How do you send realistic test phishing emails?
One of the most frequent questions my customers ask is: How is phishing so successful and how do attackers do it?
It's a simple question, but not one you'll easily find an answer to. Attackers don't want defensive security vendors to know their techniques, and defensive security vendors don't publish them either, as they're typically considered proprietary information. In light of this, I'm looking to provide advice to IT and security practitioners on how phishing attacks are conducted and how your email infrastructure or employee information could be abused by an attacker.
What is email phishing?
"Most phishing emails are not personalised or targeted to a specific individual or company–this is termed "bulk" phishing. More targeted forms of email phishing include spear phishing, whaling, CEO fraud and clone phishing" - Wikipedia
The first thing to understand is that phishing emails need to convince targets that they're real, while also avoiding certain red-flags that an email filter would use to prevent the email from ending up in an inbox in the first place. Considering this, we'll break phishing emails down to their core components and analyse the techniques attackers use for each:
- Abusing lookalike, compromised or spoofable domains
- Gaining access to high reputation email infrastructure
- Abusing personally identifiable information to create targeted phishing
- Creating phishing emails that masquerade as popular services
- Choosing the payload that suits the attacker's goals and motivations
1. Abusing lookalike, compromised or spoofable domains
This component of a phishing email is all about the address the email appears to come from. It's often the first thing a target sees, so it's crucial that the address appears to belong to a sender the target trusts. To achieve this, attackers have a number of techniques at their disposal:
1.1 Spoofing email display names
Sophistication: Moderate --- Difficulty: Low --- Frequency: Widespread
Setting an arbitrary display name on an email's 'From' header is a feature anyone can abuse. The display name is free text chosen by the sender and is typically used for legitimate purposes, such as identifying yourself by your name, title, team or company, but it's also commonly abused with malicious intent. No email authentication protocol validates it: SPF, DKIM and DMARC only deal with the domain in the address part of the header, so a message sent from, for example, attacker@gmail.com with the display name "Microsoft Account Team" passes every check. Many mail clients, particularly on mobile, show only the display name unless the recipient taps on it, which is exactly what attackers count on.
1.2 Purchasing lookalike phishing domains
Sophistication: Moderate --- Difficulty: Moderate --- Frequency: Widespread
Purchasing domains that look like those used by legitimate services is a common technique among cyber criminals. All an attacker needs is around $12 to spend with a domain registrar; they configure the domain's SPF record (and often DKIM and DMARC as well) and are then free to use it for email phishing. Because the attacker genuinely owns the domain, every authentication check passes. The only thing that gives the email away is the visual difference between the lookalike and the real domain, such as a swapped character (paypa1.com), a different TLD, or the brand name embedded as a subdomain or hyphenated token.
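To show how the two techniques above look in a raw header and how a receiver can triage them, here is an added example (not code from the original post or from CanIPhish) that parses a From: header value and flags display-name tricks and lookalike sender domains. The trusted-domain list, the homoglyph table and the sample headers are constructed assumptions, and the registrable-domain helper simply takes the last two labels rather than consulting a public suffix list.

```python
"""Triage a From: header for display-name spoofing and lookalike domains.

Added example; trusted domains, homoglyph table and sample headers are constructed."""
import re
import unicodedata
from email.utils import parseaddr

# Assumption: the domains this organisation treats as genuine senders.
TRUSTED_DOMAINS = {"caniphish.com", "microsoft.com", "paypal.com"}

# Character swaps commonly used when registering lookalike domains. This fold is
# deliberately lossy ('modern' becomes 'modem'), which is acceptable for a heuristic.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"))


def normalise(label: str) -> str:
    """Fold accents, case and homoglyphs so 'PayPa1' and 'paypal' compare equal."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for bad, good in HOMOGLYPHS:
        folded = folded.replace(bad, good)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution covers most typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels. Assumption: no public-suffix list, so 'x.co.uk' would be mis-split."""
    return ".".join(domain.lower().split(".")[-2:])


def domain_verdict(domain: str) -> str:
    """Classify the sender domain against the trusted list."""
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    base = normalise(reg.split(".")[0])
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # Same brand label under another TLD or with homoglyphs (paypal.co, micros0ft.com),
        # or a single edit away (paypall.com).
        if base == brand or levenshtein(base, brand) == 1:
            return f"lookalike-of:{trusted}"
        # Brand used as a subdomain or hyphenated token (paypal.com.evil.net, paypal-secure.com).
        if brand in normalise(domain):
            return f"brand-embedded:{trusted}"
    return "unknown"


def triage_from(header: str) -> dict:
    """Parse a raw From: header value and flag display-name and domain tricks."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    verdict = domain_verdict(domain) if domain else "no-address"
    name_folded = normalise(name)
    # Addresses smuggled into the display name: "Jane <jane@corp.com>" <attacker@gmail.com>
    smuggled = re.findall(r"[\w.+-]+@([\w.-]+)", name)
    brand_in_name = any(t.split(".")[0] in name_folded for t in TRUSTED_DOMAINS)
    spoofed_name = (brand_in_name and verdict != "trusted") or any(
        registrable(d) != registrable(domain) for d in smuggled
    )
    return {
        "display_name": name,
        "address": addr,
        "domain_verdict": verdict,
        "display_name_spoof": spoofed_name,
    }


# Constructed sample headers, not taken from any real campaign.
SAMPLES = [
    '"PayPal Support" <support@paypa1.com>',
    '"Microsoft Account Team" <no-reply@microsoft.com>',
    '"Sebastian Salla <sebastian@caniphish.com>" <attacker@gmail.com>',
    "IT Helpdesk <helpdesk@caniphish.com.login-portal.net>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_from(sample))
```

The third sample is the display-name trick at its most convincing: a full name plus a genuine-looking address inside the quoted display name, with the real (unrelated) sender address hidden in the angle brackets. Note that the check only reasons about what the header says; whether the visible domain was actually authenticated is a separate SPF/DKIM/DMARC question.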
1.3 Spoofing domains through SPF-bypass
Sophistication: High --- Difficulty: Moderate --- Frequency: Common
Spoofing domains can occur in a number of different ways... In fact, we've documented six different spoofing techniques that attackers can abuse. One technique in particular is frequently abused and allows attackers to bypass SPF authentication checks by misaligning an email's SMTP envelope sender (the RFC 5321 MAIL FROM address) and its message header From address (the RFC 5322 From). SPF is evaluated against the envelope MAIL FROM domain, but email clients display the header From. An attacker therefore sets the envelope sender to a domain they control and for which SPF passes, while placing the trusted domain in the header From. DMARC closes this gap with an alignment check, which requires the domain that passed SPF (or that signed the message with DKIM) to match the header From domain, but many organisations either publish no DMARC record at all or publish one with p=none, which only asks receivers to report failures rather than quarantine or reject the email. For a demonstration of how this attack works, click here.
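The following added example (not from the original post or from CanIPhish) models the receiving side of that check: SPF is evaluated on the envelope MAIL FROM domain, DMARC then asks whether that domain aligns with the header From domain, and the published policy decides what happens on failure. The domains, SPF results and DMARC record strings are constructed, no DNS lookups are made, and the organisational-domain helper assumes two labels rather than consulting a public suffix list.

```python
"""How SPF, DMARC alignment and the DMARC policy combine when the envelope sender
and the header From disagree. Added example; all domains and records are constructed.

What the wire looks like for the SPOOF scenario below (constructed transcript):
    MAIL FROM:<bounce@attacker-owned.example>   <- SPF is evaluated on this domain
    RCPT TO:<finance@target.example>
    DATA
    From: "CEO" <ceo@victim.example>            <- this is what the mail client shows
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; aspf=s' into tags, with RFC 7489 defaults filled in."""
    tags = {"p": "none", "aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain. Assumption: last two labels, no public-suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def spf_aligned(mail_from_domain: str, header_from_domain: str, mode: str) -> bool:
    """DMARC SPF identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return mail_from_domain.lower() == header_from_domain.lower()
    return org_domain(mail_from_domain) == org_domain(header_from_domain)


@dataclass
class Message:
    mail_from: str              # RFC 5321 MAIL FROM: what SPF is evaluated against
    header_from: str            # RFC 5322 From: what the mail client displays
    spf_result: str             # SPF verdict for mail_from's domain and the sending IP
    dkim_aligned: bool = False  # an aligned DKIM pass would also satisfy DMARC; assumed absent


def dmarc_evaluate(msg: Message, dmarc_record: Optional[str]) -> dict:
    """Combine SPF, alignment and policy the way a receiving MTA does.

    dmarc_record is the TXT record the receiver would fetch from
    _dmarc.<header From domain>, or None if the domain publishes none."""
    mail_from_domain = msg.mail_from.rsplit("@", 1)[1]
    header_from_domain = msg.header_from.rsplit("@", 1)[1]
    tags = parse_dmarc(dmarc_record or "")  # empty string yields the defaults
    aligned = spf_aligned(mail_from_domain, header_from_domain, tags["aspf"])
    result = {"spf": msg.spf_result, "aligned": aligned, "shown_to_user": msg.header_from}
    if dmarc_record is None:
        # Without a record there is no alignment requirement: a passing SPF on the
        # attacker's own domain is all the receiver sees.
        result.update(dmarc="no-record", action="deliver")
        return result
    dmarc_pass = (msg.spf_result == "pass" and aligned) or msg.dkim_aligned
    if dmarc_pass:
        action = "deliver"
    else:
        action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
    result.update(dmarc="pass" if dmarc_pass else "fail", action=action)
    return result


# Constructed scenarios. The attacker owns attacker-owned.example and publishes a valid
# SPF record for it, so SPF passes; the header From claims the victim's domain.
SPOOF = Message("bounce@attacker-owned.example", "ceo@victim.example", "pass")
# A genuine message from the victim's own mail relay, sent via a subdomain.
LEGIT = Message("bounce@mail.victim.example", "ceo@victim.example", "pass")

if __name__ == "__main__":
    for label, msg in (("spoof", SPOOF), ("legit", LEGIT)):
        for record in (None, "v=DMARC1; p=none", "v=DMARC1; p=reject", "v=DMARC1; p=reject; aspf=s"):
            print(label, record, "->", dmarc_evaluate(msg, record))
```

Two things the scenarios make visible: with no record or with p=none the spoof is delivered even though the receiver computed a DMARC failure, and switching a legitimate domain to aspf=s without also moving the envelope sender onto the exact header From domain turns that domain's own mail into rejected mail. Hardening is p=quarantine or p=reject, rolled out after the rua reports show the organisation's real senders are aligned.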
2. Gaining access to high reputation email infrastructure
This component of a phishing email is all about the actual delivery of an email from the sender to the recipient. Cyber criminals will often attempt to gain access to high reputation email infrastructure to increase the likelihood that their emails land in target inboxes. Typically, attackers will use one of three techniques to do this:
2.1 Abusing freemium email marketing/delivery services
Sophistication: Low --- Difficulty: Low --- Frequency: Widespread
Attackers will often abuse free or freemium email services such as Gmail, Campaign Monitor, SMTP2GO, etc. for the delivery of phishing emails. The providers of these services closely monitor their platforms and will quickly ban any user who abuses them with malicious intent. For this reason, attackers will only ever see short-term success on these platforms, or will reserve them for highly targeted, non-bulk phishing campaigns.
2.2 Compromising email infrastructure operated by legitimate businesses
Sophistication: High --- Difficulty: High --- Frequency: Uncommon
If an attacker can compromise the email infrastructure of a business, they will often abuse it for the delivery of bulk spam and phishing, and even use it for highly targeted spear phishing against the business's customers. The benefit to attackers is that businesses often maintain high reputation email infrastructure, as it typically delivers legitimate email. Because of this, email filtering technologies place a higher level of trust in emails received from these servers and are less likely to flag them as malicious.
2.3 Purchasing email infrastructure from unsuspecting hosting providers
Sophistication: Moderate --- Difficulty: Moderate --- Frequency: Common
Hosting providers such as Azure, GCP, DigitalOcean, etc. will typically restrict their customers from using the platform for the delivery of outbound email. This restriction usually comes in the form of blocking outbound connections from servers to other SMTP servers over port 25. With a bit of social engineering of the provider's support process, this can typically be bypassed. While these cloud providers don't monitor abuse of their computing infrastructure as closely as freemium email service providers do, if an external threat intelligence organisation flags the attacker's IP address as sending malicious material, the provider will take immediate action to disable the account. For this reason, threat actors will typically only use this infrastructure for non-bulk, targeted phishing.
3. Abusing personally identifiable information to create targeted phishing
With major data breaches making headlines on a near weekly basis (such as Optus and Medibank at the time of writing), it's becoming increasingly easy for cyber criminals to gain access to target information such as email addresses, first names, last names and employers. Attackers will leverage this information to either directly target an individual or find out more about them through social media and other open-source intelligence techniques. Equipped with this information, an attacker can work out what type of phishing material a target may be susceptible to (e.g. crypto, banking or local government themed phishing). To see how simple information such as first and last names can drastically impact phish click rates, simply look at our Phishing Email Inbox Simulator.
4. Creating phishing emails that masquerade as popular services
With the prevalence of the internet and how intertwined the average individual is with it, any given target may be using dozens or even hundreds of internet-connected services: online banking, social media, online retail, cloud storage, cloud collaboration and much more. It's easy to see how a cyber criminal could guess a service that a large number of targets are likely using. To masquerade as a legitimate service, all an attacker needs to do is either identify an open-source repository of phishing emails they can leverage, or simply sign up for a free account with the given service provider and replicate an email such as those sent for forgotten passwords, account lockouts, etc. To take a look at what a phishing email library may look like, simply look at what CanIPhish provide.
5. Choosing the payload that suits the attackers goals and motivations.
Cyber criminals are typically motivated by one of three things: stealing sensitive information such as military or trade secrets, extorting organisations through ransomware-style attacks, or directly stealing money through CEO fraud and Business Email Compromise. To achieve these goals, attackers will typically use one of three payload methods:
5.1 Credential Harvesting
Sophistication: Moderate --- Difficulty: Moderate --- Frequency: Widespread
Typically comes in the form of a malicious link embedded within an email. When clicked, the target is led to a phishing website which masquerades as a trusted service and asks for login credentials. Once entered, the cyber criminal can assume the identity of the target and steal, or hold to ransom, whatever information that account can reach.
5.2 Endpoint Compromise
Sophistication: Moderate --- Difficulty: High --- Frequency: Common
Typically comes in the form of an attachment embedded within an email. When downloaded and opened, the target's endpoint is compromised and the attacker can immediately control the target's computer. From here, an attacker can perform a variety of actions such as stealing information, extorting the victim over that information, and even moving laterally into any networks the endpoint has access to.
5.3 Reply-To Attack
Sophistication: Low --- Difficulty: Moderate --- Frequency: Widespread
Typically comes in the form of an email where the attacker entices the target to respond directly. It takes its name from the Reply-To header: the attacker sets it to a mailbox they control, so that even when the visible From address is a spoofed or lookalike executive address, every reply lands in the attacker's inbox. This type of payload is typically multi-staged and socially engineers the individual into trusting the attacker's identity... the attacker may pretend to be an executive, customer or trusted partner who needs a payment made or bank account details updated, resulting in the theft of money.
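As an added example (not from the original post or from CanIPhish), the block below constructs the kind of lure just described with Python's standard email library and then runs the check a mail gateway or triage script could apply to it: does the Reply-To redirect responses to a different organisational domain, and is that domain a consumer mailbox provider? The addresses, the freemail list and the lure text are constructed assumptions.

```python
"""Build a Reply-To lure and detect the redirection it relies on.

Added example; addresses, freemail list and lure text are constructed."""
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: consumer mailbox providers an executive would not use for company business.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com", "proton.me"}


def org_domain(domain: str) -> str:
    """Last two labels. Assumption: no public-suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def build_reply_to_lure() -> str:
    """The attacker's message: the From claims the CEO, the Reply-To is the attacker's inbox.

    Whether a receiver accepts the spoofed From depends on victim.example's DMARC policy;
    the Reply-To works regardless, because clients honour it silently when replying."""
    msg = EmailMessage()
    msg["From"] = '"Jane Doe" <jane.doe@victim.example>'
    msg["Reply-To"] = "jane.doe.ceo@gmail.com"
    msg["To"] = "accounts.payable@victim.example"
    msg["Subject"] = "Quick favour - urgent supplier payment"
    msg.set_content(
        "Are you at your desk? I need a payment processed today. "
        "Reply here, I am in meetings and can't take calls."
    )
    return msg.as_string()


def reply_to_check(raw: str) -> dict:
    """Flag a Reply-To that sends responses somewhere other than the displayed sender."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rsplit("@", 1)[1].lower() if "@" in from_addr else ""
    reply_dom = reply_addr.rsplit("@", 1)[1].lower() if "@" in reply_addr else ""
    if not reply_dom:
        # No Reply-To: replies go back to the From address, nothing to flag here.
        return {"from": from_addr, "reply_to": None, "redirected": False, "freemail_reply": False}
    return {
        "from": from_addr,
        "reply_to": reply_addr,
        # Relaxed comparison: a Reply-To on a subdomain of the sender's own org is normal.
        "redirected": org_domain(reply_dom) != org_domain(from_dom),
        "freemail_reply": reply_dom in FREEMAIL,
    }


if __name__ == "__main__":
    lure = build_reply_to_lure()
    print(lure)
    print(reply_to_check(lure))
```

Either flag on its own is weak (helpdesk systems legitimately set Reply-To to a ticketing domain), but an executive From address combined with a Reply-To on a freemail domain is a reliable signal for a finance team to verify out of band before acting.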
Sending realistic phishing emails may sound like an easy activity, but when you bundle together all the infrastructural components necessary to kick off a phishing campaign, the technical difficulty adds up. It's for this reason that there are cyber criminals who specialise in phishing and offer phishing kits to the highest bidder. These phishing kits attempt to automate many of the components necessary to successfully conduct a phishing campaign, with attackers often only needing to supply their own email server, domain and target list to get started.
The team at CanIPhish look to protect against phishing by training your last and most effective line of defence... your employees. To get started, all you need to do is sign-up for a free account and begin sending simulated phishing content. If you'd like to check if your domain is vulnerable to domain spoofing, simply use CanIPhish's Domain Tools to identify this for you.
If you have any questions or need additional advice on how to detect phishing attacks, please feel free to reach out to me directly via Email, LinkedIn or the CanIPhish Contact us page.
A Security Professional who loves all things related to Cloud and Email Security.