Testing the Human Backdoor: Organizational Response to a Phishing Campaign

To exploit the human as the "back door" to compromising well-protected information systems of organizations, phishing-type attacks are becoming increasingly sophisticated. There is however a significant lack of real-world studies of phishing campaigns in industrial settings even though it...

Bibliographic details
Published in: J.UCS (Annual print and CD-ROM archive ed.) 2019-01, Vol.25 (11), p.1458-1477
Main authors: Mihelic, Anze; Jevscek, Matej; Vrhovec, Simon; Bernik, Igor
Format: Article
Language: eng
Subjects:
Online access: Order full text
container_end_page 1477
container_issue 11
container_start_page 1458
container_title J.UCS (Annual print and CD-ROM archive ed.)
container_volume 25
creator Mihelic, Anze
Jevscek, Matej
Vrhovec, Simon
Bernik, Igor
description To exploit the human as the "back door" to compromising well-protected information systems of organizations, phishing-type attacks are becoming increasingly sophisticated. There is however a significant lack of real-world studies of phishing campaigns in industrial settings even though it is a wide-spread way to hack information systems of organizations and many notorious cyberattacks started with some sort of a human exploitation. To fill this void, we conducted a case study in a large Central European manufacturing company Manco (fake company name) and observed the targeted employees' and IT department staff's response to a phishing campaign. Even though the IT department staff reacted very fast (their procedures started fifteen minutes after the first phishing e-mail was sent), results suggest significant data leakage and a high potential for successful malware installation. The observed click rate was 69.4 percent and real personal data submission rate was at least 49.0 percent. The average response time of targets (i.e., time between sending the phishing e-mail and visiting the phishing website) was 20 minutes, from 25 seconds to 203 minutes. The results suggest that a phishing campaign can be successful even if the targeted organization's response time is very short. Also, the phishing campaign may not be effective only due to the susceptibility of targets but also due to the investigative techniques of the first responders.
doi_str_mv 10.3217/jucs-025-11-1458
format Article
eissn 0948-6968
genre article
oa free_for_read
publisher Verlag der Technischen Universität Graz
rights COPYRIGHT 2019 Pensoft Publishers
toplevel peer_reviewed
tpages 20
fulltext fulltext_linktorsrc
identifier ISSN: 0948-695X
ispartof J.UCS (Annual print and CD-ROM archive ed.), 2019-01, Vol.25 (11), p.1458-1477
issn 0948-695X
0948-6968
language eng
recordid cdi_gale_infotracacademiconefile_A777671561
source DataCite
subjects cyber-attack
Identity theft
Phishing
social engineering
spear phishing
Spyware
Target marketing
title Testing the Human Backdoor: Organizational Response to a Phishing Campaign
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-13T22%3A02%3A50IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-gale_PQ8&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Testing%20the%20Human%20Backdoor:%20Organizational%20Response%20to%20a%20Phishing%20Campaign&rft.jtitle=J.UCS%20(Annual%20print%20and%20CD-ROM%20archive%20ed.)&rft.au=Mihelic,%20Anze&rft.date=2019-01-01&rft.volume=25&rft.issue=11&rft.spage=1458&rft.epage=1477&rft.pages=1458-1477&rft.issn=0948-695X&rft.eissn=0948-6968&rft_id=info:doi/10.3217/jucs-025-11-1458&rft_dat=%3Cgale_PQ8%3EA777671561%3C/gale_PQ8%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_galeid=A777671561&rft_doaj_id=oai_doaj_org_article_b47eef172651448eb9277e2e1bd988c8&rfr_iscdi=true