Introduction
There was no such thing as a fair fight. All vulnerabilities must be exploited.
Cary Caffrey
Social engineering. Those two words have become a staple in most IT departments and, after the last couple years, in most of corporate America, too. One statistic states that more than 60 percent of all attacks had the human factor as either the crux of or a major piece of the attack. Analysis of almost all of the major hacking attacks from the past 12 months reveals that a large majority involved social engineering: a phishing e-mail, a spear phish, or a malicious phone call (vishing).
I have written two books analyzing and dissecting the psychology, physiology, and historical aspects of con men, scammers, and social engineers. And in doing so, I have found that one recent theme comes up, and that is e-mail. Since its beginning, e-mail has been used by scammers and social engineers to dupe people out of credentials, money, information, and much more.
In a recent report, the Radicati Group estimates that in 2014 there was an average of 191.4 billion e-mails sent each day. That equates to more than 69.8 trillion e-mails per year.
E-mail has become a part of life. We use it on our computers, our tablets, and our phones. In some groups of people that I've worked with, more than half the people have told me that they get 100, 150, or 200 e-mails per day!
In 2014, the Radicati Group stated that there are 4.1 billion e-mail addresses in the world. Using that figure and a calculator, I discovered that the average is almost 50 e-mails per person per day, every day of the year. Because we know that not every single person in the world gets that many messages, it is not inconceivable to think that many of us receive 100, 150, or even 250 e-mails per day.
As people get more stressed, as workloads increase, and as the use of technology reaches an all-time high, the scam artists, con men, and social engineers know that e-mail is a great vector into our businesses and homes. Mix that with how easy it is to create fake e-mail accounts, spoof legitimate accounts, and fool people into taking actions that may not be in their best interests, and we can see why e-mail is quickly becoming the number-one vector for malicious attackers.
When we are not running social-engineering competitions at major conferences like DEF CON, and Michele is not fighting with students (real story, I swear), we travel the globe to work with some of the biggest and best companies on their security programs. Even companies that know what they are doing and have robust programs for security awareness and protection are still falling victim to the threat of phishing.
We wrote the pages of this book with that experience in mind. We asked ourselves, "How can we take the years of experience in working with some of the world's largest companies and help every company put a plan into action to make the most of phishing education?"
Am I a Builder Yet?
Michele and I started to develop a program that we implemented in a few places. The program is simple but powerful. It involves using the very tools that are used against us to empower us. We know that this concept is not something we invented. After all, there are more than a handful of companies right now selling phishing services to legitimate organizations. Many users of those products, large companies, have come to us and said things like, "We have been using this tool for a year, but our click ratios are still super high. What can we do?"
Before I answer that, let me tell you a story. I remember when I was buying my first home. My wife and I were super excited as the closing approached. (We were going to own a home!) So I did what all men who own a home do: I bought some more tools. I went to Home Depot and bought a beautiful set of cordless tools, a saw, a drill, a jigsaw, and some other miscellaneous tools.
I brought them into my house the first day and found the perfect spot on the shelves in the basement for that toolbox. There it sat for a year. Then all of a sudden I had to cut something. I was so excited; I finally got to use my new tools! I got the toolbox and pulled out the circular saw. I read all the instructions, including something like, "Ensure you are using the proper blade for the material you are cutting."
I looked at the blade, thought, "Yep, looks sharp," and cut my board. It worked. I still had all my limbs and appendages, the board was cut, and the saw didn't blow up. This process continued for a couple hours when all of a sudden the saw started jamming; it stopped cutting. I charged the batteries and did the finger-touch test to the blade and thought, "Ouch, still sharp." Frustrated, I determined the tool was at fault. "Stupid saw; must be defective."
Then a friend came over to help me out. He took one look at the saw and said, "Um, dude, why are you cutting 2x4s with a fine-tooth blade?"
"A what-toothed what?" I replied.
My friend shook his head, and then he gave me an education on blades.
Why do I tell you this humiliating, emasculating story other than to point out my utter lack of manliness? To prove this point: Owning tools does not make you a builder!
Phishing tools are no different than construction tools. Just buying the tool doesn't make you secure, and it doesn't make you able to educate others on the phishing problem.
Teaching People to Phish
So, back to the program Michele and I were developing: We started to analyze phishing and security awareness programs and discovered, as many other serious security professionals have determined, that many of them were useless.
No, security awareness is not useless. I'm not so naïve and silly to say that we don't need awareness. But the style and method of awareness training just wasn't working. Seriously, raise your hand right now if you ever paid attention all the way through a 30- or 60-minute DVD presentation on security awareness. Okay, the one guy in the back, you can put your hand down. But as I suspected, barely a hand is raised.
People tune out training if it's not interactive and quick. Marketers know this; they tell us to make websites interesting, fun, interactive, and to the point. Why should education be anything less?
We started to come up with a plan to make the phishing portion of our clients' security awareness interactive, interesting, and, most of all, not too lengthy. That is why this book had to be written; we wanted to answer a few questions:
- How serious is phishing?
- What psychological principles play a part in phishing?
- Can phishing really be used as a successful part of your security awareness education?
- If so, how can a company implement that?
- Can any size business create a serious phishing education program?
We sat down and outlined a book on phishing, defined our program, and formalized our methodology. We then gave a lot of thought to whether we wanted to release this to the public; after all, it took us years of work to develop our method. After we started to see how it was helping so many of our clients, we decided to write the book. On first approach, though, it seemed like a phishing book wasn't of much interest to many, at least not until the events of 2014, when phishing dominated the front pages again and again during real hacking events. Phishing is being used in attacks every day; phishing service providers are popping up every month; and companies all over the globe are jumping on the bandwagon to start phishing education programs.
What You Can Expect
Michele and I hope that this book will help you on your quest to protect yourself and your company against malicious phishers. We want to take you on the journey we went through in getting ready to write this book.