

There are several publication databases containing resources on phishing. Such databases provide a centralized platform that lets you search and study various phishing topics with only a few clicks. A few of the key ones are:

- Science Direct: A publication database aimed primarily at researchers. Finding phishing publications is easy: search for a keyword or phrase such as “phishing” on the home page and you get around 2,300 results. One useful feature is that you can purchase only the relevant parts of a book or journal from Science Direct instead of the whole volume.
- Google Scholar: One of the most popular sources for scholarly literature, Google Scholar holds an extensive repository of learning and research material from academic publishers, online repositories, universities and professional societies. A search for “phishing” returned an astounding 41,600 results comprising articles, theses, books, abstracts, and court opinions.
- Microsoft Academic Research: A research service developed by Microsoft Research for the online research community. You search with a phrase and can optionally limit the search to one or more fields of study, such as Computer Science, Engineering, and Multidisciplinary. A search for “phishing” returned more than 1,500 results. Besides the publications themselves, the results include information about authors, year of publication, citation counts, and more.
- CiteSeerX: A scientific literature digital library and search engine with over 7,000 research articles on phishing in PostScript and PDF format.

Blogs

Some high quality blogs on phishing maintained by individuals and organizations are:

- Google Security Blog: Provides the latest news and insights from Google on security and safety on the Internet. A few phishing-related posts worth reading are “Phishing phree”, “Behind enemy lines in our war against account hijackers”, “Safe Browsing protection from even more deceptive attacks”, and “Landing another blow against email phishing”.
- Avast Blog: A security blog maintained by Avast Software, one of the leading antivirus software developers and internet security service providers. Its phishing category has some good posts, among them “New fresh phishing campaign hits Facebook”, “‘Tis the Season to Shop Online”, “Don’t take the bait: Beware of web attack techniques”, and “Top 4 malicious phishing scams to look-out for during the holidays”.
- WombatBlog: A cyber security blog maintained by Wombat Security, a leading security awareness and training provider. Interesting posts on phishing include “The Latest in Phishing: March 2016”, “Business Email Compromise: When Hackers (and Competitors) Attack”, and “Why Spear Phishing Is Your Biggest Cyber Security Threat”.
- Bruce Schneier Blog: Bruce Schneier is probably the best-known computer-security expert; The Economist has even called him a “security guru”. He has written a large number of books, articles, essays and papers on security matters and has kept his blog since 2004. Posts worth reading include “Phishing and Identity Theft”, “Tabnapping: A New Phishing Attack”, and “Phishing Has Gotten Very Good”.
- Brian Krebs on Security: Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, where he wrote over 1,300 posts for the Security Fix blog. He now publishes security news and investigations on his KrebsOnSecurity website. A few of his highly informative posts are “Krebs’s 3 Basic Rules for Online Safety”, “Phishing Gang is Audacious Manipulator”, and “Phishing Victims Muddle Tax Fraud Fight”.

A few other blogs related to phishing are:

- ZDNet Blog
- IT Governance Blog
- Securelist Blog
- Cisco Blog
- Securiteam Blog

Discussion Forums and Mailing Lists

Discussion forums are great means to hold conversations on phishing in the form of posted messages. Some active forums related to Internet security are:

- Scam Victims United: An online message board formed to offer support and resources to online scam victims through message groups and networking with other victims. The Phishing Scams message group is specifically for phishing-related scams, which users report to keep others from becoming victims. A nonprofit organization, Scam Victims United also regularly posts new scams, offers support and assistance to victims, and spreads security awareness through its website.
- SteamRep Forum: Maintained by the Online Fraud Prevention Foundation, a nonprofit organization. The forum has an active community and is well moderated. You can read discussions as a guest, but you need to log in to reply or start a new discussion.
- WebProWorld: An online security forum with over 1,500 threads. Once registered, you can keep abreast of the latest phishing attacks, report one you encounter, or ask for help.
- com: A technical support site and self-education tool with an active discussion forum. The security section of the forum is split into nine categories; phishing-related questions and their replies are under the “Am I infected? What do I do?” category. With 72,327 topics and 423,135 replies in that category, there is a high probability that your phishing question has already been answered. Otherwise, you can register and post it.
- Information Security Stack Exchange: This one belongs on the list even though it is a question-and-answer site rather than a traditional discussion forum. The site is all about getting answers: you register and post your question, and thousands of security specialists may answer it right away. You can also answer other users’ questions. The best part is that you interact with leading security professionals in their fields.

Security mailing lists are maintained by security organizations to distribute the latest security news, trends, and articles to subscribers. Subscribing to an electronic mailing list typically involves providing your name and email ID. Some electronic security-based mailing lists are:

- US-CERT: https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new
- Open Source Security (oss-security) group: http://oss-security.openwall.org/subscribe
- Intel Security Support Notification Service (SNS): https://sns.snssecure.mcafee.com/content/signup_login
- Bugtraq, maintained by SecurityFocus: http://www.securityfocus.com/
- Full Disclosure: https://nmap.org/mailman/listinfo/fulldisclosure
- PhishTank: https://www.phishtank.com/mailing_lists.php

Phishing Tests

Let’s start with some questions: How good are you at spotting the difference between a legitimate email and a phishing one? Can you tell a legitimate site from a phishing site? What signs do you look for in a phishing email or site? If you aren’t sure about the answers, test yourself with an online phishing test. Several are available, and most are free, but two you should definitely consider taking are Dell Security’s SonicWALL Phishing IQ Test and Cisco’s OpenDNS Phishing Quiz.

SonicWALL Phishing IQ Test

This is a free online test for correctly identifying if an e-mail displayed on screen is a “Phish” or “Legitimate.” There are ten test questions, each presented with three options: No Answer, Legitimate, and Phishing. You need to select one and submit your answer.

SonicWALL Test Question

Once you complete the test, your score is displayed. You also get the chance to review why a question you answered incorrectly was a phish or legitimate.

SonicWALL Test Result

OpenDNS Phishing Quiz

This online quiz tests your ability to differentiate between a legitimate website and a phishing attempt. The quiz has 14 questions. Each question presents a screenshot of a website that you have to mark as either PHISH or REAL.

OpenDNS Quiz Question

Once you complete the quiz, you are presented with the result and the chance to review any incorrect answers.

OpenDNS Quiz Result

If you don’t score well in the above tests, don’t be disheartened. Most users get some of them wrong, and that includes security professionals. Last year, Intel Security Group (previously McAfee Inc.) circulated a similar phishing email quiz amongst its customers and released the statistics afterwards:

Phishing Simulators

Cyber attackers come up with new and innovative phishing attacks almost daily. Security experts agree that no technology can fully stop phishing attempts: you can’t rely on technology to weed out a well-crafted phishing email before it reaches its target. The consensus is that the best defense is to bolster the “human firewall,” and one such approach is to run simulated phishing attacks against users. Jack Koziol, President and Founder of Infosec, states that “Employee awareness retention rates are almost doubled 12 months after a simulation program is implemented, at 40% instead of 20%.” Simulated phishing attacks in organizations involve creating phishing emails similar to those circulating on the Internet and sending them to employees. The period of circulation and the number of emails sent out can be configured. The emails vary in complexity, but typically contain clues that the email is not legitimate. The objective is to test whether employees can identify the clues and not fall for the attack. Manually launching and managing a simulated phishing attack is cumbersome, so organizations use purpose-built phishing simulators.

SpearPhisher

SpearPhisher, a product of TrustedSec, is a Windows GUI tool that runs phishing campaigns. SpearPhisher is simple to use – just download, extract, and double-click on the executable to launch it.

The SpearPhisher GUI

To use SpearPhisher, you need to specify an SMTP server through which your phishing campaigns are sent. You enter it in the SMTP Settings section. Once that is done, starting a campaign is easy. With the default campaign template, all you need to do is add one or more email IDs, separated by semicolons (;), in the To field. Click the Send Email button to send out the campaign. SpearPhisher confirms which emails were sent successfully.

Email Sending Confirmation

The campaign targets receive a phishing email similar to this.

Received Email Example

SpearPhisher allows bulk loading of email IDs from a file with one recipient address per line. Another useful feature is support for attachments. Although SpearPhisher ships with a single default template, you can use the editor to create your own, and if you are HTML savvy you can add HTML to build more professional-looking campaigns. Being a Windows executable, SpearPhisher cannot be used on other operating systems. Also, reporting, the key feature of any phishing simulator, is missing: once you launch a campaign, you never learn whether a recipient opened the email or clicked its links. SpearPhisher is currently in beta, so more features may appear in later releases. Overall, it is an easy-to-use simulator for non-technical users to run ad-hoc phishing email tests, but that may not be enough for an enterprise. If you are looking for a comprehensive (and also free) phishing simulator, a stronger option exists.

Infosec IQ

Infosec IQ is a cloud-based service that combines:

- PhishSim: A phishing simulator
- AwareEd: Computer-based security awareness training

Being an easy-to-use product with an intuitive user interface, Infosec IQ has become a first choice for organizations, not only for cybersecurity compliance but also to develop and raise the organization’s Security IQ. Because it is a cloud-based service, organizations don’t need to buy or maintain any extra hardware or software. Infosec IQ is a subscription-based product, but a trial version with some usage limitations is available. As I mentioned earlier, Infosec IQ has a very simple workflow for running a phishing campaign. Once you register and log in, the first thing you see is the Dashboard, from which you can launch new phishing campaigns and view information about your recent ones.

Infosec IQ Dashboard

All the features of Infosec IQ are accessible from the Dashboard. Let’s look at the key ones.

Add Learners

Learners are end users whom you target in a simulated campaign. You can assign learners to one or more groups. Think of a group as a collection of learners that you want to target in a campaign. To create a group and add learners to it:

Select Learners->Groups from the main menu. Click on the New Learner Group button on the Learner Groups page.

The Learners Group Page

On the New Learner Group page that appears, type a group name in the Group Name text field. Under the Add Manually section, type the email ID, first name, and last name of the learner and click on the Add icon. Finally, click on the Create Group button.

Creating a Group

Instead of manually adding one learner at a time, you can store learners’ data in a CSV file and upload the file to Infosec IQ. The file must have the .csv extension, and its first line must be the header, exactly like this:

First Name, Last Name, Email

The header is followed by one learner per line, similar to this:

John, Doe, jd@test.com
Kate, Brandon, kb@test.com
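A bulk upload is only as good as the file behind it, and the page says the header has to match exactly. The following added example (mine, not Infosec IQ code) checks a learner CSV before you upload it: the exact header and column order from the page, three fields per row, a plausibly formed email address, and duplicate addresses that differ only in case. The email pattern, the duplicate rule and the line-numbered messages are my own conservative checks, not the service’s actual acceptance rules; the sample file is constructed for the example.

```python
"""Validate a learner CSV before bulk-uploading it to Infosec IQ.

Added example, not Infosec IQ code. The header and column order come from
the page; the email check, duplicate detection and line-numbered messages
are my own conservative checks, not the service's actual acceptance rules.
"""
import csv
import io
import re

REQUIRED_HEADER = ["First Name", "Last Name", "Email"]
# Deliberately loose: one "@", no whitespace, a dot somewhere in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_learner_csv(text):
    """Return (learners, problems).

    learners: list of {"First Name", "Last Name", "Email"} dicts for the rows
              that passed, in file order.
    problems: human-readable messages carrying 1-based line numbers.
    """
    rows = list(csv.reader(io.StringIO(text), skipinitialspace=True))
    if not rows or not rows[0]:
        return [], ["line 1: missing header"]
    header = [h.strip() for h in rows[0]]
    if header != REQUIRED_HEADER:
        return [], [f"line 1: header is {header!r}, expected {REQUIRED_HEADER!r}"]

    learners, problems, seen = [], [], set()
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:
            continue  # blank line, harmless
        if len(row) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(row)}")
            continue
        first, last, email = (f.strip() for f in row)
        if not first or not last:
            problems.append(f"line {lineno}: empty name field")
            continue
        if not EMAIL_RE.match(email):
            problems.append(f"line {lineno}: invalid email {email!r}")
            continue
        key = email.lower()  # mailboxes are matched case-insensitively here
        if key in seen:
            problems.append(f"line {lineno}: duplicate email {email!r}")
            continue
        seen.add(key)
        learners.append({"First Name": first, "Last Name": last, "Email": email})
    return learners, problems


def to_learner_csv(learners):
    """Serialize learners in the exact layout the upload expects."""
    lines = [", ".join(REQUIRED_HEADER)]
    for learner in learners:
        lines.append(", ".join(learner[col] for col in REQUIRED_HEADER))
    return "\n".join(lines) + "\n"


# Constructed sample: a case-only duplicate, a bad address, a missing name.
SAMPLE = """First Name, Last Name, Email
John, Doe, jd@test.com
Kate, Brandon, kb@test.com
Kate, Brandon, KB@test.com
Sam, Lee, sam-at-test.com
Ann, , ann@test.com
"""

if __name__ == "__main__":
    ok, bad = validate_learner_csv(SAMPLE)
    print(to_learner_csv(ok))
    print("\n".join(bad))
```

Run it on your real export before uploading; the rows it keeps are written back out by to_learner_csv in the header layout the page shows, so the cleaned file round-trips through the validator with no problems reported.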

Configure Template Batteries

A template battery is a group of phishing templates. During a campaign round, one phishing email from each of the templates in the battery will be sent to the learners. To configure template batteries:

Select PHISHSIM->Batteries from the main menu. The Template Batteries page lists the existing batteries. Click on the New Template Battery button to create a new one.

Template Batteries Page

The New Template Battery page displays all the available templates and a search option to view templates of a specific category. Statistics on the effectiveness of each template are displayed in percentage. The statistics indicate the percentage of learners opening emails of the template (Open Rate) and the percentage of learners falling for a phishing attack (Phish Rate).

Inbuilt Templates with Statistics

Click on a template’s magnifier icon to view its content.

Template Content

When satisfied with a template, select the checkbox below it to add the template to your battery. Once you have added one or more templates, specify a name for the battery and click on the Save Battery button.

Saving a Campaign Battery

Set up a Campaign

Infosec IQ provides a wizard to set up a phishing campaign. The wizard guides you through the steps to add learners who would receive phishing emails, select template batteries to generate emails, and schedule the campaign. To set up a campaign, click on the NEW PHISHING CAMPAIGN button on the dashboard, and then perform the following steps:

In the CAMPAIGN SETTINGS step, type a name for the campaign in the Campaign Name field. Infosec IQ gives you two ways to start a campaign: one targets real learners, the other targets one of three groups of 500 simulated “bot” learners. The latter is for prospects and new users who aren’t ready to target real learners. To set up a test campaign with bots, select the Create a test campaign with learner “bots” option, and then click on the Next: Select Learner button.

Step 1 – Campaign Settings

In the SELECT LEARNERS step, click on a learner group to add to the campaign in the Learner Groups text area. The Selected Groups text area displays the group you selected. Click on the Next: Select Templates button to proceed.

Step 2 – Select Learners

In the SELECT TEMPLATES step, click on a battery in the Available Batteries list. The Selected Batteries textbox displays the battery you selected for the campaign. Click on the Next: Schedule Campaign button to proceed.

Step 3 – Select Templates

In the final SCHEDULE CAMPAIGN step, carefully go through the displayed summary of your campaign settings. Note the calculations that show how many emails, how many notifications, how much training, and so on you have just set up. Confirm the default values of the Start Date, Length (days), and Repeat fields of the campaign schedule, or change them here if needed. Click on the Schedule Campaign button.

Step 4 – Schedule Campaign

Performing the preceding four steps is all that’s required to set up a phishing campaign. Your campaign is then listed under the Campaigns section of the Dashboard.

Campaign Information on the Dashboard

Analyze Reports

Infosec IQ comes with a powerful reporting module for phishing campaigns. Once you set up a campaign, you can analyze the following:

- Percentage of phishing emails opened.
- Percentage of successful phishing attacks.
- Date of the campaign run.
- Phishing emails sent to learners.
- Learners who opened a phishing email.
- Learners who were phished.
- Learners who avoided a phishing email.
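Infosec IQ derives these numbers from its own tracking infrastructure, and SpearPhisher, as noted above, has no reporting at all. The following added example (mine, not code from either product) shows the minimum a simulator needs in order to produce them: an unguessable per-learner token embedded both in a tracking image URL and in the phishing link, and one pass over the landing host’s access log. The host name phish-sim.example, the /o/ and /c/ paths, the “combined” log format and the log lines are all constructed for the example, and the demo pins the tokens so the sample log lines up; a real run keeps the default, which draws tokens from the secrets module so one learner cannot guess another’s URL.

```python
"""Per-learner tracking and campaign reporting for a simulated phishing run.

Added example, not SpearPhisher or Infosec IQ code. Assumptions: the
simulation serves a tracking pixel at /o/<token>.gif and the phishing link
at /c/<token> on a host you control (phish-sim.example here), and the host
writes an Apache/Nginx "combined" format access log.
"""
import re
import secrets

TRACK_HOST = "https://phish-sim.example"  # assumed landing host

# Pulls the request path and status code out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Only these two paths are tracking hits. Tokens are unguessable, so a hit
# with an unknown token (scanner, typo, curious learner) is simply ignored.
TRACK_PATH_RE = re.compile(r"/(?P<kind>o|c)/(?P<token>[A-Za-z0-9_-]+)(?:\.gif)?")


def issue_tokens(emails, token_fn=lambda: secrets.token_urlsafe(16)):
    """Assign each learner a random token and the two URLs embedded in their
    email: the image that fires on open and the link that fires on click."""
    tokens = {}
    for email in emails:
        tok = token_fn()
        tokens[email] = {
            "token": tok,
            "open_url": f"{TRACK_HOST}/o/{tok}.gif",
            "click_url": f"{TRACK_HOST}/c/{tok}",
        }
    return tokens


def build_report(tokens, log_lines):
    """Replay the access log against the issued tokens.

    opened   : pixel loaded or link clicked (a click proves the mail was read
               even when the client blocked remote images)
    phished  : link clicked
    avoided  : opened but did not click (my definition for this example)
    unopened : no hit at all
    Rates are percentages of all learners in the campaign.
    """
    email_for = {v["token"]: email for email, v in tokens.items()}
    opened, phished = set(), set()
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or int(m.group("status")) >= 400:
            continue  # not a request line we understand, or the request failed
        path = m.group("path").split("?", 1)[0]  # drop any query string
        t = TRACK_PATH_RE.fullmatch(path)
        if not t or t.group("token") not in email_for:
            continue
        email = email_for[t.group("token")]
        opened.add(email)
        if t.group("kind") == "c":
            phished.add(email)
    everyone = set(tokens)
    n = len(everyone) or 1
    return {
        "opened": opened,
        "phished": phished,
        "avoided": opened - phished,
        "unopened": everyone - opened,
        "open_rate": round(100 * len(opened) / n, 1),
        "phish_rate": round(100 * len(phished) / n, 1),
    }


# Constructed sample: four learners; the log shows one open+click, one open
# only, one click with images blocked, one unknown token probe, and noise.
SAMPLE_EMAILS = ["jd@test.com", "kb@test.com", "cd@test.com", "ef@test.com"]
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2016:09:01:02 +0000] "GET /o/tokA.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2016:09:01:40 +0000] "GET /c/tokA?src=mail HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2016:09:03:11 +0000] "GET /o/tokB.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2016:09:05:00 +0000] "GET /c/tokC HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2016:09:05:01 +0000] "GET /c/tokZ HTTP/1.1" 404 0 "-" "curl/7.47.0"
192.0.2.9 - - [12/Mar/2016:09:05:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def demo():
    """Fixed tokens so the constructed log above matches; real runs use the default."""
    fixed = iter(["tokA", "tokB", "tokC", "tokD"])
    tokens = issue_tokens(SAMPLE_EMAILS, token_fn=lambda: next(fixed))
    return build_report(tokens, SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {sorted(value) if isinstance(value, set) else value}")
```

Two practitioner notes: keep the landing host on a domain your organization controls and tell the help desk about it, so a learner who reports the mail gets a quick answer instead of an incident ticket; and keep the token-to-learner map out of the web server’s log directory, since the log on its own must not identify who clicked.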

To view the report of a campaign run:

Log on to Infosec IQ and click your campaign on the Dashboard. Details of your campaign run are displayed.

Details of a Campaign Run

To view the report of the campaign run, click the Report icon in the Result column. The report is displayed in tabular format.

Report of a Campaign Run