Social engineering

The goal of a simulated phishing attack is to test your employees’ reaction to a situation where an attacker tries to extort sensitive data from your company – most often user passwords.

For the attacker, this type of attack is simple and usually successful. With the access credentials obtained, the attacker can gain access to the company’s internal network, e.g. via a VPN, or to internal applications and their data. Due to the popularity of Single-Sign-On solutions, this allows an attacker to access a wide range of applications and data.

Main test areas

Email – We use email messages to persuade your users to send sensitive information, such as usernames and passwords, or to click on a potentially dangerous link.

Telephone – We contact the user by telephone and use pre-prepared scenarios to test whether the user succumbs to pressure and reveals some sensitive information.

The most common findings

Up to 60% of users succumb to potentially dangerous e-mail during the first testing.
In larger companies, for example, we act on behalf of the IT Helpdesk and require a domain password under the pretext. (15-20% success rate).
Successful attacks on specific users - accountants / receptionists, etc.
The ignorance / carelessness of the users is very high.

How does a simulated phishing attack work?

1. Analysis

We look at what applications or services your company uses. This could be Office 365, for example, or another business application.
We will find out what domains your company uses and register a similar one. Instead of firma.cz we can use firma.net or firna.cz. A typo in the domain is often not noticed by users.

2. Preparing

Create a page that looks similar to the real application page. As an example, we can use a page for changing the password of a corporate Microsoft account.

3. Action

We will place the site on a registered domain and send out an email to users urging them to change their password. Such an email might look like this:

4. Progress

Once the phishing campaign is launched, we can see how individual users react. Unless the company regularly trains its employees, we usually get the first employee’s credentials within minutes of the launch. We don’t store user passwords when simulating an attack, however, if the test was part of a larger penetration test of your company, then we would use them in the same way a real attacker would use them to penetrate your internal network.

5. Conclusion

We will leave the campaign running for a few days. After the campaign is finished, we will inform the company management about the results of the tests.
The test results include a summary of how the company fared in the test, as well as details of how individual users reacted.

How to defend against phishing attacks?

After completing the password, the user may be presented with an educational page that contains information on what the user should and should not do.

It is advisable to educate the user on a regular basis. For this purpose, we recommend deploying Proofpoint to provide regular education for your users in the form of e-learning courses, combined with phishing attack simulations. Based on the simulated attacks, you can see where individual users are going wrong and create an individual learning plan for them.

In addition to regular user education, two-factor authentication can also partially prevent a real attack. If an attacker obtains a user’s password, they will need a second factor – such as code from an authentication application – to access the application/internal network.

However, if the attacker forces the user to execute malicious code on their PC – e.g. by opening an attachment, downloading and running the attacker’s program, then even this protection will not help.

If you are interested in our services or have any questions, please do not hesitate to contact us using the contact form or we will be happy to meet you at our offices in Prague, Brno and Bratislava.

David Pícha

Cyber Security BDM
+420 604 200 062
david.picha[@]integra.cz