Part of my job is to test the human element of security in organizations by creating and launching phishing campaigns (on commission, i.e. authorized to do so by the company!).
Running a few simulations of phishing campaigns each year could reduce the likelihood that employees will click on malicious links, download malicious files, or provide critical inside information when contacted by an attacker. Carrying out these activities and then discussing them through outreach training usually yields the best results.
In this short article I will explain what phishing is and how easy it is to create a phishing campaign, so that each of us can be more aware of the risks that we and the companies we work for face every day.
What is Phishing?
Phishing is a social engineering activity. It basically involves getting people to take an action by sending an email.
The most common type is credential phishing, in which the attacker attempts to gain access to plaintext usernames and passwords to gain a first entry point into the organization. Other types of phishing might carry malicious file attachments, usually related to a payload, a malicious component that helps infect a system, created by someone else (for example, Cobaltstrike).
Phishing is just one of the ways in which an attacker could establish a first internal position, other ways can be vhishing (i.e. a form of vocal "phishing", carried out through one or more telephone calls to the target), smishing ("phishing ” conveyed by sms), or other forms of manipulation through technological or non-technological means.
The Recognition phase
To start phishing, when targeting an organization, the first step is to create a database of people who may be working there (email addresses and contacts). There are many free tools and platforms that allow anyone to collect information from LinkedIn.
Figure 1- https://rocketreach.co/
Rocket Reach, like many other platforms, allows registered users to discover valid emails that were part of data breaches. With very few attempts you can find a valid email for the target company, understanding how it is composed (eg. email@example.com) and making it very easy to populate the database.
Once we have our database, if the goal is to collect employee credentials, we'll need to do a basic web enumeration looking for the login portals used by the victim and decide which one we're going to impersonate.
The Weaponization phase
The second part of the preliminary phase is weaponization, or armament creation.
If our goal is to collect credentials, to begin with, we will have to prepare the environment, which means buying the domain that we will use for the phishing assessment and setting up the records related to the email service. To make things easier (and smarter) we usually configure the VPS (Virtual Private Server, an instance of a system that runs in a virtual environment) with GoPhish, a platform that allows you to send mass emails and collect information on the countryside.
Figure 2 - https://github.com/gophish/gophish
Once the environment is ready, we proceed to prepare the email template. Here's the tricky part: the content of the template can vary based on the type of campaign, whether it's targeted or not.
In a targeted phishing campaign, we usually add a step in the reconnaissance phase where we OSInt the target to get to know them: how they communicate, how they are structured, what their interests and core values are, etc. to create a tailored email template that motivates the majority of employees to take the desired action.
When the campaign is not targeted, it usually conveys topics of general interest (e.g. bonuses, lotteries, etc.) that appeal to some kind of need, desire, fear, etc., in the reader, inducing him to make a action in order to get something they crave or to prevent something they fear from happening.
When we opt for a credential theft campaign, we then prepare the web page that allows them to be entered and subsequently sent to our GoPhish (which will mark the action as "executed"). The portal we build usually has characteristics (collected during the reconnaissance phase) that recall the company, to seem a little more legitimate and build trust.
Campaign launch and information gathering
Once all these steps have been completed, the campaign can be launched. Campaigns are more likely to be launched at 'inconvenient' times such as near lunch break or at the end of the working day; therefore, we usually choose one of these two moments. Attackers attempt their initial login in these windows because employees are more likely to be distracted or tired, thus more inclined to take the desired action.
GoPhish is very useful when it comes to collecting data; using a simple tracker in the body of the email allows GoPhish to keep track of which users opened the email and how many clicked on the link that landed on our malicious portal. Finally, it also keeps track of users who have entered credentials.
All of this data could be useful to an attacker:
- The tracker who tells the attacker that the email has been opened will confirm the validity of the email address which could be used in a second targeted campaign;
- The click action (even when not followed by entering the credentials), could signal the user as a potential "weak point";
- The entered credentials could be used to obtain an access point to the target infrastructure.
Understanding how an attacker thinks and acts can help improve a company's defense.
Strengthening the weakest link in the chain, almost always man, could benefit both individuals and the company itself.
The continuous training of users, not only strictly connected to the corporate perimeter but also to one's own, could benefit both parties and therefore be more effective.