Sharing their pentesting experience, Martin Bos and Eric Milam outline the stages of a spear phishing attack and analyze email harvesting as a starting point.

Martin Bos: Here are our obligatory statistics (see image); every presentation has to have some statistics. Like I said, these are more for the corporate type users we were talking to, but this was a survey done by Proofpoint at the last big Microsoft conference, and they interviewed about 350 organizations. 51% of them believed that they had fallen victim to a spear phishing attack, and more than 1/3 of those 51% believed that their spear phishing attack had resulted in some type of compromise, malware, login credentials, whatever. So, that’s quite a bit. We do a lot of target research, so this is basically the anatomy of how an email attack works (see left-hand image). This is the difference between a spear phishing attack and a regular phishing attack. A phishing attack doesn’t require any research; we just send the email out to as many email addresses as we got off that Iranian web board that we could find.
So, we’re really invested in step 1: we spend a lot of time researching our targets, and we’ll show you one of the main tools that we use. We like to not only find email addresses for a specific company that we’re targeting, but we like to find out where they live, which people are working in the same office, and the most important thing that we like to find out is what position those people actually have, because we like to filter out people from the IT department and people that might otherwise find a phishing email fishy and report it.
The people that we like to target the best are HR departments, because, you know, their entire job is to sit at their desk and open up PDFs and macro-enabled Word documents all day long – that’s their job. See, so you can’t fault those users for opening suspicious documents all day long.
Eric Milam: That research also gives us an ability to find out what they are running in their environment so we can build our payloads accordingly. If it tells us on a LinkedIn job board what AV they’re running, or they are looking for something specifically, like a McAfee implementation or Symantec or whatever it is – it gives us a better idea, based on what we’ve done in the past, with our payloads and what we might need to incorporate and implement.
Martin Bos: Like Eric was saying, we use the email addresses to search message boards. We take ‘company’.com and do some Google searching to find the Juniper forums, and we find some guy that’s like: “Hey, I’m trying to get my Juniper firewall working, and I’m having trouble with egress filtering these three ports, and here’s the config.” We love it when people do that, and we especially love it when you post for a job on LinkedIn that says: “We need a Symantec expert,” then, of course, they have Symantec AV. That type of stuff helps. So, doing your research, just like in every situation, really helps on executing a proper spear phishing attack.

Eric Milam: As Martin started talking about email harvesting, we gather email addresses for the target; there are tools there at the bottom (see image), and we’re going to go through one for you. The good thing about the tool that we’re going to show you is that it actually shows you the department the person works in, where they are physically located, what city/state, what their job title is. So, it’s really easy to say: “Alright, this guy is in network architecture, this guy has Security in his title, so we’re going to go and remove this person, because that’s someone that’s going to raise a red flag right away and maybe do some DNS blackholing to get our site, so that their internal sites can’t get to it.”
So, we use Goog-Mail, Goohost, The Harvester, custom scripts, again, LinkedIn, but the one that we like the best is Jigsaw. How many people have heard of Jigsaw, just the website Jigsaw? The cool thing about the website Jigsaw is that it’s basically from salesforce.com, it’s for people to hand out business cards. If you hand out your business card, then they take that business card and they upload it onto this website, so that’s how we know what names and titles of these people are.
If you pay for this service, you can also get the phone numbers and actual emails out. But most of us know that most email addresses are going to be first initial and last name, or first name dot last name, and even if they’re not, I think you can make up your own: if you’re like firstname.lastname@example.org, there are still probably aliases on the back side of the Exchange server that are created with first initial and last name, and they’ll still point to that email address. We’re going to go ahead and demo for you the Jigsaw scripts real quick. This was written by a guy that actually works for us. Jigsaw recently implemented cookies, so we’re working on getting the code updated to get it working.