Understanding Phishing Campaigns: how they are performed, and which data is useful for attackers

Alice Mini
4 min read · Jan 20, 2023


Part of my job is to test the human element of security in organizations. I do so by creating and launching (commissioned) phishing campaigns.

Running a few phishing campaign simulations each year might reduce the likelihood that employees click on malicious links, download malicious files, or give out critical internal information when contacted by an attacker. Performing these simulations and then discussing the results in an awareness training session gives the best results.

In this brief blog post I will explain what phishing is and how easy it is to create a phishing campaign, so that each one of us can be more aware of the risks that we, and the companies we work for, face every day.

What is Phishing?

Phishing is basically tricking people into performing an action via an email. The most common type is credential phishing, where the attacker tries to obtain plain-text usernames and passwords in order to gain a first foothold in the organization. Other phishing emails carry malicious attachments, usually delivering a payload built with a third-party framework (e.g., Cobalt Strike).

The Recon Phase

When targeting an organization, the first step of a phishing campaign is building a database of the people who might work there (email addresses and contacts). There are plenty of free tools and platforms that allow anyone to collect this information from LinkedIn.

Once the attacker has collected a list of potential employees from the social network, they need to find out how the company's email addresses are composed. Again, there are different ways to do that; one is to use Rocket Reach.

https://rocketreach.co/

Rocket Reach, like many other platforms, allows registered users to look up valid email addresses that appeared in data breaches. With very few attempts, one can find a valid email address for the target company and thus work out its format (e.g., name.surname@companyname.com), which provides the key element of the database.

Once we have our database, if the objective is collecting employees' credentials, we perform some basic web enumeration to find the login portals used by the target and decide which one to impersonate.

Weaponization

The second part of the Preliminary Phase is Weaponization.

Let's assume our goal is to collect credentials. To begin with, we prepare the environment: buying the domain we are going to use for the phishing assessment and configuring the email service-related DNS records. To make things easier (and smarter), we usually configure a VPS with GoPhish, a phishing platform that sends emails in bulk and gathers information on the campaign.

https://github.com/gophish/gophish

Once the environment is ready, we prepare the email template. Here's the tricky part: the content of the email template varies with the type of campaign, depending on whether it is targeted or not.

In a targeted phishing campaign, we usually add a step to the Recon Phase in which we perform some OSINT on the target to get to know it: how it communicates, how it is structured, what its core interests and values are, etc. This allows us to create a tailored email template that will induce the most employees to perform the desired action.

When the campaign is not targeted, it usually conveys topics of general interest (e.g., bonuses, lotteries, etc.) that leverage some need, desire or fear in the reader, inducing them to perform the action either to get something they crave or to prevent something they dread from happening.

When we opt for a credential-stealing campaign, we then prepare the web page that captures the credentials, which are then sent to our GoPhish instance. The portal we build usually presents characteristics (gathered during the reconnaissance phase) that remind the targets of their company, so that it looks a bit more legitimate.

Campaign Launch and Information Gathering

Everything is ready, and now we can launch the campaign. Campaigns are more likely to be sent around "uncomfortable" moments, such as close to the lunch break or the end of the workday, so we usually choose one of these two windows. Attackers attempt their initial access during these windows because employees are more likely to be distracted or tired, and therefore more inclined to perform the desired action.

GoPhish is quite useful when it comes to data gathering: a simple tracker in the body of the email lets GoPhish record which users opened the email and how many clicked the link landing on our malicious portal. Finally, it also tracks the users who entered their credentials, flagging the action as "performed".

All of this data might be useful to an attacker:

· The tracker telling the attacker that the email has been opened confirms the validity of the email address, which might be used in a second, targeted campaign;

· The act of clicking (even when not followed by credential entry) might flag the user as a "potential weak spot";

· The credentials entered might be used to gain a first foothold in the target's infrastructure.
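The same three data points are what the person running a commissioned simulation reports back to the organization. The script below is an added example, not code from this post or from the GoPhish project: it reads a campaign timeline in the shape GoPhish records it (the event names "Email Sent", "Email Opened", "Clicked Link" and "Submitted Data"), builds the sent/opened/clicked/submitted funnel, lists the recipients who clicked or submitted so the awareness training can be targeted at them, and breaks clicks down by hour of day to check whether the lunch-break and end-of-day windows really produced the most clicks. The timeline itself is constructed sample data; the recipient addresses are placeholders.

```python
"""Summarise phishing-simulation results for an awareness debrief.

Added example: the timeline below is constructed sample data, not an export
from a real campaign. Event names follow GoPhish's campaign timeline labels.
"""
from collections import Counter
from datetime import datetime

# Funnel stages in order; a recipient's "depth" is the furthest stage reached.
FUNNEL = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

# Constructed sample timeline: (ISO timestamp, recipient, event).
SAMPLE_EVENTS = [
    ("2023-01-20T12:05:00", "a.rossi@example.com", "Email Sent"),
    ("2023-01-20T12:05:00", "b.bianchi@example.com", "Email Sent"),
    ("2023-01-20T12:05:00", "c.verdi@example.com", "Email Sent"),
    ("2023-01-20T12:05:00", "d.neri@example.com", "Email Sent"),
    ("2023-01-20T12:31:10", "a.rossi@example.com", "Email Opened"),
    ("2023-01-20T12:31:40", "a.rossi@example.com", "Clicked Link"),
    ("2023-01-20T12:32:05", "a.rossi@example.com", "Submitted Data"),
    ("2023-01-20T12:40:00", "b.bianchi@example.com", "Email Opened"),
    ("2023-01-20T17:50:00", "c.verdi@example.com", "Email Opened"),
    ("2023-01-20T17:51:00", "c.verdi@example.com", "Clicked Link"),
]


def furthest_stage(events):
    """Map each recipient to the index of the deepest funnel stage reached.

    Events outside FUNNEL (e.g. "Email Reported") are ignored, and a later
    "Email Opened" after a click does not move a recipient backwards.
    """
    stage = {}
    for _ts, user, event in events:
        if event not in FUNNEL:
            continue
        stage[user] = max(stage.get(user, -1), FUNNEL.index(event))
    return stage


def funnel_counts(events):
    """Number of recipients who reached at least each stage of the funnel."""
    stage = furthest_stage(events)
    return {name: sum(1 for s in stage.values() if s >= i)
            for i, name in enumerate(FUNNEL)}


def click_rate(events):
    """Fraction of sent emails whose recipient clicked the link."""
    counts = funnel_counts(events)
    sent = counts["Email Sent"]
    return counts["Clicked Link"] / sent if sent else 0.0


def users_needing_followup(events):
    """Recipients who clicked or submitted, sorted, for targeted training."""
    stage = furthest_stage(events)
    threshold = FUNNEL.index("Clicked Link")
    return sorted(u for u, s in stage.items() if s >= threshold)


def clicks_by_hour(events):
    """Histogram of click events by hour of day (local time of the timestamp)."""
    hours = Counter()
    for ts, _user, event in events:
        if event == "Clicked Link":
            hours[datetime.fromisoformat(ts).hour] += 1
    return dict(hours)


if __name__ == "__main__":
    for name, count in funnel_counts(SAMPLE_EVENTS).items():
        print(f"{name:<15} {count}")
    print(f"click rate: {click_rate(SAMPLE_EVENTS):.0%}")
    print("follow-up training:", ", ".join(users_needing_followup(SAMPLE_EVENTS)))
    print("clicks by hour:", clicks_by_hour(SAMPLE_EVENTS))
```

Reporting the funnel rather than the raw timeline keeps the debrief focused on the three facts the article lists: which addresses are confirmed live, who is a "potential weak spot", and how many credentials would have been lost. Keying on the furthest stage per recipient also means a user who opened the email several times is counted once.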

Conclusions

Understanding how an attacker thinks and acts might help improve a company's defenses. Strengthening the weakest link in the chain benefits both the individuals and the company itself. Continuous training of users, covering not only the company's perimeter but also their own personal one, benefits both parties and is therefore more effective.
