Use your own website for phishing scams

Next Webinar: Using your own Website for a Phishing Simulation

Wow! In our eyes, our first webinar was an overwhelming success! That’s why we decided to hold our next live demo already in May: “Use your own website for phishing scams”.

Use your own website for a phishing scam - LUCY Webinar on May-17th 2017

Would your employees be fooled by a website that looks exactly like your official web presence? Our experience shows that employees often click through to supposed company websites even when something about them is clearly off. Appropriate training and phishing simulations teach staff to handle such lures, which can significantly increase the company’s security.

In our webinar you will experience live how to set up, implement, run and monitor a web based phishing campaign in LUCY, for training purposes. Meet the LUCY founder, Oliver Münchow, and learn how to:

  • Create a web based phishing scenario, using your own website as a template
  • Insert additional “layers” into the scenario, so that you can capture username and password
  • Configure and personalize the phishing mail messages
  • Start, run and monitor the campaign, including what happens when a user is trapped. We also show how the entered data is tracked and stored
  • Analyze the results of the phishing campaign
  • Oliver will answer selected questions in a Q&A at the end

In addition, we have a special offer for interested parties and owners of the community license at the end of the webinar! Register below!

Registration Form: Use your own website for phishing scams

Monday, 15th May 11.00 – 11.30 am EDT (17:00 – 17:30 CEST)

Educational Advanced Spear Phishing Simulation with the appropriate Malware

Advanced Spear Phishing Campaign and appropriate Malware [Video-Tutorial]

Suitable for reproduction: build your own advanced spear phishing simulation with matching attached malware in LUCY. A 30 minute video shows you how to set up an advanced phishing and malware simulation almost off the cuff!

LUCY founder Oliver explains how you can set up an advanced educational spear phishing campaign and store it as a reusable template. Contents are:

  • Create a new attack template for your own purposes
  • Create a file-based or mixed advanced spear phishing scenario, using pre-defined templates
  • Configure the phishing mails so that they contain personalized content
  • Configure and integrate harmless (simulated) Trojans into the file-based scenario
  • Set the default behavior of the Trojan (e.g. commands to be executed on the client, or listing the “Recent Documents” on the target computer)
  • Start, monitor and finalize the campaign
  • Reporting: analyze the results of the spear phishing campaign
  • Usage of the scheduler with multiple scenarios (Q&A at the end)

Would you like to reproduce or replay this educational phishing campaign? Just request a demo system here:

What the public knows about cybersecurity quiz

Most Americans don’t know much about Cybersecurity – And you?

I did the quiz. My score was 9 out of 10. With this result I belong to the top 4% – It’s not only about strong passwords…
A new Pew Research Center survey titled “What the Public Knows about Cybersecurity” tallied responses from more than a thousand American adults last year about their understanding of concepts important to online safety and privacy. It shows that Americans are not very good at recognising phishing mails or at determining whether the website where they are entering credit card information is encrypted. We assume that other countries would not perform better.
Pew - Study: What the public knows about Cybersecurity
Only 54% of US internet users are able to identify examples of phishing attacks. Phishing remains a favourite trick for infecting computers with malware and for gaining access to them. Americans’ understanding of e-mail and Wi-Fi encryption is also rather mixed: fewer than half of internet users correctly identify the statement “all email is encrypted by default” as false.
Private browsing is not really private: only 4 out of 10 internet users are aware that internet service providers (ISPs) can still see which sites their customers visit while the “private browsing” mode of the browser is in use. And only one-third (33%) know that the “s” in a URL beginning with “https://” indicates that the traffic to that site is encrypted! Note that the padlock says nothing about who runs the site: a phishing page can be served over HTTPS just as easily as a legitimate one.
Other findings in the Pew survey:
  • 75% of participants are able to identify the most secure password from a list of four options.
  • 52% of people know that turning off the GPS function on smartphones does not prevent tracking. Mobile phones can still be tracked via cell towers and Wi-Fi networks.
  • 10% were able to identify one example of multi-factor authentication when presented with four images of online login screens.

LUCY Server makes phishing simulations and cybersecurity education available and affordable to everybody. A free Community Edition can be downloaded from lucysecurity.com/download. Hundreds of customers trust LUCY!

Update immediately to LUCY V 3.3.3

Alert! Please install V 3.3.3! Your LUCY Server needs an immediate patch.

Dear Clients,

Please install LUCY version 3.3.3 as soon as possible! It should be available in the LUCY upgrade section.

In the case the server has running campaigns:

If campaigns are still running, LUCY blocks the upgrade, and if you are also unable to open the campaign page you cannot stop them from the UI either. In that case you need to stop the campaigns manually: connect to LUCY over SSH and, as root, run the following command. It switches every scenario that is currently in the running state (status 10) to the stopped state (status 0) directly in LUCY’s PostgreSQL database (phishing), so take a snapshot or database backup of the server before you run it:

sudo -u postgres psql phishing -c 'update campaign_scenarios set status = 0 where status = 10'

Once the command has completed you can safely upgrade to the newest version and then start the campaigns you stopped. Do not click RESTART: click only “START | REAL ATTACK”, which resumes the campaign without re-sending the mails.

“Stop all” Feature will come with LUCY 3.5

In the last few days we received many requests for this functionality, and we will implement it: starting with LUCY 3.5 you can stop all campaigns before upgrading, right on the update page.

Should you have problems:

If you experience any problems,

  1. please open an SSH connection for our support engineer and
  2. get in contact with us.

A big sorry for the inconvenience!

Best Regards,

Oliver Muenchow & Palo Stacho

LUCY Phishing GmbH

 

Edit Apr-06-2017, 3pm (CEST)

Reason: the patch addresses an internal issue with an encryption module that is used to obfuscate LUCY code. The module stopped working, so code (e.g. PHP) could no longer be decrypted, which resulted in errors (500 Internal Server Error) when accessing certain pages. After the patch, the code can be interpreted again.


The Best Remedy for Cyber Insecurity

The ransomware explosion of 2016 has not only caused a lot of damage, but also uncertainty and “cyber insecurity”. This is normal; faced with a new kind of incident, everyone is initially unsure. As with all other uncertainties, experience, education, attitude and practice also help against cyber insecurity!
Experience – In the case of an incident you are much better prepared when you experienced something similar in the past. Of course, nobody in the Security sector will rely solely on his experience, but experience is certainly the main remedy factor in cyber insecurity.
Education Matters – “Executives and managers responsible for cyber risk management realise that education of their employees has to be a feature of any credible security plan”. A study by the Economist Intelligence Unit, The Meaning of Security in the 21st Century, shows a strong increase in employee awareness training, which is another key factor in making a company or a government safer.
Attitude – The right mindset helps. Many executives believe that vulnerability is a weakness. We say: it depends! It can even be a strength. If, for example, you are hit by a ransomware attack but it causes no lasting damage, because the hole is closed immediately and a current backup is restored, then a short outage can cost much less than fully redundant, total protection would. Of course, this does not apply to cases such as the theft of customer data; there, vulnerability is an absolute no-go. But the right attitude helps not only against cyber insecurity, but also with costs. And: you will never be able to protect everything completely.
The Economist Intelligence Unit Study reports  a weakness in attitude and perception among governments. Administrations are not giving enough priority to the issue of cybersecurity and cybercrime today (2017), ie the wrong attitude.
Practice makes perfect. What else is there to say? Whoever does not practice has no experience, remains a theorist and remains cyber insecure. That’s why we recommend LUCY Server. You can start practising right away: simulate cyber attacks such as ransomware or a malware attack, train your employees with phishing simulations and constantly check your network for weak points with LUCY’s “LHFC”. And we nearly forgot: there is a lot of educational CBT and eLearning content out of the box!

All that helps against Cyber-Insecurity 🙂 – Give LUCY a try and ask for a Demo!

Biggest Cyber Security Threat 2017

What is the Biggest Cyber Security Threat this Year?

When artificial intelligence becomes criminal or your fingerprint gets hacked, and eighty other nightmares in (cyber)crime.

In his blog post “Cyber Security Threat 2017” Deepak Kumar has published the answers to his survey on possible cyberspace threats. Nearly 90 answers read like a template for Mr. Robot’s next season. Here are a few examples:

1984 – Governments around the world are finally turning into “Big Brother”

US companies are now legally required to provide the US government with any data it requires. Similar legislation may follow in other countries as governments, highly sensitive to risks such as terrorism, try to get ‘control’ over the data that resides in their multi-national corporations. This is a huge risk to businesses, as it puts them at the mercy of government policy.

2001 – When artificial intelligence becomes evil

Criminal AI :“Because of its potentially catastrophic ability to learn and adapt without re-programming, making an AI criminal attack very difficult to trace and deflect and to stop criminals who use this software.”

0 confidence – If your fingerprint is no longer safe

Biometric authentication: “A password can be changed, but a face, fingerprint or voice isn’t so easy to change if that data is breached and replicated. As an industry we need watertight methods of storing this data securely before we play with people’s identities.”

In the original contribution, many professionals have shared their reflections and fears. We are no friends of “FUD” (fear, uncertainty and doubt), but in our opinion the threats described in the blog are quite realistic and give us food for thought.

Read more about possible future (cyber) horror scenarios:

Register for LUCYs Spear Phishing and Malware Setup Webinar on April 11th 2017

Register for our Spear Phishing and Malware Webinar on April-11th!


The ultimate Phishing Tool and even more – LUCY V 3.3 out now!

A completely redeveloped PhishButton, reports in Microsoft Word format, improved learning management system (LMS) functionality: LUCY has become the ultimate phishing tool (and even more)! And it is still free for up to 50 users! Download it now.

New Version: The Phishing Tool and its training functionalities

Again, we have put a lot of effort into our baby. With feedback from our customers we improved many existing features. Here is the list:

Completely new Outlook Plugin / Phish Button: Starting with LUCY 3.3 the plugin is a signed MSI file and programmed as a C++/COM object. The loading time of the plugin is around 10 milliseconds.

Reports in Microsoft Word format (docx): Within each campaign you will find a button that lets you create a PDF, HTML or raw CSV report and, new in version 3.3, a Word report based on a predefined *.docx template.

New CSV reports. Export the insights you got in raw CSV format

Embedded java exploit: The JavaExploiter is a signed applet that will execute one or multiple commands and report back to LUCY

Recipient stats page improvement: http://www.lucysecurity.com/PS/doc/dokuwiki/doku.php?id=monitor_a_campaign_statistics#see_advanced_recipient_statistics

Alternative dashboard views & actions: You can select different default views for your dashboard, and starting with LUCY 3.3 you can export the dashboard information (overall stats, campaign names etc.).

Ability to reschedule awareness training: Starting with LUCY 3.3 the recipient is able to reschedule an awareness training.

The ultimate Phishing Tool Dashboard - LUCY V 3.3 is out

New Dashboard Style available – LUCY – Phishing Tool and more

Comparison improvement: Starting with LUCY 3.3 you have advanced comparison statistics that also allow trend analysis.

Scheduling improvement (time zones): You can now create scheduling rules based on different time zones. If you specify a longer time range you can also ensure that mails are not sent out on weekends by selecting the corresponding checkbox.

Victim reminder: The victim reminder is a new feature that can be configured within a campaign. It allows the administrator to define that recipients who did not click on a link, did not start a training or did not finish a training get a reminder message sent after X days (to be specified).

Automated awareness link delay (LMS): You can now set a delay for the automated awareness email. This ensures that people in the same office are not all informed at the same moment that a phishing simulation took place.
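As an added example (not LUCY’s own code), the following Python script shows the scheduling logic these three features imply: each recipient receives the mail at a fixed local time in their own time zone, slots that fall on a weekend are pushed to the next workday, the victim reminder is placed X days later in the same local slot, and the awareness mails of one batch are spread evenly over a delay window instead of all going out at once. The recipients, their time zones (assumed here to be stored as a custom recipient field) and the 09:00 send slot are constructed sample data.

```python
"""Added example: per-time-zone send scheduling that skips weekends, plus
reminder and staggered awareness-mail timing. Not LUCY code."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

UTC = timezone.utc


@dataclass(frozen=True)
class Recipient:
    email: str
    tz: str  # IANA zone name; assumed to come from a custom recipient field


# Constructed sample recipients in three offices.
RECIPIENTS = [
    Recipient("alice@example.com", "Europe/Zurich"),
    Recipient("bob@example.com", "America/New_York"),
    Recipient("chika@example.com", "Asia/Tokyo"),
]


def next_send_time(not_before: datetime, tz: str, local_hour: time,
                   skip_weekends: bool = True) -> datetime:
    """First instant at or after not_before that is local_hour wall-clock time
    in tz and (optionally) falls on a weekday. Returned in UTC."""
    zone = ZoneInfo(tz)
    local = not_before.astimezone(zone)
    candidate = local.replace(hour=local_hour.hour, minute=local_hour.minute,
                              second=0, microsecond=0)
    if candidate < local:                  # today's slot has already passed
        candidate += timedelta(days=1)     # wall-clock arithmetic, tz kept
    while skip_weekends and candidate.weekday() >= 5:  # 5 = Sat, 6 = Sun
        candidate += timedelta(days=1)
    return candidate.astimezone(UTC)


def reminder_time(sent_at: datetime, tz: str, after_days: int,
                  local_hour: time) -> datetime:
    """Victim reminder: X days after the original mail, aligned to the same
    local send slot and again kept off weekends."""
    return next_send_time(sent_at + timedelta(days=after_days), tz, local_hour)


def awareness_delays(count: int, max_delay: timedelta) -> list:
    """Spread `count` awareness mails evenly over [0, max_delay] so colleagues
    in one office are not all told at the same moment."""
    if count <= 1:
        return [timedelta(0)] * count
    step = max_delay / (count - 1)
    return [step * i for i in range(count)]


def plan_campaign(start_utc: datetime, recipients: list,
                  local_hour: time = time(9, 0), reminder_days: int = 3) -> dict:
    """Per-recipient send time, reminder time and awareness delay."""
    plan = {}
    delays = awareness_delays(len(recipients), timedelta(minutes=30))
    for recipient, delay in zip(recipients, delays):
        send = next_send_time(start_utc, recipient.tz, local_hour)
        plan[recipient.email] = {
            "send_utc": send,
            "reminder_utc": reminder_time(send, recipient.tz, reminder_days, local_hour),
            "awareness_delay": delay,
        }
    return plan


if __name__ == "__main__":
    start = datetime(2017, 5, 12, 20, 0, tzinfo=UTC)  # a Friday evening, UTC
    for email, entry in plan_campaign(start, RECIPIENTS).items():
        print(email, entry["send_utc"].isoformat(),
              entry["reminder_utc"].isoformat(), entry["awareness_delay"])
```

Started on a Friday evening, all three recipients end up with a Monday 09:00 slot in their own zone (07:00, 13:00 and 00:00 UTC respectively); the reminder lands on the Thursday at the same local hour, and the three awareness mails go out 0, 15 and 30 minutes after the trigger. Daylight-saving transitions inside the planning window are handled by zoneinfo, but a slot that falls into a skipped or repeated local hour should be checked by hand.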

Recipient list custom fields: You can now create custom recipient fields and add any recipient attribute you want (e.g. city, gender, education). Those attributes can be used for customized statistics in LUCY (dashboard filters or raw exports).

Linking a custom Wiki / Optional manual view: By default the LUCY admin or view only user will have access to the LUCY WIKI. If you don’t want to expose the WIKI or create your own web based manual with your corporate design, you can go to the advanced settings and define a link to your manual

Even more new or improved Features in LUCY V 3.3 – The ultimate Phishing Tool:

  • Ability to install all available patches at once
  • Improved charts in reports
  • Time-based variables in message templates
  • Website copying improvement
  • Campaign recipients page improvement
  • Victim side optimizations
  • License purchase improvement
  • Improved statistics
  • Campaign blocking improvements
  • Benchmark statistics improvement
  • Ability to detect clients behind proxy
  • Awareness scheduler improvement
  • Possibility to rename fields in report
  • Timeline improvements
  • JavaScript files no longer accessible without authentication
  • Setup tool improvement
  • Optional custom 404 for domains
  • OpenDKIM improvements
  • Optional Let’s Encrypt domain check
  • IDN improvements
  • Limited view account
  • Menu adjustments

Upgrade now to the ultimate phishing tool (and it’s even more)! Or download below:

Robert Bosch uses LUCY for Phishing Simulations

Customer Story – Experiences with the use of the LUCY Phishing Awareness Training Server at Robert Bosch

An interview with Patrick Zeller, Senior Manager Enterprise Security, Robert Bosch LLC.

March 2017 – “Bosch” is one of LUCY Security’s first major customers. Thanks to its support, the LUCY Phishing and Awareness Training Server was able to develop rapidly. At the beginning of 2017, we interviewed Mr. Zeller on the use of and experiences with the product.

Mr. Zeller, how and to what extent does Robert Bosch use the LUCY server?

Patrick Zeller: We use Lucy to educate our employees around the world, on the dangers and risks of phishing and to raise awareness about this. Our employees are given the opportunity to gain experience on this topic, within a safe environment.

And since when has Bosch been using the product? Can you tell us something about the volume of the campaigns conducted so far?

P.Z.: After an initial evaluation in autumn 2015, we have been using the LUCY Phishing Awareness Training Server since spring 2016. We have conducted various campaigns in more than 10 different languages, with up to 300,000 recipients. Also, since the end of 2016 we have been using the new function of “USB phishing”.

Can you now say something on the benefits of the phishing simulations; has the awareness against cyber risks actually increased among the employees?

We have not yet performed enough campaigns to have firm evidence with regard to the “click-through rates”. We expect the first KPIs by the middle of the year. However, the feedback of our employees on the respective campaigns is very positive. What we can say with certainty is that we have noticed a significant increase in the notification rates / reports of phishing emails to our internal CERT as a result of the phishing campaigns carried out so far. This indicates an increasing general awareness among our employees.

Do you remember the incidents; have there been fewer breaches, infections, or something similar?

These are internal data on which I unfortunately cannot comment. However, since security has always been a top priority for Bosch, we have traditionally been very well positioned here. We see the topic “Security Awareness Phishing” as a complementary tool and measure in our IT security portfolio.

Thank you, Mr. Zeller. Let’s now get to the product itself: why did Robert Bosch GmbH opt for LUCY?

In addition to its excellent price / performance ratio, the decisive factor was that we could run the LUCY Phishing Awareness Training Server completely in-house, on-premise. This is important to us, as it ensures that no sensitive data about our employees leaves the company. Overall, this also helped us to obtain approval from our workers’ council, since we could convincingly demonstrate and ensure that no employees are monitored. LUCY gives us the flexibility to individually design campaigns and to execute them completely anonymously. It is our goal to train our employees and not to carry out performance checks on them!

And how were the experiences so far?

Overall, it is very positive; as such, we’ve decided to continue with the LUCY Phishing Awareness Training Server. We appreciate the close contact with LUCY’s developers, who can directly support us in case of problems and who are always open for new feature requests. With the version 2.x, we had some performance issues at the beginning, but since the version 3.0, the product has significantly matured and it runs reliably. Unfortunately, the report generator can only be used to a limited extent, because we have very specific requirements, which is due to the size and complexity of our organization. Fortunately however, we can solve this by exporting the results, which we then appropriately prepare for ourselves, through our database applications.

Can you tell us about your favorite features or templates and how are you satisfied with the product?

To be honest, we rarely used pre-made templates in the past. We have too much fun in implementing our own ideas. In general, LUCY’s flexibility is certainly a feature which we greatly appreciate. Also, the “Randomized Phishing” and the “Double Barrel Attacks[1]” are among our favorite features, since they are very efficient and easy to configure. Currently we are looking at the new Phishing Incident Plugin for Microsoft Outlook (Note: Phishing alert button). Overall I can say that LUCY is a very efficient tool for my team, for creating awareness amongst our employees and it meets all our requirements!

Thank you very much for this interview, Mr. Zeller.

[1] In a double barrel attack, the system first sends the user a lure email with a teaser text. The system then waits for some time, before the actual phishing email is sent to the user.

About the LUCY Phishing Awareness Training Server

The LUCY Phishing Awareness Training Server is used for the simulation of technical social engineering attacks and is universally applicable, from SMEs (small and medium-sized enterprises) right up to large customers. The product can be installed locally at the customer’s site; a cloud variant is also available. The Swiss solution provides dozens of preconfigured phishing templates and training modules that the end user can use independently. Through the “Phishing Incident Plugin” for Microsoft Outlook, users can quickly raise an alert in the event of an attack, which reduces the work the security team has to put into analysing the threat.

For further information please contact LUCY Security at +41 44 557 19 37 or at http://www.lucysecurity.com/contact-team/.


You want to copy an existing Website for a Social Engineering Scam? (Simulation) – We show you how it’s done

After 2 (two!) minutes you have a cloned website for your Phishing Scenario. LUCY Social Engineering Simulation Server empowers you when you set up an IT-Security Awareness Campaign [Screencast].

Advanced Phishing Simulations: Clone a Website and add your own Login Form – Do you want to create a phishing simulation and use an already existing website as a landing page? This 2 minute video quickly shows you how to create a custom landing page with the website copy feature and add a custom login form for data capture.

Just create a new scenario and select an empty Web based scenario. You can also select any other Web based scenario template for the social engineering simulation you want to customize, because the “Website Copy Feature” overwrites the default Landing Page of the template.

The steps described in the webcast are:

  1. In LUCY, create a new campaign, edit the basic settings and save it
  2. Create a new scenario by selecting a Web based attack template (or choose an empty one), populate all mandatory fields and save it
  3. Go to the Landing Page menu item of the scenario you just created
  4. Push the “Copy Website” button; the ‘WebSiteCopy’ dialogue appears
  5. Fill out the fields:
    • URL – The source website you want to copy
    • Language – Defines the language version (LUCY allows multiple languages in the same campaign)
    • File – Select the appropriate value in the drop-down list, e.g. index.html
  6. Push the “Start” button and the website copy is executed. Even really big sites can be copied, and it’s fast!
  7. After the copy is finished, use the Back button of the dialogue (not of the browser)
  8. Go into the editor, place the cursor where you want to add the login form and push the button “Insert Login Form”
  9. The system offers three predefined login forms. Select an appropriate one and press OK. If you want to modify it later on, you can do that manually.
  10. The login form now appears on the landing page of your social engineering simulation / phishing scenario. Save the landing page and you’re done!
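As an added example (not LUCY’s code and not what its “Copy Website” button does internally), here is a minimal Python version of steps 4 to 10: take the fetched HTML, rewrite relative href/src/action references to absolute URLs so the clone still loads its stylesheets, scripts and images from the original host, and insert a login form whose action points at the simulation server’s capture endpoint. The source URL, the sample HTML and the /capture path are constructed assumptions.

```python
"""Added example: clone an HTML page and insert a credential-capture form for a
phishing *simulation* landing page. Not LUCY code; URLs and HTML are constructed."""
import re
from urllib.parse import urljoin

# Constructed sample: what the "Copy Website" step would fetch from the source site.
SOURCE_URL = "https://intranet.example.com/portal/index.html"   # assumption
SOURCE_HTML = """<!doctype html>
<html><head><title>Example Portal</title>
<link rel="stylesheet" href="/assets/site.css">
<script src="js/app.js"></script></head>
<body>
<img src="../img/logo.png" alt="logo">
<main><h1>Welcome</h1><p>Please sign in.</p></main>
<a href="https://cdn.example.net/help">Help</a>
</body></html>"""

# Capture endpoint on the simulation server (assumption; LUCY's real path is not given here).
CAPTURE_URL = "/capture"

LOGIN_FORM = (
    '<form method="post" action="{action}" class="sim-login">'
    '<label>Username <input type="text" name="login"></label>'
    '<label>Password <input type="password" name="password"></label>'
    '<button type="submit">Sign in</button>'
    '</form>'
)

# href/src/action attributes; the lookbehind keeps e.g. data-src from matching.
_ATTR_URL = re.compile(r'(?<![\w-])(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)


def absolutize(html: str, base_url: str) -> str:
    """Rewrite relative href/src/action values to absolute URLs, so the clone still
    loads its CSS, JS and images from the original host when served elsewhere."""
    def fix(match: re.Match) -> str:
        attr, quote, url = match.groups()
        return f"{attr}={quote}{urljoin(base_url, url)}{quote}"
    return _ATTR_URL.sub(fix, html)


def insert_login_form(html: str, action_url: str) -> str:
    """Insert the capture form at the end of <main> if present, else before </body>;
    if neither tag exists the form is appended."""
    form = LOGIN_FORM.format(action=action_url)
    for closer in ("main", "body"):
        matches = list(re.finditer(rf"</{closer}\s*>", html, re.IGNORECASE))
        if matches:
            idx = matches[-1].start()
            return html[:idx] + form + html[idx:]
    return html + form


def build_landing_page(html: str, base_url: str, action_url: str) -> str:
    """Absolutize first, then insert the form, so the form's own action (which must
    stay on the simulation server) is never rewritten to the original host."""
    return insert_login_form(absolutize(html, base_url), action_url)


if __name__ == "__main__":
    print(build_landing_page(SOURCE_HTML, SOURCE_URL, CAPTURE_URL))
```

Two points to check before such a page goes into a campaign: the form’s action must point only at your own simulation server, never at the cloned site, and the field names must match what your capture handler records. Rewriting links with a regular expression is good enough for a demo; `srcset`, inline `url()` references in CSS and links built by JavaScript are not covered, which is why a real copy feature has to process the whole document.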

 

Thank you for using LUCY. If you want to see the full end-to-end process, from setting up the campaign to sending out and tracking the phishing simulation messages, just watch the longer webcast below.

Watch the full and more detailed Scenario: Social Engineering Simulation Webcast