In this section, Martin Bos and Eric Milam discuss the nuances to be taken into account for an optimal phishing attack implementation workflow.

Martin Bos: The next thing we do is we have to create a scenario. How are we going to get these people to click on the link? So, the first thing that we like to do is register a real domain. You know, back in the day there were all these email phishing scripts that you could use from the command line, but email filters and fancy appliances have way surpassed that, they don’t accept emails from root anymore.
So, what we like to do is register a real domain with GoDaddy, because they’re so cool – they give you one free email address with every domain registration. So, what we found in analyzing most of those email appliances is that the one major thing that they drop emails on is reverse DNS. So, if there’s no reverse DNS set up, they will drop your email automatically. So, what we like to do is register a real domain and we get a real GoDaddy email address with reverse DNS, and it’s legit. We’ll show a little bit more how we do that in a second.
The next thing we do is create a scenario: what are we going to use the phishing for? The one that we always try to use on pentest is targeting open enrollment. 401k, health benefits – all that kind of stuff never gets approved, not one time have we ever had that scenario get approved, because, apparently, messing with people’s health benefits is not cool.
Years ago we used to do a work from home one, which was pretty good: we would send out an email that said: “We’re only selecting 50 people for a pilot program to work from home on Fridays. Just fill out this survey, do not forward this to any of your friends,” you know, all that kind of stuff. That would work really well for a while, but work from home started getting flagged by email servers, because, I guess, there was another phish like that on the Internet.
Another one that gets flagged all the time is the OWA upgrade. The only reason we use this is that we have some clients that are not security-mature enough for some of the email attacks that we use, so they’ve asked for something a little bit dumbed down to give their users a chance.
A few years ago there was a giant OWA upgrade phish across the Internet, so we’ve actually copied that, and we use that sometimes when companies are just starting out, because, like I said, our goal is not to embarrass their users; our goal is just to conduct a successful phish so that everyone can see what happens. So, we have an OWA one; it’s got misspellings on the website and everything in order to sort of give the users a chance.
But our absolute favorite one is the security report, and that’s what we’re going to show everybody today; cat’s going to be out of the bag, I guess, but it doesn’t matter. We use the security report because it works everywhere. Every single organization has security, and every single organization always has some kind of random people walking around that you’re not really sure what they’re doing, especially in IT: we’ve always got some consultants in there or some people doing risk assessment or something.
And so, what we like to say is: “Hey, this company just had a security audit,” and people would be like: “Oh, that was those weird-looking guys that were walking around last week.” And then we also like to throw in there: “We’ll show you the whole email,” but we also like to throw in there that some people got in trouble, some people weren’t following security policies. That piques people’s interest; they’re like: “Oh my gosh, I got a ‘C’, who got in trouble?”
Eric Milam: A lot of the time they think it’s them: “I got to look and see if it was me, maybe I got tricked,” and they are basically getting tricked this way.

Martin Bos: Alright, these are the five steps that I like to follow when I’m creating the email (see image). The subject is the most important part, the subject line that comes up in your email client, because if that’s not good, then nobody’s going to open the email. It’s got to be easy to read; you can’t write these things with a PhD, because it won’t be realistic. You have to write in normal people corporate type language – obviously, depending on the organization that you’re going to be at.
If you’re targeting some farm machinery organization in Kentucky, you might want to throw in a couple of y’all-s in the email, and I’m from Kentucky, so I’m not making fun of us. But I’m just saying you want to make it easy to read and conducive to the people that you’re sending it to. And along those lines it should be legit, so there shouldn’t be any misspellings and there shouldn’t be any grammar issues. I mean, I don’t know about you, but when I send an email out to my entire company, I proofread it 5 or 6 times, because I don’t want to look like an idiot. And so I spend a lot of time making sure that my email is perfect.
Give the users a reason to click: obviously, you have to get them to execute some kind of action; the days of just opening an email and being infected with the black plague are over. People have to click on something, they have to accept something, they have to run something – they have to do something, so you have to give them a reason to click.
And, I already touched on that, but make it fit the organization. The example that I use is if we know the organization has 85% part-time employees, we would not send them a phishing email about open enrollment. Why? Part-time employees don’t have insurance, so it wouldn’t make sense.

Eric Milam: So, here’s our standard phishing email (see image). Basically, what we do is we always end up sending that from information security, which is infosec@ – in this case it’s Humana-portal.com. So, what we do is when we set up the domain, it’s usually ‘(company name)-portal.com’, and when we set up our server, we just add ‘secure.’, whatever, as a subdomain. I put everybody in the Bcc line.
So, here is our basic layout. What you’ve got here at the bottom – I spent about 5 seconds googling it – is the Humana logo, I put that in there. We’ve got the actual address and phone number. What we were talking about earlier, when I sent out the initial email, the Jim Smith email, sometimes I’ll actually get the phone number for their internal help desk – that’s good to put in there: if they start calling their help desk, everything looks legitimate. We’ve got the bold in the right place.
There’s a link in the email; one of the things that users always do is hover over the link to see if it actually goes where it says it’s going to go. We always make sure it does; that’s a level of trust there. When they hover over there, it goes there, so it’s not any type of obfuscation.
But, basically, what it says is: “As you know, security is an integral part of our aspect; and recognizing that, we performed an audit; based on that, we were able to see that some employees and contractors didn’t adhere to our policies, so the auditors were successful in compromising systems and people, and all kinds of stuff.”
What we end up telling them is: “Hey, it’s your duty as a member of our company or organization to go out, sign in to this secure website, download it and read it. It’s up to you guys to help us protect ourselves from spear phishing attacks.” So, farther down in the original email it actually has that legal footer down there. All these little things help build trust when someone actually looks at it. The email looks professional, it’s spaced correctly, we’ve got the right signature line – everything looks good, everything looks legit.