With the advent of phishing frameworks, more companies are able to test their staff for the dangers of phishing themselves. Either a DIY approach is adopted by the organisation, or quite often the support of a paid phishing portal can assist in circumventing in-house technical deficits. When budgets or other issues make professional input prohibitive for your company, it could be a much-needed chance for your in-house IT staff to learn something new and get stuck into the phishing challenges they face head-on. These smaller setups can offer a great insight into how your organisation responds to a simulated phishing email. But it's not that easy when thinking big and certainly not without its risks. The simple DIY approach actually starts to unravel and could even end up being quite damaging to your company and your staff's perception of phishing awareness training.
Phishing at scale requires a new approach; almost every element has to be re-considered. For The AntiSocial Engineer Limited, it was the start of AntiPhish, a service designed to offer UK Government, public sector and large private organisations a glimpse at phishing employee numbers exceeding 50,000+ employees.
AntiPhish At Scale
Infrastructure and Data Security
Consultant-run campaigns and Government-approved data centres.
Campaign Design and Email Delivery
Realistic emails, delivered in bulk, in a professional manner.
Statistics and Reporting
Be sure to understand your campaign and the risks. Our clear reports help you understand millions of unique data points.
So you decide to spin up a little Amazon VPS and try out a phishing framework on your colleagues. Almost cute in comparison to the infrastructure of a real-life national phishing campaign. In the wild, the term 'infrastructure' is used loosely. Malicious phishers compromise a myriad of organisations and use the compromised servers and email accounts to send phishing emails. They mix in bot-nets that are capable of sending emails on their behalf too. It's not just the complicated nature of malicious phishing campaigns that sees success, it's the concept of a distributed, ever-changing attack platform, one that is hard to defend against. They are often faced with errors, browser warnings and complaints, and have to be agile in order to be effective.
When considering the infrastructure of a campaign at scale, we can learn a lot from nefarious actors. Infrastructure has to be extensive and it has to migrate and redeploy in an instant, sometimes mid-campaign should you encounter a problem. New IPs, new servers, new techniques, new domains and new email templates are needed on the fly to keep things going.
We can use our expertise to do just this. In fact, we have got things so smooth that with AntiPhish we can close down a server, scrub data and migrate mid-campaign in about one minute. It is important to think of a phishing campaign as a traditional web service: scaling should incorporate some more traditional elements such as load balancing and redundancy. This can be the difference between your infrastructure assisting your campaign and hindering it.
Here is where it gets interesting when working at scale: often you are presented with the challenge of manually keeping this operation running smoothly. But data security has to keep up with this new desire for scale! The importance of securing dynamic infrastructure remains a priority. The contact details of your staff are normally provided, but are they flying through cloud services in different countries? Data security should be paramount. Conducting phishing assessments is about securing the organisation, not opening it up to unforeseen risks from your contractor or unknown third parties. Often you have no option but to bring services in-house to control data protection to a standard you are happy with. Is your phishing simulation using a third-party SMTP service? Well, you've got to bring that into your control. Do you want analytics for your campaign? Well, you've got to bring that technology in-house too. You can only really control the servers under your own roof, and it's this approach that has given us the edge in dealing with the legal or data protection concerns in a large organisation. We have got data security to the point where we can work with 'OFFICIAL-SENSITIVE' data in our phishing environments.
So we have managed to overcome some of the hurdles associated with phishing at scale, but we now have to consider content. A large campaign could see 100,000 emails going out per week, over several months. Have you considered a small department all receiving the exact same email at the same time? The overall objective of the organisation should steer phishing email designs and creativity. The email's pretext should be aligned with the educational elements in the campaign too. Here we need to create a large set of templates and unique, creative content. It's unlikely everyone in your organisation is going to be on board as well, so content has to take into account the opinions of a larger audience, including sign-off from the board.
You have set up a phishing server on some top-end infrastructure, obsessed over how you will keep it all safe and secure and made sure your content is top notch... but now it's time to start thinking about email delivery.
Here is where you will find the interesting challenge of strategically delivering several thousand phishing emails. The shortsighted will start to fight against the phishing preventions organisations have used to defend themselves for years: rate limiting, spam folders, email gateways and network proxies will all be a challenge. Whitelisting only gets you so far! The challenges you will face can get very technical.
You can add the exceptions to your organisation's email policies, but good luck explaining to Spamhaus about the 3000 emails inbound to a government department that are getting blocked. They aren't sympathetic, and you will find that with scale comes greater problems in this area. We have had to personally befriend and ensure we are on speaking terms with the biggest names in email filtering to ensure needless blocks and hassles are resolved quickly. This is supplementary to working with a client to ensure their systems are doing what they are supposed to. Sometimes the campaign is fully educational and focussed on awareness, so whitelisting can assist the process. Other times we test in a 'blackbox' fashion, without prior whitelisting or data, and you really can find many an evening explaining why your version of malware.exe is actually benign and intended to help the company.
Stats and reporting
When phishing a small number of people, life is easy. You sent 10 phishing emails and 2 people clicked. Inexperience will trick you into thinking you have a 20% click rate. However, larger campaigns require a richer set of metrics. Take the prior scenario as an example: you may have sent 10 emails, but only 3 were received and 2 people clicked, so the click rate is actually closer to 66%. Now 7 users need emails to be dispatched again. Everything needs to be tracked using a database of interactions. Later we can add additional sources of information to the statistics; proxy logs have been particularly useful in this area to confirm clicks on the office network.
All too often when scaling a campaign, people can be tricked into believing the stats without further analysis. This can be quite dangerous and lead you into a false sense of security or cause un-needed panic. In a smaller phishing campaign, the results might never leave the same room. At scale, consider that your data is likely to be interpreted by a host of scientists, psychologists and network administrators. Your Excel spreadsheet will simply not cut it at this point.
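The metrics problem above, worked through as an added example (not AntiPhish code): interaction records are tracked per user, the click rate is measured against delivered rather than sent emails, bounced recipients are queued for re-dispatch, and constructed proxy log lines in a hypothetical format confirm visits the phishing server never saw. The landing host is a placeholder.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample interaction records (not real campaign data): 10 sent, 3 delivered, 2 clicked.
EVENTS = [
    ("u01", "sent"), ("u01", "delivered"), ("u01", "clicked"),
    ("u02", "sent"), ("u02", "delivered"), ("u02", "clicked"),
    ("u03", "sent"), ("u03", "delivered"),
] + [(f"u{n:02d}", s) for n in range(4, 11) for s in ("sent", "bounced")]

# Constructed proxy lines in a hypothetical format (epoch, user, method, URL, status).
LANDING_HOST = "landing.example.invalid"  # placeholder, not a real domain
PROXY_LOG = """\
1699999001.123 user=u02 GET http://landing.example.invalid/login 200
1699999002.456 user=u03 GET http://landing.example.invalid/login 403
1699999003.789 user=u03 GET http://intranet.example.invalid/home 200
"""

def summarise(events):
    # Per-user funnel; click rate is measured against delivered, not sent.
    state = defaultdict(set)
    for user, status in events:
        state[user].add(status)
    sent = {u for u, s in state.items() if "sent" in s}
    delivered = {u for u, s in state.items() if "delivered" in s}
    clicked = {u for u, s in state.items() if "clicked" in s}
    return {
        "sent": len(sent), "delivered": len(delivered), "clicked": len(clicked),
        "naive_click_rate": len(clicked) / len(sent) if sent else 0.0,  # misleading figure
        "click_rate": len(clicked) / len(delivered) if delivered else 0.0,
        "resend": sorted(sent - delivered),  # emails that never arrived
        "server_clicks": clicked,
    }

def proxy_clicks(log_text, landing_host):
    # Users whose proxy traffic hit the landing host, even if the proxy blocked the request.
    hits = set()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1].startswith("user=") and urlsplit(f[3]).hostname == landing_host:
            hits.add(f[1].split("=", 1)[1])
    return hits

def reconcile(events, log_text, landing_host):
    # Confirmed clickers: server-side clicks plus proxy-confirmed visits, over delivered emails.
    stats = summarise(events)
    confirmed = stats["server_clicks"] | proxy_clicks(log_text, landing_host)
    stats["confirmed_clicks"] = sorted(confirmed)
    stats["confirmed_click_rate"] = len(confirmed) / stats["delivered"] if stats["delivered"] else 0.0
    return stats
```

With this data the naive rate is 20%, the delivered-based rate is 66%, and the proxy log shows a third user who reached the landing page but was blocked before the phishing server could record it.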
"It is clear that knowledge and experience has been developed through practical application of techniques and this will help the YHROCU on a very productive journey with regards to protecting vulnerable businesses. I look forward to continuing this engagement into other projects."
- DC Chris Spinks, YHROCU