It’s Monday morning. Your e-mail inbox icon lights up with a new message. It’s a note from your CEO, describing a procedural change and inviting you to open an attached Word document to view the details. You are relatively new to your job, and you are eager to make a good impression, so you quickly open the message and prepare to dutifully dive into the directions.
I knew you would do this.
I knew it two weeks ago, when I started researching your daily routine and getting to know your habits. I knew you would be quick to open the message, with the affinity you have for the CEO that you’ve raved about on Twitter. I suspected you would fail to follow company protocol to double-check the e-mail domain of any incoming message. And I knew that you would be off your game this morning, after last night’s concert that you posted about on Facebook.
Little did you know, the message wasn’t from your boss. It was from me: your friendly neighborhood hacker. Luckily for you, I’m a good guy; a hired gun known as a “Red-Teamer.” I was tapped by your employer to identify vulnerabilities in your company’s security, and you just revealed a big one.
Strategizing a phishing scam
Just like any hacker, Red-Teamers invest significant time and energy into getting to know the target’s daily routine so that any phishing scam blends into your daily life naturally. I like to think of it as a personal approach – stepping outside of myself and trying to think with the mind of my target. I’ll seize on any vulnerability. For instance, when targeting corporate employees, I look for individuals between two to five months of employment. Why? Because it allows me to target the individual when he or she is still in that awkward transition phase – not yet fully settled into the corporate process, making it more challenging to decipher what is normal and what is suspicious. Diabolically, this increases my chance of success substantially.
Social media adds a whole new world of opportunity. Information that was once a valuable commodity is now given so freely. With just a few mouse clicks, I can find out virtually anything about a target: their favorite sports teams, their dog’s nickname, their last vacation spot, and even details about their work life such as their title and how long they’ve been with a certain company. The harvesting of this publicly available information is called “Open Source Intelligence Reconnaissance.” It is the critical first step in any successful phishing campaign.
Based on intelligence gained from a previous employee who worked at a given organization, I can deduce the type of application used to verify official documents, providing valuable insight into corporate procedure. To generate target emails, all that is required of us is to mimic the general outline and work flow of an email using View Source – simple enough. The next step is to find the right individual to use as the “sender.” Someone from in upper management, HR or accounting usually does the trick. Better yet, I could even create a friendly email from the CEO directly, welcoming the target to the company, with a document containing “information” about his or her vision and how to be successful in the company. When it comes to creating the body of the email, creativity is key – aided by all the information gathered from our Open Source Intelligence Reconnaissance.
If I don’t feel like going through the trouble of spoofing the email address, I can always easily purchase a domain that is close to the real thing. For example, say I want to bypass a spam filter, buying a domain similar to Company XYZ, like Company XYY, or even better yet Company XYZManagement, can completely bypasses the spam filter since the domain has yet to be flagged as spam. Taking a closer inspection at the framework of malicious emails, there are usually two main threats or “hooks,” a malicious link, or malicious file attachment (i.e. a macro phish, or a credential phish). Utilizing our recently gathered Open Source information, the malicious link could potentially redirect/send the user to a fake login page to harvest login credentials. Or if an attachment is used, the malicious file has to be doctored in some form that fits in with our targets daily work flow.
Target confirmed: Prepare to phish
Now that the target details have been established, it’s time to bait the hook. The hook usually represents an exploit that is used to gain a foothold in the organization. Most companies use Word documents on a daily basis, so what better way to obtain a foothold in an organization then to create a malicious Macro that you embed in a Word document? Once the user accepts the prompt asking for the Macro to be ENABLED, the unsuspecting victim’s computer will create a reverse connection to our secure Command and Control Server, and we will now have full control. The final step is to evade Anti-Virus software. After various tests, a creatively encoded Macro finally emerges from the depths.
All the preparations have been set: weeks’ worth of investigations, planning, trial and error, has ushered in the campaign’s zenith. Now is the time for me to put myself in the target’s shoes and create the perfect bait…
It’s Monday morning. Your e-mail inbox icon lights up with a new message from your CEO, describing a procedural change and inviting you to open an attached Word document to view the details.
Do you open it?