Prepare phishing attacks
Phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. Whether it’s getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication they can to steal valuable data.
Red Team: Attack vectors and Techniques
The amount of information an organization publishes is undoubtedly one of the reasons it is so vulnerable to phishing attacks. As you all know, reconnaissance plays a vital role in any cyber-attack; to prepare a phishing attack, an attacker follows the three-tier methodology below.
- Find emails & users
- Verify emails & users
- Create phishing payloads & sites
1) Find Emails & Users
As mentioned at the top, information can be gathered from various sources such as LinkedIn, Google, etc.
Eg: using the Maltego tool, which discovers data from open sources, together with password spraying, which attempts to access a large number of accounts.
People reuse their work passwords on third-party sites that do not store passwords with strong algorithms.
2) Verify Emails & Users
https://activedirectorypro.com/use-nslookup-check-dns-records/
This can be done in multiple ways:
a) Using DNS queries against the mail (SMTP) server, find the MX records
Eg: nslookup -type=txt fakeweb.com
b) Send test emails; Metasploit has the auxiliary/scanner/smtp/smtp_enum module, and the iSMTP tool can also be used
c) Office 365 OWA / Microsoft APIs
Recent trends show that attackers are no longer targeting only a user's login credentials, but are now using Microsoft Office 365 OAuth apps to hijack a recipient's account. According to a report by PhishLabs, these OAuth phishing emails pretend to be shared OneDrive or SharePoint files that contain a link to the shared document. Consenting to the app provides a huge amount of access to the victim's account, which is most likely used to conduct reconnaissance for even more targeted attacks.
3) Create Phishing Payloads & Sites
When it comes to choosing a payload, attackers concentrate on getting past egress filtering by choosing either reverse_https (creates an encrypted tunnel and is proxy-aware) or reverse_tcp_all_ports.
Cyber criminals keep coming up with innovative methods, such as weaponized, obfuscated URLs that circumvent content-filter exceptions, and buying expired domains. As mentioned above, the OWA/Microsoft APIs can be used to create payloads to lure the user.
Eg: iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -j REDIRECT --to-ports 443
Tools: Ghost Phisher, Social-Engineer Toolkit
BLUE TEAM: Detective and Preventive Controls
Technical phishing defenses are unique to each situation, and one strategy may not work everywhere, so I will explain the detective and preventive controls at two levels:
1) Network level
2) Process level
This phishing vector can be detected and mitigated only by network-level and process-level methods.
1) Network level
1a) Disable and log VRFY and/or EXPN and RCPT requests on your mail server, because they can be used for SMTP enumeration. VRFY and EXPN are internal commands of the SMTP service that allow the enumeration of users: VRFY confirms the names of valid users, and EXPN reveals the actual addresses behind user aliases and mailing lists. In the server's replies, a 250-series code shows that the user account is valid and 550 indicates an invalid user account.
Eg: For Postfix, add ‘disable_vrfy_command=yes’ to the ‘main.cf’ file.
For Sendmail, add the option ‘O PrivacyOptions=goaway’.
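As an added example (not from the original post), the detection half of 1a: a small Python script that scans Postfix-style smtpd log lines and flags client IPs that issue VRFY/EXPN or rack up repeated 550 "user unknown" RCPT rejects, which is the trail address-guessing leaves behind. The log lines, IP addresses, regex shape and threshold are constructed assumptions; adapt the regex to your own server's log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in a Postfix-like syslog format (not a real capture);
# the regex below assumes this shape and should be adapted to your own mail log.
SAMPLE_LOG = """\
Mar  3 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@attacker.invalid> to=<alice@example.com> proto=ESMTP helo=<scan>
Mar  3 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@attacker.invalid> to=<bob@example.com> proto=ESMTP helo=<scan>
Mar  3 10:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@attacker.invalid> to=<carol@example.com> proto=ESMTP helo=<scan>
Mar  3 10:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@attacker.invalid> to=<dave@example.com> proto=ESMTP helo=<scan>
Mar  3 10:01:04 mx postfix/smtpd[1235]: NOQUEUE: reject: VRFY from unknown[203.0.113.5]: 502 5.5.1 VRFY command is disabled; proto=ESMTP helo=<scan>
Mar  3 10:05:00 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown in local recipient table; from=<hr@partner.example> to=<typo@example.com> proto=ESMTP helo=<mail.partner.example>
"""

# One SMTP reject line: the refused command, the client IP and the reply code.
REJECT_RE = re.compile(r"reject: (?P<cmd>RCPT|VRFY|EXPN) from \S+\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) ")


def score_enumeration(log_text, reject_threshold=3):
    """Group SMTP rejects by client IP and flag likely user-enumeration sources.

    A source is flagged when it triggers any VRFY/EXPN reject (the commands are
    disabled, so any use is suspicious) or when it accumulates reject_threshold
    or more 550 "user unknown" RCPT rejects, the signature of guessing
    addresses one by one. A single typo from a legitimate sender stays below it.
    """
    stats = defaultdict(lambda: {"rcpt_550": 0, "vrfy_expn": 0})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        if m["cmd"] == "RCPT" and m["code"] == "550":
            entry["rcpt_550"] += 1
        elif m["cmd"] in ("VRFY", "EXPN"):
            entry["vrfy_expn"] += 1
    for entry in stats.values():
        entry["flag"] = entry["vrfy_expn"] > 0 or entry["rcpt_550"] >= reject_threshold
    return dict(stats)


if __name__ == "__main__":
    for ip, entry in score_enumeration(SAMPLE_LOG).items():
        print(ip, entry)
```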
1b) By default the number of authentication calls (HTTP NTLM requests) will be 2, but this can also be increased; however, a large number of HTTP NTLM requests has to be monitored at the network level.
1c) Implement a CASB (Cloud Access Security Broker), which can be placed on top of your cloud infrastructure and will help in detecting these attacks.
2) Process Level
2a) Train end users to use different passwords on different websites and not to click on suspicious links. Happily, some companies give rewards to those who find phishing mails and links.
2b) Monitor your domain expirations.
At least with these implementations we will be able to defend to a certain level.