'Good' phishing tool uncovers weakest staff links

A US-based security consultancy plans to release software next month that it claims will help employers launch ethical phishing attacks against their own employees.

The phishing software is designed to test how susceptible staff or customers are to phishing attacks, according to its maker, Intrepidus Group.

The company claims on its Web site the software allows security testers to pull content from other sites and drop it as a phishing e-mail, add e-mail addresses, set up attack schedules, and then track which staff are the weakest links.

[Image: Phishme. Credit: Intrepidus Group]

Results, such as how many people clicked on the e-mail, how many entered data as a result of it, and who did not respond are sent back to the tester.
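The results loop the article describes (who clicked, who entered data, who did not respond) is simple to tally once every recipient carries an opaque tracking token. The following is an added illustration written for this page; it is not Intrepidus Group's code and does not claim to show how Phishme works internally. The roster, the campaign id, the secret and the landing-site log lines are all constructed for the example. The design point worth noticing is that the token is an HMAC over the campaign id and address, so the address never appears in the link and a visitor cannot forge or enumerate someone else's token; unknown tokens are counted separately because they indicate tampering or a mistyped link rather than a real response.

```python
"""Tally phishing-simulation results from constructed landing-site logs.

Added example for illustration only; not PhishMe code.
"""
import hashlib
import hmac
from collections import Counter

# Constructed roster for a hypothetical awareness campaign (not from the article).
RECIPIENTS = [
    "alice@example.test",
    "bob@example.test",
    "carol@example.test",
    "dave@example.test",
]

# Constructed secret; in a real deployment this is a random key held server-side.
SECRET = b"constructed-demo-secret"
CAMPAIGN = "q2-awareness-demo"

# Ordering used to keep only the "worst" outcome per recipient.
RANK = {"no_response": 0, "clicked": 1, "submitted": 2}


def make_token(secret: bytes, campaign_id: str, email: str) -> str:
    """Per-recipient opaque token for the tracking link.

    HMAC-SHA256 over campaign id and address lets the landing site attribute a
    visit without the address appearing in the URL, and a visitor cannot forge
    a valid token for a colleague or enumerate tokens by guessing.
    """
    msg = f"{campaign_id}|{email}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def build_token_map(secret: bytes, campaign_id: str, recipients) -> dict:
    """Map token -> recipient address for one campaign."""
    return {make_token(secret, campaign_id, e): e for e in recipients}


def parse_event(line: str):
    """Parse one constructed log line of the form '<timestamp> <action> token=<tok>'.

    Returns (timestamp, action, token) or None for malformed/unknown actions.
    """
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("token="):
        return None
    ts, action, tok = parts[0], parts[1], parts[2][len("token="):]
    if action not in ("click", "submit"):
        return None
    return ts, action, tok


def summarize(token_map: dict, log_lines) -> dict:
    """Reduce landing-site events to per-recipient status and campaign counts."""
    status = {email: "no_response" for email in token_map.values()}
    unknown = 0
    for line in log_lines:
        ev = parse_event(line)
        if ev is None:
            continue
        _, action, tok = ev
        email = token_map.get(tok)
        if email is None:
            unknown += 1  # not a token we issued: tampering or a mistyped link
            continue
        new = "submitted" if action == "submit" else "clicked"
        if RANK[new] > RANK[status[email]]:
            status[email] = new
    counts = Counter(status.values())
    return {
        "per_recipient": status,
        "clicked": counts["clicked"] + counts["submitted"],  # anyone who followed the link
        "submitted": counts["submitted"],                     # went on to enter data
        "no_response": counts["no_response"],
        "unknown_tokens": unknown,
    }


# Constructed campaign and log lines; tokens are derived from the map above.
TOKENS = build_token_map(SECRET, CAMPAIGN, RECIPIENTS)
_BY_EMAIL = {v: k for k, v in TOKENS.items()}
LOG = [
    f"2024-05-01T09:12:03Z click token={_BY_EMAIL['alice@example.test']}",
    f"2024-05-01T09:13:40Z submit token={_BY_EMAIL['alice@example.test']}",
    f"2024-05-01T09:20:11Z click token={_BY_EMAIL['bob@example.test']}",
    "2024-05-01T09:21:00Z click token=deadbeef",  # constructed unknown token
    "garbage line that should be ignored",
]


def demo() -> dict:
    """Run the tally over the constructed log."""
    return summarize(TOKENS, LOG)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The per-recipient table is the sensitive part of the output: it names individual staff as "weakest links", so it belongs behind the same access controls as any HR record, with only the aggregate counts circulated more widely.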


According to the SANS Institute, governments have already resorted to targeting their own staff with phishing attacks to highlight weak points in their security.

Late last year, Salesforce.com's staff fell victim to a targeted phishing attack, resulting in customer details being leaked.

Independent security consultant Dancho Danchev fears there could be an unintended side-effect: phishers could learn from the business-like manner used in the phishme.com module.

"I guess the bad guys can in fact learn from the good guys' standardised approach and metrics mentality applied," he said.

But phishers are likely to already have these tools, said David Endler, TippingPoint DVLabs' director of security research — a greater risk is a staff member who has access to the software using it for their own malicious purposes.

"If you're putting the tool in the hands of an administrator, there is a risk because any tool is a double-edged sword," he told ZDNet.com.au.

"What I hope is that they do not release the tools to the outside world, but instead host it and automate it behind the scenes, so if someone was to click a link in a spoofed e-mail it would go to their site, to show that they might be a victim."

Intrepidus Group declined ZDNet.com.au's request for an interview.
