Cyber criminals are constantly coming up with new and innovative techniques to deliver phishing emails that trick employees.
Understanding what these techniques are, how you can spot them, and how you can replicate them is not something you'll easily find an answer for.
The reason for this is that attackers don't want security vendors to know their techniques, and security vendors don't want to publish these techniques, as it's typically considered proprietary information.
In this article, we'll look to shed some light on how phishing attacks are conducted and how you can replicate these techniques to deliver realistic test phishing emails.
What You'll Learn In This Article
How to use domain spoofing to add an additional layer of realism to test phishing emails.
How attackers can abuse email marketing platforms to deliver phishing emails.
How to use personal information such as first names, last names, and job titles to personalize phishing.
Where you can find a library of phishing emails to select from for your test phishing campaign.
How to embed malicious payloads within your test phishing emails.
What Is A Phishing Email?
Phishing emails are used to perform social engineering attacks where cyber criminals attempt to convince victims that they're from a legitimate sender. To do this, cyber criminals will commonly attempt to masquerade as seemingly legitimate services or individuals and abuse an implicit trust relationship that the victim has with that service or individual.
The end goal of a phishing attack is to steal sensitive information, harvest account credentials, or directly steal funds through a business email compromise attack (e.g., gift card scams). Considering this, phishing emails need to utilize a variety of tactics and techniques to ensure their success. In the following steps, we'll delve into these tactics and techniques.
Step 1. Abusing Lookalike, Compromised Or Spoofable Domains
This component of a phishing email is all about the address from which a phishing email appears to come. This is often the first thing a target sees; accordingly, it's crucial that the target believes the address appears to come from a trustworthy sender. To do this, attackers have a number of techniques at their disposal:
1.1 Spoofing Email Display Names
Spoofing an email's 'From' display name is a feature that anyone can abuse. This feature is typically used for a range of legitimate purposes, such as identifying yourself by your name, title, the team you represent, or company. However, it's also commonly abused with malicious intent.
1.2 Purchasing Lookalike Phishing Domains
Purchasing domains that look like those used by legitimate services is a common technique used by cyber criminals. All an attacker needs is USD$12 to spend with a domain registrar; once they have configured the domain's SPF records, they're free to use it for email phishing.
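The following is an added example, not code from the original article or from CanIPhish, showing how a defender can flag the two sender-address tricks described in 1.1 and 1.2 from a message's From header alone. The trusted domain list, the homoglyph table, and the sample header values are constructed placeholders.

```python
"""Flag display-name spoofing and lookalike domains in a From header.

Added example; TRUSTED_DOMAINS and the sample headers are constructed values.
"""
import re
from email.utils import parseaddr

# Domains this organisation treats as its own or as trusted senders (placeholder).
TRUSTED_DOMAINS = ("example.com", "example.org")

# Character substitutions commonly used in lookalike registrations (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalise(domain):
    """Undo common lookalike substitutions so 'examp1e.com' compares as 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain):
    """True for a trusted domain or any of its subdomains (exact label match only)."""
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def check_from_header(from_header):
    """Return a list of finding labels for a single From header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1.1 Display-name spoofing: an address written into the friendly name that
    # differs from the real address, or a trusted brand name on an untrusted domain.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and embedded.group(0).lower() != addr.lower():
        findings.append("display-name-address-mismatch")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower() and not is_trusted(domain):
            findings.append("display-name-brand-impersonation")
            break

    # 1.2 Lookalike domain: a homoglyph or short-edit-distance variant of a
    # trusted domain that is not actually one of them.
    if domain and not is_trusted(domain):
        for trusted in TRUSTED_DOMAINS:
            if normalise(domain) == trusted or edit_distance(domain, trusted) <= 2:
                findings.append("lookalike-domain:" + trusted)
                break
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one spoofed, one legitimate.
    for header in ('"IT Support <helpdesk@example.com>" <alerts@examp1e.com>',
                   "Example Helpdesk <helpdesk@mail.example.com>"):
        print(header, "->", check_from_header(header))
```

The checks are deliberately header-only so they can run at the mail gateway before any reputation lookups; a production filter would also consult the Public Suffix List when deciding what counts as a subdomain, rather than relying on the simple label-suffix test used here.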
SPF-bypass is a frequently abused technique that lets attackers pass SPF authentication checks by misaligning an email's Mail Envelope From address and its Mail Body From address. SPF checks are conducted against the Mail Envelope From, but email clients display the Mail Body From. DMARC includes an alignment check to protect against this, but many organizations haven't adequately hardened their DMARC records to enforce it.
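As an added example (not code from the original article or from CanIPhish), the block below makes the two sides of that paragraph concrete: it evaluates whether the envelope From domain aligns with the header From domain under DMARC's relaxed and strict modes, and it grades a DMARC TXT record for the settings that leave misaligned mail unenforced. The simplified organisational-domain rule, the sample addresses, and the sample records are assumptions constructed for the demo.

```python
"""DMARC SPF-alignment check and DMARC record assessment.

Added example; sample domains and records are constructed placeholders.
"""
from email.utils import parseaddr


def org_domain(domain):
    """Organisational domain, simplified to the last two labels.
    Real DMARC evaluation uses the Public Suffix List; this assumption is
    adequate for demo domains such as example.com."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def spf_alignment(envelope_from, header_from, mode="r"):
    """True if the RFC5321.MailFrom domain aligns with the RFC5322.From domain.
    mode 'r' (relaxed) compares organisational domains; 's' (strict) requires
    an exact match. SPF may pass on the envelope domain and still fail here,
    which is exactly the misalignment the SPF-bypass trick relies on."""
    env_domain = parseaddr(envelope_from)[1].rsplit("@", 1)[-1].lower()
    hdr_domain = parseaddr(header_from)[1].rsplit("@", 1)[-1].lower()
    if mode == "s":
        return env_domain == hdr_domain
    return org_domain(env_domain) == org_domain(hdr_domain)


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """List the settings that let misaligned mail through or go unnoticed."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not-a-dmarc-record"]
    issues = []
    policy = tags.get("p", "none")
    if policy == "none":
        issues.append("p=none: alignment failures are reported but never enforced")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: only part of the failing mail is subject to the policy")
    if policy != "none" and tags.get("sp") == "none":
        issues.append("sp=none: subdomains are exempt from the enforced policy")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, so spoofing attempts go unnoticed")
    return issues


# Constructed sample records: a weak one and a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; aspf=s; adkim=s; "
                   "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    print(spf_alignment("<bounce@mail-relay.test>", "alerts@example.com"))    # misaligned
    print(spf_alignment("<bounce@mail.example.com>", "helpdesk@example.com"))  # relaxed pass
    print(assess_dmarc(WEAK_RECORD))
    print(assess_dmarc(HARDENED_RECORD))
```

The hardened record uses aspf=s so that only an exact envelope/header domain match counts as aligned; with the default aspf=r, any subdomain of the organisational domain would also satisfy the check, which is acceptable for many deployments but worth knowing when reviewing a record.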
Step 2. Gaining Access To High Reputation Email Infrastructure
This component of a phishing email is all about the actual delivery of an email from the sender to the recipient. Cyber criminals will often attempt to gain access to high-reputation email infrastructure to increase the likelihood that their emails will land in target inboxes. Typically, attackers will use one of three techniques to do this:
2.1 Abusing Freemium Email Marketing Services
Attackers will often abuse free or freemium email services, such as Gmail, Campaign Monitor, SMTP2GO, etc., for the delivery of phishing emails. The providers of these services closely monitor their respective platforms and will quickly ban any users who abuse them for malicious intent. For this reason, attackers will only ever see short-term success on these platforms, or will only be able to use them for highly targeted, non-bulk phishing campaigns.
2.2 Compromising Email Infrastructure Operated By Legitimate Businesses
The benefit to attackers is that businesses often maintain high reputation email infrastructure as they typically deliver legitimate emails. Because of this, email filtering technologies will place a higher level of trust in emails received from these servers and be less likely to flag them as malicious.
2.3 Purchasing Email Infrastructure From Unsuspecting Hosting Providers
Hosting providers such as Azure, GCP, DigitalOcean, etc., will typically restrict their customers from using their platforms for the delivery of outbound emails from virtual machines. This restriction usually comes in the form of preventing servers from connecting outbound to other SMTP servers over port 25.
However, with a bit of social engineering, this restriction can typically be bypassed. While these cloud providers don't monitor abuse of their computing infrastructure as closely as freemium email service providers, if an external threat intelligence organization flags your IP address as sending malicious material, they will take immediate action to disable your account. For this reason, threat actors will only typically use this infrastructure for spear-phishing attacks.
Step 3. Abusing Personally Identifiable Information To Create Targeted Phishing
With major data breaches making headlines on a near-weekly basis, it's becoming increasingly easy for cyber criminals to gain access to target information such as email addresses, first names, last names, and employers. Attackers will leverage this information to either directly target an individual or learn more about them through social media and other open-source intelligence techniques.
To an attacker, personally identifiable information can indicate what type of phishing material a target may be susceptible to (e.g., Crypto, Banking, or Local Government-themed phishing). To see how simple information such as first names and last names can drastically impact phish click rates, look at our Phishing Email Inbox Simulator.
Step 4. Creating Phishing Emails That Masquerade As Popular Services
With the prevalence of the internet and how intertwined the average individual is with it, any given target may be using dozens or even hundreds of internet-connected services: online banking, social media, online retail, cloud storage, cloud collaboration, and much more. It's easy to see how a cyber criminal could guess a service that a large number of targets are likely using.
To masquerade as a legitimate service, all an attacker needs to do is either identify an open-source repository of phishing emails they can use or sign up for free accounts within the given service provider and replicate an email such as those provided for forgotten passwords, account lockouts, etc.
Step 5. Embedding Malicious Payloads
Cyber criminals are typically motivated by one of three things. They either want to steal sensitive information such as military or trade secrets, blackmail organizations through ransomware-style attacks, or directly steal money through CEO fraud and Business Email Compromise. To achieve these goals, attackers will typically use one of three payload types:
5.1 Credential Harvesting
Credential harvesting attacks typically come in the form of a malicious link embedded within an email. When clicked, the target is led to a phishing website, which masquerades as a trusted service and asks for login credentials. Once credentials are provided, the cyber criminal can then assume the identity of the target and steal information.
5.2 Endpoint Compromise
Endpoint compromise attacks typically come in the form of an attachment embedded within an email. When downloaded and opened, the target then has their endpoint compromised, and an attacker can instantaneously control the target's computer.
Once an endpoint is compromised, the attacker can perform various actions such as stealing information, using that information for blackmail, and even moving laterally onto any networks the endpoint may have access to.
5.3 Reply-To Attacks
Reply-to attacks typically come in the form of an email where an attacker is enticing the target to respond to the email directly. This type of payload is typically multi-staged and socially engineers an individual to trust the attacker's identity. The attacker may pretend they're an executive, customer, or trusted partner to build trust. Once trust is obtained, the attacker will progress to the next stage of their attack, which is usually financially motivated.
Sending realistic phishing emails may sound like an easy activity, but when you bundle together all the infrastructural components necessary to kick off a phishing campaign, the technical difficulty adds up. It's for this reason that there are cyber criminals who specialize in phishing and offer phishing kits to the highest bidder. These phishing kits attempt to automate many components necessary to successfully conduct a phishing campaign, with attackers often only needing to supply their own email server, domain, and target list to get started.
The team at CanIPhish looks to protect against phishing by training your employees to be human firewalls. To get started, all you need to do is sign up for a free account and begin sending simulated phishing emails.