Customer A - Dropbox. Issued to: Report date:

Size: px

Start display at page:

Download "Customer A - Dropbox. Issued to: Report date:"

August Taylor
5 years ago
Views:

1 Customer A - Dropbox Issued to: example@example.com Report date:

2 Example - dropbox Table of Contents Overview 3 Summary 3 Findings 4 User Activities 5 Over time 5 Activity bands 5 Activity following campaign launch 6 Browser data 7 Browsers, platform and plugins distributions 7 Vulnerable browsers and plugins 9 Comparing vulnerable and safe users 11 Appendices 13 User lists 13 Opened Mail Users 13 Remote Images Enabled Users 17 Clicked Link Users 18 Credentials Submitted Users 21 Vulnerable Users 22 Per User Reports 25

3 x x x Overview This is a Phish5 campaign "Example" using live data. The report begins with a summary of the campaign, then provides descriptive graphs and statistics related to the campaign. In the appendices are listed full records for all users affected by the campaign. Summary Name: Example - dropbox Description: drop box 500 ID: 2432 Approach: Dropbox File Share Report date: :05 Campaign created: :20 Campaign ends: :05 Mailing started: :18 Mailing ended: :55 Options Include in aggregate stats: Browser security: Notify mailbox: Notify on: Yes Yes phish5@example.com click post State Campaign state: Ended Targets: 492 Mails sent: 482 Phishing website URL: dropbox.com.ssl-sec.com Landing page: Yes Auth page: Yes 3 of 86

4 Findings 144 users opened the mail (29.9%) 45 users had enabled remote loading in their clients (9.4%) 125 users browsed the phishing page (26.0%) 35 users gave away credentials (7.3%) 1. The number of phishing links clicked exceeds the NetUtils average across all customers by 23.8% above the baseline of 21.0%. 2. The number of credentials posted exceeds the NetUtils average across all customers by 21.3% above the baseline of 6.0% users had remote images enabled, which lets phishers or other scammers detect when s have been opened. Consider disabling remote image loads across your organisation's mail clients users clicked on links and browsed the site. Merely browsing the site opens the user up to potential drive-by attacks, and there were targets in this campaign that had vulnerable browsers or plugins users provided credentials. This is concerning since even a single set of credentials can provide a foothold that is widened to further access users were vulnerable to browser or plugins issues. This is concerning since even a single compromised browser can provide a foothold that is widened to further access. Vulnerable browsers and plugins should be subjected to mandatory automatic updates. 7. No users had been previously phished. 8. The first phished credentials were collected 17m after the campaign launch. 4 of 86

5 User Activities Each campaign is centered on a target list of potential victims. Once the campaign is launched, we record each activity by every victim. Over time This graph shows user activity over the lifespan of the campaign and helps determine what happened at each point in time that the campaign was running. All activities are shown, even repeated events. It is very typical to see a flurry of activity early in the campaign, and as time goes on the counts' rate of increase slows. User Activities Activity bands This table shows the time taken for a given percentage of users to have performed an activity since the start of the campaign (the 'First' column shows the time to the very first recorded instance of that activity.) First 20% 40% 60% 80% 100% Remotes 31m Clicks 17m 23.7hr Posts 17m of 86

Activity following campaign launch These two graphs shows three types of user actions recorded over the first 24 hours of the campaign, and over the entire campaign.

6 Activity following campaign launch These two graphs shows three types of user actions recorded over the first 24 hours of the campaign, and over the entire campaign. Only the first action per user is displayed, as subsequent repeats by them don't significantly change their risk profile. Time 0 is when the campaign was launched. Activity in First 24 Hours Activity in Entire Campaign This graph shows when users were active each day, and indicates those times that users appear to be most susceptible to attacks. Time of Day Activity (UTC) 6 of 86

Browser data As users react to the phishing mails by opening the mails and visiting your phishing website, we record information about their browsers.

7 Browser data As users react to the phishing mails by opening the mails and visiting your phishing website, we record information about their browsers. Browsers, platform and plugins distributions The graphs below show the breakdown of browser vendors and platforms amongst your victims who visited the phishing site. Browser Distribution Platform Distribution 7 of 86

8 The graph below shows the total split of plugins amongst all users. Plugin Distribution 8 of 86

9 Vulnerable browsers and plugins Narrowing the data further, we come to vulnerable browsers and plugins. The pie charts and tables below show how the population of users with vulnerable browsers and plugins are made up. Vulnerable Browser Distribution Name Count Pct Internet Explorer % Safari % Firefox % Chrome % Total % 9 of 86

10 Example Vulnerable Plugin Distribution Name Count Pct Shockwave % Java % AdobeReader % QuickTime % Flash % Silverlight % WindowsMediaPlayer % Total % 10 of 86

11 Comparing vulnerable and safe users The bar graphs below compare the vulnerable browser and plugin groups to their safe population equivalents. Browser Comparison Plugin Comparison 11 of 86

12 Conclusion The findings of the Dropbox campaign reveal that 30% of the tested recipients (144) opened the phishing . Simply opening an from an unknown sender has the potential of resulting in the insertion of a virus or spyware application. 9% of recipients (45) had remote loading of images enabled. This can result in the potential for malicious applications to be downloaded within the image file (known as drive by downloads ). Again this has the potential of resulting in the insertion of viruses or spyware/trojan applications. While this is deemed of lower risk this is still a potential threat. 26% of recipients (125) clicked a link within the and browsed the phishing page; clicking links from unknown s and browsing unknown pages can lead to the insertion of spyware and command and control applications, this is particularly true where remote loading of images is enabled. 26% is higher than the observed average of 21%, activity of this nature should be considered high risk. 7% of recipients (35) posted their credentials. The leaking of credentials is the number one method of gaining access to systems. Additional security measures and end user training should be considered to help counter this type of activity. 7% is higher than the observed average of 6%. Any activity of this nature should be considered very high risk. Please discuss these findings with your account manager. Our technical specialist can support you and help mitigate the risks to your organisation. 12 of 86

FAQ. Usually appear to be sent from official address

FAQ. Usually appear to be sent from official address FAQ 1. What is Phishing Email? A form of fraud by which an attacker masquerades as a reputable entity in order to obtain your personal information. Usually appear to be sent from official email address