You may think that preventing phishing is as simple as setting up a firewall, blocking malicious domains and installing tools into email clients. While this is a good start, phishing is an attack which aims to exploit the people within your business as much as any weaknesses in your defences. To truly defend and prevent phishing, you need to focus on the people within your business and educating them to recognise and defend against phishing.
In this blog, we’ll look at how successful phishing engagements work, the techniques used by real attackers and how you can use this information to defend against phishing.
What is Phishing?
In my last blog on phishing, vishing and smishing we discussed that phishing is a means of luring a victim into disclosing sensitive information. By sending you an apparently legitimate email, SMS or calling you on the phone, they will attempt to manipulate you into revealing your passwords, bank details, or other personal details.
This common attack doesn’t take a high level of skill and can be conducted using various readily available tools and techniques. One example is the ‘GoPhish framework’ which hosts legitimate landing pages that look very similar to legitimate login portals. If you were to open one of these pages, entering your username and password won’t authenticate the application but instead send your details to the attacker.
How to Recognise and Avoid Phishing
To help you recognise what phishing looks like, Microsoft provide training through their Defender platform. Known as “attack simulation training”, this allows you to send fake phishing emails to people within your organisation. This provides you with insight into how susceptible your employees would be to a real phishing attack, based on how many people open or click links in the email.
If you, or someone in your organisation, is successfully phished by the training email, Defender will provide guidance on how to recognise real attempts in the future. This includes walking you through tell-tale signs of phishing and drawing your attention to specific discrepancies you should look out for.
This type of education is vital and should be a staple for large organisations. However, whilst it is useful, phishing simulations aren’t necessarily realistic when compared to real attacks. In the real world, a phishing campaign performed by real threat actors is a lot more than just a “point and click”.
Phishing assessments are often conducted with some defences down and with a target list already in place so that the assessment can be done quickly. They also provide a defence in depth approach by assuming a threat can already bypass initial spam detection. A real threat won’t have this level of access, so attackers will have to find ways to evade these protections and gather a suitable list of users to target.
One way to overcome this issue is through a long term phishing engagement. In comparison to phishing simulations, this takes place over weeks instead of days. As such, this is useful as part of a wider red team assessment and can accurately recreate how a cyber criminal would attempt to phish your organisation. This gives you better insight into how effective your defences are at preventing phishing emails before they reach you or your employees.
What Phishing Techniques Do Cyber Criminals Use?
Cyber criminals can’t request your organisation to switch off your mail defences. They have to be smarter with how they operate. Instead, they set up seemingly legitimate domains that are more likely to get through your initial endpoint detection. Attacks can make them appear legitimate by “ageing” them, adding TLS certifications.
They’re also likely to conduct a significant amount of Open Source Intelligence Gathering (OSINT) to understand you or your business. They could profile your staff through platforms such as LinkedIn and build a list of those that have access to your company’s most valuable resources or internal networks. They could also build up a list of technologies you use and tailor emails to look exactly like emails you usually receive from them.
In some cases, cyber criminals conduct pretext attacks where they create fake companies to establish a line of trust with your business. Once they have earned your trust, they then deliver malicious links for you to click on and invertedly install malware through.
Phishing doesn’t have to be launched via an email account. If they find a trusted line of communication, such as SMS (smishing) or speaking over the phone (vishing), they can share links to malware or entice staff to disclose sensitive information directly.
Anatomy of a Phishing Attack
A good example of how attackers use these methods is Operation Aurora. In 2010, an advanced persistent threat (APT) group successfully infiltrated multiple internal networks belonging to organisations such as Google, Rackspace and Adobe. The threat group decided on the user they wanted to target by performing thorough background research on a specific member of staff with ideal levels of access.
The group then built a list of who this person spoke to, and what a typical external email exchange looks like. With this information, they spoofed an email that looked identical to what the member of staff would expect, and included a link that redirected them to a web site containing malware. This malware was able to exploit a zero day vulnerability in their Internet Explorer and grant the group access to their machine and, ultimately, the internal network.
Another attack that can be conducted after extensive OSINT is known as a ‘watering hole attack’. This is an attack where cyber criminals locate certain portals or web applications your organisation uses and find typical web application vulnerabilities in these. Using common exploits such as cross-site scripting (XSS), cross-site request forgery (CSRF) and open redirection, criminals can take over your account on the web application itself. Alternatively, they can re-direct you to other vulnerable applications which would then download malware onto the victim’s machine.
Phishing is More Than Capturing Credentials
As you can see from these examples, phishing is more than just gathering usernames, passwords and multifactor authentication (MFA) tokens. Although a lot of attacks do lure victims into providing credentials, in many cases the victim is enticed to install malware and grant access to the internal network or provide sensitive details.
Once an attacker has gained access to an internal network, the phishing may not stop there. With access to one user, they can conduct an internal phish to gain even more credentials. This enables them to move laterally through the domain, escalating their privileges and putting your organisation at greater risk. These threats are also much harder to detect as internal communication is usually inherently trusted.
What Does a Phishing Engagement at Bridewell Look Like?
At Bridewell, we deliver phishing engagements with a primary focus on user education. Our engagements aim to assess how well your organisation is able to recognise phishing attempts without singling out any individual employees. Instead, once we have completed the assessment, we will provide support to help everyone in your business in recognising phishing.
We also have extensive knowledge on Advanced Persistent Threats and how they operate, which enables us to tailor our phishing engagements to specific requirements. For example, these can include training on how your company can perform its own internal phishing campaign or long-term attack simulations testing multiple aspects of your organisations security including user awareness, and SOC diligence.
Contact Bridewell for more information or read more here: https://www.bridewell.com/phishing-assessments.
Author
Jack Jarvis
Penetration Tester