Phishing
Phishing is a very popular way for attackers to gain initial access to a corporate network, steal confidential information and then spread. Although everyone is affected by this type of attack, in practice few users are properly aware of the pitfalls to avoid and the best practices to follow.
In order to respond to this threat we offer four types of phishing campaign:
- Email phishing
- Targeted USB phishing
- Anonymous USB phishing
- Wi-Fi phishing
The list of employees targeted by the campaign is established by the sponsor. After determining the context of the campaign in collaboration with the sponsor, our teams are responsible for the technical implementation of the campaign: registration of domain names, installation of collection servers, engineering of the various documents required, creation of scenarios and dummy sites.
For each type of campaign, we silently collect statistics on the actions carried out by the targeted people. Here are some examples:
- Reading mail
- USB stick connection
- Connection to the dummy access point
- Office document opening
- Macro execution
- PDF document opening
- Software execution
- Password sending
The exact list of statistics collected depends on the type of campaign and the configuration of the client workstations of the targeted employees. For more information, contact us.
Email phishing
A personalized e-mail is sent to all employees designated by the sponsor. This e-mail contains the visual elements characterizing the targeted organization and encourages the user to open the attachment (Office document with or without macros, PDF document) and to click on an external link. This link redirects to a domain name reserved for the campaign that hosts a dummy site.
Example of a campaign: an e-mail inviting the recipient to participate in a prize draw or to answer a survey, or even simulating a confidential document sent by mistake (pay slip of a VIP member, financial document, etc.).
Targeted USB Phishing
A personalized USB key is sent by post to all employees designated by the sponsor. This USB key is accompanied by an explanatory letter reusing the visual elements of the targeted organization. Several documents are present on the USB key in order to encourage the user to send their password via the software provided for this purpose.
Example of a campaign: provision of a secure USB key (the user is invited to enter their password in order to encrypt their new corporate USB key).
Anonymous USB Phishing
USB keys are left in various areas of the target organization's premises: open-plan office, meeting room, cafeteria, parking lot. Various documents on these USB keys encourage the user to open them in order to find the owner of the USB key: CV, vacation photo, confidential documents, etc. This type of campaign is often accompanied by a targeted USB phishing campaign.
Example of a campaign: USB keys containing information from the Works Council are left in the car park.
Wi-Fi phishing
After a study phase of the existing Wi-Fi, our teams install, in collaboration with the sponsor, Wi-Fi access points in the premises around the targeted organization. These aim to imitate the legitimate Wi-Fi access points by using the same SSID or by using a conventional SSID (for example WIFI-GUESTS). This Wi-Fi equipment is deployed taking care not to disturb the existing network and ensuring that it is transparent to the employees. At the end of the campaign, statistics are collected on the number of registered connections and, when possible, on the number of users who have connected using their password (Wi-Fi EAP or authentication portal).