Yesterday, it was the first time that I heard the expression “Social Engineering” in Belgian public media! If this topic made the news, you can imagine that something weird (or juicy from a journalist’s perspective) happened. The Flemish administration had the good idea to test the resistance of their 15K officials against a phishing attack. As people remain the weakest link, it sounds like a good initiative, right? But if it was disclosed in the news, you can imagine that it was in fact … a flop! (The article is available here in French)
The scenario was classic but well written. People received an email from Thalys, an international train operator (used by many Belgian travellers), which reported a billing issue with their last trip. If they did not provide their bank details, their credit card would be charged up to 20K EUR. The people behind this scenario had not thought about the possible side effects of such a massive mailing. People flooded the Thalys customer support center with angry calls, others simply notified the Police. Thalys, being a commercial company, reacted to the lack of communication and the unauthorized usage of their brand in the rogue email.
I already performed the same kind of social engineering attacks for customers and I know that it’s definitely not easy. Instead of breaking into computers, we are trying to break into humans’ behavior, and their reactions can be very different: fear, shame, anger, … I suppose that the Flemish government was working with a partner or contractor to organize the attack. They should have followed these rules:
- Warn your users ahead of time about phishing attempts
- Restrict the target to a limited set of properly chosen people (based on their position, location, team, …)
- Start with easy phishing attempts then grow in complexity
- Do NOT use external or copyrighted material (or ask permission – they will maybe be glad to help)
- Remain in the context of the target (sending a mail from a C-level is often very successful)
- Do not use links to official websites but redirect to a landing page where people will learn about the exercise and why they got there.
- Be constructive and do not publish people’s names on a wall-of-shame!
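To make these rules concrete, here is a small script (an added example, not code from the original post or from the Flemish administration’s exercise) that checks a campaign plan against them and produces results without naming anyone. The campaign structure, the domain names (`example-admin.test`, `awareness.example-admin.test`), the per-wave target limit and the sample results are all assumptions made for the example.

```python
"""Rule checks for a phishing-awareness exercise and anonymous reporting.

Added example: the campaign fields, domains, limits and sample data are assumed.
"""
from collections import Counter
from urllib.parse import urlparse

INTERNAL_MAIL_DOMAIN = "example-admin.test"            # assumed organisation domain
LANDING_PAGE_HOST = "awareness.example-admin.test"     # assumed internal landing page
MAX_TARGETS_PER_WAVE = 200                             # assumed limit for a restricted wave


def check_campaign(campaign):
    """Return a list of rule violations; an empty list means the plan passes."""
    problems = []

    # Rule: warn users ahead of time that phishing exercises will happen.
    if not campaign.get("users_warned_in_advance"):
        problems.append("users were not warned ahead of time about phishing exercises")

    # Rule: restrict the target set instead of mailing the whole organisation.
    targets = campaign.get("targets", [])
    if len(targets) > MAX_TARGETS_PER_WAVE:
        problems.append(f"{len(targets)} targets exceeds the per-wave limit of {MAX_TARGETS_PER_WAVE}")

    # Rule: start easy, then grow in complexity one step per wave.
    prev = campaign.get("previous_wave_difficulty")  # None for the first wave
    diff = campaign.get("difficulty", 1)
    if prev is None and diff > 1:
        problems.append("first wave should start with an easy scenario (difficulty 1)")
    elif prev is not None and diff > prev + 1:
        problems.append(f"difficulty {diff} jumps more than one step above the previous wave ({prev})")

    # Rule: stay in the target's own context (internal sender, no outside brand).
    sender_domain = campaign.get("sender", "").rpartition("@")[2].lower()
    if sender_domain != INTERNAL_MAIL_DOMAIN:
        problems.append(f"sender domain '{sender_domain}' is not the internal domain")
    if campaign.get("uses_third_party_brand") and not campaign.get("brand_permission"):
        problems.append("third-party brand used without permission")

    # Rule: every link goes to the internal landing page, never to an official site.
    for url in campaign.get("links", []):
        host = (urlparse(url).hostname or "").lower()
        if host != LANDING_PAGE_HOST:
            problems.append(f"link {url} does not point to the landing page")

    return problems


def summarise_results(targets, team_of, events, min_team_size=5):
    """Per-team counts and click rate; teams below min_team_size are pooled as 'other'
    so that no individual can be identified from the report (no wall-of-shame)."""
    team_sizes = Counter(team_of.get(u, "unknown") for u in targets)

    def bucket(user):
        team = team_of.get(user, "unknown")
        return team if team_sizes[team] >= min_team_size else "other"

    targeted = Counter(bucket(u) for u in targets)
    actions = {}
    for ev in events:
        actions.setdefault(bucket(ev["user"]), Counter())[ev["action"]] += 1

    summary = {}
    for b, n in targeted.items():
        acts = actions.get(b, Counter())
        summary[b] = {
            "targeted": n,
            "clicked": acts["clicked"],
            "submitted": acts["submitted"],
            "reported": acts["reported"],
            "click_rate": round(acts["clicked"] / n, 2),
        }
    return summary


# Constructed sample data (assumed): 12 targets in three teams.
SAMPLE_TEAMS = {**{f"a{i}@{INTERNAL_MAIL_DOMAIN}": "finance" for i in range(6)},
                **{f"b{i}@{INTERNAL_MAIL_DOMAIN}": "hr" for i in range(4)},
                **{f"c{i}@{INTERNAL_MAIL_DOMAIN}": "it" for i in range(2)}}
SAMPLE_TARGETS = list(SAMPLE_TEAMS)
SAMPLE_EVENTS = [
    {"user": f"a0@{INTERNAL_MAIL_DOMAIN}", "action": "clicked"},
    {"user": f"a1@{INTERNAL_MAIL_DOMAIN}", "action": "clicked"},
    {"user": f"a1@{INTERNAL_MAIL_DOMAIN}", "action": "submitted"},
    {"user": f"a2@{INTERNAL_MAIL_DOMAIN}", "action": "reported"},
    {"user": f"b0@{INTERNAL_MAIL_DOMAIN}", "action": "clicked"},
    {"user": f"c0@{INTERNAL_MAIL_DOMAIN}", "action": "reported"},
]

# A plan that follows the rules: internal sender, small target set, landing-page link.
GOOD_CAMPAIGN = {
    "users_warned_in_advance": True,
    "targets": SAMPLE_TARGETS,
    "sender": f"it-support@{INTERNAL_MAIL_DOMAIN}",
    "links": [f"https://{LANDING_PAGE_HOST}/learn?wave=1"],
    "difficulty": 1,
    "previous_wave_difficulty": None,
    "uses_third_party_brand": False,
}

# A plan shaped like the story above: outside brand, mass mailing, link to an external site.
BAD_CAMPAIGN = {
    "users_warned_in_advance": False,
    "targets": [f"user{i}@{INTERNAL_MAIL_DOMAIN}" for i in range(15000)],
    "sender": "billing@external-brand.test",
    "links": ["https://www.external-brand.test/pay"],
    "difficulty": 3,
    "previous_wave_difficulty": None,
    "uses_third_party_brand": True,
    "brand_permission": False,
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_CAMPAIGN), ("bad", BAD_CAMPAIGN)):
        print(name, check_campaign(plan) or "OK")
    print(summarise_results(SAMPLE_TARGETS, SAMPLE_TEAMS, SAMPLE_EVENTS))
```

Run as a script, the "bad" plan produces six violations, one per rule it breaks, while the "good" plan passes; the summary reports finance as a team and pools HR and IT into "other" because they are too small to report without pointing at individuals.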
But a few hours ago, while driving back home and thinking about this bad story, I realized that this proves once again the big differences between defenders and attackers! Attackers are using copyrighted material all the time, they build fake websites or compromise official ones to inject malicious payloads into visitors’ browsers. They are sending millions of emails targeting everybody. On the other side, defenders have to perform their job while defending their ass at the same time! And the recent changes like the updated Wassenaar arrangement won’t help in the future. I’m curious about the results of this giant test. How many people really clicked, opened a file or communicated their bank details? That was not reported in the news…