I’ve noted a significant rise in the number of phishing and malware attacks I’ve received in the last few weeks. With open source phishing tools like GoPhish available to anyone for free, it’s more important than ever to train your employees and be more diligent about where you go online.
I’ve included two of the most recent messages I’ve received to remind you to be very diligent when you are going through your e-mail.
1. The fake fax/purchase order – This attack sends an unexpected message that has an interesting title, like “Incoming fax message” or “purchase order” from an unexpected sender. An example of one of these appears below.
Note that this message is from a service I’ve never heard of, that the fax number of the sender (+1 659-802-3681) is from an area code that doesn’t exist, and that the CSID (fax header) is from Massachusetts. Also note that the attachment is an HTML file – and it probably has some bad stuff in it.
Lesson: If the message looks odd, verify its validity with the sender. If you can’t determine the sender, don’t open it.
2. The portal login – This attack sends a message which purports to come from a portal, but the real objective is to lure you onto a site you shouldn’t visit that has been made to look like a legitimate website you use. In the screen capture below, I’m allegedly being sent a PDF file from a CPA firm in Washington State which is a “proposal”. Since I don’t do business with the firm, I have to assume that it’s bogus, and I should ignore it. It’s probably a bogus e-mail, linking to a bogus website, with a malware-laden file awaiting me.
This kind of attack is easily perpetrated with free, open source software – because I’ve personally set up the software needed for this in Linux. The application, GoPhish, is designed for security professionals to use when testing their employees, but can also easily be used by fraudsters trying to get access to your e-mail accounts.
While I didn’t click on the link to the OneDrive site, I fully expect that it would have had malware on it or would have tried to trick me into entering my legitimate username and password into a fake website. There are a number of free tools which will help you set up fake websites in GoPhish, and it is trivial to use this tool to retrieve the credentials entered by victims.
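The two messages above share a handful of indicators a mail filter or a careful reader can check mechanically: a sender domain you have no relationship with, an HTML file as an attachment, and a link whose visible text points one place while its href goes somewhere else. The script below is an added example (not code from this post or from GoPhish) that scores a raw e-mail for exactly those three indicators using only the Python standard library. The allowlist of known sender domains and the two sample messages are constructed for illustration; the domains in them are placeholders.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: domains this mailbox actually does business with.
KNOWN_SENDER_DOMAINS = {"example-cpa.com", "mycompany.example"}

# Attachment types called out above as suspicious when they arrive unexpectedly.
RISKY_ATTACHMENT_EXTENSIONS = (".html", ".htm")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _base_domain(host: str) -> str:
    """Last two labels of a hostname, so a lookalike subdomain is not mistaken
    for the real domain (a crude stand-in for a public-suffix lookup)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _url_domain(url: str) -> str:
    return _base_domain(urlparse(url).hostname or "")


def _addr_domain(header_value: str) -> str:
    _, addr = email.utils.parseaddr(header_value)
    return _base_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list:
    """Return the list of indicator strings found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Indicator 1: sender domain with no existing relationship.
    sender_domain = _addr_domain(msg.get("From", ""))
    if sender_domain not in KNOWN_SENDER_DOMAINS:
        findings.append(f"unknown sender domain: {sender_domain}")

    # Indicator 2: an HTML file delivered as an attachment.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_EXTENSIONS):
            findings.append(f"HTML attachment: {name}")

    # Indicator 3: link text that names one domain while the href goes to another,
    # or any link that leaves the sender's own domain.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_domain = _url_domain(href)
            text_domain = _url_domain(text) if "://" in text else None
            if text_domain and text_domain != href_domain:
                findings.append(f"link text {text_domain} but href goes to {href_domain}")
            elif href_domain and href_domain != sender_domain:
                findings.append(f"link to {href_domain} does not match sender {sender_domain}")
    return findings


# Constructed sample resembling the "incoming fax" message: unknown sender, HTML attachment.
SAMPLE_FAX_PHISH = """\
From: Fax Service <noreply@efax-notice.example>
To: me@mycompany.example
Subject: Incoming fax message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You have a new fax from +1 659-802-3681. Open the attachment to view it.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="fax.html"

<html><body>fax viewer</body></html>
--b1--
"""

# Constructed sample resembling the "portal login" message: trusted-looking sender,
# link text that shows the firm's portal while the href goes to a lookalike host.
SAMPLE_PORTAL_PHISH = """\
From: Jane Doe <jane@example-cpa.com>
To: me@mycompany.example
Subject: Proposal (PDF)
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the proposal:
<a href="https://portal.example-cpa.com.evil.example/open?id=1">https://portal.example-cpa.com/proposal.pdf</a></p></body></html>
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = """\
From: Jane Doe <jane@example-cpa.com>
To: me@mycompany.example
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Notes from today's call are attached to the calendar invite.
"""

if __name__ == "__main__":
    for label, sample in (("fax", SAMPLE_FAX_PHISH), ("portal", SAMPLE_PORTAL_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, phishing_indicators(sample))
```

The base-domain comparison is deliberately strict in one direction: `portal.example-cpa.com.evil.example` reduces to `evil.example`, so a lookalike built by prepending the real name as a subdomain is still caught, which is the trick the fake portal link relies on. A production filter would swap the two-label heuristic for a public-suffix list and feed the findings into a quarantine or user-warning banner rather than deciding on its own.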
The bottom line here is that the bad guys are getting better, and it’s becoming easier than ever for criminals, teenagers, and “script kiddies” to use open source software to gain access to your confidential data.
If you’re interested in training your employees and testing your vulnerability against phishing and other e-mail attacks, the following services offer employee training programs for a reasonable price:
- KnowBe4
- Cofense (PhishMe)
- Proofpoint (Wombat Security)
- Infosec Institute
- SANS Institute
- Ninjio
- Inspired eLearning
You can also find reviews of these services on the Gartner Group’s website.