Invented by Alin Irimie, Wendy Bartlett, David Austin, KnowBe4 Inc
The KnowBe4 Inc invention works as follows: The method includes identifying the campaign in a database, which contains the parameters. It also includes storing the campaign with the parameters.
Background for Systems and Methods for Performing or Creating Simulated Phishing Attacks and Phishing Campaigns
It can be helpful to simulate phishing attacks against an individual or group of individuals in order to extract information from the device they use. A phishing attack is an attempt to obtain sensitive information, such as credit card numbers, usernames and passwords, often maliciously and by posing as an official entity. An email sent to a victim may carry a malicious attachment or a link to a website that executes malicious code when the webpage is accessed, or that prompts the user to run a malicious program. The resulting malicious actions can include harm to the device on which the email was activated, or malicious data collection.
A simulated attack can test the ability of a security system or user to detect phishing attempts and prevent malicious behavior. A simulated phishing campaign may target, for instance, a large group of users such as the employees of an organization. Such a campaign can be conducted by a party that is neutral or friendly to the intended target. In one type of simulated phishing attack, the attempt is made using phishing techniques, but the information obtained is not used for malicious purposes and instead forms part of a process for detecting security weaknesses. A simulated phishing attempt can reveal weaknesses in the security infrastructure that is meant to protect devices and users from computerized attacks such as phishing. It can also reveal a lack of the knowledge and/or vigilance that users or groups of users need in order to minimize the risk of such attacks. A security manager can then pinpoint the specific problems that need to be addressed and bolster security as necessary. A simulated phishing attack can be performed by, for example, a security manager or a third party acting on behalf of one.
The following is a method for performing simulated phishing. An email sent to the target contains a link that leads to a website. Emails can be disguised as coming from parties known to the recipient, or they can simply appear to come from unknown parties. Emails can be designed to appear interesting and may offer or promise things such as access to a useful piece of software, knowledge about a money-making scheme, or an interesting bit of news. The target has failed the simulated phishing test if they click the link and visit the webpage. A record of the failure is created, along with user information associated with the target.
The present disclosure presents new tools for performing nuanced simulated phishing attacks. These tools enable simulated phishing campaigns to go one step further by including a number of possible ‘failure’ actions. This allows a more nuanced look at how unprepared or lax the target is in responding to phishing.
In simulated phishing campaigns, it can be helpful to give a campaign manager control over how the campaign is configured and carried out. The disclosure provides tools for performing tailored, nuanced simulated attacks.
The present disclosure allows for the configuration, control and automated running of simulated phishing campaigns. A simulated phishing campaign can be configured by an administrator, including different types of attacks that target different users. Different phishing campaigns can be launched and targeted at different users, or at the same user using different exploits and attacks. The present disclosure allows for fine-grained control and configuration of campaign parameters, including type, content and targets, and gives this granular control and configuration to an administrator who manages these campaigns and their execution.
In an implementation, the user interface of a campaign management server may allow the manager of a simulated phishing campaign to control specifics of the campaign. The campaign manager can decide to use an exploit, such as a Java application, as part of the campaign, and can select which data the Java application will collect, within the limitations of that application. Upon receiving input from the campaign manager, the campaign management server can start a simulated campaign comprising multiple simulated attacks. A simulated phishing attack can be performed by sending one or more messages to the campaign target. The target may click on a phishing hyperlink embedded in a campaign message. Such a click may cause a browser or application on a device owned by the campaign target to open an exploit webpage. The exploit webpage can notify the campaign management server, directly or indirectly, that the link was clicked. The exploit webpage may ask the campaign target to run a data-collection application ("DCA") downloader, which the campaign target may accept and execute. The DCA downloader can request from a server a location from which to download DCA install files. The server may provide the location, and the DCA downloader can retrieve the DCA install files directly or indirectly. The DCA can be installed by executing the DCA install files. The DCA can collect data on the campaign target and transmit it to an exploit server, which processes the data and sends it back to the campaign management server.
In some implementations, a method for setting up a simulated phishing campaign based on at least a type of exploit includes receiving, via a program running on a processor coupled with memory, a specification of a plurality of parameters for the campaign. The plurality of parameters includes at least an identifier for the campaign and identification of the users to whom the campaign should be sent. The method also includes establishing, as part of the plurality of parameters, a type of exploit for the campaign and one or more types of data to be collected via the type of exploit. The method also includes storing, by the campaign manager, the campaign with the plurality of parameters in a database, and identifying, by a simulation server, the stored campaign in order to create a simulated phishing message to be sent by email to the users using the parameters.
In some implementations, receiving the specification of the plurality of parameters also includes receiving, through the campaign manager, parameters that identify the campaign's start time, duration, and frequency.
In some implementations, receiving the specification of the plurality of parameters also includes receiving, via the campaign manager, a selection of a simulated phishing email template that will be used to create the simulated email.
In some implementations, receiving the specification of the plurality of parameters also includes receiving, via the campaign manager, a selection of a group of users to identify the users.
In some implementations, establishing the type of exploit includes receiving, through the campaign manager, a selection of the type of exploit from a variety of different types.
In some implementations, establishing the type of exploit also includes receiving, via the campaign manager, a selection of the types of data to be collected from any or all of the following data types: user information, network information, system information, and Lightweight Directory Access Protocol (LDAP).
In some implementations, the method also includes receiving identification of a user group for those users who interact with the simulated email to cause navigation to the landing page via the link.
In some implementations, a system for creating a simulated phishing campaign based on at least a type of exploit includes a campaign manager, a program that runs on a processor coupled with memory. The campaign manager receives a specification of a plurality of parameters for a simulated phishing campaign, wherein the plurality of parameters includes at least a campaign identifier and identification of the users to whom the campaign should be sent. The campaign manager can also establish, as parameters of the plurality, a type of exploit and one or more types of data to be collected via the type of exploit. It then stores the campaign with the plurality of parameters in a database. The system also includes a simulation server configured to identify the stored campaign in the database and create a simulated email to be sent to the email accounts of the users using the plurality of parameters of the campaign.
In some implementations, the campaign manager can also be configured to receive, among the plurality of parameters, parameters that identify the campaign's duration, frequency, and start time.
In some implementations, the campaign manager can be configured to receive, for the plurality of parameters, a selection of a simulated phishing email template to be used to create the simulated phishing email.
In some implementations, the campaign manager can be configured to receive a selection of a group of users in order to identify the users.
In some implementations, the campaign manager can be configured to receive a selection of the type of exploit from a variety of different types.
In some implementations, the campaign manager is configured to receive a selection of the types of data to be collected. These include user information, network data, system data, and Lightweight Directory Access Protocol (LDAP).
In some implementations, the campaign manager can be configured to receive identification of a user group to which users who interact with the simulated email to cause navigation via the link will be added.
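The campaign parameters, graded failure actions and user-group enrolment described above, as a record-keeping example added here (it is not code from the patent or from KnowBe4): parameters are checked against an allow-list of data types before storage, each targeted user is reported with their most severe recorded failure action, and any user who fails is added to the campaign's configured group. All table, field and action names are assumptions, and the sample campaign in `demo()` is constructed.

```python
import json
import sqlite3

# Identifiers are assumptions; the page names the parameters but gives no schema.
FAILURE_ORDER = ["link_clicked", "downloader_run", "data_collected"]  # least to most severe
ALLOWED_DATA_TYPES = {"user", "network", "system", "ldap"}
REQUIRED = {"id", "users", "exploit_type", "data_types", "clicker_group"}
SCHEMA = """CREATE TABLE campaign(id TEXT PRIMARY KEY, params TEXT NOT NULL);
            CREATE TABLE event(campaign_id TEXT, user TEXT, action TEXT);
            CREATE TABLE group_member(grp TEXT, user TEXT, UNIQUE(grp, user));"""

def store_campaign(db, params):
    """Reject incomplete or over-broad campaigns before they reach the database."""
    missing = REQUIRED - set(params)
    extra = set(params.get("data_types", [])) - ALLOWED_DATA_TYPES
    if missing or extra:
        raise ValueError(f"missing={sorted(missing)} not_permitted={sorted(extra)}")
    db.execute("INSERT INTO campaign VALUES (?, ?)", (params["id"], json.dumps(params)))

def load_campaign(db, campaign_id):
    row = db.execute("SELECT params FROM campaign WHERE id = ?", (campaign_id,)).fetchone()
    return json.loads(row[0]) if row else None

def record_failure(db, campaign_id, user, action):
    """Log one failure action; any failure enrols the user in the campaign's group."""
    params = load_campaign(db, campaign_id)
    if not params or user not in params["users"] or action not in FAILURE_ORDER:
        raise ValueError("event does not match a stored campaign")
    db.execute("INSERT INTO event VALUES (?, ?, ?)", (campaign_id, user, action))
    db.execute("INSERT OR IGNORE INTO group_member VALUES (?, ?)",
               (params["clicker_group"], user))

def worst_failure(db, campaign_id):
    """Map each targeted user to their most severe failure action (None = none recorded)."""
    report = dict.fromkeys((load_campaign(db, campaign_id) or {}).get("users", []))
    rows = db.execute("SELECT user, action FROM event WHERE campaign_id = ?", (campaign_id,))
    for user, action in rows:
        if report[user] is None or FAILURE_ORDER.index(action) > FAILURE_ORDER.index(report[user]):
            report[user] = action
    return report

def demo():
    """Constructed sample: ana clicks and runs the downloader, raj takes no action."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    store_campaign(db, {"id": "q3", "users": ["ana", "raj"], "exploit_type": "java_application",
                        "data_types": ["system"], "clicker_group": "remedial"})
    for action in ("downloader_run", "link_clicked"):
        record_failure(db, "q3", "ana", action)
    return worst_failure(db, "q3"), db.execute("SELECT grp, user FROM group_member").fetchall()
```

Storing the events out of order in `demo()` shows that the report depends on severity rather than arrival order, and the `UNIQUE` constraint keeps a user from being enrolled twice.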