Reverse Phish


(reddc) #1

What happens when your own users start phishing other users in the organization? Risky business for those that get caught but most won’t because of your “soft inside”. It used to be an “inside job” of embezzlement but now it’s identity theft and no one will ever know. How would you detect it? Is it already happening? Are your employees harvesting and selling contact information, calendar information or even network access? Social engineering is easier when you get paid to help the phisher!


(Edwin Eekelaers) #2

Anyone here sending fake stuff will face the wrath of me & my management + HR…
That’s why I have asked my CIO if he agrees with the phish test I’d like to do, but till now no answer.


(Daniel Ndiba) #3

How would you identify a reverse phisher?


(Chuck Kissel) #4

I have some experience with this. Not saying that I did it but as an exercise because we believed that some users or devices can send internal emails that would bypass many security measures.
All tips are assuming you are using Exchange or Lotus Notes and not some cheap freebie Linux email server.

  1. Lock Down Connectors: Block incoming emails from untrusted sources. Outlook authenticates with the server and allows access. Devices should be whitelisted by IP to allow sending of emails (Fax, MFP, server applications, etc).
  2. Monitor Outgoing Emails: I personally monitor weekly large bulk emails leaving my work place. Looking for emails that have more than 5 recipients. I only see subject line and number of attachments. But if I see an email with a subject like “Free Data” and butt loads of excel sheets with “Customer Numbers” leaving that is a red flag.
  3. Monitor User Activity: Any large institution would have some sort of logging system. Some advanced systems can alert on unusual activity.
  4. Limit Mass Email groups: Do not allow users to send out an email to the entire org with a click of a button. Limit the number of users that can use the “All_Employees” and “Everyone” distro groups in email.
  5. Limit Users with Send As Permission: I Hate and Loathe giving someone the ability to send as someone else. So should every Network/Exchange Admin Ever. Make it impossible to give someone Send As rights by having them sign out permission letters and approval signatures before giving anyone this type of permission.
  6. Disable Command Prompt and Powershell: Using these prompts is a way to send emails that look like they are coming from someone else. Telnet and $Email* commands can be learned and run by batch files. Whitelisting Authorized IPs can help with stopping this.
  7. Oldest Trick in the Book: Big Brother scare tactic. On a person's first day they will usually sign things like employee handbooks to read, benefit related items and a User Computer Guide. Put the words “We monitor all computer related activity through computer metrics and manually monitor user activity” all over those items and say it to users as well. If you don’t have a User Guide, write one up. Employees are using company property, so privacy is well… up to the boss.
  8. Educate: Just like above do the same for the more likely victims. Tell people “Never” to give out passwords under any circumstance, even to IT helpdesk. Place and say this to them in the first day handouts or training.

Just like real phishing there is no way to stop someone from sending a simple email to someone else internally asking for a password, because they need it for whatever reason.
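Tips 2 and 3 above (weekly review of outbound mail with more than 5 recipients, watching subject lines and attachment counts, and alerting on unusual activity) can be turned into a small triage script. The following is an added example, not Chuck's own tooling: it runs over a constructed CSV export in a message-tracking-log-like shape (the column names are assumptions, not real Exchange or Notes output), applies the more-than-5-recipients rule plus an assumed subject watch-list, and grades each hit as "review" or "red flag".

```python
import csv
import io

# Constructed sample, shaped loosely like a mail-server message-tracking export.
# It is not real Exchange or Notes output; the column names are assumptions.
SAMPLE_LOG = """timestamp,sender,recipient_count,subject,attachment_count
2024-03-04T09:12:01,alice@corp.example,1,Q1 numbers,0
2024-03-04T09:15:44,bob@corp.example,12,Free Data,7
2024-03-04T09:20:10,carol@corp.example,6,Team lunch,0
2024-03-04T09:25:33,dave@corp.example,2,Customer Numbers export,3
2024-03-04T09:30:00,erin@corp.example,8,IT helpdesk: reply with your password,0
"""

RECIPIENT_THRESHOLD = 5  # the thread's rule: look at anything with more than 5 recipients
SUBJECT_TERMS = ("free data", "customer numbers", "password")  # assumed watch-list


def parse_log(text):
    """Parse the CSV export into dicts with integer recipient/attachment counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["recipient_count"] = int(row["recipient_count"])
        row["attachment_count"] = int(row["attachment_count"])
        rows.append(row)
    return rows


def reasons_for(row):
    """Return the reasons a message deserves a look (empty list if none)."""
    reasons = []
    if row["recipient_count"] > RECIPIENT_THRESHOLD:
        reasons.append(f"bulk: {row['recipient_count']} recipients")
    hits = [t for t in SUBJECT_TERMS if t in row["subject"].lower()]
    if hits:
        reasons.append("subject mentions " + ", ".join(hits))
    # Attachments only matter once something else looks off: bulk mail or a watch-list subject.
    if reasons and row["attachment_count"] > 0:
        reasons.append(f"{row['attachment_count']} attachments")
    return reasons


def flag_messages(rows):
    """Triage: one reason -> 'review', two or more -> 'red flag'."""
    flagged = []
    for row in rows:
        reasons = reasons_for(row)
        if not reasons:
            continue
        severity = "red flag" if len(reasons) >= 2 else "review"
        flagged.append({"sender": row["sender"], "subject": row["subject"],
                        "severity": severity, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in flag_messages(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity']:8}] {f['sender']:20} {f['subject']!r}: {'; '.join(f['reasons'])}")
```

On the constructed sample, the 6-recipient "Team lunch" message lands in "review" (bulk only, nothing else odd), while the 12-recipient "Free Data" mail with seven attachments, the small "Customer Numbers export" with attachments, and the bulk internal mail asking for passwords all come out as red flags. The recipient threshold and watch-list are the knobs to tune against your own weekly volume so the review stays short enough to actually do by hand.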


(Will Jeansonne) #5

Great security tips, Chuck! Keep ’em coming!!

Will Jeansonne
Community Manager