a quick look at spear phishing via surveys


Upload: ben-rothke

Post on 13-May-2015


DESCRIPTION

Copy of my article ‘A quick look at spear phishing via SurveyMonkey’ that originally appeared at www.infosecisland.com/documentview/20594-A-Quick-Look-at-Spear-Phishing-via-SurveyMonkey.html Written by Ben Rothke

TRANSCRIPT

Page 1: A quick look at spear phishing via surveys

A quick look at spear phishing via SurveyMonkey

by Ben Rothke

In Social Engineering: The Art of Human Hacking, author Christopher Hadnagy writes that when performing a social engineer test, sometimes the easiest way to get information is to simply ask for it.

In recent months, a lot of people seem to have been taking that approach as I have gotten many surveys from anomalous sources asking penetrating questions. This is in line with what a spear phishing attack does.

According to PhishMe, Inc., once in an employee's inbox, there is a 60% probability that an untrained staff member will miss all of the indicators that the email is in fact a scam and will click on a hyperlink or open a file attachment within the email. There is no technology filter or screener that can stop that 60% from clicking.

The surveys I received came from SurveyMonkey and Zoomerang. Note that both companies have since merged.

The underlying problem is that many people who respond to these surveys are oblivious to what is going on and think that their answers are confidential and anonymous. That may be the case when a legitimate survey is done, but when a phisher is using the system, that is simply not the case.

Here is a quick example of how this attack is done.

Signing up for a free SurveyMonkey account is quick, easy and free.


Once the account is created, you can then create a survey. Notice this one goes out to but 1 user, which is precisely the nature of a spear phishing attack.

The unsuspecting user then gets this email:

The link takes them to the site which asks them these 5 questions:

1. Do you find it difficult to remember all of your corporate passwords?

2. How many passwords are you required to remember for corporate systems?

3. Of all your passwords, enter the one which you think is the best? (Such as sljkf2875$^ or Cook#paper)

4. Of all your passwords, enter the one which you think is the worst? (Such as password or LALakers)

5. Do you think your Chief Security Officer would be interested in our software tool that is both inexpensive and offers bullet-proof security protection?

Questions 1, 2 and 5 were there simply for an air of legitimacy. Questions 3 and 4 were the spear phishing questions. Since this was sent to 1 person, the following shows us that the target answered the survey.
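The split between cover questions and harvesting questions can be turned into a defensive content check. The following is added example code, not part of the article: a heuristic that flags survey questions asking the respondent to hand over a secret, run against a constructed copy of the five questions above, the kind of triage an awareness or mail-filtering team could apply to survey links before they reach users.

```python
import re

# Constructed sample input: the five survey questions quoted in the article.
SURVEY_QUESTIONS = [
    "Do you find it difficult to remember all of your corporate passwords?",
    "How many passwords are you required to remember for corporate systems?",
    "Of all your passwords, enter the one which you think is the best? "
    "(Such as sljkf2875$^ or Cook#paper)",
    "Of all your passwords, enter the one which you think is the worst? "
    "(Such as password or LALakers)",
    "Do you think your Chief Security Officer would be interested in our software "
    "tool that is both inexpensive and offers bullet-proof security protection?",
]

# Terms naming a secret, and verbs that ask the respondent to hand one over.
SECRET_TERMS = re.compile(
    r"\b(passwords?|passphrases?|pins?|security (questions?|answers?)|"
    r"one[- ]time (codes?|passcodes?)|tokens?)\b")
SOLICIT_VERBS = re.compile(
    r"\b(enter|provide|share|tell us|paste|submit|send)\b")


def is_credential_solicitation(question: str) -> bool:
    """Return True when a question asks for the secret itself.

    Heuristic: the question must both name a secret and contain a verb that
    asks the respondent to supply it. Questions that merely talk about
    passwords ("How many passwords ...") fail the second test; questions that
    ask the reader to "enter" one pass both.
    Known limitation: "Do you enter your password more than five times a day?"
    also matches, so treat a hit as a signal for human review, not a verdict.
    """
    text = question.lower()
    return bool(SECRET_TERMS.search(text)) and bool(SOLICIT_VERBS.search(text))


def flagged_question_numbers(questions) -> list:
    """1-based numbers of the questions the heuristic flags."""
    return [i for i, q in enumerate(questions, start=1)
            if is_credential_solicitation(q)]


if __name__ == "__main__":
    for n, q in enumerate(SURVEY_QUESTIONS, start=1):
        verdict = "FLAG" if is_credential_solicitation(q) else "ok  "
        print(f"{verdict} Q{n}: {q}")
    print("flagged:", flagged_question_numbers(SURVEY_QUESTIONS))  # flagged: [3, 4]
```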

We can then analyze the report and extract the data.

We now know that this person's best password is NYGiantsrock and their worst is HRpassword. Two passwords, just for the asking, without a lot of effort. The spear phisher will use this indispensable information in their attack.

Result

What this brief exercise demonstrates is that surveys can easily be used in the guise of a spear phishing attack.

SurveyMonkey responses can in some cases be anonymous and secure, but it is up to each survey creator to decide whether to collect responses anonymously or to capture respondents' personal information.

What matters most is that an attacker won’t follow the rules.


Recommendations

The most effective way to counter phishing and spear phishing is via an effective information security awareness program that educates users on how to identify and avoid a well-crafted spear phishing email.

As part of a corporate security awareness program, users should be cautioned against answering surveys around proprietary and/or confidential corporate information, or any personal information.

Users need to understand that since SurveyMonkey can't guarantee the anonymization of the answers, they should have zero expectation of privacy.

Ben Rothke is an information security manager and the author of Computer Security: 20 Things Every Employee Should Know.