Hello everyone and welcome to the first installment of Phishing with Minks.
To start off, here’s a bit about myself and this new series.
I love fishing. Most of my free time away from the screen is spent on creeks chasing rainbows and smallies. For me, the rush of catching a trophy lunker really is hard to beat. And if the lunkers aren’t biting, the soothing lullaby of the creek will do me just fine. It is a great way to escape the continued chaos in the cyber world and connect with the physical world and universe that we live in.
It’s funny that my way to escape is through fishing, because the reason I often need to escape in the first place is phishing. Waiting for the next dreaded phone call about an organization in need of support is something that often keeps me up at night. But, as stressful as it can tend to be, I realize how important my line of work is in helping people. And so was born Phishing with Minks.
The goal of this series is going to be arm you with knowledge you’ll need to identify and catch a big phish–and prevent it from causing mayhem in your enterprise. I might even eventually give you a few tips on how to reel in some big fish as well, but let’s drop one line at a time.
Setting the Stage
I’m sure you all know what phishing is, so I’ll spare you the high level. If you want a refresher, go check out this great overview from Team Ambush.
Instead, we’re going to start this by building the blocks of a successful attack. To do this, it’s important to understand the people behind these attacks, their thought process and skill sets, and how they identify and target you and your business. Throughout the series we’ll continue to build this knowledge until you have a solid understanding of all the aspects involved in a successful phish.
What is Social Engineering?
So, let’s start really simple–you really need to understand what a phish is. A phish is a social engineering attack.
What is social engineering?
A social engineering attack is just like any other attack–it relies upon the identification of a vulnerability and successful exploit of the said vulnerability.
In this case, the vulnerability is you, and the exploit is tricking you into doing something that can be used for the attacker’s benefit. I almost said unknowingly, but that wouldn’t be fair. I often see that folks do realize they’ve been had, but fear strikes. They don’t know what to do, and just quietly sit back and hope nothing happens. We’ll go into that more later in the series, I promise.
Social engineering is nothing new. Conmen of days of old made a living off of tricking innocent folks time and time again. Gregor MacGregor was a Scottish soldier who ran a scam that lasted for nearly 16 years during the early 1800s in which he convinced British and French nationals that a paradise, Cazique of Poyais, existed in South America. Many invested heavily in this fake territory through purchasing bonds and land certificates. Unfortunately, the scam went so far that over 250 British and French nationals migrated across the ocean to find nothing but a very unforgiving jungle. A large number of these immigrants met their ultimate demise as a result of this old school social engineer.
Human life impact is the most serious result we ever encounter–and potential of this continues to exist today.
Social Engineering for Good
On the flip side, many social engineers use their power for good.
Penetration testers go to work everyday developing simulated attacks and testing clients in social engineering exercises built to assist and empower them to prevent the adversary from doing the same.
Law enforcement use their skills to extract information from targets that can be used to solve crimes.
Executive recruiters utilize ethical methods to identify good candidates to fill needed employment positions.
You probably even use some social engineering techniques to influence your children into making better decisions—and I’m sure they use techniques against you to do get what they want.
A Combination of Efforts
Social engineering attacks are nothing new, and they are more prevalent today than ever before. Year after year we continue to see a rise in the frequency of these attacks as well as the sophistication of the attack. There is one simple reason why social engineering attacks are here to stay–they work!
Social engineering attacks rely on the success of many other initiatives like identifying an entity to target, identifying individuals within the target, determining the valuable targets and assets within that entity, gathering information on your target that can be used to build the attack, building rapport/context/influence, designing a lucrative attack vector, successfully delivering your attack, and so on.
We will continue to dive deep into each of these initiatives, so you understand the mind of the attacker and hopefully use this to up your defenses.
The Best Place to Start
I see so many companies investing thousands and even millions of dollars into building their “security stack” with the pre-conceived notion that this is how a secure environment is achieved.
While some of those technologies may decrease the frequency in which social engineering attempts reach their employee base, it does not stop them. There is no technology in existence that can prevent you or your employees from becoming a victim.
The ONLY thing that can prevent this is education, and that is the goal of this series. As we continue this narrative through future posts, we’ll dive into the building blocks we have laid here, along with the psychology of an attacker, goals of the attacker, how attackers obtain information, how attackers determine to target, common attacks, as well as a wealth of real-world scenarios that will arm you with the bait you need to catch these folks.
With that in mind, let’s begin to explore our first topic.
Any good attack begins with a solid information gathering exercise. It is just as it sounds, but it is a bit of dark art that can take many paths.
The information gathering phase relies upon Open-Source Intelligence (OSINT) research. This practice takes advantage of all publicly available information and is used to develop the attack narrative.
What type of information is targeted? All of it.
Let’s start with the obvious—contact information. You can’t target someone if you don’t know how to reach them.
Enumerating a list of emails for a targeted company is rather simple. A popular tool among attackers is known as the Harvester. The harvester takes a passive information gathering approach and harvests any publicly available email addresses for the target.
You can configure the tool to scour the internet using the search engine of your choice and get a good list of all potential targets through a very trivial exercise.
Deciding What to Do with the Emails
After we’ve gathered all these email addresses, now what? We’ve got a fork in the road here.
Some attackers will go for the gold and use this information to start scraping breach databases for any leaked credentials, while enumerating your public footprint to look for logon opportunities.
They may also use these breach records and pivot to any personal accounts that may be identified for the targets in hopes that they are re-using passwords.
For You, The Target
Moral of this? Know your breach history, don’t use those passwords again, don’t reuse passwords, use complex passwords, and implement a password manager. Keeper, Lastpass, and Dashlane are a few good options—but go with what works best for you.
More Info Gathering for Building Target Lists
Once decided, going back to gathering more information that can be used in the attack is the next step. We need to know who the people behind these email addresses are.
Here comes our friend the Harvester again.
We can simply input your business details into the tool, link it to LinkedIn, and scrape job titles, length of engagement, phone numbers, contacts and affiliates, and (if we’re lucky) some personal information that can later be used when we build context. We can also employ some old school google dorking techniques to scrape the internet and see what clues exist for each person.
We’ll use the results of this information to identify who may be our soft targets and who may be our most valuable targets.
Soft targets may be folks with an extensive breach history, or folks who may be new to the organization and less familiar with standard business processes. High value targets will be folks that likely have administrator privilege, the ability to execute financial transactions, or executives who can use the power of influence over others in the organization.
We now have a solid target list, contact information, and some basic information on the targets.
What’s next? In the next installment, we’ll dive into more information gathering through social media, personal accounts, and leaked information scraping to begin developing a context to be used in the attack.
Feel free to send feedback on topics that you’d like to dive into, and be sure to subscribe to our paired webinar series “The Hackle Box,” where we dive into real-world cyber threat intelligence from the perspective of folks who are in the trenches every day.