Casting with the Pros: Tips and Tricks for Effective Phishing (Nathan Sweaney) - PowerPoint PPT Presentation



SLIDE 1

Casting with the Pros

Tips and Tricks for Effective Phishing

Nathan Sweaney @sweaney nathan@secureideas.com

SLIDE 2

secureideas.com

Nathan Sweaney

  • Security Consultant with Secure Ideas
  • BSidesOK Organizer
  • ISSA Oklahoma
  • OWASP Tulsa
  • @sweaney
  • nathan@secureideas.com

SLIDE 3

Agenda

  • Campaign Design
  • Targeting
  • Infrastructure Setup
  • Bypassing Defenses

SLIDE 4

Why Phish?

  • Meatware is vulnerable
  • Recent Breaches
  • User Awareness Training
  • Executive Impact

SLIDE 5

Latest & Greatest Executable Payloads

SLIDE 6

Campaign Design

SLIDE 7

Campaign Design > Assessment Goals

  • What’s the org hoping to get?
  • Goal-oriented tests vs Awareness training
  • Consider white-box/grey-box testing
  • Levels of Simulation

SLIDE 8

Campaign Design > Desired Outcome

  • Click links to a malicious site
  • Download & execute a file
  • Remote access
  • Provide credentials
  • XSS
  • Establish rapport

SLIDE 9

Campaign Design > Ruse Considerations

  • Use current events
    – Especially emotionally-charged events
    – But be careful
  • Holidays
  • Target-specific situations
  • Existing technologies

SLIDE 10

Campaign Design > Domain Name Selection

  • Start with Recon
    – Learn what the target is used to seeing
    – 3rd party services? (HR, Payroll, Training, etc.)
  • Familiar/Similar Domains
    – companymail.com
    – mail.company.mailserver.com
  • Generic Domains
    – mail-sender.com
    – eventcoordinator.com
  • Punycode (the xn-- form is what DNS sees; the right-hand side is what the browser renders)
    – portal.xn--securideas-f7a.com → portal.securéideas.com
    – www.xn--securedeas-2ub.com → www.secureıdeas.com
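The Punycode and look-alike domains on this slide are exactly what a mail gateway or SOC analyst wants to flag before a user sees them. The Python below is an added example, not code from the talk or from Secure Ideas: it decodes Punycode labels with the standard-library codec, reduces each label to an accent-stripped, confusable-mapped "skeleton", and compares that with a watch list of protected domains. It goes beyond the slide by also flagging a brand name embedded in an unrelated registrable domain (the companymail.com and mail.company.mailserver.com patterns). The PROTECTED set, the constructed company.com placeholder, the small CONFUSABLES map (Unicode's confusables.txt is the complete source) and the two-label registrable-domain rule, which ignores multi-part public suffixes, are all assumptions of this example.

```python
"""Flag look-alike domains against a watch list of protected brand domains.

Added example (not from the slides). Detection only: decodes Punycode
labels, strips accents, maps a few confusable characters and compares the
resulting skeleton with the protected names.
"""
import unicodedata

# Protected (legitimate) domains. secureideas.com comes from the slides;
# company.com is a constructed placeholder for the target organisation.
PROTECTED = {"secureideas.com", "company.com"}

# Hand-picked subset of Unicode confusables (full list: Unicode's
# confusables.txt). Assumption: enough for this illustration, not complete.
CONFUSABLES = {
    "\u0131": "i",  # dotless i, as in www.secureıdeas.com on the slide
    "\u0237": "j",  # dotless j
    "\u2113": "l",  # script small l
    "\u0261": "g",  # script small g
}


def decode_label(label: str) -> str:
    """Return the Unicode form of an A-label such as 'xn--securideas-f7a'.

    Uses the standard-library 'punycode' codec; plain labels pass through.
    """
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label; keep it, it is flagged anyway
    return label


def skeleton(label: str) -> str:
    """Reduce a label to an ASCII-ish skeleton for confusability comparison."""
    out = []
    for ch in unicodedata.normalize("NFKD", decode_label(label).lower()):
        if unicodedata.combining(ch):
            continue  # drop the U+0301 that NFKD split off from 'é'
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def registrable(labels: list) -> str:
    """Last two labels. Assumption: ignores multi-part public suffixes (co.uk)."""
    return ".".join(labels[-2:])


def analyze_domain(domain: str) -> dict:
    """Return decoded form, skeleton and the reasons a domain looks suspicious."""
    labels = domain.lower().rstrip(".").split(".")
    unicode_form = ".".join(decode_label(lab) for lab in labels)
    skel_labels = [skeleton(lab) for lab in labels]
    actual_reg = registrable(labels)       # A-label form, as it appears in DNS
    skel_reg = registrable(skel_labels)    # what a human reads it as
    reasons = []
    if any(lab.startswith("xn--") for lab in labels):
        reasons.append("punycode label")
    for prot in sorted(PROTECTED):
        brand = prot.split(".")[0]
        if actual_reg == prot:
            continue  # the genuine domain, or a real subdomain of it
        if skel_reg == prot:
            reasons.append(f"homoglyph of {prot}")
        elif any(brand in lab for lab in skel_labels):
            reasons.append(f"brand name '{brand}' used outside {prot}")
    return {
        "domain": domain,
        "unicode": unicode_form,
        "skeleton": ".".join(skel_labels),
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    # The two Punycode domains from the slide, the look-alike patterns it
    # lists, and two genuine names that must not be flagged.
    for d in ("portal.xn--securideas-f7a.com", "www.xn--securedeas-2ub.com",
              "companymail.com", "mail.company.mailserver.com",
              "mail.company.com", "secureideas.com"):
        r = analyze_domain(d)
        print(f"{d:32} -> {r['unicode']:28} {r['reasons'] or 'ok'}")
```

The generic domains on the slide (mail-sender.com, eventcoordinator.com) carry no brand string, so a skeleton comparison cannot catch them; for those, domain age and sender reputation are the usable signals.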

SLIDE 11

Campaign Design > Use Psychology

  • Humans are easily controllable
    – Urgency
    – Emotion
    – Familiarity
    – Eagerness to help/serve
  • Critical Faculty
    – Spell check
    – Mimic email signatures
    – Realistic & similar domains
    – Context-appropriate language
    – Existing conversations
  • Be Evil

SLIDE 12

But not TOO evil

SLIDE 13

Examples

SLIDES 14–17

(Example screenshots; image-only slides with no captured text.)

SLIDE 18

Targeting

SLIDE 19

Targeting > Number of Victims

  • One/Several/Everyone?
  • Remember the goal
  • Response Time
  • Prairie dog issue

SLIDE 20

Targeting > Victim Type

  • Particularly vulnerable
    – Legal
    – HR
    – Accounting
    – Sales
  • Particularly privileged
    – Sys Admins/Network Admins
    – Executives
    – Helpdesk

SLIDE 21

Targeting > Finding Victims

  • Social Media
    – LinkedIn
  • Lead Generation sites
    – site:zoominfo.com "domainname.com"
    – Bizshark
    – Pipl
    – Clearbit
    – RIP data.com
  • Tools
    – Recon-ng
    – theHarvester
    – datasploit

SLIDE 22

Targeting > Finding More Victims

  • The company’s website
    – Blog
    – Metadata
  • 3rd Party tools
    – Github
  • Data breach dumps
  • AD
  • Phishing/Vishing

SLIDE 23

Infrastructure

SLIDE 24

Infrastructure > SMTP Server

  • Your laptop
  • Hosted
    – AWS/Azure/etc (cloud-based)
    – Gmail/Office365
    – MailChimp, SendGrid, etc
    – Target’s mail servers (open relays)
  • Considerations
    – Server age
    – Domain age
    – IP Reputations

SLIDE 25

Infrastructure > Technology

  • Sendmail
  • Toolkits
    – GoPhish
    – Modlishka
    – Evilginx2
    – Phishing Frenzy
    – King Phisher
    – Social Engineering Toolkit
  • LetsEncrypt
  • PhishMe, KnowBe4, etc

SLIDE 26

Infrastructure > Alternatives to Email

  • SMS
  • Facebook/Twitter/LinkedIn
  • WhatsApp
  • Slack
  • NextDoor
  • Think outside the box
    – Suspicion is context-sensitive

SLIDE 27

Bypassing Defenses

SLIDE 28

Bypassing Defenses > Anti-malware

  • AV
    – https://github.com/Veil-Framework/Veil
    – Online Scanners
      • VirusTotal
      • MetaScan (https://metadefender.opswat.com)
      • VirSCAN (http://www.virscan.org)
      • NoDistribute (https://nodistribute.com)
      • Hybrid Analysis (https://www.hybrid-analysis.com)
    – Watch out for automated sandbox analysis
  • EDR Tools
    – Good luck
    – Keep it simple

SLIDE 29

Bypassing Defenses > Content Filtering

  • Content Filtering Submission Forms
    – Symantec/Bluecoat: https://sitereview.bluecoat.com/#/
    – WatchGuard/ForcePoint/Websense: http://mtas.surfcontrol.com/mtas/WatchGuardTest-a-Site.php
    – Cisco Umbrella/OpenDNS: https://community.opendns.com/domaintagging/submit/
    – Cisco/Talos: https://talosintelligence.com/reputation_center/support
    – Palo Alto: https://urlfiltering.paloaltonetworks.com/query/
    – Barracuda: http://www.barracudacentral.org/report
    – McAfee: https://trustedsource.org
  • Recently Expired Domains
    – https://www.expireddomains.net
    – https://freshdrop.com

SLIDE 30

Bypassing Defenses > Anti-Spam

  • SPF, DKIM, & DMARC
  • Consider sending via Gmail or O365
  • Check Blacklists
    – https://www.talosintelligence.com/reputation_center
  • Online Spam Checks
    – Google’s Postmaster Tools: https://postmaster.google.com
    – SenderScore: https://www.senderscore.org
    – Mail Tester: https://www.mail-tester.com
  • Discuss with the client
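SPF and DMARC are the first controls a phishing campaign has to get past, so they are also the first thing a defender should audit on the organisation's own domains. The Python below is an added example, not code from the talk: it parses SPF and DMARC TXT records as plain strings and reports the settings that still let spoofed mail through (a missing or permissive all mechanism, a deprecated ptr term, more than ten DNS-lookup terms, p=none, a partial pct, sp=none, no reporting address). The sample records are constructed for a placeholder domain; a live check would fetch the TXT records for the domain and for _dmarc.<domain> (for example with dnspython) and hand the strings to assess_domain. DKIM is left out on purpose, since checking it means verifying signatures on real messages rather than reading one record.

```python
"""Audit SPF and DMARC TXT records for settings that let spoofed mail through.

Added example (not from the talk). Works on record strings only, so it runs
offline; a live check would fetch TXT records for <domain> and
_dmarc.<domain> (for instance with dnspython) and pass them in.
"""
import re

# Constructed sample records for a placeholder domain; not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.google.com ?all"
STRONG_SPF = "v=spf1 include:_spf.google.com -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@company.example"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@company.example"

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per check).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str):
    """Return the SPF terms after the version tag, or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def assess_spf(record: str) -> list:
    """List weaknesses in an SPF record; an empty list means nothing was found."""
    terms = parse_spf(record)
    if terms is None:
        return ["no SPF record: any host may claim to send for this domain"]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are implicitly neutral")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every host on the Internet")
        elif qualifier == "?":
            findings.append("'?all' is neutral; receivers treat it like no policy")
        elif qualifier == "~":
            findings.append("'~all' is softfail only; rely on DMARC to reject")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms):
        findings.append("'ptr' mechanism is deprecated and slow to evaluate")
    lookups = sum(1 for t in terms
                  if re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str):
    """Parse 'tag=value; tag=value' into a dict, or None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record: str) -> list:
    """List weaknesses in a DMARC record; an empty list means nothing was found."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record: SPF/DKIM failures are not enforced"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy p='{policy}'")
    pct = tags.get("pct", "100")
    if not pct.isdigit():
        findings.append(f"pct={pct!r} is not a number")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


def assess_domain(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks; 'enforcing' is True only when nothing weak was found."""
    spf, dmarc = assess_spf(spf_record or ""), assess_dmarc(dmarc_record or "")
    return {"spf": spf, "dmarc": dmarc, "enforcing": not spf and not dmarc}


if __name__ == "__main__":
    for name, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                             ("strong", STRONG_SPF, STRONG_DMARC)):
        print(name, assess_domain(spf, dmarc))
```

The slide's advice to send through Gmail or O365 works precisely because those senders pass SPF for their own domains; what the receiving side can still enforce is DMARC alignment on the From: domain, which is why p=reject on your own domain matters more than any single spam score.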

SLIDE 31

Bypassing Defenses > Landing Pages

  • Duplicate real sites vs Build your own
  • Unique user identifiers
  • Source IP restrictions
    – Automated sandbox analysis
  • Time restrictions
  • JavaScript obfuscation
  • Subdomains vs directories

SLIDE 32

Bypassing Defenses > Payloads

  • Constant battle
    – No more shikata-ga-nai
  • Use hosted known sites
  • Test, Burn, & repeat
  • “Encrypted” Excel file

SLIDE 33

Final Thoughts

  • Remember the goal
  • Use back channels with clients
  • Keep it simple
  • Make it familiar
  • Don’t be TOO evil

SLIDE 34

Questions?

Nathan Sweaney @sweaney nathan@secureideas.com