Best Social Engineering (Phishing) Attacks?

I have to give a presentation on social engineering (phishing) computer attacks. I suppose I will use PowerPoint.

I am unable to quickly find some stories of really clever, very amusing phishing attacks.

Anyone got a source?

I’m not sure that it’s phishing, but it’s social engineering:

https://boards.straightdope.com/sdmb/showthread.php?t=859017

Google spear phishing.

The go-to place for cybersecurity is Krebs on Security:

Might be worth looking into the antics of Kevin Mitnick. He managed to get a wiretap put on the LEOs that were trying to catch him. https://www.mitnicksecurity.com/site/news_item/kevin-mitnick-genius-or-figure-of-one-of-the-most-famous-hackers-in-history

We have an IT security expert here. He was Bayard, but recently changed his username to Defensive Indifference.

You should probably PM him with a link to this thread

Bruce Schneier has an interesting, exotic example:

Another vulnerability which is kinda-sorta phishing:

XKCD. Be sure to hover your mouse over the comic.

Is there a way to hover on a phone?

Chrome/Android

I don’t know if it is still considered “clever”, but one hears stories of attackers leaving USB drives in the parking lot of a place they want to attack, and eventually some schmuck employee will pick one up and plug it into a work computer just to see what is on it.

You won’t find ‘clever’ or unique ones.

They are intended to be ordinary, boring things. Things that people will click on and respond to without thinking. So much effort is put into making them look as much like ordinary communications as possible – using the logo, color scheme, typestyle of your bank, making the return address look like a bank one, etc. Everything they can do to make it look as normal as possible.

You should point out in your presentation the mundane ordinariness of phishing attacks. Just like regular fishermen, they try very hard to make the bait look just like a normal meal.

Wasn’t that how the Stuxnet attack got through?

I recently got an e-mail to the effect of “We accepted your request to delete your Google account. If this is in error, please click here.” Not exactly unique, but I suspect that’s an effective tactic - panic can cause people to be less careful and act irrationally.

I get loads of bills from iTunes which say that if it is an error – please click here.

I got a new one today claiming to be from “The Government Gateway”. The [genuine] Government Gateway is a government portal that deals with pension and tax queries. It is reckoned to be pretty secure. The spoof email said I was owed £512.49 in underpaid pension and I should click a link to arrange payment.

[Use this link, then click the sup[/sup] text.](https://m.xkcd.com/1694/)

Thank you all.

Thanks!

Fake phishing by an organization’s own IT department, to train or test employees, has a huge advantage in that the creators of the fake phishing e-mail have long familiarity with the organization’s internal processes.

I’ve only been taken in by one phishing attempt in my life so far – it was a fake phishing e-mail my own workplace sent out to test us. They used all the correct fonts, logos, departments, and format – the only difference was a period in the wrong place in the e-mail address of the sender.

What really got me was they referred to an upgrade that the IT department had pushed out the day before. Sure, actual malicious phishers might have been able to assume that a Windows update would be pushed out by our internal IT on a specific date, I guess. But it felt like our IT folks using insider knowledge to trick us was something of a low blow.

We’ve encountered a few scam attempts at work that went further than they logically should have. The first one was from someone impersonating the President of our company and emailing our CFO. It was a very short and quick conversation and I’m still puzzled about how far it went.

**Imposter Company President:** Pete, are you at your desk?
CFO: Yes.
Imposter Company President: I need you to wire me $50,000 asap.
CFO: Ok, I will send it now. Where should I send it to?
**Imposter Company President:** Please send it to _______________
CFO: I’m processing it now.

*At this point the CFO thought that he should confirm the sketchy money transfer with our President. The bank was eventually able to reverse the transaction since the phishing attempt was uncovered quickly enough.*

Another one that happened just recently went like this:

Imposter Company President: Glenn, Let me know when you are available. There is something i need you to do. I am going into a meeting now, so just reply my email.
Department Supervisor: I am available now.
Imposter Company President: Can you get this done ASAP? I need a couple of gift cards. There are some clients we are presenting the gift cards. How quickly can you arrange these gift cards because i need to send them out in less than an hour. I would provide you with the type of gift cards and amount of each.
Department Supervisor: Absolutely – I can go right now and get them. Just let me know what you need.
Imposter Company President: The type of card i need is Apple iTunes gift cards. $100 denomination, I need $100 X 20 cards. You might not be able to get all in one store, you can get them from different stores. When you get the cards, Scratch out the back to reveal the card codes, and email me the codes. How soon can you get that done? Its Urgent.
Department Supervisor: I can go right now! Should I contact Nancy to get the company Credit Card?
Imposter Company President: You can use cash or your own Credit Card and will be reimbursed.

At this point he contacted the President's assistant regarding reimbursement just before he left to get the gift cards.
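The two exchanges above share the same shape: an executive's name on a message that does not come from the executive's real address, plus a demand for wire transfers or gift card codes in a hurry. The following screening function is an added example, not code from this thread or from any poster; the company domain, the executive list and the two sample messages are all constructed for illustration.

```python
# Added example: screen an inbound message for the executive-impersonation
# pattern (display name of a known executive, lookalike or external sender
# address, mismatched Reply-To, urgent payment language).
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "examplecorp.com"                     # assumption: our real domain
EXECUTIVES = {"pat president": "pat@examplecorp.com"}    # assumption: display name -> real address
PRESSURE = re.compile(r"\b(asap|urgent|wire|gift cards?|card codes?)\b", re.I)

def normalise(domain):
    """Collapse dots and hyphens so a misplaced period does not hide a lookalike."""
    return re.sub(r"[.-]", "", domain.lower())

def screen(raw):
    """Return the list of reasons this message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' but sender is {addr}, expected {known}")
    if domain != CORPORATE_DOMAIN and normalise(domain) == normalise(CORPORATE_DOMAIN):
        findings.append(f"lookalike sender domain {domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append(f"Reply-To {reply} differs from From {addr}")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    hits = sorted({m.lower() for m in PRESSURE.findall(msg.get("Subject", "") + " " + body)})
    if hits and findings:  # pressure wording alone is noisy; only report it with a header signal
        findings.append("pressure/payment language: " + ", ".join(hits))
    return findings

# Constructed sample: executive's name, misplaced period in the domain, free-mail Reply-To.
SAMPLE = """From: Pat President <pat@example.corp.com>
Reply-To: pat.president@freemail.example
Subject: Urgent
Content-Type: text/plain

Glenn, I need a couple of gift cards ASAP. Scratch off the back and email me the card codes.
"""
# Constructed sample of a genuine internal message for comparison.
LEGIT = """From: Pat President <pat@examplecorp.com>
Subject: Lunch
Content-Type: text/plain

Lunch at noon?
"""

if __name__ == "__main__":
    for line in screen(SAMPLE):
        print("FLAG:", line)
```

The out-of-band confirmation the CFO eventually made is still the control that matters; this check only decides which messages deserve that phone call.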

I got one of these from an Imposter CEO. It got as far as “Please send it to” because the next bit didn’t make any sense as it wasn’t a supplier or any company we appeared to do business with.

Yep. For some reason, these seem to frickin’ work. I warn my users about entering their usernames and passwords into things, and they’re good about it – but we’ve been subjected to the ones above, and maybe once a month they fall for it. I… just don’t get it. :(

As a Realtor, someone who is accustomed to getting documents from title companies and banks, even ones I haven’t worked with before or wasn’t expecting, I have recently been getting emails telling me that my financial documents are ready, just click here. Since I often do have documents ready, it is tempting to accept their claims.

I think the most successful phishing attempts are ones that are narrowly targeted, such as these, targeted to financial agents. The average person wouldn’t be as easily fooled.