Craig Hays


All Articles

How to Run a Phishing Simulation Test

January 29, 2020 By Craig Hays

Reading Time: 12 minutes

Running a successful phishing simulation campaign is difficult. This is how to test your employees to better prepare them for real attacks.

Fishing Fleet image by Bernard Benedict Hemy

Following on from my last article on how to write phishing emails that work, this article outlines how to run a successful phishing simulation campaign. We do this to measure how employees respond to attacks from criminals, how effective our training is, and where we need to do more to help our employees stay safe online.


9 Things I’ve Learned Writing Phishing Emails

December 6, 2019 By Craig Hays

Reading Time: 7 minutes

For the past six months, I’ve been writing and sending phishing emails to thousands of innocent people and analysing the results. This is what I’ve learned.

(Disclaimer: This is for educational and authorised testing purposes only. Please don’t break the law, it isn’t nice.)

Photo by Matthew McBrayer on Unsplash

My victims have no idea who I am, why I would want to steal their login credentials, or what I could do with them. They are trusting, hardworking people who just want to do a good job and go home to take care of their families.

Fortunately, I’m not a criminal. The emails I send are authorised phishing simulation tests. They’re designed to test our employees and their responses to various scenarios presented to them in email form.

Table of Contents

  • Phishing Simulation and Awareness Training
  • What I Learned Writing Phishing Emails
    • 1. Context is King
    • 2. It Matters What Time You Press Send
    • 3. Set a Deadline with Severe Consequences
    • 4. Mobile Victims are Easier to Hook
    • 5. Authority Grants Access
    • 6. Not All Responses Appear In Your Tool’s Results
    • 7. Real Phishing Attacks Look Like Phishing Simulation Tests
    • 8. People Write Awful Emails That Look Like Phishing, But Aren’t
    • 9. Don’t Overdo It

Phishing Simulation and Awareness Training

With phishing simulation, we can measure how susceptible people are to real attacks, provide just-in-time training to those who take the bait, and measure the effectiveness of our overall training strategy. No amount of phishing awareness training is ever going to be 100% effective but if we can raise the level of caution even slightly we’re in a better place than before. No matter what we do, people will always be phished. Even me, even you.

At work, we employ people based on their ability to provide products and services to our customers, not their ability to distinguish real emails from malicious ones. Phishing simulation is a useful tool but to protect our people we need many others in our toolboxes. Things like Multi-Factor Authentication (MFA), email filtering, and a secure web gateway (filtering proxy) to name a few. Awareness training needs to be part of our defence-in-depth approach.

What I Learned Writing Phishing Emails

Writing phishing emails is a copywriting task, not a creative writing task. Creative writing is an art. Copywriting is a science. Writing phishing emails is more like writing sales and advertising material than anything typically associated with cybersecurity. The same things that convince us to buy products and services, book a holiday abroad, or subscribe to an email mailing list are the same things that make us click links in phishing emails and give away our login credentials.

Copywriting is the science of influencing people to take defined actions with the written word. Copywriters are effective through their ability to empathise with the reader and play upon their emotions. They use psychological tools such as the power of perceived authority, our natural bias towards loss aversion, a false sense of urgency through an imminent deadline, and many others. Ultimately, writing effective phishing emails is no different from convincing someone to upgrade their smartphone or buy a new car.

With that said, this is what I’ve learned so far:


How to Define Vulnerability Testing Scope

August 3, 2019 By Craig Hays

Reading Time: 6 minutes

When it comes to vulnerability testing, what should be in scope? In my view, that’s a really easy question to answer.

Everything.

Everything connected to your organisation’s network or using your organisation’s resources, including in the cloud, is in scope. The weighting of vulnerability findings will take into consideration their physical location as well as the data they hold and the services they provide. This might also change the frequency of the vulnerability tests you run against them. Unless we include something in scope, we’ll never know what risk it presents to us.

Table of Contents

  • Focus Areas
  • 1. Networked Devices
  • Defining the vulnerability testing scope of your internal network-based scans
    • Looking at Routing Tables
    • Looking at Router Config Files
    • Public IP addresses
  • 2. Cloud Services
  • Defining Vulnerability Testing Scope for Cloud Services
  • 3. Mobile Devices
  • Vulnerability Testing Scope Verification
  • Other Sources of Scope Information

Focus Areas

  1. Networked devices
  2. Cloud services
  3. Mobile devices (smartphones, tablets, etc.)

Dynamically create a phishing page based on the HTTP referer header

June 11, 2019 By Craig Hays

Reading Time: 3 minutes

Table of Contents

  • Auto-generated phishing pages and the social web.
  • Creating Phishing pages based on the HTTP referer tag
  • How dynamic phishing page creation works
    • Submit a phishing link to an online discussion space where users are likely already logged in
    • The victim clicks on the link to what they expect to be another post on the site
    • The victim’s browser requests the dynamic phishing page from the engine
    • The dynaphish engine examines the HTTP referer tag and retrieves the login page for that site
    • The dynaphish engine renders a login page identical to that of the referrer site except for the POST target of the login form
    • The user ‘logs in’ and is redirected back to the expected content in their existing session
  • What this needs in order to work
  • Dynamic referer phishing pages – A Proof of Concept
  • Why this works

Auto-generated phishing pages and the social web.

(The following is a cybersecurity research article on credential theft using non-traditional and underexploited phishing methods.)

You’re browsing the web. You’re logged into an online discussion space such as YouTube, Reddit, Twitter, Medium, a small community forum, etc. You click on a link from another user to another page on the same site. Instead of seeing the content you’re looking for you’re presented with the login page for the site you’re already on. Annoyed and a little confused as to why you’ve been logged out, you log back in and are taken to the content you were expecting.

You’ve just been phished.


Enforcing better Active Directory passwords (Password audit part 3)

May 30, 2019 By Craig Hays

Reading Time: 3 minutes

(This is the third and final post of a three part series on Microsoft Active Directory password quality auditing)

Following on from part 2 where we used DS-Internals to extract NT hashes and John the Ripper to crack them, in this post we cover what to actually do with all of this (usually worrying) information.

Table of Contents

  • What to do with a list of cracked passwords
  • “Your password is awful, please change it”
  • How we can enforce stronger, usable, Active Directory passwords
  • Choosing an Active Directory password filter
  • Maintaining regular audits

What to do with a list of cracked passwords

Now that John has done his good work, you will likely have a list of passwords and their associated user accounts from some of your users. Once you’ve gotten off the floor and climbed back into your chair, you may start to think: “This is great! We can see exactly who has bad passwords. If they were good we wouldn’t have cracked them so easily.” So now what…


© Craig Hays, 2006–2025