A quick look at spear phishing via surveys
Copy of my article ‘A quick look at spear phishing via SurveyMonkey’ that originally appeared at www.infosecisland.com/documentview/20594-A-Quick-Look-at-Spear-Phishing-via-SurveyMonkey.html

Written by Ben Rothke

Published in: Technology, Design

Transcript

  • 1. A quick look at spear phishing via SurveyMonkey, by Ben Rothke

In Social Engineering: The Art of Human Hacking, author Christopher Hadnagy writes that when performing a social engineering test, sometimes the easiest way to get information is to simply ask for it. In recent months, a lot of people seem to have been taking that approach, as I have received many surveys from anomalous sources asking penetrating questions. This is exactly what a spear phishing attack does.

According to PhishMe, Inc., once a phishing email is in an employee's inbox, there is a 60% probability that an untrained staff member will miss all of the indicators that the email is in fact a scam and will click on a hyperlink or open a file attachment within the email. There is no technology filter or screener that can stop that 60% from clicking.

The surveys I received came from SurveyMonkey and Zoomerang. Note that the two companies have since merged.

The underlying problem is that many people who respond to these surveys are oblivious to what is going on and think that their answers are confidential and anonymous. That may be the case when a legitimate survey is run, but when a phisher is using the system, it is simply not the case.

Here is a quick example of how this attack is done.

Signing up for a free SurveyMonkey account is quick and easy.
  • 2. Once the account is created, you can create a survey. Notice that this one goes out to just one user, which is precisely the nature of a spear phishing attack.

The unsuspecting user then receives the survey invitation email (shown as a screenshot on the slide).

The link takes them to a site which asks them these five questions:

1. Do you find it difficult to remember all of your corporate passwords?
2. How many passwords are you required to remember for corporate systems?
3. Of all your passwords, enter the one which you think is the best? (Such as sljkf2875$^ or Cook#paper)
4. Of all your passwords, enter the one which you think is the worst? (Such as password or LALakers)
5. Do you think your Chief Security Officer would be interested in our software tool that is both inexpensive and offers bullet-proof security protection?

  • 3. Questions 1, 2 and 5 were there simply to lend an air of legitimacy. Questions 3 and 4 were the spear phishing questions. Since the survey was sent to one person, a single response in the report (screenshot on the slide) tells us that the target answered it. We can then open the report and extract the data.
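The five questions above make a good test case for the kind of triage check a web proxy, a DLP rule or an analyst reviewing a user-reported survey could run: score each question for credential harvesting. This is an added example, not code from the article; the five questions are copied from the slides, while the regular expressions, the scoring thresholds and the function names are my own construction and only a heuristic. What it demonstrates is that merely naming a password is not the signal: questions 1 and 2 mention passwords and are benign, whereas 3 and 4 ask the respondent to type one in and coach the answer with a sample value.

```python
import re

# Constructed input: the five survey questions quoted in the article. The
# author identifies questions 3 and 4 as the spear phishing questions.
SURVEY_QUESTIONS = [
    "Do you find it difficult to remember all of your corporate passwords?",
    "How many passwords are you required to remember for corporate systems?",
    "Of all your passwords, enter the one which you think is the best? "
    "(Such as sljkf2875$^ or Cook#paper)",
    "Of all your passwords, enter the one which you think is the worst? "
    "(Such as password or LALakers)",
    "Do you think your Chief Security Officer would be interested in our "
    "software tool that is both inexpensive and offers bullet-proof "
    "security protection?",
]

# Heuristic patterns (my own, not from the article). A credential being named
# is not enough on its own: questions 1 and 2 name passwords but only ask
# about them. Flag only when the question also asks the respondent to hand
# one over.
CREDENTIAL_NOUN = re.compile(
    r"\b(pass(?:word|phrase|code)s?|pins?|one[- ]time codes?|"
    r"security answers?|secret questions?|recovery codes?)\b", re.I)
SOLICIT_VERB = re.compile(
    r"\b(enter|type|provide|submit|share|tell us|write|list|confirm|paste)\b",
    re.I)
# "(Such as ...)" coaching text, and a sample value that looks like a real
# password: a token of 6+ characters mixing letters with digits or symbols.
SAMPLE_HINT = re.compile(r"\((?:such as|e\.g\.|for example)[^)]*\)", re.I)
SECRET_LIKE = re.compile(r"(?=\S*[A-Za-z])(?=\S*[\d#$%^&*!@_])\S{6,}")


def score_question(text):
    """Return a dict with a harvesting score, a flag and the reasons."""
    reasons = []
    score = 0
    names_credential = CREDENTIAL_NOUN.search(text) is not None
    asks_to_disclose = SOLICIT_VERB.search(text) is not None
    if names_credential and asks_to_disclose:
        score += 2
        reasons.append("asks the respondent to disclose a credential")
    elif names_credential:
        # Mentioned but not solicited: questions 1 and 2 land here.
        reasons.append("mentions credentials without asking for one")
    if SAMPLE_HINT.search(text):
        score += 1
        reasons.append("coaches the answer with a sample")
        if SECRET_LIKE.search(text):
            score += 1
            reasons.append("the sample looks like a real password")
    return {"score": score, "flagged": score >= 2, "reasons": reasons}


def harvesting_questions(questions):
    """1-based numbers of the questions that should block or alert."""
    return [i for i, q in enumerate(questions, start=1)
            if score_question(q)["flagged"]]


if __name__ == "__main__":
    for n, q in enumerate(SURVEY_QUESTIONS, start=1):
        r = score_question(q)
        print(f"Q{n}: score={r['score']} flagged={r['flagged']} {r['reasons']}")
    print("harvesting questions:", harvesting_questions(SURVEY_QUESTIONS))
```

Run as written, questions 3 and 4 are the only ones flagged (scores 4 and 3); 1, 2 and 5 score 0, and a benign question that merely offers a sample answer scores 1 and is not flagged. The verb-plus-noun requirement is what keeps the password-counting question 2 from tripping the rule; tune the word lists to the credentials your organisation actually uses before deploying it anywhere.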
  • 4. We now know that this person's best password is NYGiantsrock and their worst is HRpassword. Two passwords, just for the asking, without a lot of effort. The spear phisher will use this invaluable information in their attack.

Result

What this brief exercise demonstrates is that surveys can easily be used as the vehicle for a spear phishing attack.

SurveyMonkey responses can in some cases be anonymous and secure, but it is up to each survey creator to decide whether to collect responses anonymously or to capture respondents' personal information.

What matters most is that an attacker won't follow the rules.
  • 5. Recommendations

The most effective way to counter phishing and spear phishing is an effective information security awareness program that educates users on how to identify and avoid a well-crafted spear phishing email.

As part of a corporate security awareness program, users should be cautioned against answering surveys that ask about proprietary and/or confidential corporate information, or any personal information.

Users need to understand that since anonymization of their answers is at the survey creator's discretion and is not something SurveyMonkey guarantees, they should have zero expectation of privacy.

Ben Rothke is an information security manager and the author of Computer Security: 20 Things Every Employee Should Know.