Extra Credit Project - SpearPhish Me
Overview and Background
Learning to think like an attacker is a critical part of cybersecurity. In this project, you will learn to think like a phisher—even if just a little! Social engineering remains a persistent threat. Social engineers often conduct extensive research on their targets to appear knowledgeable and relatable, exploit vulnerabilities, and bypass security filters. They might pose as a coworker, an old acquaintance, or even a senior executive. This exercise isn’t about teaching you to phish; rather, it challenges you to think about how to detect and ignore such attempts while reminding you not to overshare personal information online.
Assignment Steps
- Information Gathering: Collect publicly available information about me.
- Crafting the Message: Use the gathered information to create a targeted spear-phishing email or text.
- Interaction: Receive a response from me.
- Analysis: Answer a follow-up question based on our interaction in your writeup.
Ground Rules
- Social Engineering Limit: The only person you are allowed to social-engineer, lie to, or attempt to deceive is me, Fred Clift. Please do not call my children in an attempt to trick them into revealing personal information about me (or anyone else). You may already know someone who knows me—feel free to ask them questions. You may also ask me questions; however, if I sense that you are trying to extract information, I may give evasive or misleading answers.
- No Contact with Business Associates: Do not contact people with whom I have a business relationship to find out about me. For example, do not call my bank, Comcast (yes, I have a Comcast account), my bishop, or my boss. You are welcome to use publicly available information from the internet, but do not break any laws.
- Communication Guidelines: All email communications for this assignment should be sent to my new email address: scamme@clift.org, or to my Google Voice number: 801-318-3106.
Requirements
This assignment has three phases: Research, Attack, and Post-Mortem.
Research
In the research phase, you will try to find out some or all of the following information about me:
- My Reddit username (2 points)
- 3 hobbies I enjoy (3 points)
- My favorite soft drink (1 point) – you should already know this one if you are observant.
- My (former) favorite hot sauce (2 points)
- The names and occupations of 2 of my brothers-in-law (6 points)
- What my high-school mascot was (3 points)
- My username and current leaderboard ranking on RingZer0ctf (3 points)
Attack
For the attack phase, use the gathered information to construct a targeted spear-phishing email or text to the address or phone number provided above. (5 points) Think about something an attacker might want to extract from me and take your best shot with the information you’ve collected. Extra credit may be awarded if you make me laugh out loud.
Post-Mortem
For the Post-Mortem phase, I will respond to your message (out of character) and ask you a question. You must write a report detailing all your activities and answer any questions I ask. (3 points)
Submission
Once you think you’re done, WRITE A REPORT about what you’ve found and what you did in a simple text document, then submit it via Learningsuite. You must complete all phases to receive any credit for this assignment. Merely submitting “your favorite beverage is…” will earn you 0 points.
Note: I have robust spam filtering on that email. If I haven’t responded within a day, I probably didn’t receive your email. Contact me on Slack to confirm whether I received your spear-phish message.