The Social Engineer’s Guide to Phishing: Part II

Andrew Long
9 min read · Sep 29, 2021


In the first part of the series, we spoke about the psychology behind successful phishing techniques, and how to choose the right tools for the job. For this article, let’s jump into the more advanced topics and learn how to bring the pieces we’ve learned into a coherent process.

Spearphishing and Whaling

Just like there are different methods for actual fishing, there are different methods for phishing according to what your target is. Spearphishing is the act of targeting a single person or group of people. Whaling is like spearphishing, but with a greater purpose — specifically targeting individuals of high rank or status.

You would be spearphishing if you decided to target the marketing team of a realty company; you would be whaling if you decided to phish the CEO.

This chapter builds on the base we established in the previous chapters and demonstrates these more advanced techniques for landing your phish (or whale).

Recon: The Meat & Potatoes of Targeted Phishing

Let’s say you’re targeting a doctor in Ohio. What does your email say? If you feel like you don’t have enough information to answer that, you’re absolutely right. That’s why recon is so important, especially when administering targeted attacks. Without some type of ‘insider knowledge’ on your target, you can never really hope to get into their bubble of trust. Large scale phishing attacks are mostly a numbers game, with measures taken to ensure a good percentage of phish. You’re not afforded the same comforts with targeted attacks, simply due to the smaller sample size.

Reconnaissance is critical to gaining insight on your target, and crafting a false narrative that best fits the situation. So how exactly do you get this info? Googling is always a good idea. Google the person’s name, location, email address, and anything else you have. Begin creating a dossier of information like so:

    Name: John A. Smith
    Aliases: Johnny, Albert
    Social Media Profiles:
        facebook.com/johnasmith75
        linkedin.com/in/smith-john-a
    Email(s):
        jsmith@gmail.com
        john.smith@yahoo.com
    Current Occupation: Unknown

Add as many fields as you can think of. Take notes. Building a map of this person’s network of friends/contacts will also greatly increase your ability to spoof a connection to them. If you’re not feeling like a real creep, you’re not doing it right.

Tools

The following tools are paid services that will help you get more information on a single person, based on a piece of info you already have (e.g., an email address, physical address, or phone number):

  • Spokeo
  • FullContact
  • WhitePages

You’re probably wondering why I haven’t listed 20 different open-source packages or mentioned Kali a dozen times. While I have used many open-source tools in the past, the truth is that I’ve settled on a method that works very well for me and makes use of just a few tools. I’ll cover that next.

Methodology

So, assuming I have a target in mind, I would start by Googling whatever info I have on them. Let’s say I have an email address. By searching for the email address between single quotes, ‘jsmith@gmail.com’, I can force Google to only return full matches. I would also search for ‘jsmith’, because people love to reuse their usernames. I get back a bunch of results for social media profiles, a couple of forums they’ve posted in, and a random pastebin dump. I’m not fluffing anything up here; this is typically what you will see with most people.

I decide to copy the social media profile info and turn my focus to the forums. For some reason, people don’t ever expect to be connected to their forum usernames. What I do next is take the site name and username and run a search like ‘site:coolforums.com jsmith’, which prompts Google to only return results from ‘coolforums.com’ and search for ‘jsmith’ in those results. What I get back are lots of posts from our target. Boom, I found another email address where they prompted someone to contact them, and a phone number as well (our target isn’t very smart). I’d feel bad about how easy I’m portraying this to be, if I hadn’t seen these very results numerous times.

So now I have a name (from social media), 2 email addresses, social media profiles, forum info, and a phone number. I turn to WhitePages.com to get a physical address from their phone number. WhitePages is also gracious enough to provide other people connected to that address. If needed, I could start the process over with each of these people and build a map of connections to the target.

This isn’t a bad start, and I’ve probably only spent an hour doing recon so far. What’s next is a bit more tedious. Using the social media and forum profiles I gathered earlier, I begin to read posts made by the target. I also pay attention to what others are saying to the target. All I’m looking for is some upcoming event they are interested in, an organization they’re connected to, or some new thing they purchased. Any of these things could be a foot in the door to open conversation.

That’s pretty much it. For pulling data on bigger entities like companies, search for their articles of incorporation, look them up on Wikipedia, or use a tool like Maltego to map people connected to that company. Unless you’re whaling (and maybe even then), remember who you’re looking for: the idiot with the most access. And what are you looking for? That sweet intel that makes you seem legitimate to them.

Putting Your Work to Work

You now know more about a stranger than you reasonably should. It’s time to use that intel for a purpose and hopefully justify what you just spent hours doing. For the next step of this process, you can think of yourself as a sort of salesperson. You need to sell them on the idea that you are who you say you are, and what you need from them is perfectly legitimate and safe.

While not every spearphishing engagement will require back-and-forth correspondence, you need to be prepared for it. This is where rapport building comes into play. A good salesperson has this down to a science. The following example exchange illustrates the four stages of building rapport and locking down a sale:

1. Establish Relationship

Attacker: “Hello Mr. Smith, my name is Justin and I work with Cisco. I understand you’re having some problems with one of your networked devices and wanted to reach out. Let me know how I may be of assistance. Thanks.”

Target: “Hello Justin. I’m not sure what you’re referring to exactly, but I do manage a few devices. How did you get my email?”

Attacker: “There was a ticket submitted on Thursday. Your email was listed as a contact, as well as (the name of his supervisor). Could I get you to verify your CCO ID?”

Target: “I get listed on these things sometimes, my CCO ID is (whatever).”

2. Understand Motivations

Attacker: “Perfect, thanks. The ticket matches what you’ve provided. However, the explanation was a little vague. Could you tell me more about the connection issues you’re experiencing?”

Target: “Again, I’m not exactly sure what the ticket was about, but we have been experiencing issues with our Meraki device. Could I possibly look at the ticket you’re talking about? None of my colleagues knew anything about it.”

3. Create Value

Attacker: “My apologies for the confusion, I can grant you access to the ticket and also give your team some Cisco Learning credits for your trouble.”

Target: “Sounds good. Thanks.”

4. Ask For Commitment

Attacker: “Ok, Mr. Smith. You’ve been given access to the service portal to view the ticket in question. You’ll need to log in using your company email. Please have your CCO ID, Customer Number, and Support Passcode available. You may need to validate your account. Here’s the link: https://link-to-fake-login-portal.c1sc0.com”

Target: “Perfect, I’ll check it out. Thank you again.”

In a simple, short exchange of emails, the security of the company may have been compromised. By researching the name and place of work of Mr. Smith, and some additional work to find names of vendors to his company, the attacker was able to effectively spoof the type of support correspondence that is normal for Mr. Smith to deal with. Notice how ‘Justin’ was also distrustful of Mr. Smith? It’s important to remember that rapport building is supposed to work both ways, and acting like you trust the target implicitly from the jump is highly suspicious.
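The lookalike domain in that final message (c1sc0.com standing in for cisco.com) is exactly what a mail gateway or a user-reported-phish triage script should catch. The following Python script is an added example, not code from the article: it pulls links out of a message body, folds the digit-for-letter substitutions that lookalike domains rely on, and flags any registrable domain that sits within one edit of a trusted vendor domain, or that embeds a trusted domain as a subdomain of something else. The trusted-domain list and the sample message are constructed assumptions, and the two-label notion of "registrable domain" is a simplification noted in the code.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of vendor domains the organisation legitimately deals with.
# Hypothetical: replace with the organisation's own list.
TRUSTED_DOMAINS = {"cisco.com", "meraki.com"}

# Digit/symbol substitutions commonly used to imitate letters in domain names.
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t", "|": "l"})

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def registrable_domain(url: str) -> str:
    """Last two labels of the host, lower-cased (e.g. 'c1sc0.com').
    Two labels is a simplification; production code should consult the
    public suffix list so that names like 'example.co.uk' are handled."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return (verdict, trusted_domain_or_None); verdict is one of
    'trusted', 'lookalike' or 'unknown'. 'lookalike' is a triage signal
    for review, not proof of malice."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted", domain
    for t in trusted:
        # Trusted name used as a subdomain of an unrelated domain,
        # e.g. cisco.com.example.net
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "lookalike", t
        # Digit-for-letter swaps and one-character typos, e.g. c1sc0.com
        if edit_distance(domain.translate(CONFUSABLES), t) <= max_distance:
            return "lookalike", t
    return "unknown", None


def flag_links(body: str):
    """Scan a message body and return (url, verdict, reference) for every
    link that is not clearly on the trusted list."""
    return [(u, *classify_link(u)) for u in URL_RE.findall(body)
            if classify_link(u)[0] != "trusted"]


# Constructed sample message modelled on the exchange above; the support URL
# is a made-up path, not a real Cisco page.
SAMPLE_BODY = """Mr. Smith, you have been given access to the service portal.
Here is the link: https://link-to-fake-login-portal.c1sc0.com
Reference documentation: https://support.cisco.com/ticket/12345
"""

if __name__ == "__main__":
    for url, verdict, ref in flag_links(SAMPLE_BODY):
        print(f"{verdict:10} {url}  (resembles {ref})")
```

Run against the sample body, only the c1sc0.com link is returned, classified as a lookalike of cisco.com; the support.cisco.com link is trusted and filtered out. In a reporting pipeline the same function can run over every link in a user-reported message before a human looks at it.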

Packaging It Up For Success

Hopefully, you now have a decent understanding of how to create convincing campaigns, why they work, and how to follow up. Oh, wait, we haven’t covered that last part yet. The follow up.

As an engineer, you might believe that sending the email and getting people to click on things is the end of the line. Not even close! Many organizations believe this, too, and it’s a damaging belief to hold in terms of safety and security awareness.

Any phishing program that ends with people failing a simulation is unfinished and ineffective. If Bob fails a test 5 times, does he learn more about the subject? Not if we don’t show him what he did wrong. Targets must be educated immediately after failing, and those who fail repeatedly need to have further training and assessment.

As an organization, training should be mandatory and continuous. The real phishing attacks will never cease, and they will continue to get more convincing. Without proper training in an ongoing fashion, your company will get compromised. It’s no longer a matter of if, it’s a matter of time.

Education

Many organizations try to provide internal training to their employees, and some are very successful. I think of this like creating your own encryption algorithm, or building user authentication from scratch: okay, you might be able to do that, but there are tried-and-true solutions that exist already. Don’t reinvent the wheel.

Many people have contributed to that wheel, and have done the legwork of failing and rebuilding over and over again to bring you a finished product. My suggestion: find a company offering security awareness training and get them to provide it to your company. I guarantee that (nearly) any cost for training will be much less than you could lose in a data breach.

An educated workforce is much less likely to fall for run-of-the-mill phishing scams, and will undoubtedly save your company thousands (or millions, depending on company size) in lawsuits and losses. I would suggest a mixture of quarterly training from a security awareness training provider, as well as an automated solution that delivers educational materials to anyone failing a phishing simulation.

Reporting

This is the other leg that your success will stand on. Reporting is a two-part process. First, you need to collect metrics on who has been sent an email, who has opened it, and who has clicked any links or opened attachments. You also need to collect and correlate data on who reports your phishing simulation emails as phishing attempts or spam. The second part of the process is packaging it up for management to consume.

If you haven’t already, I would suggest looking into tools like ELK (Elasticsearch/Logstash/Kibana), Splunk, or Grafana. They will allow you to consume time-series data (such as real-time phishing events) and create stunning visualizations from it. They make the lives of security engineers much better, because much less time is spent writing boring reports. They improve the work of an organization by providing transparency into highly technical processes and allowing technical and non-technical people to get the same benefit from a set of data. There are a million quips and jokes you can make about managers loving dashboards; it’s all true, and with good reason.

Some examples of data-points you should be including in your report:

  • Number of emails sent
  • Number of people who opened the email
  • Number of people who clicked the links or opened the attachment
  • Number of people who reported the email
  • Overall fail rate (number who clicked or opened the attachment, divided by number sent)
  • Browser & Platform stats for those that failed
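The data points above are easy to get wrong when a platform exports one row per event rather than one row per recipient: a user who clicks the link three times is one failure, not three. The following Python script is an added example, not code from the article or from any simulation product. It parses a constructed event log in a hypothetical CSV shape (timestamp, campaign, user, event, client), produces every data point in the list above on a per-recipient basis, buckets click events by hour in the form a time-series dashboard such as Kibana or Grafana would ingest, and applies the follow-up rule from the Education section: immediate education after any failure, escalated training once a user's running failure count reaches a threshold. The sample events and the prior-failure history are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of phishing-simulation events, one per line:
# timestamp,campaign,user,event,client. The format is hypothetical; most
# simulation platforms export a CSV along these lines.
SAMPLE_EVENTS = """\
2021-09-20T09:00:00,Q3-vendor-support,alice,sent,
2021-09-20T09:00:00,Q3-vendor-support,bob,sent,
2021-09-20T09:00:00,Q3-vendor-support,carol,sent,
2021-09-20T09:00:00,Q3-vendor-support,dave,sent,
2021-09-20T09:12:31,Q3-vendor-support,alice,opened,Chrome/Windows
2021-09-20T09:13:02,Q3-vendor-support,alice,clicked,Chrome/Windows
2021-09-20T09:40:10,Q3-vendor-support,bob,opened,Safari/macOS
2021-09-20T09:41:00,Q3-vendor-support,bob,reported,Safari/macOS
2021-09-20T10:05:44,Q3-vendor-support,carol,opened,Outlook/Windows
2021-09-20T10:06:01,Q3-vendor-support,carol,clicked,Outlook/Windows
2021-09-20T10:06:30,Q3-vendor-support,carol,submitted,Outlook/Windows
2021-09-20T11:30:00,Q3-vendor-support,dave,reported,
"""

# Events that count as a failed simulation.
FAIL_EVENTS = {"clicked", "submitted", "attachment_opened"}

# Constructed history of earlier failures per user (hypothetical).
PRIOR_FAILURES = {"carol": 2}


def parse_events(text: str):
    """Parse the CSV-like log into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, campaign, user, event, client = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "campaign": campaign,
                       "user": user, "event": event, "client": client or "unknown"})
    return events


def campaign_report(events):
    """The data points from the list above, counted per recipient so that
    repeated clicks by one person are a single failure."""
    by_user = defaultdict(set)
    failed_client = {}
    for e in events:
        by_user[e["user"]].add(e["event"])
        if e["event"] in FAIL_EVENTS:
            failed_client[e["user"]] = e["client"]
    sent = sum("sent" in ev for ev in by_user.values())
    opened = sum("opened" in ev for ev in by_user.values())
    failed = sum(bool(ev & FAIL_EVENTS) for ev in by_user.values())
    reported = sum("reported" in ev for ev in by_user.values())
    return {
        "sent": sent,
        "opened": opened,
        "clicked_or_opened_attachment": failed,
        "reported": reported,
        "fail_rate": round(failed / sent, 3) if sent else 0.0,
        "report_rate": round(reported / sent, 3) if sent else 0.0,
        "failed_by_client": dict(Counter(failed_client.values())),
    }


def hourly_series(events, event_type="clicked"):
    """Hourly buckets for one event type, shaped for a time-series dashboard."""
    hours = Counter(e["ts"].replace(minute=0, second=0, microsecond=0)
                    for e in events if e["event"] == event_type)
    return sorted((h.isoformat(), n) for h, n in hours.items())


def remediation_plan(events, prior_failures, escalate_at=3):
    """Follow-up action per failing user: immediate education after any
    failure, escalated training once the running count reaches escalate_at."""
    failed_now = {e["user"] for e in events if e["event"] in FAIL_EVENTS}
    plan = {}
    for user in sorted(failed_now):
        total = prior_failures.get(user, 0) + 1
        plan[user] = "escalated-training" if total >= escalate_at else "immediate-education"
    return plan


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(campaign_report(evs))
    print(hourly_series(evs))
    print(remediation_plan(evs, PRIOR_FAILURES))
```

The report treats a submitted credential and a click as the same failure class; if your program distinguishes them, add a separate counter rather than changing the fail-rate denominator, which should always be the number sent.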

Conclusion

The occurrence of phishing attacks is only going to increase. Regardless of firewall rules, spam filters, strong passwords, and any other technical solution you can throw at the problem, humans will always be the weakest link in the chain. Social Engineering through phishing is like hacking the human brain. We have to do our best to educate against these attacks, and since people most often learn best by doing, phishing simulation with education and training will continue to be the best defense.


Written by Andrew Long

Director of Product Security @ Evinova. Avid security researcher, dedicated father, and nerdy analog electronics collector.
