The long-standing problem with phishing, including spear phishing, is that people are easily fooled. The authentication mechanisms we all use daily are full of flaws. What further proof of the ever-expanding market for fraud do you need than the fact that a commercial site has been set up to “educate” users by testing whether they are susceptible to fraud? This appears to be some sort of attempt to make a legitimate phishing site:
Over 15,000 corporate users have fallen prey to spear phishing.
Can your workforce dodge the hook?
The premise is simple: they ask you to enter your financial information, and then they will help you determine whether someone in your company is vulnerable to a pitch in which they are asked to enter financial information…
Not sure who the company is? Ah, just click on the “Who We Are” button and you will find a site with a completely different name (“intrepidusgroup.com”) that appears to have absolutely nothing to do with the “phishme.com” site.
Is that how they create trust?
Another friendly touch is on their blog. It would seem they are not lawyers, but they propose the following banner for mail servers:
220-NO UCE. You are hereby notified that ANY email sent here becomes
220 the property of the recipient and CAN be redistributed
220 publicly to ANYONE without consent or notice. This notice supersedes
220 any legal claim appended to the body of emails delivered here.
Not the most convincing “we’re here for you” sales strategy I have seen.
My favorite example of a similar service gone awry was when a penetration tester ran a spear phishing test whose payload was connected to an IRC bot. The problem was that the test was “successful”: the target was not only infected, but the tester was then tasked with helping to clean up the mess. Not the model I would recommend.
If these self-proclaimed “black hats” really want to make a difference, perhaps they could start by educating the banks on best practices so that their customers aren’t trained to be more susceptible to fraud:
The result is that even the most security-conscious Web surfers could find themselves the victims of identity theft because they’ve been conditioned to ignore potential clues about whether the banking site they’re visiting is real — or a bogus site served up by hackers.