October 29th, 2009
Phishing experiment sneaks through all anti-spam filters
A recently conducted ethical phishing (New study details the dynamics of successful phishing) experiment impersonating LinkedIn by mailing invitations coming from Bill Gates, has achieved a 100% success rate in bypassing the anti-spam filters it was tested against.
The experiment emphasizes on how small-scale spear phishing campaigns are capable of bypassing anti-spam filters, and once again proves that users continue interacting with phishing emails.
More info on the methodology used:
“This scenario was an invitation from Linkedin, posing as an invitation from Bill Gates to join his network. Linkedin was selected due to availability, and the fact that it is a social network recognized by most executives. This selection of Linkedin was also based on the fact that linked-in email should be already identified by most existing email system(s), and this may have helped delivery through into the mailbox. The phishing link can be identified in the HTML source code below.
The Phishing site was based on the Linkedin sign in page. The form action was changed so that the user would be redirected to a subsequent page on our site. No usernames or passwords were collected during this assessment. All targeted users were contacted before the phishing email was sent, and were expecting a Linkedin invitation from Bill Gates.”
A similar study was conducted by ethical phishing vendor PhishMe.com in March this year, pointing out that based on the 32 phishing scenarios tested against 69,000 employees, people are less cautious when clicking on active links in emails than when they are requested for sensitive data. This behavior is not surprisingly cited by PhishCamp as a possible opportunity for the introducing of blended threats, similar to known cases where phishing and scareware sites were also serving client-side exploits.
- Go through related posts: 419 scammers using Dilbert.com; 419 scammers using NYTimes.com ‘email this feature’; Fortune 500 companies use of email spoofing countermeasures declining; Gmail, Yahoo and Hotmail systematically abused by spammers
With the average price for a thousand active Gmail, Yahoo Mail and Hotmail accounts decreasing due to the economies of scale achieved by the vendors of CAPTCHA-solving services, and the numerous tools available at the spammer’s disposal to take advantage of these accounts, in the long-term all spammers will start abusing the already established DomainKeys trust among the most popular free email service providers.
What’s the success rate of spam and phishing emails hitting your inbox? What about your corporate email? Also, do you believe that ethical phishing is most constructive way of building awareness on phishing attacks, or do you think that it drives innovation in the wrong direction by attempting to gather click-through metrics instead of advising users to avoid interacting with such emails in general?
TalkBack.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
