Email phishing is one of the primary methods used today for delivering Advanced Persistent Threats (APTs). From an attacker's perspective, email phishing offers the most cost-effective attack vector for gaining access to passwords and internal network resources. During NetSPI phishing tests, a website will be constructed based on an existing company website, and phishing emails approved by the client will be sent to the target email accounts. NetSPI will collect passwords as users log into the website, and those passwords can be validated during the network penetration test phases. Per request, the phishing website can also be configured to prompt users to install software or to execute browser-based exploit code. Finally, phishing emails can be sent with malicious PDF, DOC, and XLS attachments to test both technical and process-related controls. Throughout the test, NetSPI is able to collect metrics on how many users from each target group accessed the site, how many users executed attachments, and how many users accepted the installation of unknown software through the browser. The final deliverable will provide metrics and remediation recommendations that can be used to help focus awareness training, improve technical controls, and update processes.
Phone Based Phishing
Phone-based social engineering attacks are conducted on a daily basis around the world. The attacks target call centers, employees, and customers directly in an attempt to gain access to sensitive information, access critical systems, and commit fraud. As a result, it is essential that organizations understand their employees' level of awareness and educate them to help reduce the risk associated with such attacks. NetSPI's Phone Based Phishing tests begin with a review of existing administrative and technical control documentation to identify areas of weakness that could be leveraged during testing. During the actual tests, qualified penetration testers leverage pretexting techniques to persuade users and support staff to divulge sensitive information and provide access to systems. The approach commonly includes basic testing scenarios that range from zero knowledge to full knowledge of a specific test account; NetSPI works with clients to define project-specific objectives that meet their needs. The final deliverable will provide an overview of the test scenarios used, metrics from the calls, and recommendations for improving weak administrative and technical controls.
Onsite Social Engineering
Onsite social engineering is used less often by attackers than phone and email vectors, but it still presents a critical threat to IT resources. NetSPI's Onsite Social Engineering tests begin with a review of existing administrative and technical control documentation to identify areas of weakness that could be leveraged during testing. During the actual tests, NetSPI leverages baiting and pretexting techniques to persuade employees to provide access to information, systems, and sensitive areas. Baiting typically involves leaving a USB drive, CD-ROM, or SD card containing a backdoor program outside the building or in the lobby. The intent is to entice employees to open files on the device so that the tester can gain internal remote access via the backdoor program. NetSPI will also test administrative controls by attempting to gain access to restricted areas and to install covert wireless devices or key loggers that can be used to gain further access. The final deliverable for this service will provide an overview of the test scenarios used and recommendations for improving weak administrative and technical controls.