Category: Junk and Phish

Stop Clickers with Stickers! Security Awareness improvement for FREE!

Let’s see now. Over the last several years working in IT Security and Security Awareness, a few things have become crystal clear:

  1. Technologies are super easy to patch; you just need a process and a little buy-in. After patching, the risk is minimal.
  2. People can’t be patched, even though sometimes we really wish they could be. After security awareness training the risk is still present, albeit hopefully minimized a degree.
  3. People need to be aware of security at all times; it has to become part of the business culture. Worrying about end users is what keeps me up at night: our business is one click away from losing brand reputation, money, private information or even (swallow hard) the IT Security guy’s job. Generic security awareness is not good enough.

What if we security practitioners could keep security on the minds of employees all the time? What if there was an easy way to keep people focused and thinking about the dangers of phishing emails and malicious websites, and generally being more pro-security? Sounds great, right? Where do I sign up? Haha! If only it were that easy!

Combining that need with some of the motivators I’ve experienced over the years gave me an idea: what if the ‘free stuff’ phenomenon could actually drive down my phishing click rate? Jeez, if it worked it would solve one of my main problems with security awareness (the ‘awareness’ part, for about 10% of end users) and do it in a way that is positive all around! Although it’s still in its infancy, I’ve been experimenting with this new method of ‘security through free stuff’. Here’s how it works:

At security and IT conferences, I collect as much schwag (free promo materials) as I can, looking especially for the nice stuff (no offense to the pen-peddlers, but you guys really gotta up your game). You know: T-shirts, cool laptop stickers, flashlights, Rocketbooks, light sabers and other geeky stuff and gadgets. Sign up for it all! (Then screen your calls for the next year…) When I get back to the office, I give that stuff away like it were Aunt June’s fruitcake, but only after sneaking in a learning experience for unknowing end users. For example:

A recent email I sent to the IT group: ‘You can win this new cloud-shaped stress ball, laptop sticker, pair of earbuds and a multi-device charger if you answer the following question: “According to Verizon’s 2017 Data Breach Executive Report, what percentage of breaches were caused by weak or stolen passwords?”’

Have the target audience send you the answer and raffle off the schwag: keep track of the names in a txt file, then paste them in and randomly select a winner on a random selector site like http://www.miniwebtool.com/random-name-picker/. In this case there are actually two answers, although they are very close to each other, probably a rounding error! But for those who give both answers, you have to assume they read the report fairly closely. Winning… Winning…..

Another idea is to have people reply with one security issue they have noticed in their work environment, and have each offer a possible solution to mitigate it. This could work great for an IT team, because we all know of one area or another where there is a hidden risk that others may not be aware of. It also gives the security guy insight into the inner workings of every IT employee’s area, including the risks and potential threats in their environment. Mmuuhhaahahah! Now you are getting it, right?

The great thing about this is that it’s fun, it’s free, and it disarms those people who are already grumpy about security by giving them something of apparent value for FREE! The psychology behind this is fascinating. Check out Rick Paulas’s column entitled “The Strange Effects of Free Stuff: How the allure of free tricks your mind into accepting irrational options”. In that article he talks about the ‘Zero Price Effect’:

“When people are offered something for free, they have this extreme positive reaction that clouds their judgment.”

Haha! Clouds their judgment! Hey, if that helps someone to NOT CLICK something, I’m all for it!

Hey y’all, if you’ve made it this far, maybe you’ve got an idea or two to share! Share your ideas and suggestions below! Or if you would just like to send me some schwag and help the cause, contact me privately: nerd at nerdosaur.com!

Add a Report Phishing Button in Outlook

Add a ‘report phishing’ button in Outlook; forward spam and phishing emails to your internal security team the right way!

PhishMe offers a great solution for the enterprise with its anti-phishing training and phishing simulations. The service also provides an easy way for end users to report messages to their IT department, which can then be used for statistical tracking. Their solution for end-user reporting is an Outlook add-in, providing a simple button for the end user to click to report messages. I wanted the same thing for my security program, but we didn’t contract with PhishMe, so I needed another solution. I didn’t want to enlist a developer to create an Outlook add-in button, so I came up with a relatively easy solution. If you are good at scripting or have some workstation management tools, this should be no problem to implement across the enterprise. Below are the steps you can use to reproduce a ‘report phish’ button in Outlook that automatically sends your security or IT department a full copy of the phishing emails. It also does more than forward the email: it sends the junk mail as an attachment in an email, preserving the message headers that will be needed for forensics.

  1. Install the Microsoft Junk Email Reporter add-in for Outlook 2010 or 2013. The download can be retrieved at https://www.microsoft.com/en-us/download/details.aspx?id=18275

  2. Open Outlook and verify you now see the junk options in the ribbon.

[Image: Outlook phish button]

  3. Right click a blank space in the ribbon and choose ‘Customize Ribbon’. On the right side, under “Customize the Ribbon”, select Main Tabs and expand the Home (Mail) tab. Click the ‘New Group’ button and rename it to something useful, such as “report junk” or “report phish”.

  4. Next, select the ‘report junk’ button on the left side and add it to the ‘report phish’ group you just created by clicking the ‘add>>’ button.

  5. Rename it and give it an icon of your choice. Now you should have a new icon in your main mailbox view that you can use to report junk. By default, the add-in will only report the junk to Microsoft; however, with a registry hack you can blind-copy (bcc) an email address of your choice. The full junk mail message will be sent as an attachment, with all the header information that is missing from a forwarded message. This works great for sending to an IT department or a security operations center (SOC).

[Image: outlook phish 4]

  6. Your Outlook ribbon should now look similar to this:

[Image: outlook phish button toolbar]

  7. How to report phishing to your IT department across the enterprise: if you want the junk email reporter to forward to your IT department, add the destination email address to the registry using the following registry key. (Typical registry hack warning here: don’t do this if you don’t know what you are doing…) You can also copy the following lines and create your own .reg file; I’ll leave that up to you. Replace the email address in the code with the address that will get a copy of the message.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Junk E-mail Reporting\Addins]
    "BccEmailAddress"="phishy@yourdomainhere.com"

  8. (Optional) Open up an email in Outlook. Since Outlook uses a new ribbon for this view, you have the option of putting the new button in the mail-read view too. Repeat steps 3-6 to create a button in the mail-read view if you choose.

  9. Now that you have created the new buttons, test them to make sure they work, using an email address of your choice.

  10. If you want to apply this to multiple computers across the enterprise, there are several ways you can do it: use a script, SCCM or a workstation admin tool of your choice. Make sure the following three requirements are met on your PCs and you should be good to go:
    1. Verify that the junk email reporting add-in is installed.
    2. Copy the .reg key from step 7 to all computers, or manually edit the registry with the email address you want the junk email to be forwarded to.
    3. From your working test computer, find the files called olkexplorer.officeUI and olkmailread.officeUI in C:\Users\%username%\AppData\Local\Microsoft\Office\. These files contain the ribbon info that you just created. You can copy them to the users’ profiles, overwriting the files that are currently there. *Note: this may delete previously created custom ribbons if they exist. It may be a good idea to rename the old files first.
    4. Restart Outlook.
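As an added example (my own script, not part of the original post), here is a PowerShell version of the four enterprise requirements for one PC, run as admin from SCCM or a startup script. It assumes the reference .officeUI files from your test computer sit on a share at \\server\share\phishbutton (placeholder) and that the add-in shows up in Programs and Features with a display name containing "Junk E-mail Reporting" (an assumption).

```powershell
# Added example, not from the original post. Run as admin on each target PC.
# Assumptions: the reference .officeUI files were copied to $RefShare (placeholder),
# and the add-in's uninstall entry has a DisplayName containing "Junk E-mail Reporting".
$BccAddress  = 'phishy@yourdomainhere.com'   # mailbox that receives the bcc copy
$RefShare    = '\\server\share\phishbutton'   # placeholder: where the reference .officeUI files live
$RegPath     = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Junk E-mail Reporting\Addins'
$RibbonFiles = 'olkexplorer.officeUI', 'olkmailread.officeUI'

# Requirement 1: the add-in must already be installed (display-name match is an assumption)
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$addin = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like '*Junk E-mail Reporting*' }
if (-not $addin) {
    Write-Warning 'Junk E-mail Reporting add-in not found; install it first (step 1).'
    exit 1
}

# Requirement 2: same value the .reg file in step 7 sets (32-bit Office on 64-bit Windows)
New-Item -Path $RegPath -Force | Out-Null
Set-ItemProperty -Path $RegPath -Name 'BccEmailAddress' -Value $BccAddress -Type String

# Requirement 3: push the ribbon files into every local profile, keeping a backup of any
# existing custom ribbon instead of silently overwriting it (the note in step 10.3)
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory) {
    $officeDir = Join-Path $userDir.FullName 'AppData\Local\Microsoft\Office'
    if (-not (Test-Path $officeDir)) { continue }   # this profile has never run Office
    foreach ($file in $RibbonFiles) {
        $target = Join-Path $officeDir $file
        if (Test-Path $target) {
            Rename-Item -Path $target -NewName "$file.$stamp.bak" -Force
        }
        Copy-Item -Path (Join-Path $RefShare $file) -Destination $target
    }
}

# Requirement 4: the new ribbon only loads when Outlook starts, so report whether a
# restart is still needed rather than killing a running Outlook under the user.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    Write-Output 'Outlook is running; the report-phish button appears after the next restart.'
} else {
    Write-Output 'Done; the button will appear when Outlook is started.'
}
```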

I’ve noticed that this does not work with 64-bit Office installs; I assume this has something to do with the junk email reporting add-in. These instructions will work with Windows 7 and Office 2010 and 2013. It takes a little effort to get this working enterprise-wide, but when combined with security training and phishing simulations it gives you some great information on how end users react to phishing emails. It also empowers the end user. They are now becoming part of the solution, instead of part of the problem.

I’d really like to hear from you! Let me know if you try this, or if you have any other solutions to make life a little better while fighting spam and phish attacks!

Scams, Junk, and Phish

I run across a lot of spam, junk and phishing emails. Sometimes I do a Google search to see if any other organization gets the same type of phishing messages, because I like to know whether it’s a broad campaign or a targeted one. Well, here are a few that I’ve seen recently; hopefully I can return the favor. There is also a great service called phishtank.com that allows you to submit questionable phishing messages, and members vote on them. It’s a great way to see what is out there and prepare yourself or your employees for future phishing attacks.

From the domain “takemynumber.com”. I’m not sure what the scam is, but they definitely want a response:

Hello) My name is Olga. I live in Moscow.

I found out your page on the Internet and I was curious about you.
Tell me, please, what are you doing now and how do you spend your life in general?

In fact, you’re interesting to me as a personality, and I want to communicate with you in the future.

Please answer me, i’m waiting.

From a Gmail account… I’ll bet I know where this one is going:

Dear Friend,

Complement of the day to you and your love ones

I hope my email will arrive to you at good time.
My name is Dr.Abdirizak Suwaidi-Ali. From Damascus Syria.
I am now 64 years old and retired. I was former personal investor & financial consultant advisers to
a Top Politician here in SYRIA.

Why I’m contacting you is to know if we can have a personal conversation.
Whatever truth you may brief me will be highly recommended.
Tell me more about your country, how good it will be to invest in your country.
Such as buying of properties, or real estate and some tourist places or any profitable investment venture that will yield good profit.

I will appreciate whatever result you may brief me.
Do let me know your idea and knowledge regarding this or any other profitable investment venture you may suggest.I have the total of US$22,300,000.00 that I deposited in South east Asia and I am willing to order the transfer of the money to you for investment if you’re interested with my proposal.

In my next mail I will explain the full details of the project and interest, and then we reach an agreement on what will be your share from the money or investment.I shall tell you more about myself when I read from you.
You may as well tell me little more about yourself when replying.

Looking forward to your early reply
Thanks and best regards
Dr.Abdirizak Suwaidi-Ali
Damascus,Syria: 6:15 AM.

From a yahoo.co.uk email address.  Too bad I’m not reliable or trustworthy or I would have responded:

Attn:  Sir

Apologies for the manner at which i am approaching you.I am a reputable Fund Manager with one of the worlds largest investment companies. I handle all our Investors Capital Project Funds which enabled me to divert 1.2% of Investors Excess Return Capital Funds to our Magellan Trust Funds Account where any one can be presented to claim the funds.Total sum of, forty five Million, Seven Hundred and Forty Five Thousand British Pounds (45,745,000.00)BP has been diverted, representing 1.2% of Excess Return Capital Funds from the Investor Capital Project Funds for 2010/2011 fiscal year.

I need a reliable and trustworthy person with whom I can work this deal out so that we can claim the funds as mentioned above. There is no risk attached and the funds in question can never be dictated or traced. Be informed that i will handle the expenses that may be required in this business deal.

Sincerely,

Anthony


More fun stuff:

Dear email@yourdomainhere.com,

Recently we received some notifications regarding your account:, which might be due to recent changes made in your email or irregular login attempts on your account.

We will ensure that we block your account if we do not hear from you. Please kindly click the link below to stop this attempts and reclaim your account.

Continue verification <http://www.agriculturabiologicodinamica.com/tmp/godaddy/index.php?login=email@yourdomainhere>               

Thanks,

The Email Team

This email has been sent from an unmonitored email address. Please do not reply to this message. We are unable to respond to replies.

2015 Email Administrator Inc. All Rights Reserved. | Privacy policy <http://www.agriculturabiologicodinamica.com/tmp/godaddy/index.php?login=email@yourdomainhere.com>


From instant@chase.com (obviously spoofed, since the domain is legit). Grammar not-so-good…

Dear Customer,

This is to inform you that on 22th June, 2015, We will discontinue support on your account and security.

If you choose not to update your account on or before 30th June, 2015, you will no longer have access to your account

Take a minute to update your account for a faster, safer and full-featured.

Click Here To Update Your Account Now   (points to chasepluse.com when you hover over the link)
Thank you for being a valued customer.

Sincerely
Online Banking Team

I’ve seen a lot of these lately; all have zipped attachments with an .SCR file in them that, according to virustotal.com, are infected with Zusy malware. This one had the subject: Perfect Work!

Congratulations ! You will gain a 35% rake-off for the last sale. Please view the these materials to get to know the total sum you’ve taken.

Every day you show that you are the major force of our team in the world of trade. I am sublime and grateful to get such a capable and able dependent. Keep up the great work.

With best wishes.

Michelle Pearson Director

This one was very similar to the last; again it had the same attachment, with a renamed .scr file zipped up.

We talk few days ago. We have thought about your concepts how to refine company’s production and financial revenue. Your offers sound very inspiring and we definitely need such a genius like you. We believe your programs are workable and need to implement them. Applied are our increase graphs and processes guide. Please look through them and if you will have any questions ask about it. In addition write a brief program thereby we will confer about the details of every paraghaph./r/n We are looking forward to your reply ASAP !

From Mark Zirolli <MZirolli@controlmod.com>

It had a zip file called donation.zip attached to the email:

We are dedicated to fostering new talents and we believe that your abilities and initiatives are really noteworthy.
To help you we would like to offer a donation of $1000. See the attached to find out the check.

From: darren <darren@qepvno.com>

Subject: Agnes Bogan direct infrastructure representative

This spam message contained a zip file with an exe file called “implemented client-driven software.exe” that, according to virustotal.com, contained some sort of virus.

The aim of this e-mail letter is to let you know that, according to nonpayment, your bank account has been placed on credit hold status, and will stay on so until your balance will be completely settled up.

Your attention to this question is extremely encouraged. Kindly check out the attached and write to us as soon as you can.

Sincerely Yours,

Collection service