When thinking of phishing, you might think of ‘Winning the Nigeran lottery’ or ‘Paying a small holding fee so that a prince can make you rich’. These were common attempts back in the day and the aim was to trick you so that you would send the scammer money. Since then, Phisher-men and women have evolved and are now using new techniques. What these people want though are very different things. Nowadays these types of attacks aim to steal personal details, credentials, money or even to infect the users machine.
For some phishing attempts are easy to spot but for others, not so much. Before, it was just a single person who would be affected by a scam/phish. Nowadays, it could be a whole organisation that gets breached due to one little phishing attack.
Although security systems such as email gateways can help prevent against 90% of these attacks, education is still the most effective way to protect yourself against these attacks. Without education, phishing will still be the most attractive method of attack.
With all this babble about education though, I imagine some of you out there are wondering how these attackers actually phish. Below are a few techniques and tools which attackers may use in the field. This is intended to educate people so that they can understand how to protect against them.
First, the attacker will decide if they are going to do a mass phishing campaign or focus their efforts on one or two targets. Both will require the attacker to get hold of contact details. The more information they can obtain, the better the phish.
There are multiple ways that they can find email addresses.
- Company website.
- Social media: Facebook, Twitter, LinkedIn.
- Purchase them online.
Using Google Dorks:
- Find email lists: filetype:xls inurl:”email.xls”
- Find based on domain: site:companydomain.com filetype:xls inurl:”email.xls”
Using tools such as TheHarvester.
Using tools such as TheHarvester.
TheHarvester is a tool which can pull email addresses from multiple data sources. It comes preinstalled on Kali or can be cloned using
Git clone https://github.com/laramies/theHarvester
To find Gmail accounts from Google, we would use: theHarvester -d gmail.com -l 500 -b google
If you were to target an organization, you would obviously use their domain. There is more than Google out there and other data sources can be found on TheHarvesters Github (Link above).
Once we are happy with our email list, we can do a bit more research to find out who can be used as a target. Searching Google or Pipl with their email address can help you identify online profiles. Once you have this profile, you can expand it by using tools such as Sherlock.
Sherlock is a very useful tool which will span across many sites finding profiles which match your criteria. For example, profiles which use user123:
The information they gather can be then used against you.
More recon techniques: https://ctrlaltdel.blog/2019/04/19/how-exposed-are-you-on-the-internet/
Now that we are happy with the list, we can now validate them. This is important as the email addresses you have obtained may be outdated or no longer used. You could use: https://trumail.io/ or by sending a basic email from a trusted mailbox. What you are looking for is one of the following:
- Bounce back: Mailbox disabled
- Out of office: May contain further contact information. “I’m OOH, please contact so and so….”
- A reply: The user could potentially be a target due to falling for this.
- Nothing: The mailbox is live. It could have been stopped by an email gateway but as we are just sending a simple email from a trusted email provider, it’s unlikely.
The email will be less likely to be blocked on the other end if it doesn’t contain any phishing traits. It could simply be sent from Protonmail or Gmail and read:
I’m sorry but I won’t be able to make Monday.
This angle is quite good as the user will either think that you have sent it to the wrong person by mistake or they might question why it was sent to them. You may even get a response form some due to their kind nature. Either outcome is fine as you are testing the waters at this point.
At the point, the attackers will either continue the phishing campaign or sell on the information they have gathered.
Once we have a few targets and our recon is complete, we need to review our finding and figure out how we are going to Phish. There are multiple phishing methods nowadays, so let’s run through a few.
This is phishing over voice. An attacker will aim to convince you to give them personal or financial details over the phone. They will do this by using several social engineering techniques. They will often do some reconnaissance first, so that they can use their findings to try and verify who they are. It’s not just bank details though. Vishing attacks can be targeted at the service desk. For example, if the attacker knows the username but not the password, they could ring the service desk and try and convince them to reset, and share it.
This is phishing through SMS. You might think how someone can phish me using text, but you would be surprised. Because smartphones have access to the internet, they can be used to harvest credentials. If the user clicks on a Smishing attempt, it will most likely load a fake site that mirrors the company which they are pretending to be. The text could say:
Your recent payment of £500 can be viewed here: https://paypaI.support ”
Once the user clicks, the link it could take them to a fake Paypal login page which steals their credentials. You can’t just use the Paypal name I hear you ask.
No, but that is why you could use character masking. The URL above actually reads paypai.support in lowercase. Since hyperlinks aren’t case sensitive, techniques like this are used all the time.
If not this, we could use a tool called DNStwist.
Git clone https://github.com/elceef/dnstwist
Running this command with give us a load of variations of the requested domain. In this instance, ctrlaltdel.blog. There are many different variations dnstwist uses:
Addition: Letters added to the end of the domain.
BitSquatting: Changing one character for another.
Homoglyph: Using alternative characters that look similar to the original.
Others include, Transposition, Vowel-swapping and Various.
Others include, Transposition, Vowel-swapping and Various.
To be more convincing, the attacked might also purchase the domain and apply the SSL cert to their fake site. This is so the user doesn’t see an unsecure icon or prompt from their browser.
This wouldn’t work for all though, so they might use other techniques such as:
Although this does read paypal.com,
the domain is actually confirmation-manager-security.com.
The site itself could has most likely been mirrors by using tools such as HTTrack: https://www.httrack.com/
This tool allows you to clone a live site so that it can be used for an evil twin.
Smishing attacks will often be sent using a burner phone or an online service such as https://www.sendatext.co/
Below are some Smishing attempts I recently received. This is pretty obvious to me as;
1: I don’t bank with Halifax and 2: I didn’t enter a survey.
Search Engine Phishing
This is a slow burner. The attacker will create a malicious site and try and get it listed on search engines such as Google. The will aim to use certain keywords in order to match your result. They can do this by masking their site and making it appear like a genuine company. The most common attempts are:
- Employment sites which have amazing job opportunities.
- Low credit card rates.
- Amazing discount or giveaways.
- Cashback sites.
- Emergency warnings.
All of these will aim to obtain personal details from its viewers. For example; The employment site might require you to fill in an application form. This will then have you fill in a bunch of personal information which the attacker can then use.
This is a targeted attack. Instead of sending mass phishing emails to an email list, the attacker will aim to attack certain individuals. This method is the most common as Is believed to have a higher success rate.
This is phishing the “big players”. The attacker will aim to phish employees which hold the roles such as CEO, CFO or COO. This is because they are of higher importance to the company and may have sensitive information. They can also be used to spread malware for further phishing attacks. If the attacker manages to steal the CEOs credentials. They could look to send out a mass internal email which contains a fake URL or payload. Because the email will appear to be genuine and come from the CEO, employees will be more likely to click on the link.
As you can see, phishing comes in many forms but even today, the most popular method would be through email. I imagine because the toolsets out there allow them to send out a mass phishing campaign with a few simple clicks. Plus, nowadays, emails are our life so it’s more likely to reach a victim. The attackers won’t be using their personal email though. They will most likely create a purpose-built email address or use a disposable service.
Below was taken from a popular site which allows you to send spoof emails online. As you can see, I’m manually inputting my email address. This is so I can send spoof emails and try to convince the user that I am someone else.
As you can see, when it hits the mailbox it matches my input despite me not owning that mailbox:
This is because no security measures are in place. DMARC, DKIM and SPF will help you to fight spoof emails as it will do a number of checks before it accepts the email. Things like this will help you fight against spoofing attacks although they can be tricky to setup.
If not through a web service, they will use tools such a SET which comes preinstalled on Kali and ParrotOS. https://www.trustedsec.com/social-engineer-toolkit-set/
This tool allows you to attempt multiple attacks. For phishing though you will require an SMTP server. Attackers will look to use open or exposed SMTP servers though as there is a chance it will be trusted. It also means they don’t have to spin one up themselves or pay. These can be found on sites such as https://www.shodan.io/.
Essentially what these attackers are doing is going to these exposed SMTP servers is telling them who they are. These servers don’t bother to check and simply forward the email based on the information they are given (From the attacker). If I say, I’m firstname.lastname@example.org, the server will send the email as email@example.com.
Attackers don’t have to spoof their email though, they could create a free account with Gmail, Outlook, Yahoo or purchase an official domain which comes with a mailbox.
Remember above I mentioned about purchases SSL certificates from GoDaddy. When you purchase domains, you have the option to get a mailbox created. This means you can send emails from a trusted source and appear to be genuine. Most will stay away from this as there will be an audit trail. Instead they may look to use a disposable mailbox.
More about disposable mailboxes: https://ctrlaltdel.blog/2019/04/15/disposable-services/
That’s it for now. Attackers are evolving day to day and new techniques are being discovered in the wild. There are a few things that you can do however to help protect yourself.
If it’s important, go
If you get an email from the “bank” that warns you about unusual payments and it has a link to click on, don’t. If it’s important, go direct to the banks website, login and check there. This goes the same for texts and voicemails. Instead of ringing the number they have given you, go direct to the site and ring the official number. Going direct may take a few seconds more than simply clicking on the link but may save you from being a victim. This goes the same for any login pages.
There is no harm in
Scammers will often push a sense of urgency so that they can push you to do something without questioning it. Nowadays, no one should argue with you if you double check a large money transfer or unusual request. Companies are now being fined thousands due to data breaches caused by phishing attacks. You sending an email to the CTO double checking if it’s him requesting to send a large amount of money to an unknown company will not get you in trouble.
The Signs are there
There are multiple education posters, videos and articles on how to spot phishing attempts. Take 5 minutes just to skim or read through them. Some of them aren’t always boring such as Googles quiz: https://phishingquiz.withgoogle.com/
If it doesn’t look
If you get a strange email or text and you have a security department, flag it. Again, there is no harm with double checking a potential phish. You might even uncover a larger attack.
If you weren’t
expecting it, flag and delete
If you get an email about an invoice which you were not expecting, don’t open the attachment or click any links. People don’t just send invoices for the fun of it. If it looks legit, flag it. Just say, you weren’t expecting this, but it looks important. Can you check it out please?
Don’t rely on
The fact of the matter is, there is no tool or method to 100% protect against Phishing. It just can’t be done. As I explained above, sending an email from Gmail will not be flagged or blocked. The IT department won’t be searching and checking all the companies emails to check if they are real or not. The responsibility nowadays lands with you. Security is everyone’s duty.