The Social Engineer’s Guide to Phishing: Part I

A Brief Introduction

Phishing: to exploit the weakest link of the chain, human beings, through carefully crafted false narratives, delivered electronically, for the purpose of gaining valuable intel on your target.

This isn’t the official definition, but it might be a more realistic, living definition of what phishing actually is. It is a practical description from the point of view of the attacker. In nearly every situation, the human element is both the weakest link and the largest attack surface. Phishing is a process by which to funnel a user’s actions toward a goal of your choice, while hiding behind a veil of legitimacy.

The term phishing was coined in the mid 90s by a bunch of enterprising hackers using malicious emails to hack and take over America Online accounts. If you remember what AOL was like, this fact shouldn’t be surprising. Hacked accounts were often referred to as phish, and were even traded between phishers/hackers. Likely, the word itself is a sort of throwback to phone phreaking, a more lo-fi form of hacking that centered around exploiting phone systems using a tone generator of some sort (look up ‘blue box phreaking’), and which predates phishing by about 20 years.

In modern usage, phishing can be used to refer to social engineering attacks administered via email, social media, SMS/texting, and even shareable documents. These days, phishing can be as simple as sharing a malicious link to a fake login portal where user credentials are harvested. Social media outlets, especially, have been inundated with fake accounts baiting unsuspecting users with one-liners like ‘you won’t believe this’. In the case of Facebook, there was a late 2019 phishing scam that enticed users to click a link with the message, ‘lol, is this you?’ and supposedly linked a user to a video of themselves. The user would then be redirected to login to view the video. The login portal was fake, the video didn’t exist, but the attack was very real. It was very successful.

On the surface, phishing may seem like the lowest hanging fruit; it can be accomplished with absolutely no technical skill, it can be strictly opportunistic at times, and has been utilized effectively and without cease for nearly 25 years. Let’s just use the obvious comparison: any average Joe can cast a line over and over and eventually catch a fish, but the real heavy hitters are raking in millions.

Choosing the Right Tools

It’s always difficult to tell an imaginary person (in this case, you) what is best for them. There are too many choices and too many factors to give a one-size-fits-all recommendation.

So instead, let’s talk about what you might try to accomplish, and which questions you should be asking yourself in order to find the best tooling for you.

Let’s illustrate what’s possible by providing a few scenarios.

Scenario 1: The Dev Team

Richard owns a small software development firm in the bay area. Though his company size is less than 50 employees total, they are a diverse mixture of on-site and remote workers that don’t always communicate very well. In fact, many of his employees never have contact with each other. This leads to a situation where anyone who has done their homework on Richard’s company could easily phish his employees by simply pretending to be a coworker.

Luckily, Richard’s CTO is a smart guy. He can see a high risk situation unfolding and has started to look for ways to mitigate their risk while educating their workforce. He begins to assess their situation, and deduces the following:

1. They have a small number of employees.
2. They cannot afford an enterprise solution.
3. They have a small Security team that will have to orchestrate this.

After careful consideration, Richard and his CTO decide to go with an opensource offering called Speed Phishing Framework (https://github.com/tatanus/SPF). The allure of SPF came from it’s ease of use and ability to orchestrate it easily from the terminal, which was a huge plus for his Security Engineers. It doesn’t have a GUI, but it can be automated relatively easily. And hey, it’s free.

Scenario 2: The Mid-Sized Paper Company

Mike is the regional manager of a moderately successful paper company in New England. Recently, a successful hacking attempt led to the defacement of a load of stationary, and cost the company a lot of money in damages. The head of IT at his branch has tracked the attack back to a malicious email to the accounting team. Not wanting to risk another situation like this in the future, Mike begins looking for a solution to educate his employees about the dangers of phishing, and to provide some insight on who in the company is at risk. After painstakingly researching products, he decides to forward his research to the company’s CISO, Dwight. After reading Mike’s list, and supplementing his own knowledge, he decides on these factors:

1. They have a decently large number of employees, ~300.
2. They have multiple branches, and would need to manage user groups.
3. They would like to have regular reports, and to maintain statistics.
4. They’re still trying to save money after the loss, so opensource is preferred.

Mike and Dwight come to an agreement: they’ll use GoPhish. GoPhish is a free and opensource platform featuring campaign scheduling, user group management, RBAC, event collection, and a webhook feature which would allow them to feed data into their already-established Splunk instance, to help with report generation. All the Security Team had to do was put up a VM with GoPhish on their corporate server, and away they rolled. The UI isn’t too bad, either.

Scenario 3: The Uber-Conglomerate

Bob’s father built this company 40 years ago from the ground up, and now he’s sitting on top of an international corporation with thousands of employees. Being at the heart of American industry means always being in the cross-hairs of bad actors, both foreign and domestic. Recent developments in foreign affairs have put Bob’s CISO, CTO, and CIO all on edge. They are sure the company will see a tremendous surge in phishing attacks in the coming months. After a two-week long binge of sprints, standups, and other laborious meetings, the higher-ups have noted a few important points about their company:

1. They have too many employees to manage with a smaller platform.
2. They need complete transparency with operations.
3. Product support is a must, things always break eventually.
4. There is a lot at risk.

After a vote of 6:3, the newly formed Phishing Committee has decided to adopt Sophos (https://www.sophos.com/) as their enterprise phishing simulation platform. Sophos features hundreds of prebuilt templates, comprehensive reporting, data collection, and automatically provides Security Awareness Training to those who fail a phishing attempt. It’s a bit pricey, but Bob figures it’s an investment in their future.

So What’s the Gist?

Basically, it all comes down to budget, number of employees, need for reporting, and how you’d like to handle education. GoPhish is a popular choice for small to mid-range companies with a skilled IT department, larger clients tend to opt for paid platforms. Look around and get acquainted with the landscape, the reality is that, as a Security Engineer, you’ll probably have to use a few. As a manager or C-level exec, knowing what is possible and what is available will allow you to benefit from the best fit for your company.

Building a Convincing Campaign

Explaining how to trick users into doing what you want really isn’t as cut and dry as ‘use this template and say these things’. It’s bigger than that.

An amazingly convincing email can fall flat the same as one rife with spelling and grammatical errors that looks straight out of 1999. The opposite is also true. So what are the real deciding factors? Motivation and trust.

A user can at first be motivated to take action by a sleek, well-crafted email, but then hesitate when the premise doesn’t add up. On the flip side, an email may look outdated and slightly off, but be trusted by the user because of some myriad of background factors (they heard about management sending out surveys, they’re scared of not complying with a password reset, and so on). Let’s look at how to ‘hack’ these two factors to great effect.

Motivation

Humans are motivated in their daily lives by many things, some logical and others emotional. The easiest of the two to address are those that are purely emotional. What types of feelings tend to move you? Let’s look at a few simple scenarios.

1. You are driving home and stop at a stop light. A man approaches your vehicle. Out of fear, you lock your doors.
2. While browsing the web, you see an ad for something so ridiculous you just have to check it out. Your desire for new experiences compels you to click the ad.
3. You receive a phone call after a local historical building has burned down, the person on the line is asking for donations to restore it. Out of compassion, you pledge $50.

Ask yourself, and answer honestly, which scenario sounds most likely for you? The majority of human beings would probably answer #1 or #2. There are entire industries built around fear and desire. In fact, most are. Those that are relying on the generosity and compassion of others must get creative and aggressive in their tactics. Why is that?

Influencing others through the use of fear tactics is an age-old recipe. Threaten a negative outcome for something your target group identifies with (i.e., career, commodities, life itself), and they will react. This doesn’t have to be a direct threat. Simply introducing something that may cause a negative outcome down the line is usually enough. This is known as the Fear Appeal.

The Fear Appeal, as it is referred to in psychology, sociology, and marketing, is a strategy for probing others to take a particular action by inciting fear. A fear appeal presents a risk, and then may or may not suggest a form of protective action (i.e., click here to prevent X). There are many theoretical models for how this actually works; we will be looking at the Subjective Expected Utility theory (SEU) briefly, as a possible explanation for fear appeal.

SEU predicts that fear appeal will be successful when the target perceives that the benefits in reducing risk outweigh the costs of taking action. Simply put, does the user benefit more from the mitigation of risk, or by not taking the action? For clarity, SEU doesn’t actually consider the emotional process involved, but is based on the logical process behind fear appeal. The reason we are looking at this under the category of emotional influence is due to the subconscious way a person experiences this process. A typical user will not outright think ‘is it harder to click this button, or to get fired from my job for noncompliance?’. They will, however, act compulsively.

To motivate a person with desire is sort of the opposite of fear appeal. With this motivation method, the key is to eliminate (or greatly reduce) the perception of risk and heighten the temptation to take action. To be blunt, the adult industry has it easy in this regard. Sexuality is such an ingrained biological imperative that the mere suggestion elicits great curiosity in the majority of people. However, even for a motivation as great as genetic survival, the risks must be perceived as lower than the reward.

You can’t simply rely on any motivational tactic, however. As mentioned before, it’s only one piece of the puzzle. Luckily we’re only working on a two piece puzzle, so let’s get to the other half.

Trust

When we talk about trust, in terms of phishing, what we’re really talking about is believability. A user doesn’t have to trust you personally, but they do need to believe what you’re saying. Believability (also) comes down to two major factors: environment and aesthetics. Does this premise fit into what a user already knows/believes? Does the presentation fit into what a user expects to see? It’s a sliding scale, but you do need a little of both to make it work.

So what factors should we consider when working on environmental believability? The best way to illustrate this is with a few statements about an imaginary user. We’ll call him John.

1. John is a member of his local orchestra.
2. John is a Network Engineer at a local IT Shop.
3. John uses Paypal, Gmail, and Netflix regularly.
4. John’s boss, Dave, often emails him about important business topics.

These are all things that John keeps in his subconscious and conscious mental environments. If you were to walk up to him on the street and say, “Hey John, great bumping into you. Dave wanted me to talk to you about what networking stuff you’re working on. Have a minute?”, you would likely gain an audience with him. You’ve established that you know his identity, a key fact about him (his job), and that you know someone he knows. Even though the surroundings don’t fit too well (e.g., you’re on the street instead of the office), the high level of environmental believability allows you some leverage despite this shortcoming. Being dressed appropriately would likely be enough to seal the deal.

We hinted at the aesthetic believability factor already, but let’s elaborate a bit. I want you to imagine a scenario. You’re looking for a graphic designer for a project you’ve been working on. You peruse through a well known freelancing directory and begin looking at candidates. You see that some freelancers have thorough portfolios and profile images that look professional. Others have a few examples of work and lackluster profile pictures. The cost difference between the two types of people you are noticing isn’t tremendous, $5–10 an hour more or less. Are you going to trust the cheaper freelancer with fewer/no examples of work, or the more professional looking worker with a robust portfolio? The answer should be obvious.

In literal terms, you should be aiming for aesthetic believability in your electronic correspondence through the use of:

1. A believable (spoofed, if needed) sending address
2. If email, a template that looks like other emails in that space
3. All applicable logos and graphic resources a user expects
4. If social media, a profile that looks like a genuine person

There are many more factors that you will come to know as you dive into phishing further, these examples should provide a basis for the types of aesthetic believability factors you should be careful of.

Putting it all together

We now know that a campaign based on fear or curiosity is likely to have a better success rate than a call to action based on other means. We also know that we have to align the campaign’s content and presentation to a user’s mental environment and aesthetic expectations. This all sounds great in theory, but how do we actually put this together?

1. The Password Reset

Subject: Your Password Will Expire From: Microsoft Support support@microsoft.com Body:

Your password is set to expire in (10) days. To prevent loss of access, please click the link below to reset your password.

Analysis:

This is a classic. No user wants to be left without access to their account. The special sauce for this campaign would be in the design of the email body itself. Simplicity is key, and make sure you use the correct logo.

1. The Data Breach

Subject: Important Info Regarding Data Breach From: Incident Response security@chase.com Body:

Dear <whomever>,

Your information was recently discovered in a recent data breach. It is our responsibility to notify you of this event. For a full report and information on how you can take action, please visit the link below.

Thank you.

Analysis:

Another one playing on fear, but also curiosity (i.e, ‘you can take action’). It is almost literally a call to action. It uses fear to grab attention, but turns around to play on the user’s desire to find out exactly what action they can take.

1. The Package

Subject: Your Package Has Been Shipped! From: UPS notify@ups.com Body:

Your package is on it’s way! Please sign in below to view tracking info, cancel/reschedule delivery, or change your notification settings.

Analysis:

This is another easy click. The user is probably curious when the hell they ordered something, but the email may get lost in weeds if they order things regularly. Try it out if you want to put out some low hanging fruit.

As you can see, casting a wide net with common tactics really isn’t that hard. It requires a little bit of information gathering, some work to look legitimate, and decent timing. The real work begins when you decide to narrow your focus on a smaller group, or a single person. The odds of landing a few phish are generally pretty high when you are baiting thousands, but what if you really need to hit a specific target?

Be sure to look out for the next part in the series, where we’ll cover more advanced topics and learn how to create a solid phishing process.