09:00 AM

The Real Reason Phishing Works So Well

New Duo Security study shows many companies don't update browsers and operating systems - a first line of defense.

Simulation data shows that people just keep clicking on malicious links and attachments: in a new study from Duo Security, based on results from its free phishing assessment tool, nearly one-third of users clicked the link in a simulated phishing email that their own company's internal team sent through the tool.

Worse still, 17% went on to enter their username and password, which would have given a real attacker the keys to corporate data.

The real-world data comes from Duo Insight, Duo Security's free tool that lets organizations run internal phishing simulations. The data also showed that a phishing campaign that took just five minutes to set up in the tool could lead an attacker to corporate data within 25 minutes, according to Duo Security.

Since Duo Insight’s launch last month, around 400 companies have used the tool; in its report, Duo pulled results from 11,542 users who received a phishing email campaign from their companies.

“The tool tells companies which devices have operating systems out of date, who clicked on an email on a test, who clicked on a link and who entered credentials,” says Jordan Wright, R&D engineer at Duo Security.

Most successful phishing attacks are the result of endpoint problems, not credential issues, he notes. In fact, the Duo study found that, on average, 62% of users were running out-of-date browsers and 68% were running out-of-date operating systems.

“Attackers have created reusable exploit kits that come bundled with multiple high-quality exploits designed to compromise a browser,” Wright said. “These exploit kits can download malware or ransomware to a device, and steal credentials and information stored on the device.”

Duo offers these four tips for preventing phishing attacks: 

Run simulation campaigns internally to understand the company’s risk. Companies need to understand that internal campaigns are not “one-and-done” events. To be effective, they must be run continuously so that, over time, the company can see whether it is improving. Typically, a system administrator is notified via email that a test is about to start, and companies are advised to tell staff that, as part of the security program, periodic tests will be run to measure how susceptible the company is to phishing.

Educate the staff. Wright says that it’s very important for companies not to focus too much on the people who clicked. Don’t single out anyone in a negative light. In many ways, it’s more important to focus on the people who notified corporate IT. The drills are meant to build a collaborative environment in which the staff works closely with IT. Another point to remember: just because somebody didn’t click on one test doesn’t mean they won’t click on a subsequent drill. So shy away from singling out those who clicked; it can happen to anyone.

Keep all operating systems, browsers, and Flash and Java plug-ins up to date. Wright says that it’s highly unlikely for an attacker to penetrate a browser or operating system that has been updated: the attacker would need a zero-day exploit, and those are far more expensive and rare. Phishers typically go for the low-hanging fruit of users who don’t update their systems.

Reward employees for catching a phish. Some companies offer financial rewards or gift cards, or simply recognize users at a corporate event or in a special email. Try to create a climate in which employees want to be the first to notify IT of a phishing incident.
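As an added example (not code from Duo Insight, Duo Security or the article), the following Python scores a phishing-simulation event log in the way the article describes the tool working: it reports who clicked, who entered credentials, who notified IT, and which clicks came from out-of-date browsers, and it produces per-campaign rates so repeated drills can be compared over time. The log format, the sample records, the User-Agent matching and the minimum browser versions are all assumptions constructed for this example.

```python
"""Added example (not Duo Insight's own code): score a phishing-simulation event log.

Each line is "<timestamp> <campaign> <user> <event> <user-agent or ->", with
events delivered / clicked / submitted / reported. The format, the sample
records and the minimum browser versions below are all constructed for this
example; a real version table would be refreshed from vendor release data.
"""
import re
from collections import defaultdict

# Constructed "current major version" thresholds (placeholders, not vendor data).
MIN_BROWSER_MAJOR = {"Chrome": 73, "Firefox": 66, "Safari": 12}

# Most specific family first: Chrome UAs also contain "Safari/", and Edge/Opera
# UAs also contain "Chrome/". Edge is matched before Chrome and, having no
# threshold in the table, is reported as unknown rather than mislabelled Chrome.
_UA_PATTERNS = [
    ("Edge", re.compile(r"\bEdge?/(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)[\d.]* .*Safari/")),
]


def browser_from_ua(ua):
    """Return (family, major_version), or (None, None) if no family matches."""
    for family, pat in _UA_PATTERNS:
        m = pat.search(ua)
        if m:
            return family, int(m.group(1))
    return None, None


def is_out_of_date(ua):
    """True/False against the threshold table; None if the browser is unknown."""
    family, major = browser_from_ua(ua)
    floor = MIN_BROWSER_MAJOR.get(family)
    if floor is None:
        return None
    return major < floor


def _rate(n, d):
    return n / d if d else 0.0


def campaign_metrics(log_text):
    """Per-campaign rates. Users are counted once per event type, so repeat
    clicks by one person do not inflate the click rate."""
    seen = defaultdict(lambda: defaultdict(set))   # campaign -> event -> users
    stale = defaultdict(set)                        # campaign -> users on old browsers
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, campaign, user, event, ua = line.split(" ", 4)
        seen[campaign][event].add(user)
        if event == "submitted":                    # entering credentials implies a click
            seen[campaign]["clicked"].add(user)
        if event == "clicked" and is_out_of_date(ua):
            stale[campaign].add(user)
    report = {}
    for campaign, ev in seen.items():
        delivered, clicked = len(ev["delivered"]), len(ev["clicked"])
        report[campaign] = {
            "delivered": delivered,
            "click_rate": _rate(clicked, delivered),
            "credential_rate": _rate(len(ev["submitted"]), delivered),
            "report_rate": _rate(len(ev["reported"]), delivered),
            "stale_browser_share": _rate(len(stale[campaign]), clicked),
        }
    return report


def trend(report, metric):
    """(campaign, value) pairs in log order, for tracking drift across drills."""
    return [(c, m[metric]) for c, m in report.items()]


# Constructed sample log: two drills a month apart against the same five users.
EVENTS = """\
2019-03-04T09:00:00Z c1 alice@example.com delivered -
2019-03-04T09:00:00Z c1 bob@example.com delivered -
2019-03-04T09:00:00Z c1 carol@example.com delivered -
2019-03-04T09:00:00Z c1 dave@example.com delivered -
2019-03-04T09:00:00Z c1 erin@example.com delivered -
2019-03-04T09:03:11Z c1 alice@example.com clicked Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
2019-03-04T09:04:02Z c1 alice@example.com submitted Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
2019-03-04T09:06:45Z c1 bob@example.com clicked Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
2019-03-04T09:08:30Z c1 carol@example.com reported -
2019-03-04T09:12:05Z c1 dave@example.com clicked Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15
2019-03-04T09:12:40Z c1 dave@example.com clicked Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15
2019-04-08T09:00:00Z c2 alice@example.com delivered -
2019-04-08T09:00:00Z c2 bob@example.com delivered -
2019-04-08T09:00:00Z c2 carol@example.com delivered -
2019-04-08T09:00:00Z c2 dave@example.com delivered -
2019-04-08T09:00:00Z c2 erin@example.com delivered -
2019-04-08T09:02:50Z c2 alice@example.com reported -
2019-04-08T09:03:10Z c2 bob@example.com reported -
2019-04-08T09:05:22Z c2 carol@example.com reported -
2019-04-08T09:09:01Z c2 dave@example.com clicked Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
"""

if __name__ == "__main__":
    for campaign, m in campaign_metrics(EVENTS).items():
        print(campaign, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in m.items()})
```

Two design points worth keeping in a real implementation: per-user sets rather than raw event counts, so one person clicking twice does not double the click rate, and a three-valued out-of-date check (True, False, unknown) so that link-following mail scanners or unrecognised clients are not silently counted as either patched or unpatched.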


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.
