Australia Post employees had stopped responding to the internal phishing campaigns designed to test staff security awareness, so the organisation's infosec team decided it had to shake things up.
Eight months ago, the team sent out one of its regular bi-monthly phishing drives, and more than half of the people who fell for the fake email said they were not at all stressed about the fallout.
A further 43 percent of the same group said they were confident they would never fall for a phishing attack – yet they had just done so. A growing number said they knew they were being phished but clicked on the fake link anyway "for the lulz".
And all of the staff who clicked the link, which took them to training materials on how to spot phishing, abandoned the training in less than 30 seconds.
AusPost infosec awareness specialist Adam Janik told the ACSC 2017 conference this week: "No matter what we gave them to click on, they knew they'd mucked up and went 'I'm out'."
Enter the ransomware
Users are less aware of this kind of attack, but it is growing in severity and scale, according to Janik and Fuzy.
The infosec team decided to build its own fake version of ransomware to get staff's attention and bring home the real, tangible risks that can eventuate if staff are not careful about what they click on.
The custom-built ransomware application used low-level keyboard hooks to capture the keys users would press to exit the program, locking them into the ransomware screen.
The warning screen itself was designed to be intimidating: coloured black and red, with a skull and crossbones and a Russian translation. It ran for 18 seconds before taking users to training material.
"We figured 18 seconds was the sweet spot: it is enough time for people to realise that they've gone on to something wrong, read the message that we presented to them, and then think 'oh crap. I'm in trouble now'," Fuzy said.
The ransomware was launched through a link sent out in a phishing email to around 900 users from across the business.