Photo via Colin/Wikimedia Commons (CC-BY-SA)
Let's say there's a hacker who wants to worm his or her way into your organization's computer systems. How long, on average, would it take for the hacker to compromise your email server? According to a report released on Tuesday by the cloud-based cybersecurity firm Duo Security, the answer is about 25 minutes.
Six weeks ago, Duo launched Duo Insight, a free web-based tool that organizations can use to test phishing campaigns on their employees and volunteers.
Phishing is a tactic used by hackers that involves sending an email designed to trick victims into clicking on a link that results in the installation of malware or the prompting of the affected user to enter his or her username and password credentials into a web form going right back to the attacker.
In the weeks since Duo launched Insights, the company has been collecting information about how the approximately 400 organizations that have used the tool have fared. The results were not particularly encouraging.
Of the more than 11,500 phishing emails sent out via Duo Insight, 31 percent of users clicked on a link that could have led to the installation of a virus that compromised their organization's computer systems. Instead of leading to the installation of malware, the links led to prompts for users to enter their login information, which they did 17 percent of the time.
All in all, it typically only took about 25 minutes after the commencement of a Duo Insight campaign for at least one person in a targeted organization to click on a phishing link or to enter their login info.
Duo Insight works by letting an organization enter its domain name and a list of email addresses for users it's interested in testing. The tool will then dig through publicly available information about which third-party services that company employs. If, for example, Duo Insight finds the organization is using a certain cloud storage provider, it will send employees an email with a link from a fake service reminiscent of that provider—albeit one that takes care never to specifically replicate another company's branding.
Duo R&D Engineer Jordan Wright added that if the document supposedly being shared had a particularly enticing title, like “bonuses_2016.doc” and came with a note reading, “Here are the new bonuses for 2016, take a look, let me know what you think," it was even more likely for a target to click on.
Wright noted that Duo doesn't pay much attention to the open rate for the emails sent out by Duo Insight, instead preferring to focus on the percentage of users who clicked a link or entered their credentials.
“For 99 percent of cases, just opening up the email will not be the attack vector,” he told the Daily Dot. “We've seen cases where there are vulnerabilities in mail clients. There is one that came out in Microsoft's Outlook not so long ago, where just opening up the email could be enough to get compromised. But it's hard or businesses to tell people not to open their email. We consider clicking the link to be the attack vector that we care about.”
Duo found that 62 percent of people getting its phishing emails were using browsers that hadn't been updated to the most recent versions. Those findings are worrisome because, typically, the most important task accomplished by browser updates is closing vulnerabilities hackers can exploit to gain control of a user's system. Wright said the best thing people can do to keep themselves safe is to keep all their software patched to the most recent set of updates.
At the organizational level, the key is to keep everyone on the same page when it comes to phishing emails. “You have to build a collaborative security environment,” Wright said. “We want to ... help administrators enable a culture ...[where people feel comfortable] coming to admins saying, 'Hey I got this phishing email' and that they did or didn't click on it. They just want admins to be aware of it. That's the single biggest thing that organizations can do—have that early alert. That comes in the form of good communication and good dialog between security and employees of the organization.”
“Too often we focus just on finding the people who clicked on the emails, sending them to some training and hoping that fixes it,” he continued. “Instead, we want admins to reward the employees that alert them to the emails being sent out. That's one of the biggest things that an organization can do is build up that dialog where employees can say, 'I saw this was happening, just wanted you to be aware of it.' That lets admins ... triage it, measure it, and respond to it.”