“Check out these kitties! :-)” read emails featuring the photo of a Turkish Angora cat with a purple mohawk, sent to nearly two million cubicle dwellers so far. Each includes an attachment or link promising more feline photos. Those who click get a surprise: stern warnings from their tech departments.
The Dr. Zaius email is a simulated cyberattack. It is among the ploys companies are using to dupe employees into committing unsafe computing as a way to train them not to be so easily fooled.
Many big network breaches begin not with brainy hacker code but with workers who are tricked by so-called social engineering, which manipulates people into revealing sensitive information. So companies are trying to get workers to act badly before the bad guys do.
“It’s a gotcha service,” says Tom DeSot, executive vice president at Digital Defense Inc. of San Antonio, whose 10 confidence-men-for-hire—“ethical hackers” in cyber-lingo—craft attacks to exploit employees’ human failings. Their objective, he says, isn’t to get anybody fired or in trouble, but rather to help everyone learn the techniques malicious hackers also use.
Back in 2005, New York state twice sent 10,000 employees and contractors a “phishing,” or deceptive, email urging them to divulge passwords on a linked website. The first time, 15% fell for it, but the second time, only 8% did, says Will Pelgrin, who ran the test as the state’s chief information-security officer at the time and is now chief executive of the Center for Internet Security in East Greenbush, N.Y.
PhishMe Inc., the Chantilly, Va., company that created the Dr. Zaius emails and other fake phishing attacks that companies can use for tests, says clients have used its services to teach a lesson to 3.8 million employees.
Ryan Jones, who leads a half-dozen ethical hackers for a Chicago digital-security company, Trustwave Holdings Inc., likes to drop thumb drives and CDs in the bathrooms, driveways and nearby coffee shops of companies that hire him. Often, he will attach the company’s logo, a competitor’s logo or a label that reads “confidential.”
Almost without fail, an employee will find one of the decoys and stick it in a computer. “It starts off as curiosity,” he says. “It is kind of the same reason people watch reality TV: They want to see what else is going on in people’s lives.”
Mr. Jones’ devices contain software that takes over computers, hijacking built-in cameras to snap photos of the employees.
To identify security weaknesses, his arsenal includes in-person breaches, in which he bluffs his way into offices for access to sensitive systems. Mr. Jones keeps a closetful of costumes, including a package deliveryman’s and a fire marshal’s. He has successfully used crutches to persuade sympathetic people to open locked doors.
Once inside, he has weaseled into data centers, warehouses and executive suites. While a co-conspirator made a scene in an office lobby, he once followed closely behind an employee who unlocked a door. Then Mr. Jones set up wireless microphones and cameras in conference rooms.
Mr. Jones studies sleight-of-hand magicians and con men. “You have to watch people,” he says, which helps “make you appear that you belong—verbally, physically and socially.”
These ethical hackers take advantage of the virtual deadly sins of office life.
Envy and curiosity, for example, are the sins at the heart of one of PhishMe co-founder Aaron Higbee’s most potent email lures this year. First, an employee gets an email purportedly from a senior manager, with an attachment on potential bonuses for a number of people. Then comes another email attempting to “recall” the first.
“That piques curiosity,” he says of recall messages. Opening an attachment or link in the message launches PhishMe’s software. The right thing to do with this phishing expedition, as with others, is to check with the sender or corporate IT about the suspicious message.
Mr. Higbee, who each week helps craft two new fake emails that companies use, says there is one universal weakness in email: “We always recommend they start with cute cats,” he says. The Dr. Zaius trick has worked on 48% of recipients, says Mr. Higbee, the real-world owner of Dr. Zaius (the cat’s real name, after a simian character in the movie “Planet of the Apes”).
Brian Fees is chief financial officer of CedarCrestone, an Alpharetta, Ga., tech firm that hired San Francisco-based MAD Security to do quarterly hacks on employees. Last summer, the team turned on him.
It plotted a hook Mr. Fees couldn’t resist: a pressing email from his CEO. “We went through their website and figured out who one of their key clients was, and then set up a fake email chain,” says MAD managing partner Michael Murray.
Sure enough, Mr. Fees opened the faux email and clicked on a link—that took him to a sham website. “Just as soon as I did, I knew I shouldn’t have,” says Mr. Fees, who quickly unplugged his ThinkPad from the network and called his security team.
Shortly, he learned he had been duped.
Mr. Fees says he is now sensitive to “how much more vulnerable” he is to responding to an attack when it appears to come from someone he works with most often.
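The lure that caught Mr. Fees worked because it appeared to come from a colleague. The cheapest version of that trick, a familiar display name on an outside or lookalike address, or a Reply-To that quietly diverts the conversation off the company’s domain, can be caught by a header check before the message reaches an inbox. The following is an added example, not code from the article or from MAD Security or any other firm it names; the internal directory, the domain list and the three sample header blocks are constructed for illustration.

```python
"""Flag inbound mail that borrows a colleague's identity but not their address.

Added example, not from the article or any company it names. The directory
and domain list are constructed; a real deployment would pull them from the
identity provider. This does not detect a genuinely compromised internal
account, which needs SPF/DKIM/DMARC results from the gateway rather than
header text alone.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: names worth impersonating, mapped to the one address
# actually issued to each person.
INTERNAL_DIRECTORY = {
    "jane doe": "jane.doe@example-corp.com",
}
INTERNAL_DOMAINS = {"example-corp.com"}


def _normalize_name(name):
    """Map 'Doe, Jane', 'jane   doe' and 'Jane Doe' to the same key."""
    name = name.strip().lower()
    if "," in name:
        last, _, first = name.partition(",")
        name = f"{first.strip()} {last.strip()}"
    return " ".join(name.split())


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw_headers):
    """Return a list of impersonation findings; empty means none found, not 'safe'."""
    msg = message_from_string(raw_headers)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    findings = []

    # 1. Display name belongs to an insider but the address is not theirs.
    known = INTERNAL_DIRECTORY.get(_normalize_name(from_name))
    if known and from_addr.lower() != known:
        findings.append(f"display name {from_name!r} belongs to {known}, address is {from_addr}")

    # 2. Sender domain is a near-miss of one of ours (e.g. a digit 1 for an l).
    if from_domain not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if 0 < _edit_distance(from_domain, internal) <= 2:
                findings.append(f"sender domain {from_domain} is a lookalike of {internal}")

    # 3. Looks internal, but replies are routed to an outside mailbox.
    if reply_addr and from_domain in INTERNAL_DOMAINS and _domain(reply_addr) not in INTERNAL_DOMAINS:
        findings.append(f"Reply-To {reply_addr} diverts replies outside the company")

    return findings


# Constructed samples (header blocks only).
LURE = """From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: "Jane Doe" <jane.doe@examp1e-corp.com>
To: brian@example-corp.com
Subject: Re: Fwd: contract renewal - need your sign-off today

"""

LEGIT = """From: "Jane Doe" <jane.doe@example-corp.com>
To: brian@example-corp.com
Subject: Re: contract renewal

"""

REPLY_DIVERT = """From: "Doe, Jane" <jane.doe@example-corp.com>
Reply-To: <jane.doe.exec@mail-example.net>
To: brian@example-corp.com
Subject: quick favour

"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("legit", LEGIT), ("reply-to", REPLY_DIVERT)):
        print(label, check_headers(sample))
```

The lure sample trips two rules (borrowed name, lookalike domain) and the legitimate one trips none; the third shows why Reply-To deserves its own rule, since the From line there is indistinguishable from real internal mail. A finding should route the message to review or tag it visibly for the recipient; it is a prompt to verify out of band, exactly the step the article recommends, not a verdict.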
Ethical hacking has hazards. For those who try to physically breach a client’s offices, a wrong turn can lead to an encounter with security, so most carry a “get out of jail free” letter from the client.
Hacks can spin out of control. In 2010, the Air Force tested employees at Andersen Air Force Base in Guam with an irresistible offer: the chance to work on a nearby shoot for a “Transformers 3” movie. They just had to visit a website that asked for sensitive information.
The ruse was so convincing that some forwarded the message off-base and posted it to Transformer fan sites. After media reported the supposed event, base officials quashed the rumor with a statement that they hoped the incident “will show that all individuals need to be careful about the real danger of phishing.”
The effectiveness of such efforts is a point of contention among security experts. Bruce Schneier, chief security technology officer of U.K. telecommunications operator BT Group PLC, ignited a recent conversation on the topic with a blog post that said security awareness is a waste of money. “We should be designing systems that won’t let users choose lousy passwords and don’t care what links a user clicks on,” he wrote.
Still, it is a lesson some employees don’t forget.
Since Digital Defense did a round of phishing and physical break-in tests at the People First Credit Union in Allentown, Pa., last year, employees have been giving everyone the skeptical eye, says Vice President Susan Phillips.
“They accosted a pizza delivery guy the other day,” she says. “They over-reacted…But I’m not going to say any of that is bad.” (Credits: Written by Geoffrey A. Fowler for the Wall Street Journal, Photos – Aaron Higbee).