
Thank you very much. Good morning, everyone. We are living in a world where companies are running behind next-generation security technologies. Practically speaking, we all know that the current technology, or the next-generation technology we own, is not there yet to protect us from the cyber threats coming from the attackers. So with that thought, what we need to understand is that security, or cyber security, is a shared responsibility. My name is Emilia Pereira. I'm a lecturer working at the University of South Wales, I'm leading the NotToPhish project, and Jack Tabash is joining me for the session; he is working as the senior technical developer for our NotToPhish project. I would be really grateful to the BSides community for giving us the opportunity to talk about something close to our heart, which is this project that we initiated 12 months ago. It's new, but we'll look at what we have got to tell you in the slides.

We all know what phishing means; I'm not going to talk about the definition of phishing. We also know phishing is a threat, but the biggest question we have is its impact. According to the statistics, it's been proven that phishing is the number one reason for cyber security breaches over the last 12 months. Now what we really need to think about is why this phishing really works. Basically, sending emails is free; anyone can send emails. Attackers can send a sheer amount of phishing emails to thousands of targets within a few minutes. Also, according to the Cyber Security Breaches Survey 2019 done by the Department for Digital, Culture, Media and Sport, they have identified that nearly 89 percent of businesses in the UK are using email as the primary communication method to talk to their clients, and nearly 85% of charities are using email as their primary communication method. So that means we have a bigger threat landscape, and it also means that just about anyone with email could be a target. Also, phishing actually exploits natural human vulnerabilities such as emotion or impatience, those types of things. When it comes to those types of things, people forget about all the things they learned about security, or whatever technical controls you have implemented in your organization might not be enough to stop them clicking on that phishing link. This has been proven by the phishing exercises that we have run over the last couple of months: as you can see, more than fifty percent of the participants clicked on the phishing link within sixty minutes of the exercise that we initiated. So it's scary, because people just wanted to click on the link.

We also identified that people really want to know what's inside this link. Some people actually said, "OK, we just clicked on the link, but we didn't submit anything." It's funny, because you really don't know what's inside the link. Now the problem is, how are we teaching people not to click on the links? Tarian Regional Organised Crime Unit came to us a couple of years back and they said, "Well, we have this problem; could you please come up with a solution for this?" Now the main concern there for us is: can we give this product for free to small and medium-scale organizations in Wales? So we actually had a look into a couple of open-source products and then we decided, OK, we could come up with a solution, and we are not going to compete with anyone, because there are plenty of products in the market; the only issue is they are really expensive. Can we do something for the community? So we developed this product called NotToPhish, which actually runs phishing campaigns, analyzes the vulnerabilities of the people who actually need training, and also provides the training for those people. As I said, it's really new; it's only six months old, and it's young. We have phished nearly 500 individuals so far, which includes public sector, private sector, law enforcement, legal, finance, engineering; all sectors we managed to cover so far, and a couple of companies have already shown their willingness to contribute to this exercise. Based on the statistics that we have collected, we can say that nearly 21% in each and every organization is vulnerable to a phishing attack. Now you might wonder, it's just 21%, what does that mean? It's not a huge number, but the important thing is what's inside this 21 percent. So let's go and have a look at what we got inside this 21 percent.

In order to do these exercises, we created a couple of scenarios. Some of these scenarios are actually closer to real-world incidents: it's not just sending one phishing email, but creating a full phishing attack, which means we initially send one phishing email to a number of people, and then depending on their request we may create a landing page, or normally use a default landing page, and then within a time window we send a second phishing email linking to the first email. In this case, the first one says there's a training required to be done and it asks people to enroll, and then after a certain amount of time we send a second email telling them that there has been a data breach because of the first email. This is how things are happening in cyberspace, because some people already know there's an ongoing phishing attack; because of that, whoever did not click on the first link could go and click on the second link. So we managed to capture some interesting data by doing this. It's really important to identify these weaknesses; it's not exploiting one person by just sending an email, so we are creating these types of scenarios.

OK, so let's have a look at what we got for you. We have identified that 8:00 to 10:00 a.m. is the most vulnerable time period for a phishing attack. As you can imagine, people are normally checking their emails in the morning, and as usual people see a lot of emails, maybe at least five to six emails in the inbox waiting for them to read, and they're in quite a hurry to start their job, so they just open the emails and quickly read those things. As a result, there's a high potential that if somebody targets this time window they could achieve a higher number of victims. We have also identified that about 30% of management in organizations are vulnerable to these types of attack vectors, and this includes directors, CEOs, any C-level jobs (CIO, CEO, etc.), senior managers and mid-level managers. Now the question you need to ask is: it's just about 30%, but imagine how much information they keep in their hands about the organization. If they don't care about these types of things and they lose these credentials, if they give these credentials to somebody else, basically they are giving a free pass to attackers. Now if you actually take a look at the topic that we put on this presentation, the experience of running phishing campaigns in Wales, this is called whaling: targeting the high-profile people in organizations.

Now this is a bit trickier; I'll try to simplify it as much as possible. In my scenario I told you that we used two phishing emails, can you remember that? In this case we have identified that of the number of users who clicked on the second link in the second phishing email, most of them had also clicked on the first phishing email, which is nearly 88%, which means whoever clicked on the second link also clicked on the first link. So this is the problem we have, and these types of people really need something to understand what they're doing.

This is another interesting finding. We ran these phishing exercises over the summer; especially, we targeted the school vacation time period, and there was a reason for that. We wanted to identify how many people are checking their emails while they are away on annual leave, and it's easy to figure out, because in the inbox, or the couple of inboxes that we used for this phishing exercise, we received automatic responses mentioning that they are away for a certain period of time, which is fine. Then we verified these automatic responses with the client after the exercise, so they confirmed that these people were definitely away when we were doing the exercise. Now, 18 percent of people check their emails while they are away. The thing you need to understand here is they might not be in the country, they might be somewhere else, and they clicked on a phishing link. OK, they might not know what they have done; when they come back, all the data they've got, or whatever information they have given, has already been stolen, and then they actually complain about these things to their organization, and by then it's too late, because the attacker already knows how long they are away from the organization because they set their automatic responses. So we actually raised this as another interesting figure for those organizations, to encourage people to be aware of these types of things when they are going away.

16 users out of 500, it's not a big amount, but these guys clicked on the phishing email more than twice or three times. When we saw this, we wanted to figure out why people are clicking on the links, why they are serial clickers, and then we found out that they wanted to open this phishing link using their desktop, maybe using the iPhone, or maybe the iPad, etc. We didn't ask them to do any test cases for us opening our phishing page, but then we actually tried to contact those people and ask why they clicked on the link. The answer was really interesting. They said that they knew it was a phishing email, but they wanted to go and click and have a look at what's in there. It's not funny, because if that link contains something that automatically downloads onto that machine, who's going to help them? I mean, these types of things are really serious. As you can see, can we actually control these types of people by implementing the next-generation security technology we are talking about? Simply, well, the answer is no. It could be achieved to a certain extent, but it's about the attitude, about the security hygiene.

Now the only way we can improve this is via our security awareness training. In our platform, what we have done is we have identified these individuals and we have enrolled everyone into our training platform. But before we enrolled them in the training platform, what we did is we asked the companies whether their employees know how to report a phishing email, because reporting is very important: it stops the damage, or the ongoing damage. In most cases the answer we had was no; the only thing they'd do is they'd normally ring the IT helpdesk or a person they know to report this email. But that's not how it should be done; it needs to have a proper email address and a contact number. So what we have done is we created this email and we disseminated this email five days before our phishing campaign, when we were doing it for those organizations. Now you might ask us this question: is there an impact of sending these emails five days before the exercise? Well, the answer is we haven't noticed any statistical significance from doing this before running the campaign, which means clickers are still clickers; they did not care about this. But what we have noticed is there's a significant increase in reporting phishing emails correctly, and I'll talk about that later on. We also created posters for people, or for those organizations, with common phishing indicators, and we let them put these reporting details in the poster that we created. It's actually a soft copy; they can put that information in the poster, print it and have it in all areas where people work, so people can actually see it. We have identified that nearly seventeen percent of people successfully reported the phishing email in the way we advised, and it also tells us that 83 percent of people did not report it correctly. This 83% means the people who clicked on the email.

Talking about the training, we have developed interactive training material for them in both English and Welsh. It's only a 30-minute training module, and people have done this and we have received very good feedback from people. It includes identifying suspicious emails: we have created virtual inboxes for people to go and try these things, and they can go and look at the mail subjects, they can look at the sender details, and actually they can go and hover over the links as well. Then we also encourage them to go and delete or keep; those are the actual responses, and it encourages people to do that in practice. We also created a knowledge base for public users, because if they are not coming from a company they should still be able to understand what phishing means and how to protect themselves from phishing attacks. So under the NotToPhish website you can visit this knowledge base; it covers the general things about phishing, how to identify phishing attacks and how you would respond to a phishing attack, and we have also included other free resources coming from third parties such as CPNI, NCSC and Google, those quizzes; everything we have included in here. Recently we released our training platform for the public under learn dot nottophish dot co dot uk, which is accessible to anyone by sending a request to us, so you don't need to be a company.

Now there are new things happening in phishing attacks, so we need to be aware of that; we are actually trying these things in our phishing campaigns as much as possible. Attackers are using various evasion techniques, such as short-lived URLs: a phishing site might not be live for more than 48 hours. They use dynamic DNS and use proxies to host phishing websites, and also there's a spike in using HTTPS for phishing, because of things like Let's Encrypt; people can easily create HTTPS-based phishing websites. So clearly this is where phishing is going now. There are also things like obfuscation, such as the base href technique. What it does is: normally when you are creating a link in the HTML code we have this href tag, so we need to put that in the HTML code. In the base href technique, what the attacker does is use a different tag, base href; by doing that he can split the link into multiple levels, which means if the spam filter does not know how to reassemble the link, it passes the link and basically passes the email to the end user, especially with Office 365 if they're running Office 365 without any protection. This is a vulnerability, and we have tried this in certain test cases and we know that it works.

All right, let me quickly go through the challenges that we have noticed. As you can see, the taxonomy of a phishing attack is really complex; it's not just emails. Phishing can happen in many ways: smishing, sending SMS text phishing; vishing, ringing people and asking for information. When you actually interconnect these things you can see the bigger picture: there is no solution available in the market which can accommodate all of these phishing attack vectors at the moment. We understand the problem, but we are trying to make our security awareness tighter; that's the only thing we can do at the moment, but maybe in the future we could try to implement other things linked to our platform. We have also noticed a significant lack of engagement in completing training. As you know, training is the most difficult part, and we have seen that when companies ask us to do these phishing campaigns they are quite interested to know who is clicking the email, but they're not interested in who is actually completing the training once they have clicked on the link. It's not a solution if they are not really getting trained. We have clearly seen that management support is very important for these types of things, because in certain cases company directors were directly involved with us on completing this training and we had good numbers, and at the same time, when we did not get the support from management, it ended up with a lower number of training completions.

Also reporting, as I said: reporting should be straightforward. Users need to know what to do when they see a phishing email. I know we have encouraged users to create reporting email addresses, and we created posters for them to get that information, but we really need to make it straightforward by creating a phishing button to report it, and currently we are working on that in the system, especially something like the Phish Reporter add-on which is available on GitHub. You can actually download it; it's not owned by anyone, you can actually customize the code, and it then forwards that phishing email to the destination you specify as an attachment. Once you configure this correctly it appears in the Outlook ribbon, so people can straight away report phishing. This is something we are actually trying to implement on our side as well, but if you don't have anything, you can try this one; it's a good solution. And credential harvesting: this is the bottleneck we have at the moment. Our system is capable of capturing credentials, but due to compliance and privacy issues most of the organizations don't want us to capture their employees' credentials. But my opinion is, if we could capture their credentials and show that we have their credentials, we could have a better training completion rate, because people would really understand the risk rather than just clicking on links. I think we probably will need to push this a little bit forward, and currently we are working on it with Tarian Regional Organised Crime Unit.

Finally, this is what we have received as feedback from one of the company directors, and we have actually received good feedback and improvements from different employees and from other public and private sector organizations. So the product is pretty new; however, for the next three years this is going across Wales for public and private sector organizations, so if you are interested just drop us an email and we will actually enroll you for this and you can have a look. It's completely free; there is nothing we are going to charge, but we are going to have limits when you are running phishing campaigns, because we really don't want to jeopardize others' businesses, and we are not going to compete with any other business here. So with that note we are going to finish the talk. I hope you enjoyed the session, and again I'm really grateful to the BSides community for giving us this opportunity to address you at this conference. Thank you.
[Applause]
OK, does anyone have any questions? Yes, that's true. Yeah, I think it's a very good question. So the question was: what are the challenges we have when we wanted to capture the credentials of the people when we're actually running these campaigns in the companies? The challenge is, due to GDPR and other privacy laws, they are quite concerned about credentials, and they just wanted to make sure about these credentials, because people are using the same username and probably the same password for many accounts. So though they ask people to change their passwords, they are quite concerned about what if they don't change the passwords in the other accounts. So they don't want to accept that risk; therefore it is very difficult for us to go into that avenue yet. However, from our end, what we can do is we can actually show the password, because we can actually capture it in plaintext if you want to, but when we are storing it we can encrypt the password, or we can show the number of characters in the password. It's not a problem from our side; actually it's for the client to decide whether they want to come to that level or not. I hope I answered your question. So, in short, it's more of a legal challenge than a technical challenge. All right, thank you very much, everyone.
[Applause]
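The base href link-splitting technique described in the talk, as an added example that is not code from the NotToPhish project or from the speakers: a small parser that joins a relative `<a href>` onto the message's `<base href>` the way a mail client does, and compares the hostnames a filter sees with and without that reassembly. The sample message body and the `example.invalid` hostnames are constructed for illustration.

```python
"""Reassemble split links (<base href> + relative <a href>) in an HTML e-mail.

Added example, not code from the NotToPhish project. The sample e-mail body
below is constructed for illustration; *.example.invalid hosts are not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect the first <base href> and every <a href>, in document order."""

    def __init__(self):
        super().__init__()
        self.base = None      # first <base href> seen, or None
        self.raw_hrefs = []   # <a href> values exactly as written in the HTML

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            # Browsers and mail clients honour only the first <base href>;
            # any later one is ignored, so this parser does the same.
            self.base = attrs["href"].strip()
        elif tag == "a" and attrs.get("href") is not None:
            self.raw_hrefs.append(attrs["href"].strip())


def effective_links(html):
    """Return (raw_href, resolved_url) pairs as a mail client would resolve them.

    A relative href is joined onto the <base href>; an absolute href is left
    unchanged by urljoin. Without a <base>, the raw value is returned as-is.
    """
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    pairs = []
    for raw in parser.raw_hrefs:
        resolved = urljoin(parser.base, raw) if parser.base else raw
        pairs.append((raw, resolved))
    return pairs


def hosts_seen(html, resolve=True):
    """Hostnames a filter would extract from the message.

    resolve=False mimics a naive filter that only reads the <a href> values;
    resolve=True reassembles the split link first, which is what is needed
    before a URL reputation check can see the real destination.
    """
    hosts = set()
    for raw, resolved in effective_links(html):
        host = urlsplit(resolved if resolve else raw).hostname
        if host:
            hosts.add(host.lower())
    return hosts


# Constructed sample e-mail body (not a real message). The phishing host is
# never written out in full: scheme and host live in <base href>, the path
# lives in the anchor, so a filter that scans only <a href> sees no host.
SAMPLE_EMAIL = """<html><head>
<base href="https://login.example.invalid/">
<base href="https://ignored.example.invalid/">
</head><body>
<p>Your mailbox is almost full. <a href="account/verify?u=42">Verify now</a></p>
<p>Need help? <a href="/support">Contact support</a></p>
<p><a href="https://mail.example.invalid/unsubscribe">Unsubscribe</a></p>
</body></html>"""


if __name__ == "__main__":
    for raw, resolved in effective_links(SAMPLE_EMAIL):
        print(f"{raw!r:44} -> {resolved}")
    print("hosts without base resolution:", hosts_seen(SAMPLE_EMAIL, resolve=False))
    print("hosts with base resolution:   ", hosts_seen(SAMPLE_EMAIL))
```

Run it as a script to see the two views side by side: without base resolution only the absolute unsubscribe host is visible, so a blocklist or reputation lookup never gets to judge the login host that the user will actually be sent to. Any URL check in a mail gateway should therefore run on the resolved value, which is what the `resolve=True` path produces.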