Michael Schneider
This is how Professional Phishing works
The first spam email in history was sent in 1978 by Gary Thuerk, a marketer at Digital Equipment Corporation, and reportedly generated around 12 million dollars in sales. Forty years later we are dealing with a more “advanced” variety of spam: phishing. According to MELANI’s first semiannual report of 2018, over 2,500 phishing pages were reported to the Swiss reporting centre in the first half of the year, in some weeks more than 150 URLs. Even though other kinds of attacks, such as sextortion and ransomware, are currently making headlines, much of the attention in IT security remains on phishing emails, a classic instrument in the attacker’s toolbox. In 2018, attackers once again proved their resourcefulness when the two-year transition period of the EU’s GDPR ended on 25 May: the flood of privacy-policy update notices that followed provided perfect cover for GDPR-themed phishing. This article discusses some of the methods and subtleties of phishing, as well as measures for dealing with the problem, based on experience with phishing simulations.
The word phishing is a play on fishing: the attacker casts out bait and waits for a bite. The “ph” spelling is usually traced back to phone phreaking, although the word is also popularly glossed as “password harvesting fishing”. Usually, attackers use phishing to get hold of sensitive information, such as a user name and password, and then exploit those credentials for their own gain. An authentic-looking email lures the recipient into clicking a link that leads to a fake website, where they are prompted to log in or “verify” their credentials.
In most cases, the perpetrators attempt to create a sense of urgency, pressuring their victims and stealing as much data as possible before the attack is discovered.
To send a phishing email to as many of a company’s employees as possible, the first task is to obtain their addresses. This hurdle is relatively easy to clear. Most company addresses follow a fixed scheme, such as firstname.lastname@company.com, and a single genuine address, for example a press contact published on the website, is enough to confirm which scheme is in use. A LinkedIn search (as discussed in another article) then yields hundreds of employee names within minutes, which can be turned into addresses mechanically.
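The following is an added example of that address-guessing step; it is not code from the original article. It goes slightly beyond the text in that it also infers which naming scheme a company uses from one known address before applying the scheme to a whole name list. The pattern table, the fictional staff names and the domain example.com are constructed assumptions.

```python
"""Generate candidate corporate e-mail addresses from employee names.

Added example for the address-guessing step described in the article; it
is not code from the original page. The address patterns, the sample
names and the domain example.com are constructed assumptions.
"""
import unicodedata

# Common corporate address conventions as format templates. Which one a
# company actually uses must be confirmed from one known-good address
# (a contact on the website, a mailing-list post); see infer_pattern().
PATTERNS = {
    "first.last": "{first}.{last}",
    "f.last": "{f}.{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "first_last": "{first}_{last}",
    "last.first": "{last}.{first}",
    "first": "{first}",
}


def to_ascii_local_part(text):
    """Fold a name fragment into the ASCII form used in most local parts.

    NFKD-decompose, drop combining marks (Michèle -> michele), map ß to ss,
    keep only letters, digits and hyphens. Caveat: some German-speaking
    firms write ü as 'ue' rather than 'u'; verify against a known address.
    """
    text = text.replace("ß", "ss")
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(c for c in stripped.lower() if c.isalnum() or c == "-")


def split_name(full_name):
    """Return (first, last) from 'First Last' or 'First van der Last'.

    Everything after the first token is treated as the surname and joined
    without separators, so particles and multi-part surnames survive.
    """
    parts = full_name.strip().split()
    if len(parts) < 2:
        raise ValueError(f"need at least a first and a last name: {full_name!r}")
    first = to_ascii_local_part(parts[0])
    last = "".join(to_ascii_local_part(p) for p in parts[1:])
    return first, last


def _fields(full_name):
    first, last = split_name(full_name)
    return {"first": first, "last": last, "f": first[:1], "l": last[:1]}


def candidate_addresses(full_name, domain):
    """All plausible addresses for one person when the scheme is unknown."""
    fields = _fields(full_name)
    domain = domain.lower()
    seen, out = set(), []
    for template in PATTERNS.values():
        addr = f"{template.format(**fields)}@{domain}"
        # Drop duplicates: patterns can coincide, e.g. for one-letter first names.
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def infer_pattern(full_name, known_address):
    """Labels of every pattern that reproduces a known (name, address) pair."""
    local, _, _ = known_address.lower().partition("@")
    fields = _fields(full_name)
    return [label for label, t in PATTERNS.items() if t.format(**fields) == local]


def address_list(names, domain, pattern):
    """Apply one confirmed pattern to a whole name list (the mass-mailing case)."""
    template = PATTERNS[pattern]
    return sorted({f"{template.format(**_fields(n))}@{domain.lower()}" for n in names})


if __name__ == "__main__":
    # Constructed sample data: a fictional company and fictional staff.
    staff = ["Michèle Dupont", "Jan van der Berg", "Anna Müller-Strauß"]
    print(infer_pattern("Michèle Dupont", "m.dupont@example.com"))  # ['f.last']
    for addr in address_list(staff, "example.com", "f.last"):
        print(addr)
```

For a defender the same code is a reminder of how little the address list is worth as a secret: anything that can be derived from a public name list and one published contact should be treated as already known to an attacker.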
The next step is then to compose a message that appears highly credible. There are countless ways to do this, particularly in the corporate sector; with each new season there are summer parties, annual reviews, sport viewing events and the publication of quarterly figures – all of which offer high odds for success. Company websites and social media profiles also provide information about current topics. Perhaps the company just celebrated its anniversary, an opening for having the “Board” send out a thank you note. Or perhaps cybersecurity has become a hot topic, so a “new communications partner” offering an e-learning session might be a fruitful opportunity.
But it’s important to get the wording right. Every company has a corporate culture made up of several levels. If an attacker succeeds in using the right jargon to strike a chord with employees, the research effort has paid off. Edgar Schein’s model divides corporate culture into three basic levels: artifacts (what is visible and audible, from office layout and dress code to the company’s social media posts), espoused values (the stated strategies, goals and philosophies) and basic underlying assumptions (the unconscious, taken-for-granted beliefs that actually steer behavior). The last of the three is particularly relevant.
Does a company post a lot of pictures of races and team sports events on its Instagram page, or promote its sports facilities as a fringe benefit? Then expressions like “dynamic, sporty, goal-oriented, committed, team work” may have more of an impact than “traditional, established, structured, process-oriented”. Weaving expressions like these into the text in the right way is an art form in itself – one with great impact. On a subconscious level, the email will seem more trustworthy and credible, and trigger less skepticism.
The same must hold true for the actual website used for the phishing attack. The force of people’s habits can offer an obvious advantage. If possible, the page the employee is visiting should resemble one they already know. It might be the login page for their webmail account, the company’s intranet page, or some other service. This always depends on the information available, however. The more credible it appears, the more likely it is to succeed.
Spear phishing presents a similar case. Information collected about the company might be used to approach a person in a professional context, but it might not necessarily reflect their own values and convictions. To target a person very specifically, usually based on their position in the company or higher-level privileges, a bit of open source intelligence (OSINT) reconnaissance can be fruitful.
In the case of managers especially, it can be helpful to look into their academic backgrounds and anything they have published. An invitation to give a guest presentation on their specialty is a plausible pretext that exploits the person’s interest in and expertise on the topic. Facebook and other social media may also reveal personal interests. Is the person involved in volunteering or other socially minded activities in their spare time? Then an event at a school is a more fitting pretext than a guest lecture at a commercial broker event hosted by an insurance company. The key, however, is not to overdo it: too many “matching” triggers are themselves suspicious. The most effective approach is to plant subconscious triggers that the target won’t stop to question.
Anyone who knows a thing or two about marketing will remember the basic criteria of market segmentation: geographic, demographic, psychographic and behavioral. Like any other product, a phishing email can be targeted very precisely at a customer group that forms a homogeneous market segment: the text and design are tailored to appeal to one specific group of people. Who hasn’t heard from the Nigerian prince who urgently needs help moving his million-dollar inheritance? These emails are written in poor English and are highly conspicuous, which is why most recipients delete them immediately, perhaps briefly wondering why the sender didn’t at least have the text translated properly. What is less obvious is that the poor wording can be deliberate. Cormac Herley of Microsoft Research argued in a 2012 paper that the implausible story acts as a filter: skeptical recipients, who would only cost the scammer time, select themselves out, and only the most gullible and eager-to-help respond, which keeps the attackers’ cost per victim low. Those who reply are precisely the group most willing to transfer money for “legal fees” in the hope of a big payout.
Technical precautions to counter phishing include good email filtering and client software hardening as well as blocking of harmful sites.
Preventing phishing altogether is impossible with current technologies. Regular security awareness training helps sharpen recipients’ ability to recognize these tactics. But the obvious advice, such as not clicking random links, verifying senders and scrutinizing the grammar and language of an email, is only part of the picture. If an employee does click a link and realizes they have landed on a phishing site, how they react is just as critical. Notifying the right IT contact promptly, so that the damage can be limited or further damage prevented, is tremendously important, and employees should know exactly whom to contact internally. It is equally important that phishing is not a taboo topic and that victims are not “punished”; otherwise employees will conceal their mistakes instead of reporting them, and the window for mitigation closes. New employees in particular benefit when process descriptions are kept in one central place and checklists and reporting information are immediately at hand for a quick risk assessment.
There is a whole range of tactics for sending effective phishing emails, regardless of the number of recipients and the actual target. Attackers always try to get their hands on valuable information by targeting specific individuals or market segments. It is especially important for companies to discuss and deal with the matter openly. While preventative measures are widely known, it is also very important that employees know how to react when an attack has progressed to an advanced stage.