Phishing experiment sneaks through all anti-spam filters


A recently conducted ethical phishing experiment (New study details the dynamics of successful phishing), which impersonated LinkedIn by mailing invitations purportedly from Bill Gates, achieved a 100% success rate in bypassing the anti-spam filters it was tested against.

The experiment shows how small-scale spear phishing campaigns can bypass anti-spam filters, and once again confirms that users continue to interact with phishing emails.

More info on the methodology used:

"This scenario was an invitation from Linkedin, posing as an invitation from Bill Gates to join his network. Linkedin was selected due to availability, and the fact that it is a social network recognized by most executives. This selection of Linkedin was also based on the fact that linked-in email should be already identified by most existing email system(s), and this may have helped delivery through into the mailbox. The phishing link can be identified in the HTML source code below.

The Phishing site was based on the Linkedin sign in page. The form action was changed so that the user would be redirected to a subsequent page on our site. No usernames or passwords were collected during this assessment. All targeted users were contacted before the phishing email was sent, and were expecting a Linkedin invitation from Bill Gates."

A similar study was conducted by ethical phishing vendor PhishMe.com in March this year; based on 32 phishing scenarios tested against 69,000 employees, it found that people are less cautious about clicking active links in emails than about handing over sensitive data. Unsurprisingly, PhishMe cites this behavior as a possible opening for blended threats, similar to known cases where phishing and scareware sites also served client-side exploits.

With the average price of a thousand active Gmail, Yahoo Mail and Hotmail accounts falling, thanks to the economies of scale achieved by vendors of CAPTCHA-solving services, and with numerous tools at the spammer's disposal for abusing such accounts, in the long term all spammers will start abusing the DomainKeys trust already established among the most popular free email service providers.

What's the success rate of spam and phishing emails hitting your inbox? What about your corporate email? Also, do you believe that ethical phishing is the most constructive way of building awareness of phishing attacks, or do you think it drives innovation in the wrong direction by gathering click-through metrics instead of advising users to avoid interacting with such emails at all?

TalkBack.

Topics: Collaboration, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

125 comments
  • Not mine.

    My e-mail address is not known to spammers and
    I haven't received spam ever since my Hosted
    Exchange provider uses a Barracuda Spam Filter.

    Sorry, you can't take advantage of my trust
    unless I know you for years -- even decades. :)

    And by the way, please mind your feelings as
    I'm about to say this: you're a fool if you
    interact with a phishing e-mail. :)
    Grayson Peddie
    • Does deleting something or marking it as spam count as "interaction"?

      AzuMao
      • Nope.

        If you click on that link in an e-mail, then
        you're only interacting inside the e-mail message.
        You're interacting with your e-mail system
        by marking your e-mail message as spam or deleting
        it.
        Grayson Peddie
    • yeah ... and mine isn't known by them either ...

      yeah ... and mine isn't known by them either ... because it doesn't exist...

      all your "they don't know it" relies on, is either never sending email, never having an email address to begin with, or having a fairly small scope of persons emailed. Barracuda or not, and obviously if you're this smug about your email, you've forgiven all the bad sides and incorrectly trapped or bounced mail thanks to that barracuda...

      I could be as smug as you ... whoops, then when I first started posting here (zdnet), I didn't know that they used my email address as the site wide, fully visible, user name ... learned that, bitched at cnet & zdnet for the practice, and things changed.

      I didn't have spam problems for the longest time ... until I started emailing people outside my self. Yeah, you read that correctly..

      I've had customers that are highly intelligent using stupid passwords, and their hotmail account gets cracked. I've had friends that let a friend of a friend sit at their computer at home to check their email and surf for movie times, only to have my friend's pc become infected, and thus addresses exposed.

      I've had close friends and family forward emails of mine on to others ... without removing my email address from the body of the forward..

      All of these are ways your email address gets around, without a spammer having to crack at you personally. So being smug about "they ain't got me yet" is just a fool's folly. The more you email, the more you forward, the more surface area is exposed. Sooner or later they have your address. And they may already have your address, but your precious barracuda is good enough at blocking legitimate spam.. what else is it blocking though.. ;)

      And thinking of the smartass reply of "well if barracuda blocked it I didn't want it" is again, just a fool's response without knowing the full scope of what's been denied. We all have a concept of what's missing, but unless you're getting daily notices, and dutifully going through them you can't be 100% sure that something, even one message, didn't get blocked incorrectly.
      TG2
      • Two words: Private e-mail.

        Grayson Peddie
        • Two words ain't enough..

          perhaps you could explain such a counter intuitive statement. I've been using hotmail for almost a decade and still almost no junk mail.

          What do I need with this?

          I may get two or three every day or so, some days none.

          I do agree with this article however; as using the ego of the kind of crank heads that post on this blog; they are so full of themselves, the type phishing scam noted would work like a charm I would think. The bigger the ego, the harder they fall.
          JCitizen
          • I don't fall for phishing scams.

            I don't get any spam through my mail filter and
            I do not have any blacklist -- only a whitelist
            of e-mail addresses. It's been working for about a
            year now.

            Oh, and by the way, even though I don't have
            such an ego as you described, even those with
            high amounts of ego can minimize the chance of
            falling for such scams -- that is, if their
            e-mail address is not well-known and visible to
            spammers. I'm not using common mail domains,
            such as @live.com or @gmail.com. Not even
            through an ISP.
            Grayson Peddie
          • Just keep in mind..

            ..that whitelisting only works if the spam doesn't
            spoof an address on your whitelist.
            AzuMao
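AzuMao's caveat is the whole weakness of a whitelist keyed on the From header. As an added illustration (code added here, not from the article or any commenter), the Python below contrasts a naive From-address allowlist with one that also requires the receiving server's own Authentication-Results header (RFC 8601) to show a DKIM or SPF pass aligned with the From domain; AUTHSERV_ID and the three sample messages are constructed placeholders.

```python
"""Added example, not code from the article or its commenters: an allowlist
keyed on the visible From header versus one that also requires OUR mail
server's Authentication-Results header (RFC 8601) to show dkim=pass or
spf=pass aligned with the From domain. AUTHSERV_ID and the sample
messages are constructed placeholders; the MTA is assumed to strip any
Authentication-Results headers that arrive from outside."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ALLOWLIST = {"friend@example.org"}   # exact addresses, not whole domains
AUTHSERV_ID = "mx.example"           # placeholder: the authserv-id our MTA writes

def parse_from(raw: str):
    """Parse the message and return (message, lower-cased From address)."""
    msg = message_from_string(raw, policy=policy.default)
    return msg, parseaddr(str(msg.get("From", "")))[1].lower()

def naive_allow(raw: str) -> bool:
    """Trusts the From header alone, i.e. whatever the sender chose to type."""
    return parse_from(raw)[1] in ALLOWLIST

def authenticated_from(raw: str):
    """From address if our server's verdict shows dkim=pass with header.d equal
    to the From domain, or spf=pass for a MAIL FROM in that domain; else None."""
    msg, addr = parse_from(raw)
    dom = re.escape(addr.rpartition("@")[2])
    end = r"(?=[\s;]|$)"   # not \b: 'example.org.evil' must not match
    for hdr in msg.get_all("Authentication-Results", []):
        ar = " ".join(str(hdr).split())               # unfold folded lines
        if ar.split(";", 1)[0].split()[:1] != [AUTHSERV_ID]:
            continue                                  # not our verdict: ignore
        if re.search(r"\bdkim=pass\b.*\bheader\.d=" + dom + end, ar):
            return addr
        if re.search(r"\bspf=pass\b.*\bsmtp\.mailfrom=[^\s;]*@" + dom + end, ar):
            return addr
    return None

def strict_allow(raw: str) -> bool:
    addr = authenticated_from(raw)
    return addr is not None and addr in ALLOWLIST

# Constructed samples: spoofed From, genuine, and a forged verdict from outside.
SPOOFED = ('From: "A Friend" <friend@example.org>\nTo: me@mx.example\n'
           'Authentication-Results: mx.example; dkim=none;\n'
           ' spf=fail smtp.mailfrom=bulk@phish.invalid\n\nClick here.\n')
GENUINE = ('From: "A Friend" <friend@example.org>\nTo: me@mx.example\n'
           'Authentication-Results: mx.example; dkim=pass header.d=example.org\n\nHi.\n')
FORGED = ('From: friend@example.org\nTo: me@mx.example\nAuthentication-Results:'
          ' attacker.invalid; dkim=pass header.d=example.org\n\nClick here.\n')
```

A message sent from a compromised account at an allowlisted address still passes both checks, which is exactly the DomainKeys-trust abuse the article anticipates; that is why the allowlist holds exact addresses rather than whole domains.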
          • White Listing doesn't work for salesmen

            Whitelists are alright for some people but if you need to receive legit email from strangers, whitelists don't work well. Sure you could use a challenge response but as a salesman do you really want your clients to have to deal with that. You will definitely lose some over it.
            codeguy007
          • Hotmail & spam

            I too have a hotmail account as my main email, and I get virtually no spam. I occasionally get a desired message in my junk mail box but that's rare. Having a web-based main email address be it hotmail, gmail, yahoo or whatever does make me independent of ISP and if my personal PC dies I haven't lost all the emails that were stored on it.
            "You should back up your emails" I hear you cry. I'd like to know how many members of the public who aren't highly PC literate would know how to. It's not as if Outlook (which many users use) or Outlook Express makes it easy to find where emails are stored, so even if you have a good backup regime, the chances are that email will not be backed up.
            Or do you know better???
            JohnOfStony
          • I make sure...

            my clients know how to do it; the rest can go Phish! HA! =)
            JCitizen
          • If your emails are important to you at all..

            ..then surely you can be assed to at least click
            on that little bar at the top of your browser,
            type "plz how i can backup my hotmail stuff!?" and
            hit enter.
            AzuMao
    • I can't believe how awesome you are

      Can I be your friend, and can you show me the ways of Spam immunity?

      Thanks in advance.
      tikigawd
      • And stupid

        I can't believe how stupid you are either!
        cne@...
        • I can't believe it either!

          AzuMao
    • Barracuda?

      My problem with Barracuda isn't its efficiency in spam detection but (out of the box) the number of false positives. There are whole banks of perfectly legitimate email addresses it rejects completely. i.e. I think just like many others it relies on 3rd party black lists, and therefore is as accurate as they are.
      dgrainge
    • WOW! How shocking.

      To be honest why would you use a link in an email? If you want to be secure never follow links, go direct to the site, never open anything but text and don't let loons near a PC.

      Let's face it, most Executives don't know their security protocol. I would also point out that they usually have a problem turning a PC on, never mind looking after the data they are giving away freely. Look at all the top secret information lost by Governments around the world.

      Sod them, they deserve to be had over. Let them get back to paper and leave the PC to people who know how to keep themselves, and their business safe(ish).

      Take care all.
      Horus418
    • Have fun with that!! Grayson

      http://www2.sandbox.google.com/search?hl=en&source=hp&q=Grayson+Peddie&btnG=Google+Search&aq=f&oq=&aqi=

      Please use a name that is anonymous if you want some semblance of security online. I hope Orlando is nice this time of year. Take care of you and your online persona.
      Horus418
  • and what exactly did that experiment achieve?

    "No usernames or passwords were collected during this assessment."

    so what's the point?
    ljenux-23043766007667558234416105604265
    • What indeed?

      This just proves you can fool all of the people some of the time.
      dmgroves