Overall, the infosec community has done a relatively good job in securing systems. While a measure of restrained back-patting is called for, we shouldn’t forget that social engineering and humans remain the weak link – and attackers know this.
In this extended blog, we’ll cover a range of the different techniques attackers of all persuasions (whether sophisticated nation state or low-level hacker) choose when performing their phishing campaigns. By looking at details revealed in law enforcement indictments against nation state and organized criminal campaigns, as well as the tips and tools being shared by actors on cybercriminal forums and messaging applications, we can make sure that organizations are prioritizing the right controls and training policies to best protect themselves in 2019.
Harnessing the Power of Social Media
Phishing tactics are used widely, from state-level actors to low-level spammers. The indictments issued by the United States Department of Justice (DOJ) in 2018 have underscored how effective phishing can be, even in large network intrusions conducted by suspected nation state actors.
One example is the September indictment against a North Korean regime-backed programmer associated with a series of campaigns, including the Sony Pictures Entertainment attack, the Bangladesh bank heist and the WannaCry outbreak. This indictment confirmed that even proficient attackers used a variety of pretexts to convince targets to click on the link in their phishing emails, including masquerading as Facebook or Google official notification emails. As well as approaching victims by email, the attackers also sent messages directly through social media sites such as LinkedIn.
Figure 1: Phishing email impersonating Facebook notification as detailed in September 2018 indictment against a North Korean regime-backed programmer (Source: justice.gov)
School of Phish: Tutorials and Template Services For Novice Phishers
You don’t have to be a state-backed programmer to achieve these social engineering stunts. Even the least sophisticated threat actors have access to a wide variety of forums and groups where they can learn the latest phishing techniques, as well as purchase step-by-step tutorials and phishing templates to conduct their own campaigns.
Figures 2 and 3 taken from the Exploit[.]in sub-forum dedicated to social engineering show sellers offering 40 templates for phishing on well-known sites such as Gmail, and a tool to create social media phishing pages.
Figure 2: 40 templates for phishing on well-known sites (e.g. Gmail)
Figure 3: Blackeye v1.1 tool offered on Exploit[.]in, allowing creation of phishing pages on social networks
The Burden of Spoof
Given that users are more likely to open an email when they believe it has been sent by a legitimate sender, phishing attackers often choose to spoof or forge the email header in their messages to increase their chances of success.
Email spoofing has been around for a long time, but it is still going strong. Both the North Korean indictment and the earlier indictment issued against the GRU (Russia’s Military Intelligence agency) demonstrated the use of email spoofing as a viable tactic for initial compromise. In the GRU case:
“The attackers “altered the appearance of the sender email address in order to make it look like the email was a security notification from Google (a technique known as “spoofing”), instructing the user to change his password by clicking the embedded link.”
Phishing tutorials (or “starter packs” traded on cybercriminal forums) focus heavily on spoofing tactics. In Figure 4 (below) taken from a phishing tutorial thread from the KickAss forum, the poster describes the basic steps novice cybercriminals need to take to successfully send emails to steal credentials from their victims (highlighted in Figure 5).
Figure 4: Phishing tutorial offering high-level steps to performing phishing attacks. Posted on KickAss forum
Figure 5: Anatomy of a phishing attack as outlined in KickAss forum post
Of particular note in this phishing tutorial is the inclusion of email spoofing techniques to impersonate a legitimate organization (highlighted in green in Figure 5). The poster on KickAss recommends that phishers “host the fake email SMTP server (php) which will send emails with authentic address eg firstname.lastname@example.org (sic)”.
Spoofing an email is a relatively easy process. An attacker needs to create, compromise or find a Simple Mail Transfer Protocol (SMTP) server that allows the forger to send the spoofed emails. Some attackers will look to compromise an existing site with an SMTP server, for example one used to send marketing communications, although a level of technical understanding is needed here, which may put off the most elementary of phishers. Novices might instead look to purchase a compromised server, which are commonly traded among threat actors on forums and marketplaces.
While creating or acquiring the mail server may be fairly painless, the difficulty for less-sophisticated phishers will be in ensuring their emails don’t end up in spam folders. This will require some level of knowledge and understanding to configure domain name system (DNS) records for the server, as well as preventing the hosting IP from ending up on blacklists.
Phishing Pages Made Easy: “They Do It With Mirrors”
Steps 4 and 6 in the anatomy of a phishing attack outlined in the KickAss forum post (Figure 5 above) encouraged phishing actors to create a clone of legitimate website as well as an impersonating URL they could include in the email body. In this case, the poster suggested using Metasploit; however, there are a number of other tools being recommended by users to reduce the barriers to entry needed for conducting phishing campaigns.
One service that has proven popular among aspiring phishers is a website cloning or mirroring service known as XDAN CopySite. The service allows users to simply enter the domain of the website they want to clone, and it produces a static version of that site within seconds. This tool has been shared widely on forums and messaging applications by users looking for phishing tools and services (Figure 6).
Figure 6: URL links to XDAN Copy Site shared across forums and messaging apps
Cloning services such as these will generate an html file – or series of files for more complex sites – that phishers will then host on a website using an acquired domain. This will usually be a domain squat or a domain simulating a legitimate service.
While these mirroring platforms may help aspiring phishers, those wanting to clone more complex sites with login fields will need some hands on work to add credential harvesting PHP scripts. This might explain why the KickAss forum user suggested using Metasploit specifically; platforms such as Metasploit or Social Engineering Toolkit (SET) can reduce the barriers to entry further by automatically adding a credential harvesting script and even hosting the web server for the attacker.
5 Ways to Reduce Phishing Risks
Going into 2019, it’s safe to assume that phishing and social engineering will continue to pose great risks to organizations of all sizes and industries. As demonstrated in this blog, the phishing techniques employed by the most sophisticated adversaries are largely similar to those being discussed by zealous learners on criminal forums. With templates, tutorials, cloning platforms and phishing services littered across the cybercriminal ecosystem, it appears a new generation of hatchlings are already trying get in on the act.
Despite barriers to entry seemingly falling day by day, organizations can still employ a wide variety of measures that can help them stay afloat and clear of phishing threats. These include:
- Limiting what information your organization and its employees share online, including on social media sites such as Facebook and LinkedIn. The most successful phishers will perform detailed reconnaissance on targets, so they can craft the most effective emails and social engineering lures
- Monitoring for registrations of typo- or domain-squats that can be used by attackers to impersonate your brand, send spoof emails and host phishing pages
- Implementing additional security measures such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM). These can make the spoofing of your domain more difficult. Check out our detailed practitioner’s guide to combating email spoofing risks.
- Protecting your accounts in the case that phishers do manage to steal user credentials. Two-factor authentication measures should be mandated across the organization and implemented wherever possible
- Training your employees in how to spot phishing emails. More importantly, they need a clear and recognized reporting method to alert security teams to suspected phishing attempts. Eventually, a phishing email will fall through the net. Employees need to know how to react to these quickly and should not fear any repercussions of being the victim of a social engineering attack.
For additional phishing prevention guidance, we recommend reading the UK National Cyber Security Centre’s multi-layered approach to phishing defenses.
To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.