Social Attacker: Automated Phishing on Social Media

Greenwolf
Published in Greenwolf Security
5 min read · Aug 8, 2019

Attackers continue to pivot to social media. There has been a tenfold increase in social media phishing attacks in the last two years alone. How can we, as penetration testers and red teamers, stay up to date with emerging trends and efficiently emulate attacker techniques?

Introducing Social Attacker: an open source, multi-site automated social media phishing framework. Social Attacker lets you automate the phishing of social media users at scale by handling both the connecting to targets and the messaging of them.

Social Attacker currently supports the following social media platforms:

  • LinkedIn
  • Facebook
  • Twitter
  • VKontakte

However, with some minor customisation it should also be possible to adapt Social Attacker to run against any internal private social networks your organisation may have.

Social Attacker is primarily aimed at those wanting to perform social media awareness testing, who will use it to phish targets via their social media profiles. You can choose your own campaign and pretext, but here are a few ideas to get started:

  • Create a detailed HTML report showing a breakdown of how your organisation's employees react to an unknown account adding them and sending them a link to click on the various social media platforms.
  • 'Friend' and connect to your targets so you can direct message them links to implants or macro documents. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
  • Create custom phishing campaigns for each social media site. Redirect targets to a credential harvesting page with an official-looking login form, or to a site under your control hosting an exploit kit or Metasploit's browser autopwn.
  • Trick users into disclosing their email addresses and phone numbers with fake vouchers and offers, to make the pivot into email phishing, vishing or smishing.

Social Attacker is a Python 3 tool that works in six main steps, two of which are optional. The basic flow can be summarised as follows:

  • [OPTIONAL] Logging Server Setup: In this optional stage a custom web server included with Social Attacker is set up. It serves files or web pages and produces logs which can later be fed back into Social Attacker to generate a final report showing clicks.
  • Parsing: In this stage the tool extracts profiles from a CSV file in the output format of Social Mapper.
  • Connecting: In this stage the tool uses Selenium to drive a web browser, log into the social networks and connect to targets via each site's form of friend or connection request.
  • [OPTIONAL] Scraping & Custom Message Generation: In this optional stage the target's profile page is scraped, harvesting posts, tweets and liked activity in an attempt to generate a "message of interest" for that target. This produces a sentence to which a phishing link is appended, forming a custom pretext for the target.
  • Phishing: In this stage the tool checks whether the connection request has been accepted by the target. If it has, it sends either the specified phishing message or the custom generated one.
  • Reporting: In this final stage CSV reports are generated showing the current status of, and relevant information on, each target of the phishing campaign. Combined with the logs from the web server set up earlier, which record tracking IDs, it is also possible to produce a full HTML report showing which users clicked and when, what message they were sent, the IP address they clicked from and the user agent of their browser.

So, let me show you how this works in practice. Setting up the logging server is a single command. You can force a specific file to always be served using the '--file' option, or change the default port from 443 using '--port'. It is also worth noting that the folder containing sa_server.py includes instructions on how to create a free SSL certificate; if the certificate is named correctly it is used automatically.

Next, we focus on running the tool itself. Social Attacker can be run one module at a time, with the add, check, generate and phish commands. Alternatively, all of these can be run in one go using the addphish module, where you provide a wait time to give targets a chance to accept the connection requests.

You provide a phishing message and link using the '-m/--message' flag, a file of targets in Social Mapper format (-i), and specify which social media sites to target (-a, -fb, -li, -tw, -vk). Additionally, within the phishing message you can inject the target's name, and a per-target tracking ID into the phishing link URL, so you can record which users click on the link.

After the tool has finished running, and we have waited a few hours or days to give users a chance to interact, the last step is to take the web server log file 'social_attacker_server.log' and combine it with the CSV results of the phishing run to create an HTML report. This report breaks down the phishing campaign far more comprehensively than the CSVs. You can quickly look up and verify the messages that were sent to each target and on which platform, which targets clicked on a link, the IP address the click came from, the time of the click and the user agent of the clicker's browser.
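As an added example (not Social Attacker's own code, and not a reproduction of its real CSV or log formats), the following Python sketches the two pieces the message and reporting steps above depend on: rendering a per-target message that carries the target's name and an unguessable tracking ID, and joining the web-server log back to the results CSV to produce a click report. The CSV columns, the tab-separated log line layout, the /r/<id> path, the example.test domain and the sample data are all constructed assumptions for illustration.

```python
import csv
import html
import io
import re
import secrets

# Illustrative message template (assumption): {name} and {id} are filled per target.
TEMPLATE = "Hi {name}, thought this might interest you: https://example.test/r/{id}"

# User-agent fragments of the platforms' own link-preview fetchers. A hit from one of
# these is the site unfurling the URL, not the target clicking it.
PREVIEW_BOTS = ("facebookexternalhit", "LinkedInBot", "Twitterbot")

# Constructed phishing-results CSV (assumed layout, not the tool's real output).
RESULTS_CSV = """name,site,tracking_id,message,status
Alice Example,linkedin,9f2c1a7b3e4d,"Hi Alice, thought this might interest you: https://example.test/r/9f2c1a7b3e4d",sent
Bob Example,twitter,4b8e0d2f6a1c,"Hi Bob, thought this might interest you: https://example.test/r/4b8e0d2f6a1c",sent
Carol Example,facebook,d7a3c5e9b1f0,"Hi Carol, thought this might interest you: https://example.test/r/d7a3c5e9b1f0",pending
"""

# Constructed server log (assumed format: timestamp, client IP, path, user agent; tab-separated).
# Includes a link-preview fetch, a request with a tracking ID nobody was sent, and a favicon request.
SERVER_LOG = """2019-08-08T09:15:02+00:00\t203.0.113.10\t/r/9f2c1a7b3e4d\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/76.0
2019-08-08T09:15:40+00:00\t198.51.100.7\t/r/4b8e0d2f6a1c\tTwitterbot/1.0
2019-08-08T10:02:11+00:00\t203.0.113.10\t/r/9f2c1a7b3e4d\tMozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) Safari/604.1
2019-08-08T11:30:00+00:00\t192.0.2.55\t/r/000000000000\tcurl/7.65.0
2019-08-08T11:31:00+00:00\t192.0.2.56\t/favicon.ico\tMozilla/5.0
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\t(?P<ip>\S+)\t(?P<path>\S+)\t(?P<ua>.*)$")
ID_RE = re.compile(r"^/r/(?P<id>[0-9a-f]{12})$")


def new_tracking_id() -> str:
    """48 random bits from the OS CSPRNG: a guessed or enumerated URL cannot pollute the log."""
    return secrets.token_hex(6)


def render_message(template: str, name: str, tracking_id: str) -> str:
    """Substitute the target's first name and tracking ID into the template."""
    first_name = name.split()[0] if name.strip() else "there"
    return template.format(name=first_name, id=tracking_id)


def parse_log(text: str) -> list:
    """Extract click records from the log, keeping only requests for a tracking-ID path."""
    clicks = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line, ignore rather than crash the report
        idm = ID_RE.match(m["path"])
        if not idm:
            continue  # favicon, robots.txt, scanner noise: not a tracked link
        ua = m["ua"]
        clicks.append({
            "ts": m["ts"], "ip": m["ip"], "tracking_id": idm["id"], "ua": ua,
            "preview_bot": any(b.lower() in ua.lower() for b in PREVIEW_BOTS),
        })
    return clicks


def build_report(results_csv: str, log_text: str) -> dict:
    """Join log clicks to targets by tracking ID; clicks on unknown IDs are kept aside."""
    targets = {row["tracking_id"]: {**row, "clicks": []}
               for row in csv.DictReader(io.StringIO(results_csv))}
    unmatched = []
    for click in parse_log(log_text):
        target = targets.get(click["tracking_id"])
        (target["clicks"] if target else unmatched).append(click)
    return {"targets": targets, "unmatched": unmatched}


def human_clicks(target: dict) -> list:
    """Clicks that did not come from a known link-preview fetcher."""
    return [c for c in target["clicks"] if not c["preview_bot"]]


def to_html(report: dict) -> str:
    """Minimal HTML table: one row per target, first human click shown."""
    head = "<tr><th>Target</th><th>Site</th><th>Status</th><th>Message</th><th>Clicks</th><th>First click</th><th>IP</th><th>User agent</th></tr>"
    rows = []
    for t in report["targets"].values():
        hc = human_clicks(t)
        first = hc[0] if hc else {"ts": "", "ip": "", "ua": ""}
        cells = (t["name"], t["site"], t["status"], t["message"], len(hc), first["ts"], first["ip"], first["ua"])
        rows.append("<tr>" + "".join(f"<td>{html.escape(str(c))}</td>" for c in cells) + "</tr>")
    return "<table>" + head + "".join(rows) + "</table>"


if __name__ == "__main__":
    print(to_html(build_report(RESULTS_CSV, SERVER_LOG)))
```

Two things worth keeping in mind when reading a report like this: link-preview fetchers and corporate URL scanners will request the link before (or instead of) the target, so a raw hit count overstates clicks and a user-agent filter such as the one above is a heuristic, not proof; and the log holds IP addresses and user agents of named employees, so it should be handled as personal data for the duration of the engagement and deleted afterwards.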

All this means you can run your own social media phishing tests against your employees, or on behalf of your clients.

I will, however, end with a short disclaimer. This tool likely breaks the terms and conditions of the social media sites, meaning that the accounts you use could be banned. Additionally, in certain jurisdictions and countries, phishing your employees' social media accounts may not be legal. Please check with your company's lawyers before proceeding with this type of testing, as I take no responsibility for your actions with this open source tool.

Social Attacker aims to provide a proof of concept to what is possible in the area of social media phishing automation, and spark a discussion on how we use social media and the protections (or lack thereof) that sites provide us with.

That said, I hope you will find the tool useful and use it in new and innovative ways. You can find more information on running the tool on the GitHub page. Please report any bugs you find, and feel free to drop in feature requests if you have ideas for improvement. And of course, tweet me @Jacob_Wilkin with any success stories you have using Social Attacker!
