web application security lab

Phishme.com Internal Communication

Well, I’ve had to sit on this info for quite some time but I’m happy to see that Phishme.com is now up and running. Phishme.com was founded by the Intrepidus Group, who you may have heard of, with Rohyt Belani and Aaron Higbee at the corporate head. What is it? It’s education, but the kind of education that actually works for a change. If you’ve read this site long enough or heard my speeches you probably know I’m not the biggest fan of consumer education. It just isn’t impactful and it doesn’t give people enough incentive to pay attention and learn. People don’t digest the information and they don’t come away armed with the correct information on what to do when faced with an attack. That is, until now.

Phishme.com uses a fake phishing attack to simulate what a user might see in a really targeted (spear-phishing) attack against the company. Specifically, it scrapes the pages of an organization’s website and then sends everyone in the company a phish email to entice them to click on it and give up their credentials. Once a user is phished, the fact that they responded is logged and aggregated so the security team can follow up with the impacted employees, build further metrics, etc. Screenshot of the interface:

[Screenshot of the Phishme.com interface]

Does it work? Preliminary numbers from at least one exercise with 24,000 people show a huge drop in the number of users who click on links. In the first run of one experiment 82% opened the email and 64% entered info. In the second 28% opened and 27% entered info, and in the third 4.5% opened and 4% entered data. That’s a pretty impressive reduction, because the lesson is actually actionable: it gets people thinking almost immediately about the problem and about the fact that it can and will negatively affect them personally. Would you rather phish your users or have the bad guys do it for you? Ethics of owning your own employees aside, I think it’s hugely valuable to know this information.

There are all sorts of legal implications for doing this to your own staff, and personally I think those issues are almost completely outweighed by the benefits of solid, actionable training. When I talked with Rohyt about this, I got the feeling they’ve spent a lot of time making it as hard as possible for the exercise itself to inadvertently cause a compromise, by not actually transmitting the password. So all in all, I think this product is going to do a lot of companies a lot of good. I can think of a dozen or so companies that need to go through this training right now. With phishing attacks becoming a constant and ever-present threat, this is a very timely product!
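The two design points above, the landing page reporting only whether a password was typed (never the value) and the security team aggregating per-round open and entry rates like the ones quoted, as an added illustration that is not Phishme.com’s code; the per-recipient token, field names and event log below are constructed for the example.

```javascript
// Added example (not Phishme.com's code). The recipient token is a hypothetical
// per-user identifier carried in the training email's link.

// Builds the record a simulated-phish landing page posts back. Only booleans
// about the fields are kept; the credential values are never copied over.
function buildSubmissionRecord(token, fields) {
  const username = typeof fields.username === "string" ? fields.username : "";
  const password = typeof fields.password === "string" ? fields.password : "";
  const record = {
    token: token,
    enteredUsername: username.trim() !== "",
    enteredPassword: password.length > 0,
    submittedAt: new Date().toISOString(),
  };
  // Defensive check before anything leaves the page: no value in the record
  // may equal a non-empty credential the user typed.
  for (const v of Object.values(record)) {
    if ((password && v === password) || (username && v === username)) {
      throw new Error("credential leaked into telemetry record");
    }
  }
  return record;
}

// Aggregates "opened"/"entered" events per training round into the
// percentages of recipients who opened the mail and who entered data.
// Entering data implies the mail was opened, so it counts for both.
function summarizeRounds(events, recipients) {
  const perRound = new Map();
  for (const e of events) {
    if (!perRound.has(e.round)) perRound.set(e.round, { opened: new Set(), entered: new Set() });
    const r = perRound.get(e.round);
    if (e.event === "opened") r.opened.add(e.token);
    if (e.event === "entered") { r.entered.add(e.token); r.opened.add(e.token); }
  }
  const out = {};
  for (const [round, r] of perRound) {
    out[round] = {
      openedPct: +(100 * r.opened.size / recipients).toFixed(1),
      enteredPct: +(100 * r.entered.size / recipients).toFixed(1),
    };
  }
  return out;
}

// Constructed sample log: 20 recipients, two rounds of the exercise.
const RECIPIENTS = 20;
function mkEvents(round, openedCount, enteredCount) {
  const evs = [];
  for (let i = 1; i <= openedCount; i++) evs.push({ round, token: "t" + i, event: "opened" });
  for (let i = 1; i <= enteredCount; i++) evs.push({ round, token: "t" + i, event: "entered" });
  return evs;
}
const SAMPLE_EVENTS = [...mkEvents(1, 16, 12), ...mkEvents(2, 6, 5)];
```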

10 Responses to “Phishme.com Internal Communication”

  1. Daniel Clemens Says:

I don’t think this is anything new other than it’s a more automated interface / product for security assessments. Aaron has been doing this for some time in the past with Foundstone etc., so I think this is just a spinoff and an instant product offering from the old Foundstone crew.

  2. thrill Says:

    Standard IT security measures include the running of password crackers on password files (windows/unix) to identify weak passwords. This is just one step higher in that it tries to identify the Not So Bright Bulbs(tm) in the company.

    Of course, I need to get permission from the CTO before sending anything like this out. :)

    –thrill

  3. Spider Says:

    Interesting. I don’t know if I like the idea of hiring a third party to collect corporate username/login combos. I’d want to handle that inside the company. Third parties are great for identifying security vulnerabilities that can be fixed, such that if the information the third party had were to become public, it wouldn’t be a problem because the problems have been fixed.

We all know the difficulties in getting users to select secure passwords. Getting 64% of them to change their passwords to something significantly different wouldn’t be easy.

  4. Rohyt Says:

    PhishMe.com, as Rsnake pointed out, does not collect passwords.
    It only determines if a password was entered or not.

  5. donwalrus Says:

    That’s a really good approach to managing some of the softer vulnerabilities within an organization. If this is at all like I imagine it will be, this could be used by an organization to raise awareness with senior management to get justification for things like budgeting more security dollars for security awareness training, etc.

    My guess would be that senior management will be as susceptible as the general body of employees….could be pretty interesting. I’m awaiting my demo account to give this a test run.

  6. malkav Says:

    excellent.

in previous audits I had to do all the crap myself, and it was a real pain in my meek php skills.

now that I am thinking of going from SelfUnEmployed to SelfEmployed, I will not have time to build those on assignment, and this kind of thing will permit me to bring it on to my clients.

    yeah, automation rocks.

  7. Ronald van den Heetkamp Says:

    User education is tough, and I don’t think it will solve this.

Think about our expertise, skills, knowledge of the web and such. Can you imagine that there are still surfers on the web that think that only a blue & underlined piece of text is a hyperlink? Be amazed, such people still exist. Okay, it’s a blunt example to lay out the problem of user education, but I learned that while being in the pr0n industry, and it can be measured: blue hyperlinks are clicked more than other links or images. I’ve seen many people that tried to navigate a website, and believe me they had a hard time doing so. Even if the navigation was pretty basic, they could not work out how to do certain tasks. Now those same people fall victim to phishers just because of this.

    So they stopped clicking links?

Now imagine a website like e-Bay; their website is pretty complex from a surfer’s standpoint. Can you educate him on how NOT to fall for a phishing scheme when that user is getting an e-mail from e-Bay in his or her mail asking to confirm a bid, or a request to update their profile, or some more legitimate request like an e-Bay newsletter that contains a spoofed link that does something malicious with CSRF? How can they tell the difference between a real request and a false one then? Stop using e-Bay? Since that bid must be confirmed etc. etc., they must click a link.

IMO it can’t be fool-proof; user education takes years. And it certainly can’t be automated, nothing in security really can.

  8. Ronald van den Heetkamp Says:

    Sorry for the double post but i thought you might be interested in this.

There is a good example in DollarRevenue, which phished tons of surfers. When a user visited a site that had DollarRevenue, a large pop-up window appeared, obscuring the user’s view of the website beneath. This pop-up listed three steps that the user must take in order to close the pop-up ad:

Step 1 - Click on the ‘information bar’.
Step 2 - Click on ‘install ActiveX Control’.
Step 3 - Click on the ‘install’ button.

    Yes, 250 million people actually did what the website said they must do. Unbelievable, but true. It lays out a big problem here.

  9. Spider Says:

    @ Rohyt
You still have a third party presenting a form asking for passwords. That is the problem. Maybe I’m a bit paranoid, but as I said before I would not want to disclose any vulnerability that I could not do a reasonable job of mitigating in a reasonable amount of time. Determining whose passwords had been compromised and having them changed to significantly different, yet still secure passwords would not be easy to do.

  10. thrill Says:

    @Spider

It comes back to how much time you have to dedicate to user education. I am with you on allowing a 3rd party to access internal information. For example, I have an internal IM server (openfire) which authenticates the user via their AD account. Recently I had a user attempt to use Meebo to connect to it. He happily entered his AD username and password without a second’s hesitation.

Regardless of how much time I spend trying to explain to him what he just did, it does not sink in until you show them. We have policies in place that make “sharing of internal user information” against company policy, but that too doesn’t help. You can’t explain to someone that the pot is hot and they shouldn’t grab it; most of the time they have to learn that lesson themselves.

    –thrill