Tuesday, March 29, 2016

Phishing is too easy

I only remember going in a boat fishing once. And I did not catch anything. And I had to help with engine problems all the way back to the dock. So I can't claim to be a fisher, for I never learned and endured the hours of being pooped on by the mocking seagulls while waiting for fish, who are much smarter than we give them credit for, to fall for the lure and get stuck on the shiny hook at the end of the line. There are many men, women, and children who are very successful in the way of the fish; I am not one of them.

Phishing is a completely different story. It is very easy to do. You could call it caveman-easy, but then you would be insulting the cavemen. And yet, it is extremely effective.

Businesses (should) worry about being hacked, since a breach costs them money and reputation. So they (should) do their best to keep the bad guys from getting in: patching servers and services, deploying firewalls, and making sure their mail and web servers will not let just anyone try to log in. Of course, their problem is exacerbated by the asymmetry: while they need to protect against every possible attack, the attacker only needs to find one weak point to get in. And the easiest way to find that weak point is through social engineering.

Basic Phishing Recipe

  1. Get a free website account. This is kinda important if you are providing a link in the email for your victims to click on. Some of them allow you to use very little or no verifiable info to create said account. So you can use really bogus info.

    Now, if you are doing a Microsoft Office macro attack, this is still a good idea, since it insulates your real addresses. Remember, it is not hard to write code that sends the data collected by the site on to wherever you want to collect it.

  2. Select your target. You may think that means selecting the business you want to attack. Well, you are wrong; thanks to the crusade to push everything to the cloud, you really need to think on a larger scale and go after whoever hosts those companies' email. Based on what I have seen, commercial Google mail or the Microsoft equivalent (Office 365) are the best bets. First, a lot of businesses are using them, which means you only have to hit one target.
  3. Decide how you are going to deploy your payload. Are you going to send an attachment (most of the time a Word document) or a URL? What about an executable (badly) disguised as an image? I say badly because I have seen a lot of attachments whose extension was simply changed, or that had an image extension appended to the filename, because of how Outlook presents those attachments.
  4. Write the email. I would love to say this requires you to be creative and spend hours or days doing recon on the target company to figure out corporate colours, normal email format and language, and even the proper email addresses before launching an email-based attack. The reality is that this is not necessary, unless you craft it so badly that the target's detection system flags your email.

    People will fall for those emails even if they are badly written. Now, I am not saying everyone will, but those who are really busy and have to read and reply to emails every day -- people who order stuff from vendors all the time -- are rather likely to. They do not have time to stop and think about whether the email makes sense. They will scan, make a decision, act on it, and then move on to the next item.

  5. HTML is your friend. The vast majority of people use email clients that will render an HTML-based email. If they use Office 365, you can disguise your attack links as
    <a href=https://shadysite.com/malware.exe>https://www.safeurl.com</a>
    Sometimes, if you hover over the link, the real URL will be shown; sometimes it will not.
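The flip side of steps 3 and 5 is that both lures are mechanical enough for the receiving side to check for. The script below is an example I am adding here, not code from the original post: it parses a raw message, flags anchors whose visible text is a URL pointing at a different host than the href, and flags attachments that are executables wearing an image extension (either appended or swapped in). The sample message, and every host name in it, is a constructed placeholder for this example.

```python
# Added example (not part of the original post). Inspects a raw email for the two
# lures described above: display-text/href mismatches in HTML anchors, and
# executables disguised with a decoy (image/document) extension.
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that mean "this runs when double-clicked" on Windows.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions a disguise typically borrows so the name looks harmless.
DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body; handles unquoted hrefs."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL, tolerating a missing scheme and a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def mismatched_links(html):
    """Anchors whose visible text looks like a URL but whose href goes to another host."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        looks_like_url = text.lower().startswith(("http://", "https://", "www."))
        if href and looks_like_url and host_of(text) != host_of(href):
            findings.append({"shown": text, "actual": href})
    return findings


def disguised_attachments(msg):
    """(filename, reason) for attachments that are executables under a decoy extension."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = name.split(".")[1:]
        payload = part.get_payload(decode=True) or b""
        is_pe = payload[:2] == b"MZ"  # DOS stub header every Windows PE file starts with
        if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS and exts[-2] in DECOY_EXTENSIONS:
            findings.append((name, "double extension"))
        elif exts and exts[-1] in DECOY_EXTENSIONS and is_pe:
            findings.append((name, "executable renamed to ." + exts[-1]))
    return findings


def inspect_message(raw):
    """Parse a raw RFC 5322 message and run both checks over it."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"links": mismatched_links(html), "attachments": disguised_attachments(msg)}


def build_sample():
    """Constructed sample message mirroring the recipe; all hosts are placeholders."""
    msg = EmailMessage()
    msg["From"] = "orders@vendor-placeholder.example"
    msg["To"] = "purchasing@company-placeholder.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_alternative(
        "<p>Please review the invoice at\n"
        "<a href=https://shadysite.example/malware.exe>https://www.safeurl.example</a>\n"
        "or through <a href=\"https://safeurl.example/portal\">our portal</a>.</p>\n",
        subtype="html",
    )
    # Two lures from step 3: an appended image extension, and a plain rename.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 16
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="invoice.jpg.exe")
    msg.add_attachment(fake_pe, maintype="image", subtype="png", filename="photo.png")
    return msg.as_string()


if __name__ == "__main__":
    for kind, hits in inspect_message(build_sample()).items():
        print(kind, hits)
```

The second anchor in the sample ("our portal") is deliberately not flagged: plain-word link text is normal in legitimate mail, and the check only fires when the visible text itself claims to be a URL. A renamed executable is caught from its content, not its name, so the check does not depend on Outlook showing the extension.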

References