
Casting with the Pros: Tips and Tricks for Effective Phishing (Nathan Sweaney) - PowerPoint PPT Presentation



  1. Casting with the Pros: Tips and Tricks for Effective Phishing
     Nathan Sweaney, @sweaney, nathan@secureideas.com

  2. Nathan Sweaney
     • Security Consultant with Secure Ideas
     • BSidesOK Organizer
     • ISSA Oklahoma
     • OWASP Tulsa
     • @sweaney
     • nathan@secureideas.com
     secureideas.com

  3. Agenda
     Campaign Design
     Targeting
     Infrastructure Setup
     Bypassing Defenses

  4. Why Phish?
     • Meatware is vulnerable
     • Recent Breaches
     • User Awareness Training
     • Executive Impact

  5. Latest & Greatest Executable Payloads

  6. Campaign Design

  7. Campaign Design > Assessment Goals
     • What's the org hoping to get?
     • Goal-oriented tests vs Awareness training
     • Consider white-box/grey-box testing
     • Levels of Simulation

  8. Campaign Design > Desired Outcome
     • Click links to a malicious site
     • Download & execute a file
     • Remote access
     • Provide credentials
     • XSS
     • Establish rapport

  9. Campaign Design > Ruse Considerations
     • Use current events
       – Especially emotionally-charged events
       – But be careful
     • Holidays
     • Target-specific situations
     • Existing technologies

  10. Campaign Design > Domain Name Selection
     • Start with Recon
       – Learn what the target is used to seeing
       – 3rd Party services? (HR, Payroll, Training, etc)
     • Familiar/Similar Domains
       – companymail.com
       – mail.company.mailserver.com
     • Generic Domains
       – mail-sender.com
       – eventcoordinator.com
     • Punycode
       – portal.xn--securideas-f7a.com
       – portal.securéideas.com
       – www.xn--securedeas-2ub.com
       – www.secureıdeas.com
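A defender-side check for the punycode look-alikes listed on this slide, added here as an example and not part of the talk: it decodes xn-- labels back to what a mail client displays, then collapses accents and known confusables so a domain that renders like a protected brand is flagged. The protected-domain set, the confusable map and the last-two-labels rule for the registrable domain are assumptions.

```python
import unicodedata

# Constructed list of domains a defender wants to protect (assumption, not from the talk).
PROTECTED = {"secureideas.com"}

# Look-alike letters that NFKD does not decompose to their ASCII twin (small constructed map).
CONFUSABLES = {"ı": "i", "ł": "l", "ø": "o", "đ": "d"}


def decode_idn(domain):
    """Turn xn-- labels back into the Unicode a mail client would display."""
    labels = []
    for label in domain.strip().lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(text):
    """Collapse accents and known confusables so look-alikes compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.category(ch).startswith("M"):  # drop combining marks (the acute in é)
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def check_domain(domain, protected=PROTECTED):
    """Classify a sender or link domain as 'homograph', 'idn' or 'ok'."""
    shown = decode_idn(domain)
    # Registrable part taken as the last two labels (assumption; adequate for .com).
    registrable = ".".join(shown.split(".")[-2:])
    twin = skeleton(registrable)
    result = {"domain": domain, "displayed": shown, "verdict": "ok", "impersonates": None}
    if twin in protected and registrable != twin:
        result["verdict"] = "homograph"
        result["impersonates"] = twin
    elif any(ord(c) > 127 for c in shown):
        result["verdict"] = "idn"  # non-ASCII but no protected match: review manually
    return result


if __name__ == "__main__":
    for d in ("portal.xn--securideas-f7a.com", "www.xn--securedeas-2ub.com", "portal.secureideas.com"):
        print(check_domain(d))
```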

  11. Campaign Design > Use Psychology
     • Humans are easily controllable
       – Urgency
       – Emotion
       – Familiarity
       – Eagerness to help/serve
     • Critical Faculty
       – Spell check
       – Mimic email signatures
       – Realistic & similar domains
       – Context-appropriate language
       – Existing conversations
     • Be Evil

  12. But not TOO evil

  13. Examples

  14.–17. (image-only slides; no text content)

  18. Targeting

  19. Targeting > Number of Victims
     • One/Several/Everyone?
     • Remember the goal
     • Response Time
     • Prairie dog issue

  20. Targeting > Victim Type
     • Particularly vulnerable
       – Legal
       – HR
       – Accounting
       – Sales
     • Particularly privileged
       – Sys Admins/Network Admins
       – Executives
       – Helpdesk

  21. Targeting > Finding Victims
     • Social Media
       – LinkedIn
     • Lead Generation sites
       – site:zoominfo.com "domainname.com"
       – Bizshark
       – Pipl
       – Clearbit
       – RIP data.com
     • Tools
       – Recon-ng
       – theHarvester
       – datasploit

  22. Targeting > Finding More Victims
     • The company's website
       – Blog
       – Metadata
     • 3rd Party tools
       – Github
     • Data breach dumps
     • AD
     • Phishing/Vishing

  23. Infrastructure

  24. Infrastructure > SMTP Server
     • Your laptop
     • Hosted
       – AWS/Azure/etc (cloud-based)
       – Gmail/Office365
       – MailChimp, SendGrid, etc
       – Target's mail servers (open relays)
     • Considerations
       – Server age
       – Domain age
       – IP Reputations

  25. Infrastructure > Technology
     • Sendmail
     • Toolkits
       – GoPhish
       – Modlishka
       – Evilginx2
       – Phishing Frenzy
       – King Phisher
       – Social Engineering Toolkit
     • LetsEncrypt
     • PhishMe, KnowBe4, etc

  26. Infrastructure > Alternatives to Email
     • SMS
     • Facebook/Twitter/LinkedIn
     • WhatsApp
     • Slack
     • NextDoor
     • Think outside the box
       – Suspicion is context-sensitive

  27. Bypassing Defenses

  28. Bypassing Defenses > Anti-malware
     • AV
       – https://github.com/Veil-Framework/Veil
       – Online Scanners
         • VirusTotal
         • MetaScan (https://metadefender.opswat.com)
         • VirSCAN (http://www.virscan.org)
         • NoDistribute (https://nodistribute.com)
         • Hybrid Analysis (https://www.hybrid-analysis.com)
     • Watch out for automated sandbox analysis
     • EDR Tools
       – Good luck
       – Keep it simple

  29. Bypassing Defenses > Content Filtering
     • Content Filtering Submission Forms
       – Symantec/Bluecoat: https://sitereview.bluecoat.com/#/
       – WatchGuard/ForcePoint/Websense: http://mtas.surfcontrol.com/mtas/WatchGuardTest-a-Site.php
       – Cisco Umbrella/OpenDNS: https://community.opendns.com/domaintagging/submit/
       – Cisco/Talos: https://talosintelligence.com/reputation_center/support
       – Palo Alto: https://urlfiltering.paloaltonetworks.com/query/
       – Barracuda: http://www.barracudacentral.org/report
       – McAfee: https://trustedsource.org
     • Recently Expired Domains
       – https://www.expireddomains.net
       – https://freshdrop.com

  30. Bypassing Defenses > Anti-Spam
     • SPF, DKIM, & DMARC
     • Consider sending via Gmail or O365
     • Check Blacklists
       – https://www.talosintelligence.com/reputation_center
     • Online Spam Checks
       – Google's Postmaster Tools: https://postmaster.google.com
       – SenderScore: https://www.senderscore.org
       – Mail Tester: https://www.mail-tester.com
     • Discuss with the client
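A defender-side assessment of the SPF and DMARC records this slide names, added as an example and not from the talk: it parses constructed TXT records for a weak and a hardened configuration and lists what each leaves open to sender spoofing. The sample records, the example.com reporting address and the finding texts are constructed.

```python
import re

# Constructed sample TXT records for a domain being assessed (not real DNS data).
WEAK = {
    "spf": "v=spf1 include:_spf.google.com ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.google.com -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}

# The SPF 'all' mechanism with its optional qualifier (+, -, ~ or ?).
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf, dmarc):
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record, receivers cannot check the sending host")
    else:
        matches = [ALL_TERM.match(term) for term in spf.split()]
        qualifier = next((m.group(1) for m in matches if m), None)
        if qualifier is None or qualifier in ("", "+", "?"):
            findings.append("SPF: missing or permissive 'all', unknown senders pass")
        elif qualifier == "~":
            findings.append("SPF: softfail (~all), spoofed mail is tagged rather than rejected")
    tags = parse_dmarc(dmarc) if dmarc else {}
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or not policy:
        findings.append("DMARC: no policy published, SPF/DKIM failures are not acted on")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, failing mail is still delivered")
    else:
        if tags.get("pct", "100") != "100":
            findings.append("DMARC: pct<100, policy applied to only part of the mail flow")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, abuse goes unreported")
    return findings


if __name__ == "__main__":
    for name, rec in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess(rec["spf"], rec["dmarc"]) or ["enforcing"])
```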

  31. Bypassing Defenses > Landing Pages
     • Duplicate real sites vs Build your own
     • Unique user identifiers
     • Source IP restrictions
       – Automated sandbox analysis
     • Time restrictions
     • JavaScript obfuscation
     • Subdomains vs directories

  32. Bypassing Defenses > Payloads
     • Constant battle
       – No more shikata-ga-nai
     • Use hosted known sites
     • Test, Burn, & repeat
     • "Encrypted" Excel file

  33. Final Thoughts
     • Remember the goal
     • Use back channels with clients
     • Keep it simple
     • Make it familiar
     • Don't be TOO evil

  34. Questions?
     Nathan Sweaney, @sweaney, nathan@secureideas.com
