Of course, unless the user has received some security awareness training, why wouldn't they give their username and password to someone who says they work in IT support, especially if the IT manager (whose name can be dropped into the telephone call) has supposedly authorized this as part of a major, entirely fictitious incident? In some companies it is common practice for the IT support team to ask users for their password to resolve support cases more quickly, which makes users even more likely to give away their password when asked for it.
If all this seems unlikely to catch your well-trained users out, a more focused and targeted phishing attack may be more effective. This modus operandi is surprisingly effective and has the potential to harvest usernames and passwords from even the most savvy users.
At first glance, the technicalities involved in setting up a phishing attack may appear somewhat complicated, but for the technically adept it should not take more than a couple of hours. After harvesting a number of usernames and email addresses from the Internet, the only task left is to send off some emails and wait for a bite. In a recent project for a client, within 24 hours 10% of the users emailed had supplied their usernames and passwords to our bogus website. Could you be sure you or your users would not do the same?
Without security-aware users it is unlikely that this type of attack would even be noticed. The main indicators the users could have picked up on were that we used a plain HTTP site and that the survey website was hosted on an external server, with the link being in the form http://IPAddress/itsurvey.html. Worryingly, however, if a company has any cross-site scripting problems on its web server, it would be possible to use a link containing the real company website address rather than just an IP address.
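The two indicators just described (a plain HTTP link and a bare IP address instead of a company hostname) are easy to surface automatically at the mail gateway or in a user-reported-phishing triage tool. The following is an added example, not code from the original article; the sample email body, the 203.0.113.45 address and the trusted domain example.com are constructed for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample message of the kind the article describes: a "survey"
# link that uses plain http and a bare IP address rather than a company host.
SAMPLE_EMAIL = """Dear colleague,
IT Support is running a short survey on the recent incident.
Please complete it at http://203.0.113.45/itsurvey.html by Friday.
Regards, IT Support"""

# Simple matcher for http(s) links in a plain-text body.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_bare_ip(host):
    """True if the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(url, trusted_domains):
    """Return the indicators the article lists for one link.

    trusted_domains: company domains (assumed, e.g. ["example.com"]) whose
    hosts and subdomains are considered internal.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    if parsed.scheme == "http":
        flags.append("plain-http")          # credentials would travel in clear
    if is_bare_ip(host):
        flags.append("bare-ip-host")        # http://IPAddress/... pattern
    elif not any(host == d or host.endswith("." + d) for d in trusted_domains):
        flags.append("external-host")       # hosted outside the company
    return flags


def scan_email(body, trusted_domains):
    """Map every link in the body to its indicator list (empty = none found)."""
    return {u: phishing_indicators(u, trusted_domains) for u in URL_RE.findall(body)}


if __name__ == "__main__":
    for url, flags in scan_email(SAMPLE_EMAIL, ["example.com"]).items():
        print(url, "->", flags or "no indicators")
```

A link that only trips "external-host" is the cross-site-scripting variant the article warns about: the host looks legitimate, so this heuristic alone cannot catch it and must be paired with fixing the web application.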
If further justification were required for implementing security awareness training, it is recommended as part of many security standards, including ISO 27001 and the payment card industry standard PCI. Both standards mandate that staff shall be aware of information security threats and issues and shall be equipped to support organizational security policy.