Part 2: Target Phishing — It’s Gotten Personal

Breaking Down an Email Phishing Campaign Based on Relationships

We are back with a new post in our social engineering series – all about target phishing.

In my previous post, we discussed a phishing campaign engagement where an email is sent to multiple targets, and the attackers wait for replies. Target phishing, however, depends more on the relationship between the attacker and the victim.

We typically utilize this type of social engineering during red team simulations since it is the most accurate attack scenario we can get.

Phase #1 – Recon

Recon is an activity required in any phishing engagement, but in this case, it’s crucial. We need to understand how our target works and who will be phished inside the company, unlike the campaign engagement, where the client provides the target email addresses.

There’s no better tool to discover the company’s employees than LinkedIn. This social platform is highly useful for enumeration. However, we should not stop with LinkedIn alone. Now that we have the specific employee’s profile, we can start collecting information about them on other platforms – Facebook, Instagram, Twitter, etc. This information helps an attacker decide who will be targeted and how to best approach them.

Salespeople are keen to believe in our story because they need to sell, making them an optimal target for phishing. Trainees are also good targets – they could be unsure about the company’s policies, or they may be hoping for new opportunities.

Phase #2 – Building the Profile

In this case, I used LinkedIn messaging to do the phishing, so we need to set up a phisher profile. This profile must be consistent and have enough information to be credible.

>> Name: We want to choose an easy and common name. We recommend referencing a list of most-used names and surnames from the target company’s country to help you.

>> Age: I like to act as a middle-aged person with enough experience to convince, but you should choose a behavior profile you are comfortable with.

>> Photo: I like to take my pick of an AI photo from this site here. Of course, make sure your photo is appropriate, and matches your personal information.

>> Education and Career: Don’t go overboard, claiming to be a postdoc from Harvard or to have 25 years of experience with groundbreaking research. If you are acting as a recruiter, check for common characteristics between recruiters’ profiles – consistency is key.

After creating the profile, it’s time to connect with as many people as you can. Be random. Add people from your city, profession, and related companies to populate your profile. Take your time and don’t rush – patience is part of the game.

Phase #3 – Establishing the Relationship

At this point, you should have defined your phishing targets. It’s time to elaborate on your story. Remember, this game rewards patience above all else.

Don’t keep asking or sending messages to people that do not respond to you. Conduct a conversation towards your goal, but again, with patience. Ask for some kind of guidance. Everyone is flattered to be a mentor.

In this case, I was acting as a potential buyer asking for help with writing a Request For Proposal (RFP) document. I talked for weeks with two salespeople, asking for opinions on how to format the document. I didn’t send anything at first; I actually requested information from them, including links and any documentation they could offer me.

After establishing trust with them during these weeks, it was time to send the malicious link.

FYI, this is not a static procedure. You can decide to change your targets if you don’t feel 100% confident. Just abort the mission and restart.

Phase #4 – Sending our Payload

I had established trust and finally was ready to send the link to the targets. I told them I had the document for the RFP done and I could not share the file using common means, so I sent a OneDrive link from my company.

For this setup, I utilized evilginx2 for the reverse proxy job using their branded Outlook 365 page. The link requested credentials using Office 365, and then the targets were redirected to a corrupted PDF file. I did not care about the PDF file; I could send an incomplete RFP document or even a payload, but I wanted to be as stealthy as possible.

Both salespeople asked for my file during these weeks, and that’s what we want. We want them fighting to get their hands on our file.

Phase #5 – Collecting the Gold

This story is much more about social engineering than any other technical aspect; however, I feel obligated to share our results here.

Both salespeople completed the process and shared their credentials and Outlook 365 sessions.
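From the defender's side, a session captured through a reverse proxy and then used from another machine shows up in sign-in telemetry as one session identifier seen with more than one source IP and user agent. The following is an added example, not code from the original engagement; the log lines are constructed and the field names (`ts`, `user`, `session`, `ip`, `ua`) are hypothetical, assuming the identity provider's logs expose a session identifier per event.

```python
import json
from collections import defaultdict

# Constructed sign-in records (JSON lines). Field names are hypothetical,
# not a real identity-provider schema; IPs are documentation ranges.
SAMPLE_LOG = """
{"ts": "2024-01-10T09:00:00Z", "user": "alice@example.com", "session": "s-100", "ip": "198.51.100.10", "ua": "Edge/120 Windows"}
{"ts": "2024-01-10T09:20:00Z", "user": "alice@example.com", "session": "s-100", "ip": "198.51.100.10", "ua": "Edge/120 Windows"}
{"ts": "2024-01-10T10:00:00Z", "user": "bob@example.com", "session": "s-200", "ip": "203.0.113.5", "ua": "Chrome/120 Windows"}
this line is truncated and must be skipped
{"ts": "2024-01-10T10:04:00Z", "user": "bob@example.com", "session": "s-200", "ip": "192.0.2.77", "ua": "Firefox/121 Linux"}
"""


def parse_events(text):
    """Parse JSON-lines text, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate partial writes in exported logs
    return events


def find_replayed_sessions(events):
    """Return sessions that were used from more than one (ip, ua) pair."""
    seen = defaultdict(list)  # (user, session) -> ordered distinct fingerprints
    for ev in sorted(events, key=lambda e: e["ts"]):
        fingerprint = (ev["ip"], ev["ua"])
        if fingerprint not in seen[(ev["user"], ev["session"])]:
            seen[(ev["user"], ev["session"])].append(fingerprint)
    return {
        session: {"user": user, "fingerprints": fps}
        for (user, session), fps in seen.items()
        if len(fps) > 1
    }


if __name__ == "__main__":
    for session, info in find_replayed_sessions(parse_events(SAMPLE_LOG)).items():
        print(session, info["user"], info["fingerprints"])
```

Roaming or VPN clients also change IP mid-session, so a hit is a lead for review rather than a verdict.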

In one specific account, I had access to several applications in the environment, including Microsoft Teams. The account was from a sales manager, so I sent a message to two subordinates saying that IT was asking them to update their computers, otherwise their password would be locked. They complied.

I said, “IT has just sent me the patch.” Of course, there was no patch. I sent a batch file (.bat) that collected information from the system and sent it through a web server.

Batch (.bat) files are normally allowed in Microsoft Teams conversations and can be an incredible resource for attacks.

At this point, it was officially game over. I was able to gain access to internal systems, applications, and sensitive data.

Our Recommendations

As the cyber landscape and threat actors evolve, we recommend strengthening ongoing social engineering awareness activities. As mentioned in my previous post, attackers can leverage more than one medium to get in contact with your employees. Ensure your organization is trained and well aware of the various attack vectors, how to spot a possible phish, and how to report it.

Additionally, we recommend signing up for a penetration testing engagement with us. Receive actionable insights into how your organization currently stands up against simulated attacks and our recommendations and remediations for improvement.

Stay Tuned…

In the next post of this series, I will talk about another adventure, but with vishing!