Have you ever wondered just how easy it is to send phishing emails? Well, can you use premade tools in Linux? Can you set up virtual machines in a cloud service like Azure or Amazon Web Services? If so, you’ve got all the technical skills you need to start phishing. However, successful phishing also requires other skills that are more nebulous: soft skills, or the ability to understand another person's perspective. This post will focus on using your soft skills to craft a phishing email that appears so legitimate, so normal, that at least some of its recipients will open it and click the malicious link it contains without a second thought.
But first, a disclaimer: The skills and processes mentioned in this post should be used only for ethical phishing, with the consent of the corporations or individuals being targeted. Federal computer crime laws are no joke, and violations can carry some serious consequences, including prison time. In extreme cases, the perpetrator may even be barred from using any computer for several years after being released from prison, a potential career death sentence in today’s modern world. (And of course, cybercrime is just plain wrong.)
Most ethical phishing campaigns have one of two main goals: increasing user awareness of phishing or gaining initial access to a system to identify exploitable weaknesses. Phishing campaigns designed to increase user awareness are typically internal corporate initiatives; a company will use a commercial tool to send employees canned phishing emails that redirect them to an educational page or additional training. While those campaigns are necessary in some situations, they aren’t terribly exciting. This post will focus on gaining a foothold in a network—specifically on gaining a foothold in a company’s network by phishing its employees.
The First (and Most Important) Step: Reconnaissance
The most crucial step in the phishing process is targeting; the more information that a hacker knows about a target, the easier phishing will be. While some hackers choose to use open-source intelligence tools, those tools can be daunting and don’t always yield the most useful results. It’s better to start by answering a few basic questions:
- What’s the name of the target company? It might seem like a silly question, but the official name of a company is one thing, and its internal nickname is another. For example, take Independent Security Evaluators, which we all refer to as “ISE.” If an internal email used the company’s full name, the recipient would immediately find it strange and would be hesitant to trust the email. Building trust is an important part of launching a successful social engineering attack; the more a phishing email resembles a legitimate company email, the more likely the victim will be to just glance through the email and click the link.
- Who are you trying to phish? Again, it seems like a bit of a rhetorical question, but the most successful way to phish is to keep the target as narrow as possible—assuming you have control over the target.
When ethical hackers at ISE perform a phishing campaign for a client, we target who the client allows us to target. Sometimes we aren’t given the targets that we’d like, or we’re given a massive pool of targets and told that we need to try to phish all of them. We work with what we’re given.
When targeting is up to you, though, try to narrow things down. Consider focusing on high-value targets, or employees with permissions or privilege levels that would be particularly attractive to an attacker. (And don’t assume that those employees would be too savvy to fall victim to an attack; no one is immune to phishing.)
- What industry does the target company work in? There’s no catchall phishing strategy that can be used against every company or in every industry; you need to get creative. Dig up as much information as you can about the industry your target works in and try to leverage that information to craft a believable phishing email or landing page.
Learn the “local language”—that is, the industry jargon. For example, say you’re launching an ethical phishing campaign against a medical technology company. Those companies have approvals and regulations and deadlines that are so unique and esoteric that they can make your head spin. You can (and should) research the medical technology industry, but research alone may not give you a sense of how people actually communicate with each other. Use your soft skills and see if you can find a colleague or someone else in your network who’s worked in that field in the past. Gaining some “insider info” and adding some jargon to your email can increase your chance of success. Just make sure that you’re using the jargon effectively.
- What’s the target company’s size? Does it have 100 employees? 1,000? 50,000? Does it have subsidiaries? Are they part of the target? As a rule of thumb, phishing campaigns against smaller companies tend to be more difficult; it’s harder to send a phishing email impersonating someone at a company if all of its employees know each other or work in the same office. By contrast, people who work at a division of a larger company aren’t always in the know about the parent company’s policies and decisions, and that type of structure can be easily exploited.
- Can you find any corporate literature or marketing emails? Sign up for any marketing newsletters or communications that the target company offers. These emails can serve as a kind of template, as they often include the company’s logo (or links to it) and may even include a signature block that you can replicate.
Once you’ve answered those basic questions, take the following steps to dive a little deeper:
- Search for old domain names abandoned by the company or its subsidiaries. Some companies adopt new domain names as part of rebranding or restructuring efforts; others stop using an old domain name after being acquired. Regardless of the reason for the change, if a domain name expires and is not reclaimed, it will eventually become eligible for reregistration.
Check publicly available domain name drop lists for old domains abandoned by the company or its subsidiaries. Using an old domain in your phishing email can give it an air of legitimacy, as many employees will overlook the use of an old domain.
- Check the company’s Domain Name System (DNS) records. Specifically, check for a Sender Policy Framework (SPF) record, which lists the mail servers that are allowed to send email on behalf of a domain. If the company’s SPF record ends in +all, any server can send email from the company’s domain. While it’s unlikely that you’ll hit the jackpot and find such a record, that mistake does happen—and it’ll make it much easier to spoof the company’s domain name in your phishing emails.
- Find as many company email addresses as possible—and figure out the company’s email address schema. Use a tool such as theHarvester or SpiderFoot (or a paid alternative) to scrape company email addresses from public sources. In addition to providing you with email addresses for your phishing campaign, this process will tell you what email address schema the company uses (i.e., the format of its email addresses); then, armed with that schema, you can begin targeting employees whose email addresses you don’t know.
- Use LinkedIn to obtain the names of employees and to determine the technologies that the company uses. Try to find the profiles of IT employees, and look for job postings for technical roles at the company. If you have already selected (or been given) your targets, check out their LinkedIn profiles too—they may provide more information about the targets’ personal interests. If you haven’t, use LinkedIn to narrow down the pool of potential targets.
You can also use LinkedIn to find someone to impersonate in your phishing email. Try to find someone of mid-level importance; your targets should feel that communication from this person is too important to ignore, but not important enough to raise suspicion. Then check that person’s profile for any information that could be used to create a seemingly legitimate signature.
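The SPF check described above is one a domain owner should run against their own domains before an attacker does. The following audit script is an added example, not ISE’s code or tooling; it parses constructed SPF records (no real domains, no DNS lookups) and flags the permissive “all” qualifiers that would let anyone send mail as the domain.

```python
import re

# Constructed sample SPF TXT records (fictional domains). The "+all", "?all"
# and bare "all" variants are the misconfigurations a defender should catch.
SAMPLE_RECORDS = {
    "good.example":     "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "soft.example":     "v=spf1 include:_spf.mail.example ~all",
    "neutral.example":  "v=spf1 include:_spf.mail.example ?all",
    "open.example":     "v=spf1 include:_spf.mail.example +all",
    "implicit.example": "v=spf1 a mx all",
    "no-all.example":   "v=spf1 a mx",
}

QUALIFIER_MEANING = {
    "-": "fail (strict: unlisted servers are rejected)",
    "~": "softfail (unlisted servers are accepted but marked)",
    "?": "neutral (no policy: effectively allows any sender)",
    "+": "pass (allows ANY server to send as this domain)",
}

def parse_spf(record):
    """Split an SPF record into its terms; return None if it is not an SPF record."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]

def audit_spf(record):
    """Return (risk, explanation) for one SPF record.

    'high'   - any host can send as the domain (+all, ?all, bare all, no all)
    'medium' - ~all softfail; 'low' - strict -all; 'none' - no valid record.
    Limitation (assumption): redirect= and include= are not followed.
    """
    terms = parse_spf(record)
    if terms is None:
        return ("none", "no valid SPF record (receivers cannot verify the sender)")
    for term in terms:            # mechanisms after "all" are never evaluated
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            q = m.group(1) or "+"  # RFC 7208: a missing qualifier means "+"
            risk = {"-": "low", "~": "medium"}.get(q, "high")
            return (risk, f"{term}: {QUALIFIER_MEANING[q]}")
    return ("high", "no 'all' mechanism: unlisted servers get a neutral result")

def audit_all(records):
    """Audit a mapping of domain -> SPF record and return {domain: risk}."""
    return {domain: audit_spf(rec)[0] for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        risk, why = audit_spf(rec)
        print(f"{domain:18} {risk:6} {why}")
```

To audit a real domain, fetch its TXT record with your resolver of choice and pass the string to audit_spf; anything rated “high” means SPF alone will not stop spoofed mail, and DMARC enforcement should be checked next.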
The Next Step: Crafting the Email
Generally, there are two ways to craft a successful phishing email. One is to blend in with the target environment with an email and domain that look as normal as possible, in the hope that the victims will click the malicious link without noticing that the email is from an impostor. This method is effective but carries risk because it’s not usually feasible to see how the email will look on the victims’ end. In other words, you won’t usually know what kinds of mechanisms are in place to send users warnings if their system flags an email as suspicious.
The other strategy is to stand out as much as possible, but in a good way. Phishing attempts that use this method are more like spear phishing, which is a very narrowly targeted attack against a single person. Spear phishing involves doing a significant amount of research on one individual to identify that person’s interests—and then exploiting them. Detailed information on your target can be a powerful tool, especially if you can find something that your target desperately wants.
For example, if you discover that your target collects baseball cards, you might check social media to find whether the target is searching for any cards in particular. You can then craft a phishing email that lists those cards for sale and send it to the target’s work email address. (Just be sure that your email also includes cards that the target isn’t interested in so that it won’t be too suspicious.)
Before choosing a method, consider your goals and carefully weigh each method’s pros and cons. The first method is a good choice if you’re hoping to reach a wider audience and thus more low-hanging fruit. But if you’re successful in gaining access to a target’s network, you’ll need to work quickly, as campaigns that use the first method are more likely to be detected by automated systems. The second method may have a higher success rate per target, but given the level of effort required for each individual target, you’ll have fewer attempts overall.
After you’ve chosen your target(s), use the guidelines listed below to start working on your phishing email.
- Never impersonate a government entity or representative. That is always illegal and can result in serious legal trouble, even if it’s done in good faith (e.g., as part of a red team engagement).
- Choose the premise of your email carefully. Use all of the knowledge you’ve gathered up to this point to craft a scenario that will compel your target(s) to click the link in the email.
- Consider the timing of your attack, especially if you’ll be sending more than a few emails. For example, if you’ll be impersonating someone who lives and works on the East Coast, sending multiple emails at 3:00 a.m. EST could draw suspicion. Instead, consider sending your emails after lunch to take advantage of the sluggishness that many people feel around that time. On the other hand, if your email is designed to mimic an account expiration notification or another automated email, sending it at midnight might not be suspicious.
Phishing distinguishes itself from many other attacks by generally targeting people more than technology. As a result, the success of a phishing campaign depends more on an understanding of the targets’ psychology than on sophisticated technical abilities. By doing proper research and relying on your soft skills, you’ll increase your chance of successfully phishing more targets and improving organizational awareness of the inevitable risk of malicious phishing attacks.
When a client hires ISE for a phishing campaign, our team is relentless in its effort to gain a foothold in the client’s network. But malicious attackers don’t work within the confines of ethical hacking and are willing to go even further to break into a network. So stay vigilant—and if your organization is in need of advice regarding social engineering–based attacks, chat with one of our ethical hackers today.
A special thank you to Daniel Hughes for his contributions to this blog!