the people problem

A couple of weeks or so ago, an old friend from the bike club asked in our club messaging group why supposedly sophisticated companies (such as Jaguar Land Rover, M & S and the Co-op) were still so susceptible to “hacking attacks”. I gave a somewhat flippant reply along the lines of “because their security is crap”. I also muttered about “software monocultures”, over-reliance on single outside “managed IT service providers” and poor, or non-existent, internal expertise, auditing and monitoring.

However, on giving that reply some more thought, I concluded that a fuller and more rounded reply might be necessary.

I confess here to a personal prejudice. In my professional life I have (variously) been: a sysadmin responsible for networked systems delivering services to both internal users and the internet; an internal network security manager; and a security advisor to third parties. I have a deep-seated belief in the necessity for companies reliant on IT (nowadays that is all of them) to maintain some basic level of internal expertise – ideally in the technicalities of networks and the required security, but at the minimum in the form of really intelligent, knowledgeable and sophisticated IT contract managers. Sadly, I am usually disappointed.

I also really, really, don’t like software monocultures.

All the best security regimes in the world cannot and will not protect organisations from the “people problem”. People are naturally trusting. They believe plausible contacts, particularly if those contacts ostensibly come from internal Managers, HR professionals or trusted external third parties. One of the most important aspects of any business security policy is the need to raise awareness of the issues and educate everyone about their personal responsibilities. This is difficult. Worse, it is increasingly complex as people bring their own devices into the workplace and the split between work and personal communications becomes blurred. There is plenty of advice and guidance available to help people here, both free and paid for. The UK National Cyber Security Centre publishes a fairly comprehensive set of advice and guidance. I recommend readers use it.

So – when thinking about my mates in the bike club I decided on a “don’t tell ’em, just show ’em” approach to the problem – I phished them.

The group has an email list of a regular 21 members who, despite geographical dispersion, still meet up for runs, rides and social events such as meals out. The group uses several different mechanisms for communication – WhatsApp (which I don’t use) is very popular, also Signal (which I do use), email and good old fashioned SMS. The medium is usually determined by the number and composition of users and the particular topic under consideration. So an email from one person to the whole group might announce a planned outing and thereafter a subgroup (on a messaging app) of the members involved will be used for that outing.

Recently a bunch of us went to Dinant in Belgium. We’ve all been before. It is a nice location, central to a part of Belgium which has some good biking roads. The town has some good restaurants and the timing of the visit coincides with a Belgian VMCC “race” about 40 km away in Gedinne.

In my phish, I therefore sent an email, headed “Belgium remembered”, to all 21 members containing the following:

Hi all

I have posted some pics from Belgium if anyone is interested.

https://somedomain.net/wdmcc/

M

That embedded link simply went to one of my webservers which served the single page saying:

Boom! You are dead. Congratulations. You have successfully been phished.

(Actually, you haven’t and you are perfectly safe. This is merely an exercise in social engineering. But don’t you feel a little bit silly?)

Now go back and check that sending email address.

Love and kisses – Mick

Crucially, however, the email address I used was one that I have never used with this group in the past. None of them would have seen it before. All I did to obfuscate it was to replace the normal name for that address with “Mick”. So instead of the From: address saying “Name <name@somedomain.net>” it showed “Mick <name@somedomain.net>”. Furthermore, my email did not include the usual footer I attach to all my normal emails. Yes, the context, content and timing of the email made it look, as was intended, very plausible, as did the fact that it went to the whole group at once (I didn’t even bother to send it to one, bcc’d to others). But, that From address looked very suspicious – or did it? Herein lies a real problem (quite apart from the fact that the group would be likely to trust an email purportedly coming from “Mick” about a recent trip to Belgium). Lots of email clients, particularly those on mobile ‘phones, do not disclose the whole From: address; they just show the name outside the angle brackets. This is not helpful.
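The check a recipient (or a mail filter acting for them) would have needed here is a simple one: does the display name belong to someone I know, and is the address one that person has actually sent from before? The following is an added example, not code from this post or from any mail client, showing that check over a few constructed messages. The address book, names, addresses and message texts are all made up for illustration; a real deployment would build the “known addresses” table from the reader’s own mailbox history.

```python
"""Flag messages whose From: display name matches a known contact but whose
address is one that contact has never used before.

Added example for this post, not the author's code.  The address book,
names, addresses and sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: lower-cased display name -> addresses that
# person has previously sent from.
KNOWN_SENDERS = {
    "mick": {"mick@example.org"},
    "dave": {"dave@example.com", "dave.rides@example.net"},
}


def classify_sender(from_header, known=KNOWN_SENDERS):
    """Return (display_name, address, verdict) for a raw From: header value.

    Verdicts:
      known                         name and address both match the address book
      name-matches-but-address-new  familiar name, address never seen before
      unknown                       a display name we do not recognise at all
      malformed                     no parseable address
    """
    name, addr = parseaddr(from_header)
    name_key = name.strip().lower()
    addr_key = addr.strip().lower()
    if not addr_key:
        return name, addr, "malformed"
    prior = known.get(name_key)
    if prior is None:
        return name, addr, "unknown"
    if addr_key in prior:
        return name, addr, "known"
    # The situation in the post: a name everyone recognises, on an address
    # nobody in the group has ever seen, which a mobile client may hide.
    return name, addr, "name-matches-but-address-new"


def triage(raw_messages, known=KNOWN_SENDERS):
    """Parse each raw RFC 5322 message and return one verdict record per message."""
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        name, addr, verdict = classify_sender(msg.get("From", ""), known)
        results.append(
            {
                "subject": msg.get("Subject", ""),
                "name": name,
                "address": addr,
                "verdict": verdict,
            }
        )
    return results


# Constructed sample messages (headers and bodies are invented).
SAMPLES = [
    "From: Mick <mick@example.org>\nSubject: Ride on Sunday\n\n"
    "Anyone up for a ride?\n",
    "From: Mick <other-name@example.org>\nSubject: Belgium remembered\n\n"
    "I have posted some pics from Belgium if anyone is interested.\n"
    "https://example.org/pics/\n",
    "From: Accounts <billing@example-invoices.test>\nSubject: Invoice\n\n"
    "See attached.\n",
]

if __name__ == "__main__":
    for r in triage(SAMPLES):
        print(f"{r['verdict']:30s} {r['name']!r:12} <{r['address']}>  {r['subject']}")
```

The second sample is the pattern described above: the display name is the one the group trusts, the address is not. A client that shows only the name outside the angle brackets gives the reader nothing to go on, which is why the comparison is better done by software that sees the full header than by a person glancing at a phone.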

I waited a whole 24 hours before emailing the group again, from my normal address, apologising for the scam. But the scary part is that of the 21 people involved, 7 (fully one third of the group) clicked on that link in that 24 hours. Following my second email, some of those who /hadn’t/ clicked it admitted that they might have done so had they seen it in time, a few others said that the email went to their spam boxes (well done gmail in particular here).

Oddly, they still all seem to trust me. Well, at least they say they do.

Permanent link to this article: https://baldric.net/2025/10/26/the-people-problem/