• @ozymandias117 · 56 points · 7 months ago

    The one they use at my work is extra silly, as it adds an extra email header saying it’s coming from a phishing campaign

    • @frickineh · 53 points · 7 months ago

      Ours do that too. It’s so obvious that I’m not sure if they think we’re all stupid, except then I remember that some of my coworkers actually are stupid, so it’s probably aimed at them.

        • @cm0002 · 59 points · 7 months ago

        except then I remember that some of my coworkers actually are stupid, so it’s probably aimed at them.

        I work in IT and have done these campaigns, if you’re on Lemmy, you’re probably not the target audience lmao

            • @LowtierComputer · 35 points · 7 months ago

          There’s an older guy in my group who rants and raves about how all the new training is a waste of time. Discrimination, harassment, safety, information security, all of it. But he specifically hates the fraud and phishing training.

          He’s the only one in our group that has failed any of the test emails.

        • @[email protected] · 24 points · 7 months ago

        I’ve worked with a dude for years who I would consider smart both technically and non-technically. One time we got an email at work with an attachment that was something like “microsoft_update.exe.txt”. The email said “due to a technical limitation on the email system, this file needs to be renamed to drop the .txt and executed to apply a critical to your computer.”

        It was, in my mind, such an obvious phishing attempt that I laughed out loud and said “who the fuck would ever fall for this?” Then my coworker popped his head over the cube wall and said “WAIT WHAT? We weren’t supposed to run that?!”

        Fortunately, the security team sat nearby and heard the whole thing and rushed over to quarantine his PC

            • @Emerald · 15 points · 7 months ago

          quarantine his PC

            You mean shut it off and steal the Ethernet cable? Lol

                • @[email protected] · 11 points · 7 months ago

                You DON'T want to turn it off. Digital forensics work WAAAAAAY better if you have a memory dump of the system. And all the memory is lost if you turn it off. Even if the virus ran 10h ago and the program has long stopped running, there will most likely still be traces in the RAM. Like a hard drive, simply deleting something in RAM doesn't mean it is gone. As long as that specific area was not written over later it will still hold the same contents. You can sometimes find memory that belonged to a virus days or even weeks after the infection if the system was never shut down. There is so much information in RAM that is lost when the power is turned off.

                You want to:
                1: quarantine from network (don't pull the cable at the system, but firewall it at the switch if possible)
                2: take a full copy of the RAM
                2.5: read out BitLocker keys if the drive is encrypted
                3: turn off and take a bitwise copy of the hard drive, or just send the drive + memory dump to the forensics team
                4: get coffee
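
Added illustration (not from the thread or any of its posters): a Python simulation of the point above that traces survive in RAM until the page is reused. It builds a constructed toy memory image, writes the same constructed indicators (a file path, a URL under the reserved `.invalid` domain, a user-agent string) into two pages, "frees" one without zeroing it and overwrites the other, then carves the image for printable strings and searches for the indicators the way a first-pass `strings`-style triage over a real memory dump would. Every path, URL and offset here is made up for the example.

```python
import re
from typing import Dict, List, Tuple

PAGE = 4096  # page size used for the toy image (constructed; real dumps are just flat bytes)

# Constructed indicators, standing in for what an analyst would search a dump for.
INDICATORS = [
    "C:\\Users\\victim\\Downloads\\microsoft_update.exe",
    "http://c2.invalid/beacon?id=42",
    "Mozilla/5.0 (constructed-example-agent)",
]


def build_sample_image(pages: int = 16) -> bytearray:
    """Deterministic filler standing in for a physical-memory dump (constructed, not real)."""
    img = bytearray()
    for p in range(pages):
        # Mostly zero bytes with one lone noise byte every 97 positions so the image is
        # not trivially empty; isolated bytes never form a printable run.
        img += bytes([(p * 37 + i) % 251 if i % 97 == 0 else 0 for i in range(PAGE)])
    return img


def write_region(img: bytearray, page: int, payload: bytes) -> int:
    """Place a process's data at the start of a page; returns the byte offset."""
    start = page * PAGE
    img[start:start + len(payload)] = payload
    return start


def free_region(img: bytearray, page: int) -> None:
    """Process exit / free(): the allocator only marks the pages reusable. Nothing is
    wiped, so the bytes stay put until another allocation reuses the page."""
    return None


def overwrite_region(img: bytearray, page: int, new_owner: bytes = b"\x00") -> None:
    """A later allocation that reuses the page; only now is the old content gone."""
    img[page * PAGE:(page + 1) * PAGE] = (new_owner * PAGE)[:PAGE]


def carve_strings(img: bytes, min_len: int = 8) -> List[Tuple[int, str]]:
    """'strings'-style carving: every run of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(img)]


def find_indicators(img: bytes, indicators: List[str]) -> Dict[str, List[int]]:
    """Every byte offset at which each indicator occurs in the image."""
    hits: Dict[str, List[int]] = {}
    for ind in indicators:
        needle = ind.encode("ascii")
        offsets, pos = [], img.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = img.find(needle, pos + 1)
        hits[ind] = offsets
    return hits


def demo() -> Dict[str, object]:
    """Run the scenario: same data in two pages, one freed-but-intact, one recycled."""
    img = build_sample_image()
    payload = b"\x00".join(i.encode("ascii") for i in INDICATORS) + b"\x00"

    exited_page, reused_page = 3, 9
    write_region(img, exited_page, payload)   # the "virus" ran here, then exited
    write_region(img, reused_page, payload)   # and here, but this page got recycled
    free_region(img, exited_page)             # exit: pages released, contents untouched
    overwrite_region(img, reused_page)        # a later allocation overwrote this one

    return {
        "strings": carve_strings(img),
        "hits": find_indicators(img, INDICATORS),
        "exited_page": exited_page,
        "reused_page": reused_page,
    }


if __name__ == "__main__":
    result = demo()
    for ind, offs in result["hits"].items():
        pages = sorted({o // PAGE for o in offs})
        print(f"{ind!r}: {len(offs)} hit(s) in page(s) {pages}")
```

The carver finds each indicator exactly once, in the page the exited process left behind, and nothing in the recycled page. That is the asymmetry the comment describes: how much survives depends only on whether the page has been reused, not on whether the process is still running, and powering off the box discards all of it.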

                    • @Emerald · 7 points · 7 months ago

              Why would you be doing digital forensics?

                        • @KISSmyOSFeddit · 13 points · 7 months ago

                To find out if nuking that one workstation is enough or if you have to take more drastic measures.

                            • @Emerald · 4 points · 7 months ago

                  I feel like most companies wouldn’t bother with all that. They’d probably just nuke the workstation and call it a day.

                                • @[email protected] · 2 points · 7 months ago

                    Yeah no. You gotta do due diligence. Getting one system compromised isn’t enough. The whole point is to pivot, elevate, repeat.

            • Boozilla · 9 points · 7 months ago

          Even a smart person can have a bad day / moment of weakness. If you are super busy / stressed out and some email comes that looks like a bullshit request from HR or IT or whatever, it can be tempting to just try to knock it off your plate real quick so you can get back to whatever fire you were fighting.

          My tactic these days is I pretty much don’t click on ANYTHING in an email, so it’s an ingrained habit. If it’s a link to something, it’s usually one I can navigate to myself using my browser. If it’s an attachment, we use a file sharing system that stores these so I can just go to that and see what’s in there.

          It’s inconvenient, and you don’t always have these work-around options, but by trying to make it into an automatic habit, it has saved me a couple of times.

    • Boozilla · 5 points · 7 months ago

      That’s really funny. It’s like you work for Dunder-Mifflin.

        • @smort · 3 points · 7 months ago

        Lots of us do lol

    • @[email protected] · 4 points · 7 months ago

      Lmao, the other day I had to whitelist some domains used for phishing training emails in the anti-phishing software we use just so they wouldn’t get nuked, then I had to whitelist them in another anti-phishing software so they wouldn’t have a huge red header injected on the top of the email body warning the user it was phishing.

    • @Magister · 3 points · 7 months ago

      haha same for me, the header contains the word “gophish”, easy to filter it

        • borari · 2 points · 7 months ago

        Damn. I’ve scripted out the entire process of verifying an owned domain in a hosted mail provider’s system, deploying the EC2 infrastructure, and installing and configuring gophish for a campaign, along with tearing everything down.

        That header thing gophish adds is a default option that you can override by just setting that header to an empty string. Whoever runs campaigns for your employer either wants to make it easy for you to pass or doesn’t care about their job at all.

        I’ve done it in the context of red team/adversary emulation campaigns before though, so the opsec needed to be a bit tighter than the mandatory phishing awareness stuff, I guess.