Determining the effectiveness of Phishing campaigns using metrics is great to be able to target awareness training for users and determining the effectiveness of your technical controls. The main questions you are trying to answer are :

  • How many people were targeted by the phish?

  • How many people replied? (If applicable)

  • How many people visited the website in the email?

  • How many people submitted credentials to the website?

">.net) with BRO, I wrote a script that will gather this information for you.

">The basic setup is at the top of the script and you need to setup the location of your compressed files for BRO. This should be the top folder where each day is listed. Also, if you want to change the temp or log location, you can do this.


">$chmod 750 /usr/local/bin/bro-phish.sh

">The arguments for the script are SUBJECT EMAIL_SENDER SPOOFED_SITE DATE. In this case the attacker used the email address [email protected] with the subject of NOTICE and the website they wanted you to click on was hxxp://www.newversion.esy.es.

">$bro-phis.sh NOTICE [email protected] hxxp://www.newversion.esy.es 2015-11-03

">Number of POSTS to the website:1

">Senders mail agent: PHPMailer [version 1.71-blue_mailer]



">While BRO doesnt capture the POST data by default, youll have to rely on a full packet capture device or match up users to IP">Reset user(s) password. And monitor accounts for possible login from external IPs.

">Submit to phishtank and other reputations websites

">Review why the phish was successful and determine if your current awareness training covers the topic appropriately. The user(s) who submitted credentials should receive a refresher for your awareness training. An additional follow-up from the security group or their supervisor should happen with the specifics on the incident and how they can improve in the future.

">By tracking how successful each phishing campaign is, you can start determining how successful both your technical and non-technical controls are. As time goes by you should see a decrease in how many visits to the site and credentials submitted.

">When you run the script, it generates a log file (Default /var/log/phish-stats.log). This will allow you to gather metrics on each campaign in a quick and easy way. The log is | delimited and the format is below. You can load this file up into excel and do some number magic to see your progress.


">2015-11-03|[email protected]|NOTICE|50|0|5|1|,,,|-|-|

">You can access the script on my github at hxxps://goo.gl/zJnEH4 or (hxxps://github.com/tcw3bb/ISC_Posts/blob/master/bro-phish.sh)


Tom Webb

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

iT News

IT brain drain hurting infosec in NSW planning agencies
iT News
The NSW Audit Office keeps uncovering the same IT deficiencies within the state's planning and environment portfolio, and has complained that agencies don't have the IT resources to fix them. Acting auditor-general Tony Whitfield handed down his annual ...


A new wave of crypto ransomware is hitting Windows users courtesy of poorly secured websites. Those sites are infected with Angler, the off-the-shelf, hack-by-numbers exploit kit that saves professional criminals the hassle of developing their own attack.

The latest round is especially nasty because before encryption, the drive-by attacks first use malware known as Pony to harvest any login credentials stored on the infected computer, according to a blog post published by a firm called Heimdal Security. The post explains:

The campaign is carried out by installing a cocktail of malware on the compromised PC. The first payload consists of the notorious data thief Pony, which systematically harvests all usable usernames and passwords from the infected system and sends them to a series of Control & Command servers controlled by the attackers.

The purpose of this action is to abuse legitimate access credentials to web servers and CMS systems used by websites and to inject the malicious script in these websites so that the campaign achieves the largest possible distribution.

In the second phase, the drive-by campaigns unfolds via the victim being moved from the legitimate website, which has been compromised, to a heap of dedicated domains which drop the infamous Angler exploit kit.

The Angler exploit kit will then scan for vulnerabilities in popular third-party software and in insecure Microsoft Windows processes, if the system hasn’t been updated. Once the security holes are identified, Angler will exploit them and force-feed CryptoWall 4.0 into the victim’s system.

To consider just how insidious attacks like these are, consider this: earlier this week, Ars reported that the Reader's Digest website was actively infected by Angler. A reader promptly replied that someone in his organization had visited the site in early November—four weeks before the article was published—and was infected by CryptoWall after reading an article. The target's only mistake, it seems, was failing to update one of several apps.

Read 3 remaining paragraphs | Comments


Attorney General Loretta Lynch, China's State Councilor and Minister of Public Security Guo Shengkun, and US Secretary of Homeland Security Jeh Johnson pose for a photo at the first US-China cyber coordination meeting in Washington on December 1. (credit: news.cn)

Update 12/3/15 2:15 ET: China has apparently made arrests in the case. The Washington Post reports that a group of hackers arrested by the Chinese government in September were in fact the people behind the OPM breach. The hackers were targeted based on intelligence provided by the US, and China had previously reported that Americans believed these hackers, whose identity has not been revealed, were involved in state-sponsored industrial espionage. It's not clear if the group was connected in some way to the Chinese military or had other government connections, but the arrests were made as part of the deal struck between the US and China in September. This led to President Obama dropping the threat of economic sanctions against China. (Our original story on the situation appears below.)

An official Chinese report claims that US and Chinese representatives "yielded positive outcomes" at the first meeting of a bilateral cyber security coordination group. The group was set up under the provisions of an agreement signed off on by President Barack Obama and Chinese President Xi Jinping in September. At the meeting in Washington, China acknowledged that the long-running penetration and theft of data from the systems of the Office of Personnel Management did originate from within China—but not from a state-sponsored attacker. "Through investigation, the case turned out to be a criminal case rather than a state-sponsored cyber attack as the US side has previously suspected," the report from China's Xinhaunet on the meeting claimed.

As part of the September agreement, China has pledged not to conduct economic espionage against the US. Last month, China joined the Group of 20 nations (the 20 most wealthy nations in the world) during the Ankara summit in pledging not to conduct any economic cyber-espionage against each other. Prior to these agreements, the Chinese leadership (and most of the other nations in the world) had not made any distinctions between economic espionage and spying on other governments.

Read 4 remaining paragraphs | Comments

ESA-2015-171 EMC NetWorker Denial-of-service Vulnerability
[slackware-security] mozilla-thunderbird (SSA:2015-337-02)

CSO Online

Infosec jobs: 5 Ways to score an ace recruiter
CSO Online
With cyberattacks on the rise, infosec jobs are hotter than ever. According to a report from Stanford University, cybersecurity jobs are expected to grow 10fold in the next decade. That's good news for security professionals, but bad news for the ...

[slackware-security] libpng (SSA:2015-337-01)
Ellucian Banner Student Vulnerability Disclosure
[SECURITY] [DSA 3411-1] cups-filters security update
Internet Storm Center Infocon Status