9 Things I've Learned Writing Phishing Emails

For the past six months, I’ve been writing and sending phishing emails to thousands of innocent people and analysing the results. This is what I’ve learned.

(Disclaimer: This is for educational and authorised testing purposes only. Please don’t break the law, it isn’t nice.)

My victims have no idea who I am, why I would want to steal their login credentials, or what I could do with them. They are trusting, hardworking people who just want to do a good job and go home to take care of their families.

Fortunately, I’m not a criminal. The emails I send are authorised phishing simulation tests. They’re designed to test our employees and their responses to various scenarios presented to them in email form.

Phishing Simulation and Awareness Training

With phishing simulation, we can measure how susceptible people are to real attacks, provide just-in-time training to those who take the bait, and measure the effectiveness of our overall training strategy. No amount of phishing awareness training is ever going to be 100% effective but if we can raise the level of caution even slightly we’re in a better place than before. No matter what we do, people will always be phished. Even me, even you.

At work, we employ people based on their ability to provide products and services to our customers, not their ability to distinguish real emails from malicious ones. Phishing simulation is a useful tool but to protect our people we need many others in our toolboxes. Things like Multi-Factor Authentication (MFA), email filtering, and a secure web gateway (filtering proxy) to name a few. Awareness training needs to be part of our defence-in-depth approach.

What I Learned Writing Phishing Emails

Writing phishing emails is a copywriting task, not a creative writing task. Creative writing is an art. Copywriting is a science. Writing phishing emails is more like writing sales and advertising material than anything typically associated with cybersecurity. The same things that convince us to buy products and services, book a holiday abroad, or subscribe to an email mailing list are the same things that make us click links in phishing emails and give away our login credentials.

Copywriting is the science of influencing people to take defined actions with the written word. Copywriters are effective through their ability to empathise with the reader and play upon their emotions. They use psychological tools such as the power of perceived authority, our natural bias towards loss aversion, a false sense of urgency through an imminent deadline, and many others. Ultimately, writing effective phishing emails is no different from convincing someone to upgrade their smartphone or buy a new car.

With that said, this is what I’ve learned so far:

1. Context is King

People respond well when an email matches the context of the mailbox it lands in. That is, work-related in the corporate mailbox, personal in the Gmail mailbox. Emails in the work mailbox pretending to be from HR or IT have a significantly higher conversion rate than those pretending to be from another company the reader buys personal products from. Even if they are legitimate customers of that service, if it isn’t ‘work’ at work, they’re not that interested.

The inverse is true for ‘work’ emails landing in a personal mailbox. If all you get is shopping offers and Facebook updates, an unexpected email about ‘your expense claim’ isn’t going to be taken seriously. An update from ‘The Facebook Security Team’ however has a much better chance of succeeding. Make your phishing emails match the context of where they are sent.

2. It Matters What Time You Press Send

As studies by email marketing companies have shown, the time of day a recipient receives an email drastically affects the effectiveness of that email. 8 am to 10 am and 3 pm to 4 pm are widely accepted as the optimum times for the average person working a 9–5, but work patterns at your company could skew this. Find out what shifts people are working before you set the delivery schedule, and adapt accordingly.

If a mail isn’t opened in the first 10 minutes to 1 hour, it probably never will be. We’re looking for the highest open rate possible, because if emails aren’t read the results of our test will be skewed by the smaller sample size. As any statistician will tell you, the bigger the sample size and the more representative it is of the population, the higher your confidence in the results. If you email 10,000 people and only 3 read it, it will be impossible to infer anything from it. If 8,600 people read it, that’s a different story. Make sure your phishing email is at the top of the reader’s mailbox when they open it to check their email.

3. Set a Deadline with Severe Consequences

If you email someone pretending to be HR and demand a response within the next 2 hours or the reader won’t get paid… there’s a strong possibility that they’ll do what you ask. Self-preservation (getting paid) trumps company preservation (not getting hacked) almost every time when people believe it’s real.

If you’re pushing a fake promotion with big discounts, make the offer expire in 4 hours or at midnight. If you’re pretending to be someone’s boss, implicitly threaten them with disciplinary action if they don’t get it done on time. The shorter the deadline, the more effective it can be. It works by invoking a fear of scarcity (time) and a fear of loss that clouds our judgement, also known as the amygdala hijack. Make sure you add a deadline by which your desired action must be completed: near enough to cause a slight panic, but far enough away that it doesn’t expire before they can act on it. If your victim doesn’t read the email until after the deadline and nothing happens, the game is up.

4. Mobile Victims are Easier to Hook

People using mobile devices are much easier to phish. The limited screen size reduces a lot of the protections that come with the desktop environment. People are often distracted and more inclined to simply do what they’re asked, especially with a threat of loss if they don’t respond in time.

Mobile browsers and mail apps can’t show all of the usual telltale signs that a website or email is not as it seems. The responsive view of a webpage abstracts away a lot of the details. A small screen showing yet another login form is just an inconvenience that they need to fix before they can get back to doing whatever they were trying to do while commuting to work or eating their lunch.

While corporate desktops are usually configured, and forced, to send their web traffic through a secure filtering web gateway (proxy), mobile devices today typically are not. This bypasses all of the protection that the desktop environment receives through the proxy and leaves everything down to the user’s browser and their judgement. Ensure phishing pages are responsive and look like the real sites they pretend to be. Just as web developers are becoming more mobile-first in their development cycles, be mobile-first in your phishing tests.

5. Authority Grants Access

If you pretend to be a peer or a supplier, you’ll have greater difficulty convincing someone to take action than if you pretend to be someone higher in their food chain. Their boss, the CEO, the police or the government are all common authority figures that can be used. Writing phishing emails from authority figures invokes a fear of retribution for not complying. When combined with a short deadline, the effectiveness increases.

Carrot and stick are two approaches when crafting a phishing email. When the promise of a reward won’t work, try the threat of reprisal from someone with power over the victim.

6. Not All Responses Appear In Your Tool’s Results

On several occasions, I’ve had people contacting HR or IT trying to stop them from doing whatever I’ve said ‘they’ would do. Most phishing simulation toolkits track sent emails, delivered emails, opened emails, number of links clicked and how many times, and when credentials are entered into phishing pages. What they can’t see is the worried phone calls and emails that go to the authority figures you’re pretending to be.

These are also useful metrics: although the victim might not have given you their login details, they were still convinced your email was legitimate. Try to find a way to capture or record reports made to other departments and include them in your reporting, as they are still indications of compromise. “Please don’t delete all my files” could just as easily have been the leak of a password.

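Putting sections 2 and 6 into numbers, as an added example that is not part of the original post: a Wilson score interval shows how little a click rate measured on 3 readers tells you compared with one measured on 8,600, and the hand-logged calls and emails to the impersonated department are carried as a separate `reported` count (a hypothetical field, assumed not to overlap with clickers) so they are not lost from the campaign report. All figures are constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class Campaign:
    """Counts from one simulation. The first four come from the phishing tool;
    `reported` is logged by hand from calls and e-mails to the impersonated
    department (hypothetical field, assumed not to overlap with `clicked`)."""
    sent: int
    opened: int
    clicked: int
    credentials: int
    reported: int


def wilson_interval(successes: int, n: int, z: float = 1.96):
    """95% Wilson score interval for a proportion; (0, 1) when nothing was observed."""
    if n == 0:
        return (0.0, 1.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def summarise(c: Campaign) -> dict:
    """Rates per reader rather than per recipient: unopened mail tells us nothing."""
    readers = c.opened or 1  # avoid division by zero in a campaign nobody read
    low, high = wilson_interval(c.clicked, c.opened)
    return {
        "open_rate": c.opened / c.sent,
        "click_rate": c.clicked / readers,
        "click_rate_95ci": (round(low, 3), round(high, 3)),
        "credential_rate": c.credentials / readers,
        # clickers plus the people who did not click but still believed the mail
        "convinced_rate": (c.clicked + c.reported) / readers,
    }


# Constructed figures: the article's 10,000 recipients with 3 vs 8,600 readers.
TINY = Campaign(sent=10_000, opened=3, clicked=1, credentials=0, reported=0)
LARGE = Campaign(sent=10_000, opened=8_600, clicked=2_580, credentials=900, reported=120)

if __name__ == "__main__":
    for name, camp in (("3 readers", TINY), ("8,600 readers", LARGE)):
        print(name, summarise(camp))
```

The interval for the 3-reader campaign spans most of 0 to 1, while the 8,600-reader interval is under two percentage points wide.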

7. Real Phishing Attacks Look Like Phishing Simulation Tests

When you’re running phishing simulation campaigns, it is important to inform your operations teams of what you’re doing. Subject lines and sender addresses are critical, as without them your tests blend in with the real attacks coming in every day. Best case, your tests will be blocked and removed from mailboxes by the Ops team, skewing results and detracting from your efforts. Worst case, the Ops team will assume real emails are your tests and allow them to reach end users, with disastrous consequences.

When your phishing simulation emails are written well they look just like the real thing — that’s the whole point. Ensure that those who need to know are informed of tests ahead of schedule so that they don’t interfere. Likewise, don’t inform those who don’t need to know, otherwise your testing isn’t going to be effective.

8. People Write Awful Emails That Look Like Phishing, But Aren’t

Once you start testing on a regular basis, people get really paranoid. People suspect foul play when genuine but unexpected emails come from internal or trusted third parties. Then they delete them or refer them to the IT Security team for investigation. The more awfully written an email is, the more likely it is to be perceived as phishing.

Your phish-aware employees are now looking for emails with spelling mistakes, bad layouts, images with paragraphs of text on them, random-looking sender addresses, and more. Work with other departments to ensure that unexpected emails come with advance warning. Try to preempt the “this is bad” reaction and ensure legitimate actions are performed as expected. After all, you’ve invested a lot of time into raising awareness; don’t be surprised when you get what you wanted.

9. Don’t Overdo It

With phishing simulation tests there is a balance to be found. We want to test people frequently enough that “is this real or trying to trick me?” becomes a regular thought when opening email, but not so often that we create numbness through overstimulation. When employees do fall for a phish, be sure to provide training there and then. Supplement this with appropriate and engaging training on a regular basis. For repeat offenders, a slightly stronger approach is needed to ensure behaviour improves, but don’t stress them too much. Spotting a phish isn’t their main job, it’s ours. We’re here to help people, not beat them down.

Originally published at https://craighays.com on December 6, 2019.

Translated from: https://medium.com/swlh/9-things-ive-learned-writing-phishing-emails-5239f4be6f4e
