- Teacher, I have picked a good password, one that cannot be in any dictionary.
Yin Fu Wo nodded.
- I typed it into Google, - the Sysadmin continued, - and made sure there is no such combination on the Web.
- Now there is.

I am a graduate student and teach virology at the university.
Half a year ago, before the start of the fall semester, I was given a whole cohort of fifth-year students: 45 people with different backgrounds, interests and outlooks on life. Even then I thought this was a good basis for some kind of scientific experiment. Two months later I had worked everything out and asked the students to write phishing emails.

Under the cut: what came of it, what it gave the students, and some analytics about how the popular mail services performed. And the letters themselves, of course.
Caution, lots of screenshots.
A warning
Do not engage in phishing. Formally, this is fraud, prosecuted under article 159.6 of the Criminal Code of the Russian Federation. The laboratory work was carried out under controlled conditions: the letters were sent to pre-prepared mailboxes to which only the author of the post has access.
All characters are fictional; any coincidence with real people and organizations is accidental. All logos, trademarks and names belong to their respective owners.

I realized right away that there would be nothing interesting in having emails sent to my personal mail: it would be boring spam of no use or educational value. The students had to understand why they were doing it (spoiler: to learn how to defend themselves) and how any person can be approached.

Therefore, before giving the assignment, I gave a lecture on targeted attacks, social engineering and phishing, showed examples and explained that anyone is vulnerable.
And once again reminded them of the criminal liability for fraud.
Dramaturgy
I came up with three characters. Each of them works somewhere, is interested in certain things and has weaknesses. All three are from different cities, of different ages and with different values in life (at least, that is what I had in mind when I wrote them).

Of course, for various reasons, these three use different mail services: Google, Yandex and mail.ru. They have different spam filters, and it was interesting to see which does better.
Time to introduce the characters.
Mazaeva Olga Venediktovna, 53 years old, accountant, LLC Vector, Voronezh. Mail on mail.ru, mazaeva1964@inbox.ru.
Dislikes modern technology. Sometimes plays Pirates' Treasures on the phone her son gave her. Can press buttons in 1C, but, in general, is on formal terms with the computer.
In the past she worked as a financier at the NGO "JOUL". In the 90s the plant was bought by a western investor and the staff was cut. She has an account on Odnoklassniki and sometimes pays to give "fives" to her childhood friends.
Vladislava O. Petrichenko, 21 years old, office manager at Astek, Tomsk. Mail: zlatovladka@yandex.ru.
After a semester of computer science in her second year she is sure that system administrators have a much easier job than she does: of course, they play tanchiki all day and occasionally poke at cables pulled out by stupid accountants. She masterfully edits her selfies in Photoshop, replacing the wallpaper with flowers in Malta. This is her first job, so she is only learning to copy documents with the COPY button on the MFP rather than by scanning and printing. Vladislava is registered on thirteen dating sites because she is waiting for the man of her dreams, not some limp rag.
Andrei Pimanov, 26 years old, tester at Alphabetic Issues, St. Petersburg. Mail: ultradoter9000@gmail.com.
Paranoid and liberal. Recently moved all his data to Google Drive and his passwords to Google Smart Lock, because his old mail.ru account, as he puts it, "was hacked by the bloody gebnya". Obsessed with airsoft, a regular at Sam Susam club tournaments. Bought 458 games on Steam and played only 6. Every week he goes to the post office for packages from Chinese online stores. He ordered a laptop from Gearbest and is terribly proud of it.
Naturally, just giving descriptions of the people and their e-mail addresses would not be enough for a full laboratory assignment, so I formulated the conditions. I reproduce them unchanged.
Laboratory conditions
- The letters must actually be sent to the specified mailboxes. If you use specially created mailboxes, after sending, send me the list of addresses with your surname and group number.
- Assume that the characters open letters on work computers during working hours.
- When writing, you must use the individual characteristics of the characters. By default, a letter that could be written to anyone, without such details, does not count.
- The goal of the attack is access to the internal network or to the data (mail, calendars, archives, financial information) of the organization each character works for. Obtaining the characters' personal data is a lower priority.
- From whom, under what pretext and how the attack is made is at your discretion. Using additional means (scripts, documents with macros, software) counts toward the credit if there is a suitable legend.
- Spam emails do not count.
In the report I asked them to attach the texts of the letters, the logins and passwords obtained, and an analysis of why the letters turned out the way they did. Otherwise the students had complete creative freedom.
I also gave the students a few links with useful information and waited.
Reading the letters
To begin with, it is worth saying that the links in almost all the letters work and lead to sites of varying degrees of polish.
The first batch of letters arrived in a week. I give the floor to the authors.
Letter to Olga Mazaeva
Creating this letter, we focused on the interest of our addressee in the game “Pirates' Treasures” and in receiving the so-called “OK-s” in the Odnoklassniki network. In addition, we took into account the well-known fact that people like to participate in various promotions, while receiving something completely free of charge.

Letter to Vladislava Petrichenko
Creating the letter for this addressee, we used her employer as the imaginary sender and used the company's logo, which added to our recipient's confidence in the "reliability" of the phishing letter. In addition, we again used social engineering techniques: we included a message about a lottery in our letter, made the prize a ticket to Malta, her favourite place, and added a counter on the phishing site that decreases the remaining number of prizes.

Letter to Andrei Pimanov
Based on the addressee's paranoia about the security of his data, we chose as the subject of the letter an improvement to Google's data protection, namely enabling two-step authentication. However, while creating the letter we ran into problems: Gmail, recognizing content similar to its own in our letter, kept sending it to spam. To get around this, we had to take a screenshot of the letter we had composed, insert the screenshot into the email being sent, and attach a link to our phishing site to it.

I scolded the authors for sending screenshots, but counted the letters.
The authors were the first in the whole cohort to receive credit.
Dubious analytics
For obvious reasons, 135 letters and their detailed descriptions will not fit in this article. I am also not attaching links to the phishing sites, mainly for ethical reasons.
So, there were a lot of letters, but some intermediate results are in order: which directions the students' thinking took and which letters came most often.
The most remarkable ones are under the spoilers.
Olga Mazaeva
The accountant Olga Mazaeva received 11 letters from her favourite game on Odnoklassniki and 5 more about free or almost free "fives" for photos of her school friends.
She was also warned about various things by the Federal Tax Service, 1C, Sberbank and the Odnoklassniki security service.
Hot letters
Pressing on a sore spot. How can she give out "fives" if her account is blocked? And her whole life is in there: messages, girlfriends, everything. Of course, nobody puts such huge buttons in official letters; it is more of a trick from sites selling Unique All-World Courses. But it works, apparently.
If you are responsible for security in your company, tell employees that banks will never send any confirmation of corporate financial information to personal mail.
Here, of course, the author went overboard with the transfer amount. If it were ten times smaller, the potential harm could be ten times greater.
Never do such things in real life, please.
How could she not join her former colleagues? Click, enter the password, account hijacked.
Another example of pressure allegedly from the support team of a product the person uses every day. Never download anything from such letters; call the person responsible for security and warn them instead.
Mail.ru kindly moved this letter to the Registrations folder, as if everything were fine. Everything is not fine. Do not enter any confirmation codes for transactions you did not make, and delete such letters.
Try the new version of the product. Try it! Try it!!! There is a new rating system! Not from 1 to 10, but from 1 to 12.
The devil is in the details. The author copied the letter to Mazaeva from a Google Doc, so the font does not match. And again: update the software. Which one? It does not matter, just update. By the way, the link leads to an educational keylogger carefully written by the student.
Andrei Pimanov
As expected, the hardest for the students were the letters to the paranoid tester Andrei. The difficulties were mainly due to the Google Mail spam filter, but the students themselves also came up with fewer attack vectors here than in the other cases.
Andrei received countless letters from Steam, about ten from AliExpress and other Chinese stores, and a couple more from Google. The tastiest, unexpectedly, came from the Sam Susam airsoft club; see under the spoiler.
Hot letters
Customs now require a TIN, so the letter may work. Try figuring out what lies behind an order number when several packages arrive every week. One could argue that AliExpress copywriters are not this tongue-tied, but that is a matter of taste.
Winner in the category "A letter Google will never write to you". The link is not hidden, there is no corporate layout (not even a screenshot of a finished letter), the text is hastily put together. Good day!
A letter like any other. Much more fun is where the link leads (do not enter anything there!).
A Christmas sale on Steam for those who are interested and able.
Good. The package of constituent documents and the tax certificate are, of course, overkill, but otherwise it looks like an ordinary letter. There is no link, and if you do not stop to think, you can accidentally send something you should not.
Definitely my favourite letter. Everything is good here: it is written in human language, it does not try to disguise itself as a popular site, and there are pleasant little touches in the text that show care. Imaginary care, of course. Be alert!
Vladislava Petrichenko
All the students fell in love with Vladislava. She was thoughtfully sent links to dating sites matching her preferred type of partner, and even a promo code for Photoshop to make editing photos even more pleasant.
Hot letters
Impersonating your organization's security service is a favourite trick of fraudsters. Formal style, document attached. No need to go anywhere, just download and look.
Just a very funny letter, although formally it does use social engineering techniques. A pity the service is not called "I agree!". There is your business idea #9402.
This is what happens when you send phishing emails to many people at once and mix up the subject lines, and then ask for a signed consent by sending the letter as a picture. Note: if the whole letter is one big link, most likely my student wrote it. You can safely delete it.
I have only one question: how did the authors choose the photo for the letter? Not a word about it in the report, and I would gladly read a separate post on the topic.
Here the stolen Astek logo appears again, but the authors are different. Everything here is just very good; the main thing is to try it out.
Vladislava wants to go to Malta, and here is such an offer for pennies. Buy now, now! Besides, the site has:
The only letter I believed at first. Even knowing that this is a controlled test mailbox and that nothing from mail.ru can arrive here. At the last moment I caught my hand moving the mouse toward the link. Please do not be like me.

- What about spam filters? They should filter this, right?
Probably they should, but no.
Gmail did best: 13 of 38 letters landed in the Spam folder. Google Mail filtered letters "similar to those we have already blocked" and ones that "contain things characteristic of phishing emails".
Second of the three is Yandex, which filtered out a disappointing three letters. Unfortunately, Yandex does not show the reason for blocking in the mail interface.
On mail.ru a single letter went to spam.
Remembering what the successful letters looked like, I would not call the work of any of the three services good. And even the share of emails that Gmail filtered does not solve the problem of phishing and targeted attacks. Attackers can pretend to be anyone and, knowing very little about you, gain access to your accounts.
Findings
I think the laboratory work was a success. After the discussion the students understand (or pretend to understand) how to protect themselves from phishing and why they should not do this in real life: fraudsters face a real prison sentence under article 159.6 of the Criminal Code of the Russian Federation. I warned the students about this many times in lectures and practical classes. Do not do that.
How to defend?
- Do not open links, download or run files from emails unless you are sure about them.
- Do not enter your personal data (logins, passwords, card numbers or anything else) on unfamiliar sites. At the slightest suspicion, close the page.
- Enable two-factor authentication for your accounts. This can be SMS, biometric authentication or confirmation on a mobile device.
- If a dubious letter arrives in your corporate email, tell the admin or the security service. Someone may be running a targeted attack on the company.
- Be careful. Nobody will accidentally send you a letter with the annual financial report or the salaries of company employees.
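As an added example (not part of the original post, and not the author's or the students' code), here is a small Python checker that applies three of the warning signs from this post to raw messages before a person ever reads them: visible link text that shows one address while the link goes to another, a letter whose whole body is one big link, and a risky attachment such as a macro-enabled document. It also flags links that leave the domain the sender claims to write from; in real mail that rule is noisy and is included only to show the idea. The messages, addresses and domains below are constructed for the example and modelled on the letters described above; the "registrable domain" logic is deliberately crude.

```python
import email
import os
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types a mail gateway would normally hold back: macro-enabled Office files and executables.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm", ".pptm"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs and count visible characters in and outside links."""

    def __init__(self):
        super().__init__()
        self.links, self.text_chars, self.link_chars, self._open = [], 0, 0, None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", []]   # [href, text parts]

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, parts = self._open
            self.links.append((href, "".join(parts).strip()))
            self._open = None

    def handle_data(self, data):
        n = len(data.strip())
        self.text_chars += n
        if self._open is not None:
            self._open[1].append(data)
            self.link_chars += n


def _host(s):
    """Lower-cased host of a URL or bare hostname ('' if none)."""
    s = s.strip()
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def _base_domain(host):
    """Crude registrable domain (last two labels); enough for the constructed samples below."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _html_body(msg):
    """Decoded text/html part of a message, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze_message(raw):
    """Return (finding, detail) pairs for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw)
    sender_domain = _base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower())
    collector = _LinkCollector()
    collector.feed(_html_body(msg))
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        # Visible text looks like an address (no spaces, has a dot) but the link goes elsewhere.
        if text and " " not in text and "." in text and _host(text) != href_host:
            findings.append(("mismatched-link", f"shows {text!r}, goes to {href_host}"))
        # The link leaves the domain the sender claims to write from (noisy in real mail).
        if href_host and sender_domain and _base_domain(href_host) != sender_domain:
            findings.append(("link-off-sender-domain", f"{href_host} vs {sender_domain}"))
    # Nearly all visible text sits inside a single link: the "whole letter is one big link" pattern.
    if len(collector.links) == 1 and collector.text_chars and collector.link_chars / collector.text_chars >= 0.9:
        findings.append(("whole-body-link", "nearly all visible text is one link"))
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
    return findings


# Constructed samples (hypothetical senders and domains), modelled on the letters described in the post.
PRIZE_LETTER = """\
From: "Astek HR" <hr@astek.example>
Subject: Corporate lottery: a trip to Malta
Content-Type: text/html; charset=utf-8

<html><body><a href="http://astek-prizes.example/claim">
<p>Sign the consent form to take part in the draw. Only 3 prizes left!</p></a></body></html>
"""
STEAM_LETTER = """\
From: "Steam Support" <noreply@steampowered.example>
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Andrei, your discount is waiting.</p><p>Open
<a href="http://steam-winter-deals.example/login">https://store.steampowered.example/account</a>
to claim it.</p><p>Best regards, Steam Support</p></body></html>
"""
SECURITY_LETTER = """\
From: "Security Service" <security@vector-audit.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Open the attached instruction and follow the steps today.</p></body></html>
--b1
Content-Disposition: attachment; filename="instruction.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""
INTERNAL_LETTER = """\
From: "IT Department" <it@astek.example>
Content-Type: text/html; charset=utf-8

<html><body><p>The floor 2 printer is serviced on Friday. Tickets:
<a href="https://helpdesk.astek.example/new">https://helpdesk.astek.example/new</a></p></body></html>
"""
```

Running `analyze_message` over the four samples flags the prize letter as one big link on a domain other than the sender's, the Steam letter for showing one address while linking to another, and the "security service" letter for its macro-enabled attachment, while the internal IT reminder produces no findings. A rule set like this belongs at the mail gateway or in a SOC triage script, not as a substitute for the habits in the list above: it catches the crude patterns (the cohort's favourite "one big link" and mismatched-address letters) and says nothing about a well-written letter with a clean link, like the author's favourite airsoft club one.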
Many thanks to the students who participated in this experiment. See you at the exam :)
And thanks to all the others for reading to the end. Do not be fooled.