Security Questionnaires and Wiki’s are all well and good: they tick the auditors boxes and teach those who already have a vague comprehension of security an extra thing or two… but, they fail at reinforcing their teachings. To most they are yet another painful administration exercise that you unwillingly undertake on a regular basis. They are completed, yet people still consistently fall for the same tricks. So, is there any way to begin reinforcing the basic principles that we are forever trying to shove down the throats of staff?

Well… yes. You could hack your entire company and then rub it in their faces. Although, that might not go down so well with the HR department – making it a career limiting exercise. But, there is definitely a balance that can be achieved.


I’ve developed a framework that allows for the automated distribution of phishing campaigns, and accurate, non-offensive measurement of victim responses. The framework consists of two main components:

  • Campaign Manager: Produce unique links for a list of defined email addresses, embedding them into an HTML template to send via email to each address. Access is controlled via Forms Authentication and IIS IP and Domain Restrictions.

the management page

a sample email

  • Hit Collector: An encrypted piece of Javascript is used to form an XMLHttpRequest to POST the query string to an ASHX handler, which decrypts the string to retrieve the email address and add it to an XML file (previewed in the screenshot of the management page) for review by the campaign operator. This replicates what a genuinely malicious page may do, where the Javascript is instead used to serve up malware.

html of the landing page

the landing page 

To make this as effective as possible a legitimate company name was used and a relevantly named domain was registered to provide some credibility. A rule was also created on our mailserver to catch any outgoing mail to the domain, allowing review of it.

I sent the campaign out at 08:30 on a Monday morning, a time when people are likely reading through the many emails that arrived over the weekend – meaning they are perhaps more careless and vulnerable. At 13:00 a follow-up email was sent to all staff informing them of the test, it’s results and their implications.


Whilst I cannot share the exact results of this specific exercise, it’s fair to say there’s plenty of room for improvement. However, feedback from participants has been extremely positive. Most did not know exactly how easy it was to be delivered malware – which is exactly what I wanted to not only illustrate, but develop a natural behavioral defense against.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s