Protected Trust: Building your modern workplace with Microsoft 365 and Surface

Ethical Phishing Campaigns to Raise Security Awareness

March 09, 2020 Ingram Leedy, Steven Goodman, Sean Jacobs
In this episode, Sean Jacobs explains how he phishes organizations in order to demonstrate how easy it is to exploit their users. 

spk_1:   0:06
Hey, if you have a successful business and you want to grow by empowering your employees with modern tools like Microsoft 365 or Teams or even Microsoft Surface devices, or maybe you just want to get the most out of these tools, I think I can help. Just go to protectedtrust.com, and that's protectedtrust.com. You'll find on our website a road map that explains the steps on how to get to a modern workplace. And I'm happy to say that clients who have used our plan are happier and more creative employees who feel more connected to share more ideas. And they feel safer with technology, which results in your business and employees achieving so much more. So if you want to begin your journey to a modern workplace, go to protectedtrust.com. Enjoy the episode.

spk_2:   0:52
To transform your business, you must be willing to reimagine how work can be done. Ingram Leedy and his team at Protected Trust have been advising business leaders like you all day, every day to do just that since 1995. If you want to reflect your business as a modern company, keep listening. If you want it faster, visit protectedtrust.com. We've been telling people till we're blue in the face, Hey, you gotta watch out for these phishing scams. And we even developed a course for people to go to. And we've even made a short video for people saying, Here are nine ways to detect phishing. However, as we learned, most people ignore what they were taught. Um, and even if you did manage to teach an entire organization, it's no guarantee that, at least I think, the percentage was 15%, would still click on a phishing message. So I thought it would be nice if we were to go over some examples of how people are getting phished. So instead of telling them you should watch out for phishing, let's show them how

spk_1:   2:01
I like it. Phish, how they

spk_2:   2:02
get phished. So, Sean, ah, you've run several successful phishing campaigns for us, uh, ethical phishing campaigns, sure, we'll call them, to show people, show business owners just how bad their employees are about clicking on things they shouldn't or things that they should know not to click on. Sure. Um,

spk_1:   2:24
well, even though, you know, one thing. When Sean came in here today, he was talking about, like, you're just working on a client today that got phished, right? It's great. It's common.

spk_0:   2:34
No, just a little while ago, we had a client that had a compromised account, and we've kind of traced it back to: Okay, here's that message that you clicked on, and you gave somebody your credentials, and using your credentials that you provided to them, they got into your account and created these rules, and they've been reading all your email for the past months,

spk_1:   2:56
even though the phishing pages that collect the passwords, some don't, like, respond back that you got the correct password, and you end up typing your other password and then your other password and then your other password. And probably a long list of all your passwords that they're probably collecting, right? Sure, sure, probably to a lot of other things, too, that might have not necessarily been your work business, but other personal things.

spk_0:   3:16
Too. Or sometimes, after you've entered your username and password, they forward you, you know, to the website that they were supposed to be? Yeah, and it's like, Oh, it didn't log me in. Let me try one more time, then you get logged in. You

spk_1:   3:28
You don't think about it? Yeah. So, like I said, the idea of the room

spk_0:   3:32
and that's, ah, yeah. And actually, that's in the examples that I put together. So, well, can we go through the examples? Sure. So, um, what I did for these examples, they're actually real, real world examples that we've received as samples. Um, and I've successfully been phished, of people who received a phishing message, and they said, Hey, is this a phishing message? And I'm like, Yes, and it's a really good one. And I, uh, put it in a folder over here. And

spk_2:   4:02
so they didn't get compromised. They had the foresight to ask whether or not they should open

spk_0:   4:07
for these samples. They're probably ones that I received from people that said, Hey, Sean, this looks suspicious. So often, the ones where people are successfully compromised, we never hear about, you know, what that thing was that actually compromised them. A

spk_1:   4:23
lot of people don't know what compromise them because they looked legit,

spk_0:   4:26
right? All they know is that they were. They don't know how it happened, or sometimes aren't interested in how it happened. They just want the problem fixed.

spk_1:   4:36
So the examples you have today are ones that we've seen out there. They're very good. Um, and most likely people are being compromised by them, but they're always changing. They're getting better, or they're manipulating some other little detail about it or

spk_0:   4:49
right. And like, you know, these examples that I have, um, like I said, they came from real world examples. These are ones that I have, uh, I've sanitized them. So basically, these are ones that I've converted and I'm using for our own ethical phishing campaigns. Um, and, ah, they're pretty good. These are, these are probably, these are very successful. And I would say these are probably the most successful when we're doing our own ethical phishing campaigns. Um, but, you know, even if I were to receive something like this, I might not even question it. That's how good these are. So

spk_2:   5:34
Yeah, well, before you start, I want, uh, this is usually how I start it. Um, the days of the Crown Prince of Nigeria asking you, uh, for your bank account so we can send you his fortune, that's over. They're not doing that anymore. They've gotten so good at pretending to be the person who they're impersonating that it's way more successful.

spk_0:   5:58
Yeah, and the thing is, once you get phished, you know, once somebody gets those credentials, then they can pretend to be you, because they essentially are you. They can send, you know, they're in the account. And, ah, I know we talked about, you know, an example in one of the previous videos that we did, where somebody actually compromised an account and, you know, from that person that was compromised, they requested a wire transfer to an account that it shouldn't have gone to.

spk_1:   6:25
Wasn't a real one right there

spk_0:   6:27
then and that's that's really common. Are

spk_2:   6:29
you familiar with the case in this building?

spk_0:   6:31
Um, I heard about it, but I'm not intimately familiar with that case. No. So I heard, I heard

spk_2:   6:40
something. We'll see if one of your examples so is what happened.

spk_0:   6:46
So yeah, so let's go through it. Let's do it. So one of the ones that I have here is, ah, for users on 365, there's a feature in Office 365 that lets you send quarantine notifications to users. Um, whenever you have an email that is sent to you that gets quarantined, an administrator in your tenant can set things up so that you get quarantine notifications on a regular basis that basically tell you what items have been sent to you that got quarantined. Um, my first example here is a quarantine notification that didn't come from Microsoft. Um, this quarantine notification came from my phishing server and looks just like a quarantine notification that comes from Microsoft, on the screen. Yeah, so. And in this email here, you know, it's an email that, you know, Office 365, actually quarantine@messaging.microsoft.com, sent me an email telling me that this email from Ingram got quarantined for some reason, which is kind of suspicious. But, you know, looking at that subject, ah, you know, the subject on this is New 2020 pay scale. I'm kind of interested in what that is. So I mean, I might just click on that link to release it to the inbox. So, um, you know, if I go in and do the same thing that I would normally do if I see something that's in my quarantine that I think I should look at, you know, I'm just gonna release that to the inbox. When I click on that link, it takes me to, you know, an Office 365 login page. And I'm like, Okay. You know, to me, I can look at this, and I know for a fact that this is not correct, because, you know, there's several things on this page that you wouldn't normally see on a 365 login page. For example, you know, it doesn't ask you for both your email address and password. Um, another example: that address that's showing in the address bar up here is completely wrong. That's definitely not a Microsoft domain. Um, but if I'm

spk_2:   8:50
my eyes are pretty poor. What domain does it say?

spk_0:   8:53
If I'm not, it's just an IP address. Okay, um, in this case, it's just an IP address. But, um, if this weren't an example that I just sent myself, this could be based on a domain that, uh, you know, looks similar to microsoft.com. And

spk_1:   9:09
maybe it's the same domain with a misspelling in it. That's what it looks like exactly.

spk_2:   9:12
Switch the F and the T at the very end.

spk_0:   9:14
Yeah, um, or, um, you know, sometimes they don't bother to do that. They just do the same thing I did here where it's just an IP address, because people don't look at the address bar. It's like, Oh, there's the login page, and you know, I need to log in. So when I enter my email, password on this page. You know, actually, you know what? I'll just give you an example. Holmes's dot com, groups, and this is my password. You know, whatever. Um, when I enter that information and sign in, it actually got here this time, but, um, I need to look at that. What that should have done is redirected me to my normal portal, that office.com login.

spk_1:   9:58
So it looked like you just need to log in one more time, or it probably logs you in, 'cause you're already logged into the portal.

spk_0:   10:03
Or like, Oh, maybe I entered my password wrong, right? Let me do it again. Right. But as soon as you do that, you know, I captured those credentials. You know, the phisher, the person who sent this phishing message, they have your credentials now. And if you don't realize the fact that they just captured that, then they can get right into your account and do whatever they want.

spk_1:   10:24
They just take that username and password and log right into your 365 account.

spk_0:   10:29
So this is actually, this is a really, you know, a very specific example. But it's a really good example, because this is, you know, something that's actually out there in the wild. Spammers, phishing folks.

spk_1:   10:41
It looks just like that, right? When you receive a spam,

spk_0:   10:43
it looks just like this. I mean, this is exactly what a quarantine notification

spk_1:   10:48
I mean, in our world, we live this stuff, and so we're very suspicious of little details. For most people that really are maybe not into computers like we are, sure, they're gonna be fooled by that, really.

spk_0:   10:59
And something that you can see in this one. Um, something that we do, um, in our organization, which is something that, you know, it's a feature that we offer to all of our clients, is this option to add this flag in the email that tells us when an email is coming in from outside. So, um, you know, seeing that flag there makes me think, you know, maybe that is suspicious. That normally wouldn't appear on this type of email, or an email that comes from Ingram asking me to set up a wire transfer. If that had a flag in it, okay, that's not right. That thing shouldn't be there, because it didn't come from the outside, it came from the inside. So

spk_2:   11:42
So So because this is so convincing. What? What can people do to notice that it's not a legitimate message

spk_0:   11:50
when you look at the links, like I can mouse over the link and I can see, okay, this is not going to, you know, this is not going to the place where it should be going. This is going to a different domain. In this case, it's going to an IP address, which shouldn't happen in any Microsoft mail. Um, also, you know, just the fact that it looks kind of suspicious. We use Teams. If I got an email from Ingram and I was suspicious of it, I would probably just ping him on Teams and say, Hey, did you send me something? And, you know, he'd be like, No. And I'd be like, Okay, maybe I should report this message to myself, since, you know, I'm the one that's gonna look at them any

spk_1:   12:29
you I tend to send you a lot of

spk_0:   12:31
you do send clever messages a lot, you know, and I appreciate that. Some of, actually one of the examples that I have here is something that I received from you. And then I went in and tweaked it a little bit when I sanitized it for you.

spk_1:   12:42
gets the road wins, I'm always like, That's a really good one. Almost got me, almost got me.

spk_2:   12:47
Ah, if I could just go back one second. Something important that you said: when you get a suspicious message, ah, you contact the person that you think sent the message and verify that they did or did not. Sure. Send it, totally. However, what you did, how you did that is important, because you did not reply to that email and ask him, Hey, is this really from you?

spk_0:   13:12
No, I sent it through Teams.

spk_2:   13:14
You had to send it through an alternative method. So you would either have to call Ingram, or you would have to hit him up on Teams, or some other method other than responding to that email, because you're responding to the phishing person and not responding to him.

spk_0:   13:28
and people, since I, you know, manage a lot of the phishing campaign stuff, something that happens here a lot is whenever somebody gets a phishing message, they immediately contact me to be like, Yeah, like it's the curse. Hey, did you, uh, are you trying to phish me again? You didn't get me this time.