What we can learn from how cybercriminals run phishing campaigns

Published by on October 12, 2018 in Information Security

How Cybercriminals Run Phishing Campaigns

Clever and competent IT managers are responsible for the protection of websites, servers, other network devices. They use modern tools and techniques. However, the protection and security training of end users, support reps, secretaries and other workers, leaves much to be desired.

As numerous reports show, phishing is often the most common option for cybercriminals to gain access to the target system. In this article, we’ll dive into specific techniques and tools used in phishing to help your company better understand and combat the threat.

Let’s start from the beginning, or rather with the definition of what phishing is. Phishing is a type of fraud, the purpose of which is to gain access to confidential user data, for example: usernames, passwords, and PIN numbers.

What methods do crooks use? The most popular methods are;

  • Sending fake emails with malicious links or attachments;
  • Creating fake websites;
  • Fake personal messages in social networks and other means of communication;
  • “Scattering” flash drives (physical level)

Let’s take a closer look at the process of creating web resources for phishing. This process is one of the most frequently used and is an integral element of other cyber attacks.

This article deals with the order of actions in a phishing campaign, as well as auxiliary tools.

See also: 50+ phishing statistics and facts for 2017-2018

Choosing the domain

First, hackers register a domain where their malicious web service\resource will be hosted.

  • Common techniques include replacing visually similar characters: i -> l
  • Character replacement using Punycode
  • Registering any random domain name but using a subdomain with a target name that will be visible at the beginning like admin.bankofindia.com.sample.com. It is very effective for mobile clients, where the address bar in most cases gets cut due to the screen size.
  • Register exactly the same domain in another zone, for example, bankofindia.io.
  • Using something “original” like bankofindia-blog.io.
  • Using special software that implements some of the described methods, for example, EvilURL and DomainFuzz.

Company staff should be instructed to always double check for inconsistencies in the domain both in their browser’s URL bar and after the @ symbol in email addresses.

After selecting the site name, hackers bind it to an IP address and configure additional features.

It is common for hackers to use popular hosting services that give access to the admin panel where everything can be configured in a couple of clicks. For example, they may rent a VPS at DigitalOcean for 5 USD a month.

Next steps are configuring SPF, DKIM, DMARC:

  • SPF (Sender Policy Framework) is a DNS text entry which shows a list of servers that should be allowed to send mail for a specific domain.
  • 2) DKIM (DomainKeys Identified Mail) should be instead considered a method to verify that the messages’ content are trustworthy, meaning that they weren’t changed from the moment the message left the initial mail server. This additional layer of trust is achieved by an implementation of the standard public/private key signing process.
  • 3) DMARC (Domain-based Message Authentication, Reporting and Conformance) empowers SPF and DKIM by stating a clear policy which should be used about both the aforementioned tools and allows to set an address which can be used to send reports about the mail messages statistics gathered by receivers against the specific domain.

Next, if the plan is to send phishing messages using email, it is necessary to add email accounts associated with the domain. Actual sending duties can be delegated to third-party services, which can help in some cases. For example, crooks use legitimate services like SendGrid, Mandrill, GMail for Business.

The next step is to issue an SSL certificate for the phishing domain. This allows the hacker to enable HTTPS on their fake website, which can make victims trust it more. In the past, HTTPS was usually indicative of a legitimate website, but that’s no longer always the case, and company staff should be made aware of this.

Let’s Encrypt works perfectly well for this. There are a lot of deployment scripts for it depending on the web server used.

To enable HTTPS on your website, the hacker needs to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, they just have to demonstrate control over the domain. Plus plenty of hosting providers offer free built-in support for Let’s Encrypt.

Creating fake copies of legitimate web pages

Phishing relies on fake web pages that look identical to legitimate web pages to trick victims into entering private information, such as a password. The first option is to copy the authentic site either manually through the browser or using GNU Wget. It is necessary to change links, copy styles and images, see what requests are sent when users try to authenticate on the page, and make a script that will copy the data sent to it.

In the end, some make an optional redirect to the original page. There are many examples of such scripts on the internet.

In light of this, company staff should be made aware that phishing websites can look perfectly identical to the authentic site they’re impersonating, so appearance is not a good way to judge whether a site is legitimate or not.

The second option is to use the Social-Engineer Toolkit. In general, this is not the best option, since it involves its own web server. On the topic of phishing frameworks, a couple more include: Gophish and  King Phisher

Sending phishing emails

Phishing scammers need to collect a lot of email addresses. Where from? There are many options:

The topic of an OSINT (open-source intelligence) is beyond the scope of this article, but I will give you a couple of links where you can learn more about the services, approaches, and tools available: OSINT Framework, Awesome OSINT  Good OSINT can greatly help in targeted phishing attacks, but the labor costs are quite high and is rarely used in low level attacks.

Company staff should assume that all of their email addresses are publicly available and anyone, including scammers, can target them.

Creating phishing emails

Once the email addresses have been collected, it is time to conduct a test email campaign. Crooks usually do it using a separate domain. Test campaigns help understand what a typical company email message looks like, how signatures look, the general format of the message, its headings, any antispam tools, the mail client used, and other things.

Most companies use their own signature design that includes employee’s full name, position, contact details, etc. Hackers just copy it, paying attention to the structure, visual design (color, font), etc.

Any email contains headers that may help understand whether a filtering system is used, or to provide details on specific email clients or web interfaces.

Speaking of spam filters, before sending any new emails out, crooks test their messages with SpamAssassin on a separate system. SpamAssassin provides a “Score” – a subjective assessment of the probability that a specific email is spam. This score is an opportunity to make edits before sending actual emails to ensure they don’t get caught in spam filters.

As for the subject line of the email, simple and common ones are used:

  • Please sign documents
  • Survey
  • Work schedule for holidays

If the letter is in HTML format and there are links to third-party resources (styles, images), then some email clients will block such content by default, though it can be unlocked by the user. Hackers use social engineering tricks to make users click. For example, a message may encourage users to view an infographic or coupon.

Company staff should be instructed to keep an eye out for these common tricks and never click on links or attachments in unsolicited emails.

Sometimes crooks specify multiple recipients (the Cc header) within the same company. Sometimes they use Fwd or Re in the subject line – all this adds trust.

See also: Common phishing scams

Email attachments

Once the text is ready, it is time to proceed to the attachments. Hackers may not only be interested in getting victims to open emails. They may also want to penetrate the recipient’s device with malware, and email attachments are a prime avenue for doing so.

What do crooks usually send? Basically, Microsoft Office documents, and sometimes archives. Sending typical executable extensions (.exe) is almost 100 percent certain to be stopped by a spam filter. It is strange, but companies filter almost all potentially dangerous file extensions in attachments, but allow RAR, ZIP, and other archives to go through.

In the case of office documents, the following options are used:

If hackers are only interested in registering an attempt to open a file, they have a few methods to do so:

  • Accessing an external source (sometimes with the possibility of leaking useful data)
  • Signing the document with a digital certificate
  • Monitoring contact with the CRL or Timestamp servers.

Again, staff should never click on attachments in unsolicited emails and be particularly wary of Microsoft Office documents and compressed files.

Social networks

For social networks and other means of communication, the approach is not much different from general email phishing. Darknet forums contain dumps with copies of personal correspondence and chats. These are aimed at forming a trusted relationship with a victim that leads to sending them a malicious link or file.

Company staff should be aware that they can be targeted through social media as well as email.

Physical media

Hackers might leave USB flash drives or other physical media lying around in order to lure victims into inserting them into their personal devices. The tactics vary widely, but usually, in one form or another, there is an opportunity to interact with employees. In most cases, crooks use Rubber Ducky or its cheap replicas from AliExpress.

Company IT staff should set a policy disallowing the use of personal USB devices in the office.

The impact of phishing

Things tend to get out of hand if a user happens to get on the crooks’ hook, especially if the target is a company employee. Having obtained sensitive access credentials, the adversary may steal intellectual property and other proprietary corporate materials. Furthermore, they can damage the company’s reputation by disclosing some internal communications – ultimately, this will undermine customers’ trust for the brand. In some cases, hackers start to blackmail organizations. To top it off, in some scenarios organizations may additionally face direct costs by having to pay fines for violating regulations like HIPAA and cover compensations to staff or customers for failing to protect their identity.

Regular users run the risk of losing their money over phishing if the criminals gain access to their bank account. A successful attack can also prop extortion attempts, where the perpetrators demand a ransom for not disclosing some embarrassing information about the victim. Installing malware on recipients’ computers is another possible vector of the malefactors’ activity.

At the end of the day, phishing attacks always result in adverse consequences for both corporate and home users. To stay safe, be sure to look out for the red flags listed above and treat suspicious emails with a bit of reasonable paranoia. More tips on avoiding phishing can be found in our guide here.

See also: What is spear phishing?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.