A Little Backstory
There is a lot of content online that is focused on introductory level concepts about detecting and stopping phishing. This document is meant to act as advanced reference material when conducting an advanced phishing campaign.
Phishing is more art than technical, more human than artificial, and more dangerous than a misconfigured firewall rule. Poorly constructed phishing emails are still successful today, so cybercriminals have little incentive to change. The famous Nigerian prince scam would be most people’s introduction to phishing, and it's still successful today. Even with a scam so old and well known, there are social engineering tricks in it that can still be learned from. This is fine if we’re only trying to steal data or trick someone into installing ransomware and the victim is irrelevant. When targeting a single organization with competent email filters and security awareness training, the task becomes more difficult. An email littered with grammatical errors, broken images, and a from field of bankUSA2007@sbcglobal.net is not going to cut it.
The Building Blocks
Social engineering is the core of a successful advanced phishing campaign. So what makes a social engineering engagement successful or not? Information is the short answer. The longer answer involves understanding how a person thinks and what their priorities are. Most of this can be found with good OSINT. The majority of people overshare useful personal information publicly online, and even a person with good OPSEC may be exposed by a friend with poor OPSEC. Good questions to ask yourself when considering your target include:
- What does this person want?
- How can I validate that want?
- How can I provide that want to them?
The list of useful questions for framing our phishing campaign is endless, but these are great to get started. Ideally, our victim is empowered to click the malicious link, or open the malicious document. Most people want to be helpful; it is much easier to ask nicely for the desired behavior than it is to approach from a position of power. A boss’s demands are easier to ignore than a boss offering praise, or politely asking for help. If we are to define manipulation as making someone do something they don’t want to do, then social engineering could be defined as helping someone do something that they do want to do. So then the question becomes, what does this email look like where a person wants to be phished? Let’s create a scenario where we can answer the above questions and formulate one possible successful email. The target is going to be the Director of Educational Technology at a private school in the US. From doing good OSINT, we can determine he’s in his early 40s, has a family, and posts inspirational quotes on his Facebook wall. This is enough information to get started if we keep culture at the front of our minds.
What does this person want? There may be a different answer between personal and professional, but there is overlap. In his early 40s, with a family, most of his major milestones have passed. In this case, identifying the important want is straightforward. He wants to be understood. He may personally want a pool, or professionally a raise, but more importantly, he wants to be understood. This can be chained with other simpler wants like having an easier day at work, or being appreciated in his work community. Sending a new edtech tool his way via email demonstrates a level of understanding, even if it’s not deep or significant. Whether this is spoofed as a colleague or boss, or you claim to be a teacher at another school and you’d simply value his input, it is effective because it validates his wants. By making it personal in a positive way on his terms, engagement is driven up and he is more likely to overlook red flags that may otherwise kill the phishing campaign. In other words, he believes because he wants to, not because you want him to. By answering the first two questions, we have a roadmap for the final and most important question.
Let’s examine what this email might look like with what we’ve learned so far.
from: Dade Murphy <firstname.lastname@example.org>
to: Richard Gill <email@example.com>
date: Feb 10, 2020, 8:15 AM
subject: Remote Math Exam Tool
I’m a math teacher at [local but not too local high school]. I found your email in your school’s directory and wanted to reach out regarding this tool to help simplify taking remote math tests. I’ve been struggling as a teacher with remote assessments due to COVID and I would value your input if you think this tool is worth the investment. I’ve attached a sample exam as a Word file if you want to check it out. You will need to click Enable Contents, but other than that it should be pretty self explanatory. Let me know what you think, I look forward to hearing from you!
Several phrases in that email are highlighted because they are important parts of the social engineering process. Going in order:
- The time of the day you send your email is important. Teachers start early and you want your email to be the first thing in their inbox. This is disarming because people are not fully awake, and are more likely to knock out easy items before the day starts properly.
- Establish who you are immediately, no one wants to guess who, why, what, etc.
- Staying close to the community is important, it wouldn’t make sense for a teacher from Florida to email someone in LA, but San Diego to LA is plausible. You should stay away from being too close to the community where the target may have too much knowledge and will spot the fake right away.
- This plays on the desire to help people, especially people within your community (as a fellow teacher etc.)
- This gives some real authenticity to the pretext by playing on something that is happening outside of our phishing campaign. The target doesn’t have to guess as to whether that part is phishing because they can pull on their own personal experiences and difficulties.
- We value their input because it makes them feel good. People want to help, but they also want to be respected in their communities.
- This particular pretext works better as a malicious attachment because a web page would not need a login page to see the details of this new tool. More importantly than that, by attaching it we’re empowering them to get phished. After identifying want, and providing want, your job is to remove as many hurdles as possible to allow your target to get the want.
- Framing is important. Your target should have no surprises during the entire process up until they actually get phished. By telling them ahead of time that they’ll need to do something additional, they’ve warmed up to the idea more than if it’s a surprise for later.
The rest is common email etiquette. Always be clear and at a minimum polite, if not friendly. It is common for a phishing email to fail for any number of reasons. The only failure is once you’ve given up.
Your email is likely to get through in the scenario laid out, but there are still some challenges and enhancements to manage. The biggest problem with our email in this scenario is that any competent email filter is going to detect a Word document with macros from an unknown sender and block it. There’s more than one way to bypass this, but I’ll reference my personal favorite technique: remote macro-enabled template injection.
Email filters wrongly assume that .docx files are safe because they cannot contain macros. It’s true that a .docx file cannot contain a macro on its own, but it is still perfectly capable of executing one. We can load a macro-enabled template into our document and then execute our payload. Word documents are essentially zip files, which is easily demonstrated by renaming the extension to .zip and opening it. Inside that structure there is a file named settings.xml.rels. This is where the document declares whether it uses a template, along with the local link to the file to load when the document is opened. That link can be replaced by a URL that hosts our malicious template, so the document downloads its payload just in time to execute. As a bonus, the payload can be hot-swapped or disabled without visibly breaking the Word document. This technique bypasses most email filters because there is simply no macro present at the time the attachment is received.
A brief note for blue teamers: to defeat this, the simplest approach is to sandbox the attachment and observe its behavior. Because the location of the template reference is standardized, it is not difficult to quarantine and investigate attachments whose template reference is a URL.
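The static check described in that note, as an added example written for this page (it is not code from the original article). It relies on two facts about the OOXML package: the settings relationships part lives at word/_rels/settings.xml.rels, and an attached template is declared there as a Relationship whose Type ends in /attachedTemplate. A locally installed template (Normal.dotm, for instance) is also declared with TargetMode="External", so the discriminator is the target itself: a URL with an http, https or ftp scheme, or a UNC path, is what should be quarantined. The fixture builder, the template-host.invalid hostname and the quarantine/allow verdict names are constructed for the example; the fixture is only the relationships part inside a zip, not a document Word would open.

```python
"""Flag .docx attachments that declare a remote (network-hosted) attached template.

Added example for the blue-team note above; assumes the standard OOXML
package layout and relationship type names.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS_PATH = "word/_rels/settings.xml.rels"
REMOTE_SCHEMES = ("http", "https", "ftp")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every attached-template target that points at the network.

    An empty list means the document declares no remote template. A package
    without a settings.xml.rels part is treated as clean, since the template
    reference can only live there.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        if SETTINGS_RELS_PATH not in archive.namelist():
            return []
        root = ET.fromstring(archive.read(SETTINGS_RELS_PATH))

    hits = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("Type", "") != ATTACHED_TEMPLATE_TYPE:
            continue
        target = rel.get("Target", "")
        # Local templates also use TargetMode="External" (file:// or a plain
        # path), so only a URL scheme or a UNC path marks a remote template.
        scheme = urlparse(target).scheme.lower()
        if scheme in REMOTE_SCHEMES or target.startswith("\\\\"):
            hits.append(target)
    return hits


def verdict(docx_bytes: bytes) -> str:
    """Mail-gateway decision for one attachment: 'quarantine' or 'allow'."""
    return "quarantine" if find_remote_templates(docx_bytes) else "allow"


def scan_file(path: str) -> str:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return verdict(fh.read())


def build_fixture(target: Optional[str]) -> bytes:
    """Constructed test fixture: a minimal zip carrying only the relationships part.

    This is NOT a real Word document (no [Content_Types].xml, no settings.xml);
    it exists solely to exercise the detector above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", "<w:document/>")  # placeholder body
        if target is not None:
            rels = (
                f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
                f'Target="{target}" TargetMode="External"/>'
                "</Relationships>"
            )
            archive.writestr(SETTINGS_RELS_PATH, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: no template, a local template, a remote one.
    for label, sample in [
        ("no template", build_fixture(None)),
        ("local Normal.dotm", build_fixture("file:///C:/Users/user/Templates/Normal.dotm")),
        ("remote template", build_fixture("https://template-host.invalid/t.dotm")),
    ]:
        print(f"{label:18} -> {verdict(sample)}")
```

The check is deliberately static so it can run at the gateway before any sandbox detonation; the sandbox remains the authoritative verdict, because a remote template can also be fetched later by other means that this file-level rule does not see.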
Spoofing is a powerful tool that can be used against organizations without a DMARC policy set. While setting this policy is trivial, the knowledge to do it in the first place may not be present in non-technical organizations, such as healthcare or education. SET is one such option, but it is dated. Zaqar is another, more modern option that allows email spoofing, and its setup is trivially easy. For serious red teams, it is worth the time investment to have your own email spoofing infrastructure. For length reasons, this is not a guide to setting up any of the above.
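The defensive side of that paragraph is checking what DMARC policy your own domain actually publishes, since a record that exists but says p=none only monitors and does not stop spoofing. The following is an added example, not part of the original article: it parses a DMARC TXT record (the "v=DMARC1; p=...; ..." string published at _dmarc.<domain>) and classifies how much protection it gives. The classification labels and the sample records are constructed for the example; the tag names (v, p, sp, pct, rua) are the standard DMARC tags. The record string itself is passed in, so the code runs offline; fetching it over DNS is left to the caller.

```python
"""Classify a domain's DMARC record by the protection it gives against spoofing.

Added example; the labels returned by spoofing_exposure() are our own.
"""
from typing import Dict, Optional


def parse_dmarc(record: Optional[str]) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict.

    Returns {} when the record is absent, or when its first tag is not
    v=DMARC1, because receivers discard such records entirely.
    """
    if not record:
        return {}
    tags: Dict[str, str] = {}
    first = None
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        if first is None:
            first = key
        tags[key] = value
    if first != "v" or tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def spoofing_exposure(record: Optional[str], is_subdomain: bool = False) -> str:
    """Return one of: 'unprotected', 'monitor-only', 'partial', 'enforced'.

    - unprotected: no usable record, so receivers apply no DMARC policy
    - monitor-only: p=none, reports are sent but spoofed mail is delivered
    - partial: quarantine/reject but pct below 100, so some spoofed mail passes
    - enforced: quarantine or reject applied to all failing mail
    """
    tags = parse_dmarc(record)
    if not tags or "p" not in tags:
        return "unprotected"

    policy = tags["p"].lower()
    if is_subdomain:
        # sp overrides p for subdomains; when absent, p applies to them too.
        policy = tags.get("sp", policy).lower()

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct is ignored by receivers, default is 100

    if policy == "none":
        return "monitor-only"
    if policy in ("quarantine", "reject"):
        return "enforced" if pct >= 100 else "partial"
    return "unprotected"  # unknown policy value, record is not usable


if __name__ == "__main__":
    # Constructed sample records for illustration only.
    samples = {
        "no record": None,
        "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org",
        "rollout": "v=DMARC1; p=quarantine; pct=25",
        "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org",
        "missing v tag": "p=reject",
    }
    for label, rec in samples.items():
        print(f"{label:14} -> {spoofing_exposure(rec)}")
```

Anything other than "enforced" for both the organizational domain and its subdomains leaves the from field open to the kind of colleague-or-boss spoofing the next paragraphs describe.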
On the socio-technical side, consider what most security awareness training looks like. If you haven’t experienced it, a brief visit to KnowBe4’s website will give you a rough idea of how primitive the training is, and needs to be. The vast majority of users are not cyber aware, and even the idea that email addresses can be spoofed is foreign to them. It’s easy to train people to spot grammatical errors and email addresses they do not know. It is much harder to train people to spot an email from their boss asking them to complete a task by the end of the day. It is even harder for a security awareness training company to recommend that a user question whether their boss’s email is authentic. For the above reasons, spoofing greatly increases the odds of a successful phishing campaign.
When spoofing as a colleague or boss, it is important to follow the same rules as if you are “cold” emailing your target. Play on people’s desire to be helpful, be kind, be clear, and remove as many roadblocks as possible. Strongly consider the type of relationship that you’re impersonating.
A Final Word
This is all generic advice and your engagement will differ. Adaptability and creativity are the only limits for this type of attack. Focus on influencing your targets by framing your goal as their goal, and empower them to follow through. Don’t be discouraged by email filters.