Phishing Attacks: Learning by Doing

Phishing, and particularly spear phishing, is a major security concern; however, it is often not taught in any detail on security courses. Showing students examples of what they already know to be phishing e-mails tends to give the incorrect impression that phishing is easy to spot and that those who fall for phishing e-mails are foolish. Phishing students without their knowledge might be an effective way to teach them the dangers of phishing, but it would lead to ethical and legal issues. We have developed a framework in which students can try to perform phishing attacks against a simulated company. The framework takes the form of a single VM which the students download and run on their own machines. On this VM the students find a website for a fictional company (with employee details), an e-mail client and common tools used for phishing. Using what they can find out about the company's employees, the students need to carefully craft spear phishing e-mails. A script in the VM processes every e-mail sent by the student and uses rules to decide whether they have produced a realistic spear phishing e-mail. If the e-mail passes this test, then any attached executable, or any macros in Office documents, will be run. Hence, the students need to craft both a successful phishing e-mail and a malicious payload. There is a Docker container for each possible phishing victim; a successful payload may give the student a shell on this container, where they can find a flag, which they can submit to show that they successfully completed a phishing attack.