Real Phishing Tool Probes User Gullibility

A few year back, Southwest Airlines ran a commercial in which a woman, sitting in her work cubicle, idly clicked on an e-mail attachment, which then declared she had launched “The Pink Slip Virus.” It said her whole company would be infected, it would be traced back to her, and “good luck finding another job.”

Southwest’s vintage punchline “Want to get away?” may leave you laughing, but there was also some truth behind the ad’s wacky setup.

One of the fastest growing problems in the battle against malware  are e-mails that sucker the user into clicking on a link or executing a program without thinking twice. The computer — and the network it is a part of — are then opened up to all manner of infection, just like in the Southwest commercial.

The problem is expected to get worse in 2007. Enter Core Security Technologies which has updated its CORE IMPACT software to test an internal infrastructure against phishing  attacks. CORE IMPACT 6.2, available now, uses real-world viruses to test the security of a network to determine where a network might be vulnerable, and also to see how gullible the employees are. This type of attack will be the trend of 2007, predicts Mike Yaffe, director of product marketing for Core.

“Our customers are really telling us they are doing a better job of protecting the outer layer, making it more difficult to attack. They’re putting in place firewalls, intrusion prevention technologies, and the like,” he told

“But what they’re seeing is the new weakest link is attacking the users, getting the users to do something. We’re seeing first-hand from our consulting team that people are doing this. Customers tell them they can put in security things, but they can’t stop users from making mistakes,” he added.

Yaffe said most firms usually don’t get the opportunity to show people they made a mistake. “The only other way is when the company gets breached. There’s no other way to try honest to goodness attacks that show you’ve been compromised,” he said.

Hence, testing for e-mail exploits and social engineering is one of the main features in CORE IMPACT 6.2. Security professionals can effectively test their own staff to see how likely they are to fall for such a scam, and also, by using real-world malware, how it may impact their network.

Also new in CORE IMPACT 6.2 is an improved security system that won’t impact the network while the tests are running. It’s running a virus simulation, after all. The new agent can run for days without impacting the system. Version 6.2 also adds support for IBM’s AIX and Microsoft’s Internet Explorer 7.0 browser.

Mark Odiorne, chief information and security officer for reinsurance firm Scottish Re, has seen multiple benefits from using CORE IMPACT, starting with being able to put off frequent patches.

“I had to ask to take machines down, test and patch them every month, but we don’t have to do that any more if I can prove those systems are not exploitable,” he told “We can wait and schedule down time for a few months.”

Odiorne said with so many traveling executives, he needs the new client-side testing because so many employees are outside of the company’s firewalls. “The bad guys are going after machines outside the firewall. Now I can start testing the endpoints of my network, where I think the bad guys are going to be trying to probe,” he said.

You’d think the professionals involved in reinsurance would know better than to fall for phishing scams, but Odiorne said it still happens. “We do as much testing and education as we can, but if you hit people enough times, eventually someone’s going to cave in. This gives us more tools for testing the end user,” he said.

News Around the Web