A quick look at spear phishing via surveys

Copy of my article ‘A quick look at spear phishing via SurveyMonkey’ that originally appeared at www.infosecisland.com/documentview/20594-A-Quick-Look-at-Spear-Phishing-via-SurveyMonkey.html

Written by Ben Rothke

A quick look at spear phishing via SurveyMonkey by Ben Rothke

In Social Engineering: The Art of Human Hacking, author Christopher Hadnagy writes that when performing a social engineering test, sometimes the easiest way to get information is to simply ask for it. In recent months, a lot of people seem to have been taking that approach, as I have gotten many surveys from anomalous sources asking penetrating questions. This is in line with what a spear phishing attack does.

According to PhishMe, Inc., once an email is in an employee's inbox, there is a 60% probability that an untrained staff member will miss all of the indicators that the email is in fact a scam and will click on a hyperlink or open a file attachment within the email. There is no technology filter or screener that can stop that 60% from clicking.

The surveys I received came from SurveyMonkey and Zoomerang. Note that both companies have since merged.

The underlying problem is that many people who respond to these surveys are oblivious to what is going on and think that their answers are confidential and anonymous. That may be the case when a legitimate survey is done, but when a phisher is using the system, that is simply not the case.

Here is a quick example of how this attack is done.

Signing up for a SurveyMonkey account is quick, easy and free.

Once the account is created, you can then create a survey. Notice that this one goes out to just 1 user, which is precisely the nature of a spear phishing attack.

The unsuspecting user then gets this email:

The link takes them to the site, which asks them these 5 questions:

1. Do you find it difficult to remember all of your corporate passwords?
2. How many passwords are you required to remember for corporate systems?
3. Of all your passwords, enter the one which you think is the best? (Such as sljkf2875$^ or Cook#paper)
4. Of all your passwords, enter the one which you think is the worst? (Such as password or LALakers)
5. Do you think your Chief Security Officer would be interested in our software tool that is both inexpensive and offers bullet-proof security protection?

Questions 1, 2 and 5 were there simply for an air of legitimacy. Questions 3 and 4 were the spear phishing questions. Since this was sent to 1 person, the following shows us that the target answered the survey.

We can then analyze the report and extract the data.

We now know that this person's best password is NYGiantsrock and their worst is HRpassword. Two passwords, just for the asking, without a lot of effort. The spear phisher will use this indispensable information in their attack.

Result

What this brief exercise demonstrates is that surveys can easily be used in the guise of a spear phishing attack.

SurveyMonkey responses can in some cases be anonymous and secure, but the answer is that it is up to each survey creator to decide whether they want to collect responses anonymously or to capture respondents' personal information.

What matters most is that an attacker won't follow the rules.

Recommendations

The most effective way to counter phishing and spear phishing is an effective information security awareness program that educates users on how to identify and avoid a well-crafted spear phishing email.

As part of a corporate security awareness program, users should be cautioned against answering surveys around proprietary and/or confidential corporate information, or any personal information.

Users need to understand that since SurveyMonkey can't guarantee the anonymization of the answers, they should have zero expectation of privacy.

Ben Rothke is an information security manager and the author of Computer Security: 20 Things Every Employee Should Know.
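The awareness advice above can be backed by a simple gateway or help-desk triage rule: a message that links to a hosted survey, asks the reader to type in a password, and is addressed to a single recipient matches the pattern walked through in the article. The following Python script is an added example, not code from the article or from SurveyMonkey; the survey domains come from the article, the scoring weights, the threshold and every sample message are constructed assumptions for the demonstration.

```python
"""
Triage helper for survey-based credential solicitation.

Added example, not code from Ben Rothke's article or from SurveyMonkey. It scores
inbound mail that carries a hosted-survey link and whose visible text asks the reader
to disclose a password, so a mail gateway or awareness team can quarantine or flag it.
Every message below is constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field

# Hosted-survey domains named in the article; any further entries are an assumption.
SURVEY_DOMAINS = ("surveymonkey.com", "zoomerang.com")

# Phrases that ask for a secret rather than an opinion. Each pattern stays inside one
# sentence ([^.?!]) so two unrelated questions cannot combine into a false hit.
CREDENTIAL_SOLICITATION = (
    r"\bpasswords?\b[^.?!]{0,80}\b(enter|type|provide|share|tell)\b",  # "Of all your passwords, enter the one ..."
    r"\b(enter|type|provide|share)\b[^.?!]{0,80}\bpasswords?\b",       # "please enter your password"
    r"\b(best|worst|strongest|weakest)\s+passwords?\b",                 # "your worst password"
)

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s]*", re.IGNORECASE)
FLAG_THRESHOLD = 3  # constructed: survey link (1) + password request (2) is enough to flag


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def survey_hosts(text: str) -> list:
    """Return the hosted-survey hostnames linked from the message text, lower-cased and sorted."""
    hosts = {h.lower() for h in URL_RE.findall(text)}
    return sorted(h for h in hosts
                  if any(h == d or h.endswith("." + d) for d in SURVEY_DOMAINS))


def score_message(subject: str, body: str, recipients: int) -> Verdict:
    """Score one message. The three signals mirror the article's walkthrough:
    a hosted-survey link, a question that asks for a password, and a single recipient."""
    v = Verdict()
    text = f"{subject}\n{body}"
    hosts = survey_hosts(text)
    if hosts:
        v.score += 1
        v.reasons.append("hosted-survey link: " + ", ".join(hosts))
    lowered = text.lower()
    hits = sum(1 for p in CREDENTIAL_SOLICITATION if re.search(p, lowered))
    if hits:
        v.score += 2
        v.reasons.append(f"asks the respondent to disclose a password ({hits} pattern hit(s))")
    if hosts and recipients == 1:
        v.score += 1
        v.reasons.append("survey addressed to a single recipient (spear-phishing pattern)")
    return v


# Constructed sample inbox. The first message reproduces the five questions from the article;
# the survey URL paths are placeholders.
SAMPLE_INBOX = [
    {"subject": "Quick survey on corporate passwords",
     "recipients": 1,
     "body": ("Please take our survey: https://www.surveymonkey.com/s/constructed-id\n"
              "1. Do you find it difficult to remember all of your corporate passwords?\n"
              "2. How many passwords are you required to remember for corporate systems?\n"
              "3. Of all your passwords, enter the one which you think is the best?\n"
              "4. Of all your passwords, enter the one which you think is the worst?\n"
              "5. Do you think your Chief Security Officer would be interested in our software tool?")},
    {"subject": "Tell us about your onboarding experience",
     "recipients": 1,
     "body": ("Your feedback matters: https://www.surveymonkey.com/s/constructed-hr\n"
              "How satisfied were you with your first week?")},
    {"subject": "Reminder from IT",
     "recipients": 250,
     "body": "Never share your password with anyone, including IT staff."},
]


def triage(inbox=SAMPLE_INBOX) -> list:
    """Return (subject, Verdict) for every message, highest score first."""
    results = [(m["subject"], score_message(m["subject"], m["body"], m["recipients"]))
               for m in inbox]
    return sorted(results, key=lambda r: r[1].score, reverse=True)


if __name__ == "__main__":
    for subject, verdict in triage():
        mark = "FLAG" if verdict.flagged else "ok  "
        print(f"{mark} score={verdict.score} {subject!r}")
        for reason in verdict.reasons:
            print("     -", reason)
```

Only the message that combines all three signals crosses the threshold; the legitimate onboarding survey scores 2 (link plus single recipient) and the IT reminder scores 2 (it mentions sharing a password but links to no survey), so neither is flagged. In practice the rule is a prompt for human review or a banner on the message rather than a block, since the article's point is that the decisive control is the user's own caution.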