LUCY MANUAL Applies to LUCY versions above 2.2.


Monitor the progress of the campaign: all available campaign statistics

Where can I see the logged data?

The progress of the campaign can always be monitored in “real-time” under the statistics tabs, or after a campaign using the reporting options or the CSV export. If you run only one scenario, you can look at the statistics in the top menu called “Statistics”. Depending on the criteria (Department, Location etc.) you saved in the recipient list, you can filter all stats accordingly.


Real time statistics in LUCY

When you access the “summary” overview page you see the overall campaign statistics. You will see the circle statistics only if you add awareness content to your campaign:

If you access the “statistics” tab, you will have at least 4 submenus:

  • collected data (1)
  • recipients (2)
  • awareness website (3)
  • benchmark (4)
  • compare (5)

What can be logged in LUCY?

The following list of information can be collected within a phishing campaign:

  • Emails Opened: Recipients opened the email (this statistic is based on a tracking image within the email. Many email clients will block the automatic download of images. As a result, this number might not be very accurate). Please read more about this feature here.
  • Link Clicks: Recipients clicked the link in the email (a unique randomized URL that is generated by LUCY to match the link with the email recipient). Each user (SMS or mail) gets a unique link (see chapter how links are created). It can be activated only once using a GET request from the client. So if a client clicks on the link and forwards the email to a different person, who also clicks on that link, it will still be considered only as one click. As a result, any spam filter that follows the links within the email before delivering it to the final recipient might generate some false positives. Therefore it is important to always perform a test run.
  • Successful Attacks: Recipients submitted data in a form (e.g. login data that is submitted via a form-based POST request), clicked on a link, executed a file etc. A complete list of success statuses is here.
  • Invalid submits: Recipients submitted data in a form (e.g. login data) - but it did not meet the filters in those input fields which you might have defined. More info can be found here.
  • Hourly Stats: Page views, link clicks, successful attacks, invalid submits, etc.
  • Daily Stats: Page views, link clicks, successful attacks, invalid submits, etc.
  • Recipient Criteria: Based on the usage of additional fields in the recipients list, you can sort and filter the statistics for each field.
  • File downloads (Requires you to append the ?tracking variable at the end of the download link). More details can be found here.
  • Trained: Tells you if the user clicked on the link to the Awareness Site.
  • IP: Remote IP address of your recipient. Please note: if your user is accessing the internet through a firewall, web proxy or any other gateway, LUCY will only display the remotely accessible IP.
  • eLearning Stats: Track who participated in an eLearning, which questions were answered correctly and how much time it took on average to answer a question (success_rate: how many times has the user been successfully attacked in one or multiple campaigns? | click_rate: how many times has the user clicked on a link in one or multiple campaigns? | answers_count: in how many interactive elements did the user participate? | correct_answers_count: how many of the interactive elements did the user answer correctly? | quiz_time_spent: how much time did the user spend on an interactive element in general or in particular?). Learn more here.
  • Vulnerable Browser | Vulnerable Client: Based on the user agent, LUCY will tell you if there is any misuse. A User Agent is a short string that web browsers and other applications send to identify themselves to web servers. A user agent string contains the following information: Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions]. Unfortunately, most browsers falsify part of their User-Agent header in an attempt to be compatible with more web servers. LUCY also only enumerates major versions (like IE 11), not minor versions, which would show the actual patch status, so some results might be false positives. Example: if you don't use the latest IE (e.g. IE10), we will query the CVE database and present all vulnerabilities for IE10 (http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-9900/version_id-138705/). But that does not mean that IE is not patched. This only displays all possible vulnerabilities for this browser version. Within the campaign statistics the vulnerable clients are displayed with an exclamation mark:

  • Client and network based vulnerability report: If you embed LHFC within a campaign you can collect output from up to 45 vulnerability checks
  • Additional stats: LUCY can determine additional info like:
      • Flash
      • VBScript
      • PhoneGap
      • Google Gears
      • Silverlight
      • Web Socket
      • QuickTime
      • RealPlayer
      • WMP
      • WebRTC
      • ActiveX
      • Session Cookies
      • Persistent Cookies
      • Tor
      • FireBug
      • Popup Blocker
      • Unsafe ActiveX

View the collected data from users (passwords, uploads etc.)

The actual collected data (user passwords, output from tools) is located within the scenario. You need to select “Collected Data” and the related scenario.


When you click “Click to View”, you are able to see the detailed data.


See advanced recipient statistics

When you click on Recipients, you can see the details about the user who clicked on a link, participated in an awareness campaign etc. Just click on the name and a sub menu with all details will open. The exact output of BeEF or the awareness page can be opened beneath each recipient (just click on the link to expand the details):

Note - Opened Emails Statistics: The general statistics are presented on the campaign Overview page. It also contains a statistic called “Opened Emails”. This statistic is based on a tracking image within the email. Many email clients will block the automatic download of images. As a result, this number might not be very accurate.


Note - Clicks Statistics: Some users might click on the link twice or refresh the webpage. This also has an effect on the “Clicks” or “Form Submits”.

Track e-learning (awareness)

Similar to the phishing page, each awareness landing page has a randomized URL variable which could look like this: http://your.awareness-page.com/Zhsdg3 (where “Zhsdg3” is a randomized string generated in LUCY that is associated with a unique mail address). When the user makes a GET request to that URL, LUCY knows that the eLearning page has been accessed by the user and the user counts as trained. It is irrelevant for LUCY whether that awareness page has an embedded video or just some static HTML.

If you want to go further and track if and how specific content is accessed within a landing page, you need to click on “quiz enabled” within the awareness page (see http://www.lucysecurity.com/PS/doc/dokuwiki/doku.php?id=create_an_interactive_e-learning_template). You can use this embedded JavaScript to track basically any interaction on the awareness website (e.g. place a START button to play a video and set the starting point for the script accordingly). If you want to see examples of how the interactive eLearning is implemented, we recommend taking a look at some existing templates (e.g. http://www.lucysecurity.com/PS/doc/dokuwiki/doku.php?id=interactive_elearning_pages).

You can access the awareness data via:

  • Reports (Raw CSV Report or PDF/HTML Export)
  • Statistics/Recipients (expand recipient to see the details)
  • Statistics/Awareness Website

Note: If you want to track how users perform on an interactive quiz you need to activate this feature.

Deleting Data in Statistics

  • Delete all Stats: Press “Reset Stats” - the data in the database for this campaign is deleted and cannot be restored.

  • Delete Stats from a Single User: Go into Stats/Recipients and delete the specified user. The user will not appear in the stats anymore.

  • Delete Stats from a User Group: If you remove a group from a running campaign all stats associated with this group will be deleted.

Compare Different Campaigns

Using the compare button within a single campaign you are able to compare the campaign statistics among different campaigns. In order to compare campaigns please go to “statistics” within the campaign and then click on “compare”.

LUCY will allow you to compare your current campaign against all other campaigns visible for the current client.

Common Questions regarding the stats

  • How can a click rate in recipient statistics ever be less than 100%? It is calculated for a recipient over several campaigns: if the recipient has participated in 10 campaigns and clicked on a link in 5 campaigns, the click rate will be 50%. The same applies to the success rate.
  • How is it possible that the awareness dashboard shows “N/A” for certain countries? Let's say a campaign has 3 victims, 1 from Switzerland and 2 N/A (as they never clicked). The first chart shows the percentage of users per country who clicked or did not click the awareness webpage link (it shows 100% from Switzerland never clicked and 100% from N/A never clicked), and the second chart shows absolute numbers: 1 from Switzerland never clicked the awareness link and 2 from N/A never clicked the link either.
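
The once-only link activation described under “Link Clicks” and the per-recipient click rate from the first question above can be modelled in a few lines. This is an added illustration, not LUCY's code: the class, method names, recipients and campaign names are assumptions constructed for the example.

```python
import secrets
from collections import defaultdict

class ClickTracker:
    """Toy model of once-only link activation (hypothetical, not LUCY code)."""

    def __init__(self):
        self.owner = {}                # token -> (campaign, recipient)
        self.first_source = {}         # token -> who made the first GET
        self.sent = defaultdict(set)   # recipient -> campaigns received

    def issue_link(self, campaign, recipient):
        token = secrets.token_urlsafe(6)          # randomized URL component
        self.owner[token] = (campaign, recipient)
        self.sent[recipient].add(campaign)
        return token

    def handle_get(self, token, source):
        """Return True only for the first GET on a known token."""
        if token not in self.owner or token in self.first_source:
            return False
        self.first_source[token] = source
        return True

    def click_rate(self, recipient):
        """Percentage of this recipient's campaigns with a counted click."""
        clicked = {c for t, (c, r) in self.owner.items()
                   if r == recipient and t in self.first_source}
        total = len(self.sent[recipient])
        return 100.0 * len(clicked) / total if total else 0.0

def demo():
    # Constructed sample data: names and campaigns are made up.
    t = ClickTracker()
    alice = [t.issue_link(f"campaign-{i}", "alice@example.com") for i in range(10)]
    for tok in alice[:5]:
        t.handle_get(tok, "alice")                    # clicks in 5 of 10 campaigns
    forwarded = t.handle_get(alice[0], "colleague")   # forwarded mail, second click
    bob = t.issue_link("campaign-0", "bob@example.com")
    scanner = t.handle_get(bob, "mail-gateway")       # filter follows link first
    bob_later = t.handle_get(bob, "bob")              # bob's own click adds nothing
    return {"alice_rate": t.click_rate("alice@example.com"),
            "forwarded_counted": forwarded,
            "scanner_counted": scanner,
            "bob_counted_again": bob_later,
            "bob_rate": t.click_rate("bob@example.com"),
            "bob_first_source": t.first_source[bob]}
```

In this model the second recipient shows a 100% click rate although the first GET came from the mail gateway, which is the false positive a test run is meant to reveal.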
monitor_a_campaign_statistics.txt · Last modified: 2018/01/23 07:41 by lucy