A recent spear phishing experiment led to half of a targeted audience reaching a specifically designed landing page in 48 hours.
Trusteer admitted that it picked 100 LinkedIn users, created a new identity and sent a fake job alert. It said: “Since LinkedIn sends an alert when one of your connections has a new job, we decided to use this update method to create a fraudulent email. For each one of our targets we crafted a fictitious new job alert. We chose one of their LinkedIn connections and announced that this person was now working for a company that directly competes with our victim's company.
“We included a big button ‘View [friend's name] new Title’ and we also included the friend's photo. Clicking on the button redirects the victim to a different website, not LinkedIn. The website we used was innocuous, but it was a placeholder for a potentially malicious website that places malware on the victim's computer.”
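The lure described above relies on a LinkedIn-branded button whose link leaves LinkedIn. The following check, added here as an example and not part of Trusteer's experiment or this article, parses an HTML notification and flags every anchor whose host is outside the brand's domains; the allowed-domain set and the sample email are assumptions modelled on the description, not the real message.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed set of domains a genuine LinkedIn notification may link to.
LINKEDIN_DOMAINS = {"linkedin.com", "lnkd.in"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def _host_matches(host, allowed):
    host = host.lower().rstrip(".")
    # Exact match or a subdomain; "linkedin.com.evil.example" does not qualify.
    return any(host == d or host.endswith("." + d) for d in allowed)


def find_offbrand_links(html_body, allowed=LINKEDIN_DOMAINS):
    """Return (href, text) pairs whose host is not one of the claimed brand's domains."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""  # hostname drops "user@" tricks and ports
        if host and not _host_matches(host, allowed):  # skip relative/mailto links
            flagged.append((href, text))
    return flagged


# Constructed sample modelled on the lure described above (not Trusteer's email).
SAMPLE_EMAIL = """
<p>Alex Example has a new job at Competitor Corp.</p>
<a href="https://www.linkedin.com/feed/">Go to LinkedIn</a>
<a href="https://linkedin.com@landing.example.net/job"><img src="cid:photo">View Alex Example's new Title</a>
"""

if __name__ == "__main__":
    for href, text in find_offbrand_links(SAMPLE_EMAIL):
        print(f"off-brand link: {text!r} -> {href}")
```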
It confirmed that the targets were people it knew, including friends and family, who it estimated to be fairly educated about security. They were asked for their permission to take part in a security experiment that would not in any way put them at risk, without telling them what it was testing and how.
The message was sent to all 100 subjects on a Tuesday morning, and within 24 hours 41 subjects had reached the landing page. Within 48 hours, 52 subjects had reached the landing page, and within seven days, 68 subjects had clicked through.
Trusteer said that the total time invested in building this project was 17 hours. It approached the 32 subjects who did not reach the landing page and asked why they did not click on the link. Sixteen said they had not seen the email, seven said they usually do not read LinkedIn updates, while nine said that the update was not interesting enough for them to click the link.
Mickey Boodaei, CEO of Trusteer, said: “This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer, but in this case education did not prevent the attack.
“The solution to this problem must be based on technology and probably using more than one method. Based on these findings, we strongly recommend that organisations re-evaluate their approach to targeted attacks since they represent, as we witnessed in recent breaches, the most dangerous type of threat to their business.”