Re: Testing the user community

From: Mister Coffee (live4java@stormcenter.net)
Date: Wed Jan 31 2007 - 17:42:48 EST

• Next message: Vural KOYUSTU: "RE: Password cracker required"
• Previous message: Paul Melson: "RE: Testing the user community"
• In reply to: webmaster@absolutenetworks.biz: "Testing the user community"
• Next in thread: Thor (Hammer of God): "Re: Testing the user community"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

webmaster@absolutenetworks.biz wrote:
> We all know our weak link but how do you identify just how weak they are? I
> think it's time to pen test my user community and have a couple ideas to gather
> statistics on just how nonaware they really are. Maybe a simple phishing scam
> and bogus email with a fake virus attachment that emails me when it's opened so
> I can track how many folks actually opened it. Has anyone ever done this
> before? I can't find any information about it on the web.. thoughts and ideas
> anybody?
>
> Many thanks
>
> Kurt
I've seen a number of these done where the users are sent an email with
some kind of hook and either a low impact (but real) trojan or a simple
'phone home' trojan as you suggest above. I suppose the deciding
factors are how obvious a hook you want to use, how much your local
legal department will buy into it, and what kind of trojan you'll need
to attach to get through your local AV/Anti-spam filters.

Impersonating your local tech support department or a company exec will
probably net you a very high percentage of users, but will risk
seriously impacting the trust they have in those sources (a "real" bad
guy won't care, but it's probably not worth risking the support
department's reputation for the improved hit rate). Using some kind of
well designed banking or on-line purchase hook can be very effective,
but can also lead to people to panic and cancel credit cards or what
have you. Very painful to explain to the user community when they find
out it was a test. You could always try something topical, like an
offer for free tickets to a local sports team, movie, whatever.

You can always try a cut-and-paste from a phishing/spam you find in the
wild.

Finding a trojan to attach and get through your mail system is a
separate exercise. I'd just make sure you have a green light from
whatever management legal decides need to sign off.

Cheers,
L4J

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: Vural KOYUSTU: "RE: Password cracker required"
• Previous message: Paul Melson: "RE: Testing the user community"
• In reply to: webmaster@absolutenetworks.biz: "Testing the user community"
• Next in thread: Thor (Hammer of God): "Re: Testing the user community"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:34 EDT