A recent ethical phishing experiment achieved a 100% success rate at bypassing anti-spam filters. The experiment highlights how a simple, small-scale spear-phishing campaign can pass straight through corporate security filters, and that users continue to take the bait.

The scenario was a fake LinkedIn invitation, purporting to come from Bill Gates and asking the recipient to join his network. LinkedIn was chosen because it was readily available and is a social network that most executives recognize. A further reason was that genuine LinkedIn email is already familiar to most existing email systems, which may have helped the message reach the inbox rather than the spam folder.

While this research project was mainly intended to document the (in)effectiveness of anti-spam filters against this kind of attack, it also illustrates other weaknesses. Merely visiting the phishing site can hand the attacker enough information, taken from the browser's User-Agent header and from the connection itself, to launch a targeted follow-up attack.

Specifically, we are interested in the client's IP address, operating system, browser, and any installed plug-ins. The IP address comes from the TCP connection and the OS and browser from the User-Agent string; the User-Agent header alone does not list plug-ins, so those have to be enumerated with client-side script. This information can be used in a multi-layered attack: we have server-side scripts that read the User-Agent value and direct the targeted user to specific application pages.

For example, suppose we have set up and tested a specific client-side exploit for Windows XP with Internet Explorer 6. We can then send only visitors whose User-Agent string reports Windows XP AND IE6 to the page hosting that exploit, and send everyone else to a harmless page. This greatly increases the chance of exploit success, and it also keeps the payload away from browsers (and analysts) it was not built for. The workflow is simply: prepare the exploit page for a given browser/OS combination, then redirect matching targets to it. Note that the User-Agent string is entirely under the client's control, so this routing is a best-effort match, not a guarantee.
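The following is an added example of the User-Agent routing logic just described; it is not the script used in the original experiment. It parses a few constructed User-Agent strings, recovers the Windows version and browser, and picks a landing page from a routing table. The page names, the Windows-version mapping and the sample requests (IP addresses from the documentation range) are assumptions chosen for illustration.

```python
"""Route visitors by User-Agent (added example, not the original experiment's script)."""
import re

# Windows NT kernel version -> marketing name (assumed mapping, covers the common releases)
_WINDOWS_VERSIONS = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8.1",
    "10.0": "Windows 10",
}


def parse_user_agent(ua: str) -> dict:
    """Extract OS and browser (name, major version) from a User-Agent string.

    Only the fields the routing logic needs are recovered; anything unknown is
    reported as None so the caller falls back to the default page.
    """
    info = {"os": None, "browser": None, "browser_version": None}

    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        info["os"] = _WINDOWS_VERSIONS.get(m.group(1), "Windows NT " + m.group(1))
    elif "Mac OS X" in ua:
        info["os"] = "macOS"
    elif "Linux" in ua:
        info["os"] = "Linux"

    # Legacy IE advertises "MSIE n.n"; IE11 dropped that token and uses "Trident/7.0 ... rv:11.0".
    m = re.search(r"MSIE (\d+)\.", ua)
    if m:
        info["browser"], info["browser_version"] = "IE", int(m.group(1))
    elif "Trident/" in ua and (m := re.search(r"rv:(\d+)", ua)):
        info["browser"], info["browser_version"] = "IE", int(m.group(1))
    elif (m := re.search(r"Firefox/(\d+)", ua)):
        info["browser"], info["browser_version"] = "Firefox", int(m.group(1))
    elif (m := re.search(r"Chrome/(\d+)", ua)):
        info["browser"], info["browser_version"] = "Chrome", int(m.group(1))
    return info


# Routing table: (os, browser, major version) -> page. Page names are hypothetical.
ROUTES = {
    ("Windows XP", "IE", 6): "/xp_ie6.html",
}
DEFAULT_PAGE = "/linkedin_invite.html"  # harmless page for everyone who does not match


def choose_landing_page(ua: str) -> str:
    """Return the page a visitor with this User-Agent should be redirected to."""
    info = parse_user_agent(ua)
    key = (info["os"], info["browser"], info["browser_version"])
    return ROUTES.get(key, DEFAULT_PAGE)


# Constructed sample requests: (client IP from the connection, User-Agent header).
SAMPLE_REQUESTS = [
    ("203.0.113.10", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    ("203.0.113.11", "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    ("203.0.113.12", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
]


def route_requests(requests=SAMPLE_REQUESTS):
    """Classify each (ip, user_agent) pair; returns a list of (ip, os, browser, page)."""
    out = []
    for ip, ua in requests:
        info = parse_user_agent(ua)
        out.append((ip, info["os"], info["browser"], choose_landing_page(ua)))
    return out


if __name__ == "__main__":
    for row in route_requests():
        print(row)
```

In a deployment this classifier would be called from the web server's request handler, with the client IP taken from the socket rather than from any header. Only the one XP/IE6 combination matches the exploit route here; everything else, including IE11 on Windows 7, lands on the default page. Because the client chooses its own User-Agent string, a mismatch simply means the target sees the harmless page, which is the desired failure mode.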

This case reiterates that continued user education is a key part of a comprehensive security program, since the mail filters alone stopped none of the messages. You may even consider running your own internal phishing campaign to measure current exposure and raise awareness within your organization.