get in touch open menu close menu
TSS Logo Part of TSS

Phishing Attack Simulation Saga

October 23, 2020

Phishing Attack

 

Information Gathering

Welcome to our Phishing Attack Simulation Saga. In the following post, we will tell you a story about a large organization called YCorporation, with a generous security team and a very well shielded infrastructure. Before we start, we would like to warn you that some aspects may slightly differ from the original events. Besides that, please be aware that performing or testing some of the steps described in our article without the previous written acceptance from the target organization is illegal. 

Security threats?! 

Once upon a time in the vast IT universe, two teams from different organizations gathered for an informal discussion during their morning coffee. Back then, we still had the luxury of gathering around and sharing our thoughts without a monitor separating us. As you may expect, the combination of good coffee and good company always brings interesting topics and ideas to the surface, so that’s when our interesting journey started. And it did with a simple question: “What is the most vulnerable component of a company? 

What seems to be a simple question with anapparently, straightforward answer quickly turned into a debate that took hours. The morning’s topic became a challenge for one of our red teams and the foundation of this story. From the back of our minds, we will argue that the lack of proper mechanisms, procedures, and powerful tools to detect and prevent attacks are the root of all evil. Others may think that a faulty operating system or hardware is the path to destruction. But most of the opinions tend to point out to human actors. Therefore, the question now becomes: “From a security point of view, what is more likely to become a threat to the organization: the underlying infrastructure and software or those who use it? 

Can the technical part be a threat? 

Of course, there is no doubt that most of the security flaws discovered in widely used software or protocols may endanger your organization without you even being aware of the hidden risks. More than that, the lack of tools, mechanisms, and procedures that aim to enforce a security baseline will affect your organization’s running business. 

But, in the last few years, a huge amount of time, effort, and resources have been invested in improving existing products’ security and building extremely powerful software to shield your organization. And so far, the good guys seem to have won this battle, as the time required for an attacker to get access to a target machine significantly increased over time. There are tools available in the market that set traps for the attackers, detect any suspicious behavior, or even predict a targeted attack based on a lot of metrics and events collected and processed in real-time. 

Even without special tooling and hardened configuration, the modern operating systems and servers have a pretty good default configuration and a continuously improving overall security. 

Can employees be a threat? 

The group of uneducated and unaware employees can be one of the greatest vulnerabilities within an organization. Unintentionally, they can cause a huge amount of harm unless properly educated, trained, and made aware of the potential risks and threats that surround them. With well-invested effort and efficient measures, these employees can be turned into the greatest asset that a company has. However, you need to present them with the right educational tools, whereby you create a mentality shift that could make a difference in an attacking scenario. 

Employees

 

“It is my judgment that the Internet itself is for the most part secure, though there are steps we know can be taken to improve security and resilience. Most of the vulnerabilities arise from those who use the Internet – companies, governments, academic institutions, and individuals alike – but who do not practice what I refer to as good cyber hygiene. They are not sufficiently sensitive to the need to protect the security of the Internet community of which they are a part. The openness of the Internet is both its blessing and its curse when it comes to security.” 
by Vinton Cerf, United States Congress Joint Economic Committee on 23 February 2000 

So, are the employees the real threat? 

Really no. The employees are what makes the difference between a malicious attempt and a successful attack. When the tooling fails (and it will fail for sure), the employees are the last resort and the greatest defense of your organization. 

Both in real attacks and during our simulations, a huge amount of malicious content goes undetected. Most security mechanisms will filter out obvious attacks based on the attacker’s behavior or previously learned patterns. But when it comes to a targeted attack, most of those resources will be specially crafted to look as real as possible. 

Actually, if you agree with the presumption that the employees are a security threat and could harm your organization, it may put you into a position where you should build walls around them and restrict them from any (unwanted) action. Sadly, this behavior will cause more harm than good because you will invest a lot of time and effort in the wrong direction (as said before, all those walls and tools will fail you at some point). 

You may be wondering why? Because we love a good brain teaser, we will answer this with two questions. 

  • Did you hear about The Pygmalion Effect? 
  • Who are more dangerous/lethal  sharks or mosquitos? 

Then why have we read so many stories that say the opposite? 

It’s the same as the story about the number of malware applications on Windows vs. Linux vs. MacOS. It’s about the attack surface. To be effective, any attacker aims to obtain a reward greater than the time invested in preparing the attack. To be sure of that, most of the attackers will exploit the most used application or the most popular operating system. 

As infrastructure security has evolved tremendously over the past years, attackers are forced to look for other entry points. In our case, these are the employees, and the reasoning behind it is very simple. There are more employees than there are organizations, and, in most cases, the attackers will need credentials from only one of them. 

In other words, one can expect to have a huge number of attacks directed to the employees because, from an attacker’s point of view, that may be the only way in. But do not forget that happy, involved, aware, and trusted employees are what you would wish for as a defense. 

Social Engineering? 

As you can see, there are many different points of view and many facts to support each one. So, we decided to dig deeper into this matter and to find a way to prove, without any doubt, that we could bypass the security measures and smart tooling to ship malicious content to the employees. And at that point, when the employees are the only and final defense, some will take brilliant actions to protect the company. 

The art of DeceptionNow we had our target clearly in mind, but not yet the road to get there. And none of our team members had any experience in social sciences. But a challenge is a challenge, and it will not be worth taking if it were easy. The first step was to devour The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick. As the world’s leading authority on the topic, Kevin Mitnick defined the security industry’s standard for social engineering testing. In his book, he explains that the easiest way to penetrate high-tech systems is through the people who manage, operate, and use them. He considers that humans will always be the weak link in your security, and no technology can change that – but experience can.   

Social engineering is an extremely effective technique used by hackers worldwide to compromise internal systems and proprietary information assets. In fact, it’s one of the top two techniques used by criminals to compromise organizations like yours.  

Essentially, malicious “social engineers” use manipulation, deception, and influence to persuade an employee or contractor to unwittingly disclose secure information. Or they use it to persuade someone to perform an action which grants unauthorized access to an organization’s information systems.  

Over the phone, in person, and online, malicious imposters are the undisputed biggest threat to your organization’s security. 

Having read the book, we wanted to be sure that we are on the right path, so we added the Influence: Science and Practice by Robert Cialdini. Now we felt confident that we could target the right emotions in our attacks. 

What would a Social Engineering attack look like? 

 

 

What would a Phishing Attack look like? 

Most of the phishing or scam campaigns are looking very much like the one presented in the following video: 

https://youtu.be/LiLS7U7YIdc

 

When it comes to default phishing campaigns, most of the time, they are easy to spot. They contain general information, the scenarios are not very credible (or are too good to be real), they impersonate the wrong people, and so on. Therefore, the general perception is that phishing campaigns are not dangerous for IT companies. Their employees have better cybersecurity hygiene, and such scams will not fool them. 

The problem arises when it concerns a targeted attack. If you wonder how that would look, the answer is very simple. It will resemble every serious and important email in your inbox. 

Let’s start phishing 

After a couple of weeks, we had finished reading and researching and could start the preparations for our challenge. 

The preparation phase for Phishing Attack Simulation

This phase mainly consisted of creating the required infrastructure to perform a phishing attack simulation. We don’t want to bore you with all the technical details; we will keep this section as short as possible. 

Our phishing attack simulation infrastructure contains: 

  • different web servers in different geographic locations that will serve the landing pages 
  • different mail servers in different geographic locations that will send the actual phishing emails 
  • management tools: 
    • logs and metrics aggregation – to be sure that all the components are working as expected 
    • custom dashboards – to ease the monitoring of active campaigns 
    • DNS servers – to have full control of our DNS zones 
  • different open-source tools:
    • Lockphish – it’s the first tool for phishing attacks on the lock screen, designed to grab Windows credentials, Android PIN, and iPhone Passcode using an HTTPS link.  
    • evilginx2  is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection. 
    • GoPhish – is a powerful, open-source phishing framework that makes it easy to test your organization’s exposure to phishing. 
    • King Phisher – the open-source solution from SecureState 
  • In-house tools – to be sure that we have complete control over the campaigns and that any potentially leaked data is stored in a very secure way. 

Information gathering phase 

Although building infrastructure is our day-to-day job, we became a bit scared by the time we reached the information gathering phase. Our preconception was that organizations tend to share very little information regarding their structure, internal processes, way of working, or culture. With that in mind, we were really scared that we would not be able to craft those very realistic messages and gain the trust of the employees of our target company. 

Let’s see if similar domains are available 

We started with just one piece of information; the official website of the YCorporation was available at ycorporation.phishing-simulation.yonderAfter some brainstorming, we decided to buy all the available domains that differ from the original one by one letter (like XCorporation, YCorporations,      YCorporotion, etc.). All of those emails were added to our mail servers, and we created an inbox that could catch all the emails sent to those domains. You won’t believe what kind of information people send to the wrong email address (with a typo) – but more on that later. 

What we can find on Social Media 

The game radically changed when we started to follow the social media accounts. The YCorporation was present and extremely active on LinkedIn, Facebook, Twitter, Instagram, YouTube, student portals, and some more. As you can imagine, that activity was a gold mine for us. 

After a couple of weeks, we managed to collect the following data: 

  • using information available on LinkedIn and Facebook, we put together a list with almost all employees containing their name, position, manager, hometown, picture, and much more personal information (like names of their pets); 
  • based on the technical presentation, we created a list of topics or areas of interest, technologies, and tools most likely to be used in their production environment; 
  • lucky for us, it is a trend to show how proud you are to work from home on social media, and organizations publish many print-screens of meetings or pictures of their employees’  setups/offices. This taught us the following: 
    • new employees name, aliases, and positions 
    • the preferred tools for meetings/chat
    • the preferred browser of some employees 
    • available hardware of the employees 
    • the used operating system
    • some of the application names that are available on laptops/computers 

Let’s see a job description 

On the website and LinkedIn, we found many job descriptions for various positions in the organization.  Sadly, we cannot use any of that information because we end up with a list of all the modern technologies available on the market after we put all those things together. 

I think we are fit for a new job 

You would be surprised how easy it is to get a job interview with any company with a profile that contains any existing buzz words and some Pokémons’ names. Yes, we are that evil! We’ve created an architect-level profile who just relocated to the right location and is looking for a new opportunity because the current company is affected by the pandemic. 

Because we didn’t want to use a lot of their time, we communicated mostly via email and refused the video call interview, but for our purpose, it had given us the insights we needed. 

We had gained the following resources: 

  • The email content formatting and branding 
  • The email address format 
  • Information regarding the open positions and company culture 
  • Information regarding the way of working and technologies used (the real ones, not all the tools available on the market included in the job description)
  • Overall information regarding the evaluation and team structure 
  • Last but not least, information regarding projects, clients, and partners 

Oh, my data 

Scary, right? All this information was out there waiting for us to put it together. With all the collected data, we were ready to go to the next step. 

Please be aware that collecting that data without approval is not allowed. To use such data is a direct violation of the General Data Protection Regulation (GDPR) – in Europe. 

See you soon for part two

And here ends the first part of our article. Thank you for letting us share our story with you. If you want to know how this story ends, please look forward to the second part, “An unexpected journey,” that will be available soon.  Until then, we would love to hear your opinion! 

Alex Coman – Cyber Security Engineer

If you want to find out more about protecting your organization against phishing attacks, then send us an email and we will get back to you.

Interested in other posts from our Cyber Threat Aware team? Click here.

STAY TUNED

Subscribe to our newsletter today and get regular updates on customer cases, blog posts, best practices and events.

Subscribe