'Good' phishing tool uncovers weakest staff links
A US-based security consultancy plans to release software next month that it claims will help employers launch ethical phishing attacks against their own employees.
The phishing software is designed to test how susceptible staff or customers are to phishing attacks, according to its maker, Intrepidus Group.
The company claims on its Web site the software allows security testers to pull content from other sites and drop it as a phishing e-mail, add e-mail addresses, set up attack schedules, and then track which staff are the weakest links.
Credit: Intrepidus Group
Results, such as how many people clicked on the e-mail, how many entered data as a result of it, and who did not respond are sent back to the tester.
According to the Sans Institute, governments have already resorted to targeting their own staff with phishing attacks to highlight weak points in their security.
Late last year, Salesforce.com's staff fell victim to a targeted phishing attack, resulting in customer details being leaked.
Independent security consultant Dancho Danchev fears there could be an unintended side-effect: phishers could learn from the business-like manner used in the phishme.com module.
"I guess the bad guys can in fact learn from the good guys standardising approach and metrics mentality applied," he said.
But phishers are likely to already have these tools, said David Endler, TippingPoint DVLabs' director of security research — a greater risk is a staff member who has access to the software using it for their own malicious purposes.
"If you're putting the tool in the hands of an administrator, there is a risk because any tool is a double-edge sword," he told ZDNet.com.au.
"What I hope is that they do not release the tools to outside world, but instead host it and automate it behind the scenes, so if someone was to click a link in a spoofed e-mail it would go to their site, to show that they might be a victim."
Intrepidus Group declined ZDNet.com.au's request for an interview.