09:00 AM
Connect Directly

The Real Reason Phishing Works So Well

New Duo Security study shows many companies don't update browsers and operating systems - a first line of defense.

Tests prove that people just keep clicking on malicious links and attachments: in a new study from Duo Security based on its free phishing assessment tool, nearly one-third of users clicked the link in a phishing email sent by Duo’s internal team.

Worse still, 17% entered their user name and password, which would have given a real attacker the keys to corporate data.

The real-world data comes from the Duo Security’s Duo Insight, a free tool that lets organizations run internal phishing simulations. The data also showed that a phishing campaign that took just five minutes to execute via the tool could lead an attacker to corporate data within 25 minutes, according to Duo Security.

Since Duo Insight’s launch last month, around 400 companies have used the tool; in its report, Duo pulled results from 11,542 users who received a phishing email campaign from their companies.

“The tool tells companies which devices have operating systems out of date, who clicked on an email on a test, who clicked on a link and who entered credentials,” says Jordan Wright, R&D engineer at Duo Security,

Most successful phishing attacks are the result of endpoint problems, not credential issues, he notes. In fact, the Duo study found that on average, 62% of respondents were using out-of-date browsers. And on average, 68% used out-of-date operating systems.

“Attackers have created reusable exploit kits that come bundled with multiple high-quality exploits designed to compromise a browser,” Wright said. “These exploit kits can download malware or ransomware to a device, and steal credentials and information stored on the device.”

Duo offers these four tips for preventing phishing attacks: 

Run simulation campaigns internally to understand the company’s risk. Companies need to understand that the internal campaigns are not “one-and- done” events. To be effective, they must be run continuously so that over time, the company can see improvement. Typically, a system administrator is notified via email that a test will be under way, and it’s suggested that companies tell staff that as part of their security program they will run periodic tests to determine how susceptible the company is to phishing attacks.

Educate the staff. Wright says that it’s very important for companies not to focus too much on the people who clicked. Don’t single out anyone in a negative light. And in many ways, it’s more important to focus on the people who notified corporate IT. The drills are meant to build a collaborative environment in which the staff works closely with IT. Another point to remember: Just because somebody clicked on one test doesn’t mean they won’t click on a subsequent drill. So shy away from singling out those who clicked; it can happen to anyone.   

Keep all operating systems, browsers, and Flash and Java program up-to-date. Wright says that it’s highly unlikely for an attacker to penetrate a browser or operating system that’s been updated. The attacker would need a zero-day attack to penetrate an updated OS or browser, and they are much more expensive and unusual. Phishers (aka attackers) typically go for the low-hanging fruit of those who don’t upgrade their systems.

Reward employees for catching a phish. Some companies offer financial rewards or gift cards, or just simply recognize users at a corporate event or a special email. Try to create a climate in which the employees want to be the first to notify IT of a phishing incident.  

Related Content:

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-18
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.
PUBLISHED: 2019-02-18
The seadroid (aka Seafile Android Client) application through 2.2.13 for Android always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
PUBLISHED: 2019-02-18
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may b...
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/g...
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service (resource consumption) via crafted dimensions for the verification code image.