Learn the Tactics Savvy Attackers Use to Dodge Anti-Spam Protection and Infiltrate Networks
Social engineering attacks are commonly used in red teaming simulations and breaches. While many companies are reducing their web and network attack surfaces, most employees – if not every employee – has one or more of the following communication surfaces that are essential to perform most job functions, including email, phone, and social networking accounts.
These mediums are accessible attack surfaces and are often the easiest way for attackers to gain a foothold into organizations. Email and social media accounts remain the most popular for attackers to take advantage of.
Because social engineering attacks are a highly common cause of breaches, we decided to write a series of case studies showcasing our social engineering efforts and their results to shed some light on how organizations can protect themselves against these types of campaigns and how DirectDefense can help.
Case Study #1 – Email Phishing Campaign
A client enlisted our services to pursue an email phishing campaign against their organization. They wanted to test their anti-spam protection, understand their staff’s level of social engineering awareness, and assess how the staff went about reporting it. The client provided a domain and a list of target email addresses, which is typical in most email phishing engagements.
Our first step was to provision a domain by which to send the phishing emails. I usually use similar domains, for example, ‘directdefense.com’ to ‘diretcdefense.com’.
The ‘ct’ letter inversion can be hard to catch.
Here are five common domain name tricks threat actors use to make you believe their phishing email is legitimate.
|#1 – Substituting characters|
Substituting a character with another that has a similar shape and size, for example, ‘directdefense.com’ to ‘direcldefense.com’, can be overlooked by targets. Letters such as ‘l’ and ‘f’ can easily be mistaken for a ‘t’ if the target is not observing this level of detail.
#2 – Changing the domain extension
We can change the domain extension to persuade the targets to believe that this is the real domain. In this case, we bet on the fact that we have the right name to make the targets ignore the extension change.
For example, ‘directdefense.com’ could be ‘directdefense.org’. Usually, ‘.org’, ‘.co’, ‘.inc’, or ‘.info’ are good extensions to try, but there are many more.
#3 – Separating words
This is another situation that we can take advantage of – when two or more words are in the domain name, for example, ‘directdefense.com’, we can try ‘direct-defense.com’ or ‘directanddefense.com’.
#4 – Inverting letters and words
Another trick is purchasing a similar domain and inverting letters and words. In this case, we can use ‘directdefense.com’ and turn it into ‘defensedirect.com’, or any other inversion that can trick the targets’ eyes and confuse them.
Secondly, I like to investigate the company. LinkedIn is an excellent platform for this activity. Using LinkedIn, you can analyze the organization, including its employees, contacts, and possible company relationships or connections, among many other details.
After doing my research on this client, I decided to send the email posing as a Human Resources manager.
Human Resources and Information Technology are always good targets for impersonation.
Thirdly, we brainstorm the email’s purpose and pretext, and the first step is to investigate our target. We need to know what we are talking about, right? We enumerate domains and subdomains, applications, services, and anything else that could help us with crafting our message. I suggest using PhantomBuster for enumerating LinkedIn profiles from a specific company. We then use the information that we gathered about the target to construct a more convincing pretext; for example, talking about a technology we know they use while pretending to be a person from the company. Also, to bypass the AntiSpam tool, we should not imply urgency. Messages such as, ‘This is urgent’ or ‘I need this done ASAP’ will be flagged by the AntiSpam protection.
For this engagement, I leveraged an HR application that was used by most of the employees and asked the targets about odd messages sent to the company’s director.
FYI – Phishing can also be a resource to collect information and support other attacks instead of capturing sensitive data.
Lucy is used for identifying targets that clicked on the malicious link and to host a HTML file for redirecting to the evilginx2.
So, now that we have done our research, came up with the pretext, and crafted the email, we just need to send it, right? Well, not quite yet.
In this case, our client was protected by a highly-regarded anti-spam technology that I didn’t take into account. Unfortunately, I couldn’t use the domain I purchased because this platform flags similar domains, but that didn’t hold me up for too long. I simply purchased another domain. This time, it was related to the HR application that I selected for my phishing scheme.
Luckily for this client, their anti-spam technology also blocked emails where the sender and receiver have identical email aliases or display names. For example, it would block anyone trying to send an email as ‘bruno.oliveira’ or ‘Bruno Oliveira’ to ‘DirectDefense’. To get around this, I changed the name to Bruna Oliveira, changing only one letter in the name.
Finally, the email phishing campaign was sent out successfully and was not caught by the anti-spam protection platform. We delivered emails to about 40 recipients and of the 40, 27 submitted their credentials and we were able to collect them by using a reverse proxy.
While anti-spam applications are great tools to protect organizations from most email phishing schemes, savvy and motivated threat actors will still try to find a way in.
Stay tuned for our next phishing case study, this time involving social media.