Testing phishing scenario’s

When I joined my company, I was asked to perform a few social engineering assessments for private and government customers alike. Previously, the assessment being done were more testing the amount of people that would click a link in a spoofed e-mail, regardless of the damage. But I wanted to step things up a bit, as I believe that phishing is often a very underrated risk, which seems to be quite effective.

Although “social engineering” is much more than phishing, we are generally asked to keep it to phishing attacks alone. We use following scenario’s to quantify the risk:

• Email attachment from unknown party: Usually we send a malicious CV (docx with a macro, rtf, …) from a free email (gmail, outlook, mail.com, ..) address.
• Email attachment from spoofed known party: If email spoofing works, this email would appear from a colleague, manager, etc., containing the malicious attachment.
• Email attachment from known party: Same as above, but sent from the proper internal email address.

If we determine that the mail client / MTA is blocking our attachments, or that the endpoints have protection to prevent these from being run, we try similar techniques but urge the victim to download the attachment. We host the malware, either as an executable or a document on a webserver somwhere, and track the downloads. We often add a ? or use mod_rewrite to track downloads and identify our users.

Aside from delivering malware, we also test for credential gathering. This is often automated by tools such as GoPhish or KingPhisher. We basically create a fake page that would request the user to give his/her credentials. With this, domain squatting comes in handy, whereby domains such as internetbank.com could easily be rewritten as internebtank.com.

In my opinion, it won’t be long until we see much more cloud based phishing services. PAAS (Phishing as a service) as it’s commonly called.

These are very targeted campaigns, if we were to attack a company in bulk, which usually is a bad idea and will get you 1.) statistical numbers and 2.) blocked quicker. You could use one of the open source or commercial tools to send very generic, non-personal emails. In my experience, targeted campaigns work a lot better.