This is only tangentially related (email links encoded with trackers) but when I ran the technology for a school, our district network security officers ran a web security literacy audit by sending out a fake phishing email. Obviously, I was supposed to tell my staff to not click on anything in the email, and then forward it to me, or the district network security officers.
So, I sent an email to my campus, telling them to not click their link, and simply forward their emails to me. I pretty quickly suspected that the email was part of an internal audit, which was all but confirmed by the fact that they used a Google ad campaign generator that was hosted on our district domain. I also confirmed that every email link had unique identifiers in it, including the recipient’s employee ID, which I found extra funny.
So, I then got to work clicking on everyone’s links. It went to a suspicious-looking login screen, similar to our portal, that then took us to a video about network security that was embedded on our district website, and then that forwarded to a Google Form in which we were supposed to fill out our names, and answer some questions based on the video. For the login screen, I rotated through the network security officers’ employee IDs, and used passwords such as “OopsiePoopsieSuchARiskyClicky1!”
When I saw the Google Form, I then created a Google Sheet with everyone’s links, and then split the users into a separate column that had a randomized order so that the user info was unlikely to align with the link. Then, I used that to submit incorrect user info on each form so that it wouldn’t match my collected email address, and the reported email tracker ID. I also used the sheet to match tracker IDs with incorrect employee IDs, and clicked all of those links. I did this from my phone, my Chromebook, and my MacBook. I also was traveling to NJ that weekend, so I did the same thing, only from my phone, a few times in NJ, and wherever my layover was.
I had such a hard time containing my laughter when I got a call on Monday from the lead network security officer. He explained how they were at first concerned that my campus was the only one where 100% of the recipients failed the security test. Not only did everyone seem to click their link, they did it multiple times. The security officers then checked if the page was loading properly, because they couldn’t figure out why people would keep following a phishing link. Then the security officers were really concerned that something went wrong with their collection methods, because every click came from the same few IP and MAC addresses; even worse, the user info from the Google Forms didn’t align with the tracker IDs on their source Google Sheet. After that, they were really confused that everyone kept clicking their email links over the weekend, and that some of the recorded IP addresses were from out of state, but didn’t appear to be associated with a VPN. Finally, they looked at all the form submissions, and saw that over 98% of the form submissions all recorded the same logged-in email address: mine.
So, they called my manager to ask why I would do such a thing, and my manager said, “that’s just what TheFartographer does.” So they called my department’s assistant director, who also explained, “that’s just what TheFartographer does.” Then, my department supervisor proactively called them to explain “that’s just what TheFartographer does.” During my call, I found out that I accounted for nearly 2000 submissions, which impressed me because we only had around 100-150 employees at my campus. We have around 30,000 employees throughout our district, so the network security team thought that around 7% of our users failed the security audit, but then found out that the number was closer to 1%. I was told that they eventually all had a good laugh about it, but then asked me to please never do that again.
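The story above illustrates two weaknesses in how that simulation was scored: the tracking links carried the employee ID in the clear, so one person holding all the links could mint clicks for everyone, and the report counted every click as a distinct user failing. The following is an added example, not code from the original post or from the district's tool, showing an opaque HMAC-based link token and a scoring pass that discounts exactly the anomalies the security officers noticed (one client hitting many recipients' tokens, and form identities that disagree with the token's recipient). All employee IDs, addresses, client fingerprints and the per-client threshold are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample roster (hypothetical IDs and addresses).
EMPLOYEES = {
    "e1001": "ana@district.example",
    "e1002": "ben@district.example",
    "e1003": "cal@district.example",
    "e1004": "dee@district.example",
}

# Per-campaign secret; assumed to live only on the server that issues links.
CAMPAIGN_SECRET = b"per-campaign secret, never placed in a URL"


def make_token(secret: bytes, employee_id: str) -> str:
    """Opaque per-recipient link token.

    Putting the employee ID straight into the URL lets anyone with one link
    derive the others.  An HMAC over the ID with a server-side secret is still
    deterministic (the report can regenerate it) but cannot be guessed or
    enumerated from the ID alone.
    """
    return hmac.new(secret, employee_id.encode(), hashlib.sha256).hexdigest()[:20]


def naive_failed(clicks, token_to_employee):
    """The scoring the post describes: any click on a token is a failure."""
    return {token_to_employee[c["token"]] for c in clicks
            if c["token"] in token_to_employee}


def score_campaign(clicks, token_to_employee, employee_email,
                   max_tokens_per_client=2):
    """Attribute clicks to employees while discounting the anomalies in the post.

    Each click is a dict with keys: token (from the link), client (an assumed
    fingerprint such as source IP + user agent) and submitted (the logged-in
    identity on the follow-up form, or None).  Returns
    (failed_employee_ids, contaminated_clients, mismatched_form_submissions).
    """
    by_client = defaultdict(set)
    for c in clicks:
        by_client[c["client"]].add(c["token"])
    # One device opening many different recipients' links is not many people
    # falling for the lure; discard every click from such a client.
    contaminated = {cl for cl, toks in by_client.items()
                    if len(toks) > max_tokens_per_client}

    failed, mismatched = set(), []
    for c in clicks:
        if c["client"] in contaminated:
            continue
        employee = token_to_employee.get(c["token"])
        if employee is None:
            continue  # token was never issued in this campaign
        ident = c.get("submitted")
        if ident is not None and ident != employee_email[employee]:
            # Form identity disagrees with the link's recipient: credit neither
            # party with the failure, just keep it for manual review.
            mismatched.append((c["token"], ident))
            continue
        failed.add(employee)
    return failed, contaminated, mismatched


def build_sample():
    """Constructed click log modelled on the post: one real victim, one
    plain click, and one technician clicking everyone's links."""
    tokens = {eid: make_token(CAMPAIGN_SECRET, eid) for eid in EMPLOYEES}
    token_to_employee = {t: eid for eid, t in tokens.items()}
    tech = "10.1.2.3|Chromebook"
    clicks = [
        # Ana genuinely fell for it, from her own machine, and filled the form as herself.
        {"token": tokens["e1001"], "client": "10.1.2.50|Win", "submitted": "ana@district.example"},
        # Ben clicked once but never reached the form; the click still counts.
        {"token": tokens["e1002"], "client": "10.1.2.51|Mac", "submitted": None},
        # The technician opened all four links from one device and shuffled form identities.
        {"token": tokens["e1001"], "client": tech, "submitted": "dee@district.example"},
        {"token": tokens["e1002"], "client": tech, "submitted": "cal@district.example"},
        {"token": tokens["e1003"], "client": tech, "submitted": "ben@district.example"},
        {"token": tokens["e1004"], "client": tech, "submitted": "ana@district.example"},
        # Cal's link opened from a clean client, but the form was filled in as someone else.
        {"token": tokens["e1003"], "client": "172.16.9.9|phone", "submitted": "dee@district.example"},
    ]
    return clicks, token_to_employee


if __name__ == "__main__":
    clicks, t2e = build_sample()
    print("naive failures:", sorted(naive_failed(clicks, t2e)))
    failed, bad_clients, mismatches = score_campaign(clicks, t2e, EMPLOYEES)
    print("scored failures:", sorted(failed))
    print("contaminated clients:", bad_clients)
    print("form/token mismatches:", mismatches)
```

On the constructed log the naive count reports all four employees as failures (the "100% of the campus" figure from the post), while the scored pass credits only Ana and Ben, quarantines the one client that touched every token, and sets aside the submission whose form identity did not match the link's recipient. The threshold of two tokens per client is an assumption; a real deployment would tune it to shared devices such as lab machines.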