I’m A Hacker, Here’s How I Break Into Your Company’s Network | How Phishing Attacks Work

Have you ever received an email from a Nigerian prince or a non-existent distant relative who is offering you an absurd amount of money? It was a phishing scam, albeit an extremely unsophisticated one. These unsophisticated phishing emails are generally sent to a huge number of people, in the hundreds of thousands or even millions. Sending this many emails does not take much effort given the right resources. If just 0.01% of people fall for this phishing scam, at $1000 per victim, with 1 million emails, you have just made yourself a tidy $100,000. Not bad for a weekend’s work!

Phishing attacks are not just for Nigerian scammers: they are the most common way that malicious hackers gain access to corporate networks. The more sophisticated phishing attacks are highly targeted and believable. A motivated hacker might spend months enumerating their target before they strike. Let’s give a simple example of how this might work.

Let’s say that I decide that I am a super evil hacker who would really like to have full control of ABC Bank’s network. Fred Jones is the receptionist for ABC Bank. Like most people, he has LinkedIn and Facebook accounts. I know Fred works there as a receptionist, because I can see it on his LinkedIn profile. I also know that he has applied for annual leave, because he posted about an upcoming trip to Hawaii with his wife and two kids. His boss’s name? No problem… His boss also has LinkedIn.

After 5 minutes of Googling, we are armed with the following information about ABC Bank:

  • Fred Jones is the receptionist
  • Bobby Gertrude is Fred’s boss
  • Fred has applied for annual leave for a trip to Hawaii

With this small amount of knowledge, I could put together a pretty believable phish. First I create a Gmail account, bobby.gertrude@gmail.com, and write an email that goes something like this:

From: bobby.gertrude@gmail.com
Hi Fred,
My corporate email seems to be not working on my phone so I’m sending this from my personal email. Your annual leave should be approved, but we just need a few extra details from you. Do you mind filling out this form for me?
www.leave-request.abcbank.staff-organiser.com
See you Monday,
Bobby Gertrude

Take a close look at that link. The first part, “www.leave-request.abcbank”, looks quite innocent, but the last part is what really matters: “staff-organiser.com”. That is the domain that was actually registered, and whoever owns a domain can put anything they like in front of it as a subdomain. If I buy “staff-organiser.com”, I could create “google.staff-organiser.com” or “apple.staff-organiser.com”. In this case I chose “www.leave-request.abcbank.staff-organiser.com” because I think Fred might fall for it.

I create a login page which is a clone of ABC Bank’s staff portal. My clone has one important difference: instead of sending the usernames and passwords to the bank for validation, it sends them to me! Once Fred clicks that link (my cloned page) and attempts to log in to sort out his annual leave, I have his username and password, which lets me read Fred’s emails and log in to the staff portal. Thanks, Fred.

To make things even more believable, I could have masked the link in the email. One thing that many people don’t realise is that the text shown for a hyperlink is not necessarily the location the link actually points to. For example, if you click the link below, it won’t take you to Google as you would expect; it will take you to my Medium profile:

http://www.google.com/

Practice hovering over the link to check the real location of the URL now.
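The two checks the post has just walked through, reading a link’s domain from the right-hand end and comparing a link’s visible text with its real destination, can be automated for a mail gateway or a user-reported-phish workflow. The following is an added example, not code from the original post. It uses only Python’s standard library, treats the last two DNS labels as the registrable domain (a simplification; a real deployment should use a Public Suffix List lookup so that names like example.co.uk are handled), and runs over a constructed HTML body containing the leave-request link from the email above, the masked “Google” link, and one genuine link to the bank’s portal. The trusted-domain set (abcbank.com) is likewise an assumption for the example.

```python
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(hostname: str) -> str:
    """Return the rightmost two labels of a hostname, e.g. 'staff-organiser.com'.

    Assumption: a two-label suffix is enough for this demo. Real deployments
    should consult the Public Suffix List so that names such as
    'example.co.uk' are handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> str:
    """Hostname of a URL or of a bare 'www.example.com' string ('' if none)."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname or ""


def looks_like_url(text: str) -> bool:
    """True when the visible anchor text presents itself as a web address."""
    return text.strip().lower().startswith(("http://", "https://", "www."))


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html: str, trusted_domains: set[str]) -> list[dict]:
    """One finding per suspicious link: an untrusted registrable domain, a trusted
    brand used only as a subdomain label, or display text naming a different
    destination than the href."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        href_host = host_of(href)
        reg = registrable_domain(href_host)
        reasons = []
        if reg not in trusted_domains:
            reasons.append("untrusted domain: " + reg)
            # The post's trick: the bank's name appears, but only as a subdomain label.
            for trusted in trusted_domains:
                if trusted.split(".")[0] in href_host.split("."):
                    reasons.append("impersonates " + trusted)
        if looks_like_url(text) and registrable_domain(host_of(text)) != reg:
            reasons.append("display text points elsewhere: " + text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample body: the leave-request link from the email above, the
# masked "Google" link, and a genuine link to the bank's own portal.
SAMPLE_HTML = """
<p>Do you mind filling out this form for me?</p>
<a href="http://www.leave-request.abcbank.staff-organiser.com/login">www.leave-request.abcbank.staff-organiser.com</a>
<a href="https://medium.example/some-profile">http://www.google.com/</a>
<a href="https://portal.abcbank.com/leave">https://portal.abcbank.com/leave</a>
"""

if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_HTML, {"abcbank.com"}):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run as a script, it reports the staff-organiser.com link twice over (untrusted domain, and “abcbank” used as a subdomain label) and the Google-labelled link once (its text and its href resolve to different domains), while the real portal link produces nothing. The same logic applies to an email gateway that rewrites or quarantines messages rather than merely printing findings.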


Phishing for credentials is pretty effective, but there are some other nasty things that this email could have done:

  • Linked to a Java applet that allows me to control Fred’s work computer.
  • Attached a macro-enabled Microsoft Word document which allows me to control Fred’s work computer.
  • Attached a malicious Microsoft Word document containing a “subDoc” reference, which allows me to obtain an encrypted version of his password that can later be decrypted.
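Mail filters can catch the attachment variants in this list before Fred ever opens them. The following is an added example, not the post’s code. It takes an attachment as a filename plus its raw bytes and reports three things: a risky extension (Java .jar, macro-enabled Office types), a vbaProject.bin inside an Office Open XML container regardless of what the extension claims, and any package relationship marked TargetMode="External" whose target is a UNC path or URL, which is the kind of remote reference a “subDoc” relies on to make Word reach out of the document. The sample documents are constructed in memory with zipfile and use a placeholder host (remote-host.example); treating every external relationship to a remote location as suspicious is a policy choice assumed here, not something the post states.

```python
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET

# Extensions that should rarely, if ever, arrive unannounced from outside.
RISKY_EXTENSIONS = {".jar", ".docm", ".dotm", ".xlsm", ".pptm"}
# Office Open XML files are zip containers; look inside rather than trusting the name.
OOXML_EXTENSIONS = {".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Assumption for this example: any external relationship to one of these is worth flagging.
REMOTE_PREFIXES = ("\\\\", "file:", "http:", "https:")


def extension_of(filename: str) -> str:
    return ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""


def external_targets(zf: zipfile.ZipFile) -> list[str]:
    """Targets of every relationship marked TargetMode="External" in any .rels part."""
    targets = []
    for name in zf.namelist():
        if name.endswith(".rels"):
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    targets.append(rel.get("Target", ""))
    return targets


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment deserves a second look (empty list = nothing found)."""
    reasons = []
    ext = extension_of(filename)
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
    if ext in OOXML_EXTENSIONS and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # A .docx that carries a VBA project is a macro document whatever its name says.
            if any(n.endswith("vbaProject.bin") for n in zf.namelist()):
                reasons.append("contains VBA macro project")
            for target in external_targets(zf):
                if target.lower().startswith(REMOTE_PREFIXES):
                    reasons.append("external reference: " + target)
    return reasons


def build_ooxml(parts: dict[str, bytes]) -> bytes:
    """Assemble a minimal zip container in memory (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed relationship parts: one purely internal, one pointing at a remote share.
_INTERNAL_RELS = (b'<?xml version="1.0"?><Relationships xmlns="' + REL_NS.encode() +
                  b'"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
                  b'Target="styles.xml"/></Relationships>')
_EXTERNAL_RELS = (b'<?xml version="1.0"?><Relationships xmlns="' + REL_NS.encode() +
                  b'"><Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/subDocument" '
                  b'Target="\\\\remote-host.example\\share\\leave.docx" TargetMode="External"/></Relationships>')

CLEAN_DOC = build_ooxml({"word/document.xml": b"<w:document/>", "word/_rels/document.xml.rels": _INTERNAL_RELS})
MACRO_DOC = build_ooxml({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\x00constructed"})
SUBDOC_DOC = build_ooxml({"word/document.xml": b"<w:document/>", "word/_rels/document.xml.rels": _EXTERNAL_RELS})

if __name__ == "__main__":
    samples = [("report.docx", CLEAN_DOC), ("invoice.docx", MACRO_DOC),
               ("leave.docx", SUBDOC_DOC), ("update.jar", b"PK\x03\x04")]
    for name, blob in samples:
        print(name, "->", triage_attachment(name, blob) or "clean")
```

Checking the container rather than the extension matters because a macro document renamed to .docx still opens in Word; and the external-relationship check catches a document that looks empty but asks Word to fetch something from elsewhere as soon as it is opened.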

Many corporate environments have a VPN set up so that employees can work from home. With Fred’s password, I could probably log in to this VPN and explore the bank’s network. Otherwise, I could use one of the nastier phishing attacks outlined above to gain control of Fred’s computer, which is already connected to the bank’s internal network.

Once internal network access has been gained, a skilled hacker won’t have much trouble exfiltrating passwords of other users, sensitive documents, emails and more. But that’s for another blog post.

Protecting Yourself Against Phishing Attacks

  • Think before you click. If the email smells phishy, it probably is. Delete it!
  • Nobody will ever email you randomly offering you money, gift cards, iPhones, puppies etc. unless they are trying to scam you.
  • If an email from “someone you know” is coming from an email address you haven’t seen before, call them to verify that it is legitimate.
  • Hover over hyperlinks before you click them to check their true destination.
  • Don’t ever send your passwords or personal details via email to anyone.
  • When you’re on a website, you can check that it is legitimate by checking the green lock and organisation name next to the URL. If this is not present, or the organisation name is not what you expect, don’t use the website. It looks a bit different depending on the browser you use:
[Screenshots: the lock and organisation name as shown in Firefox, Internet Explorer and Google Chrome]

More?

Phishing attacks are just one method for gaining access to companies’ internal networks, but a very effective one! I’ll be releasing the details of other techniques that are commonly used to break into a company’s internal network. Follow me on Twitter to hear when I release a new article!