The one vulnerability for which there can never be a patch, update or new anti-virus is that which is human. We can install the latest cyber security programs and perform dozens of penetration tests and security checks, but we can’t prevent human beings from making mistakes. We can warn and inform them, but there will always be a way to use employees to hack into the systems of the organizations at which they are employed.
This type of attack, called “social engineering”, refers to the manipulation of the human factor (in this case, the organization’s own employees) in order to get someone to take some sort of action. This could be a technical undertaking such as downloading a program, or a non-technical one, such as tricking another employee into revealing login credentials.
The most common attack that internet users encounter daily is a “phishing” attack. Most of today’s phishing will be sent to the victim in the form of an email offering the recipient some sort of deal or the promise of valuable, restricted information. All they need to do is just send their credit card number, money, or simply log in to their account via an innocent link. For the most part, we consider these emails to be “spam”.
This entertaining video from James Veitch, titled “This is what happens when you reply to spam email”, illustrates very simply how unsophisticated these “phishing” attacks are, because the perpetrators try to catch a broad range of victims in their net. To do that, they cannot prepare an attack that focuses on a single target, which is why, compared with phishing attacks that are systematically planned and aimed at a specific entity, they appear so unconvincing.
So, how can a phishing attack be successful? Phishing is an art, and to prepare a good phishing attack, you need to be a phishing artist.
A successful phishing attack needs to be carried out on a planned range of victims who all fit a specific profile.
Every phishing attack begins with skillful broad research utilizing OSINT (Open Source Intelligence). Nowadays it’s easier than ever to gather information about your victims with OSINT, thanks to social media. Almost everyone has Facebook, Instagram, Twitter and LinkedIn accounts. We publish personal information in these accounts such as our email address, photographs, and workplace information.
In fact, we can obtain almost all the information required to execute a good phishing attack just by running a search in LinkedIn, for example, using the name of the organization. We can see the organization’s size, website, email address (email@example.com, for example), names of employees and their positions, and other possible relevant information.
After gathering all the required information, the attack can be formulated. The next step is to make ourselves seem more trustworthy. For instance, we may build an online persona that is close to that of the victim. We need our email address to closely resemble a legitimate email address. For example, if our victim’s address is built from the first name “Chananel”, the first letter of his last name “g”, and the domain name used for the organization’s email accounts (“firstname.lastname@example.org”), then we do likewise.
In order to be able to send and receive email, we need to buy a domain. So, if the original address we are trying to mimic is “cworkg.com”, we will try to buy “cworkg.co” or “cwrokg.com”. The human eye and brain automatically try to correct the letters, and are therefore very easy to fool.
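Seen from the defender’s side, the same two tricks the article relies on (a swapped top-level domain and transposed letters) are easy to flag mechanically before a message reaches an inbox. The following is an added example, not code from the original article: it scores inbound sender domains against the organization’s own domain (“cworkg.com” from the text) using an edit distance that counts an adjacent-letter swap as a single edit, so “cworkg.co” and “cwrokg.com” are both reported as lookalikes. Function names and the sample sender list are my own constructions.

```python
"""Flag inbound sender domains that resemble the organization's own domain.

Added example (not from the original article). The protected domain
"cworkg.com" comes from the article; the function names and the sample
sender list below are constructed for illustration.
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1. Counting a transposition as one
    edit is what catches "cwrokg" vs "cworkg", the swap the eye corrects."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, TLD), e.g. "mail.cworkg.co" -> ("cworkg", "co").
    Assumes a simple two-part registrable domain; public-suffix rules are out of scope."""
    parts = domain.lower().strip(".").split(".")
    return (parts[0], "") if len(parts) < 2 else (parts[-2], parts[-1])


def classify_sender(sender_domain: str, protected: str, max_edits: int = 1) -> str:
    """Classify a sender domain as 'legitimate', 'lookalike' or 'unrelated'."""
    s_label, s_tld = split_domain(sender_domain)
    p_label, p_tld = split_domain(protected)
    if (s_label, s_tld) == (p_label, p_tld):
        return "legitimate"
    if s_label == p_label:  # same name, different TLD: cworkg.co
        return "lookalike"
    if osa_distance(s_label, p_label) <= max_edits:  # cwrokg.com
        return "lookalike"
    return "unrelated"


# Constructed sample of sender domains pulled from message headers.
SAMPLE_SENDERS = ["cworkg.com", "cworkg.co", "cwrokg.com", "example.org"]


def triage(senders: list[str], protected: str = "cworkg.com") -> dict[str, str]:
    """Map each sender domain to its verdict; feed 'lookalike' into a quarantine rule."""
    return {s: classify_sender(s, protected) for s in senders}


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{domain:<12} {verdict}")
```

A mail gateway or SIEM rule that quarantines or tags every “lookalike” verdict blocks the domain-buying step described above regardless of how convincing the rest of the persona is.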
Moving ahead with that example, we will then visit the “cworkg.com” website and duplicate its design, look and feel. We will build a website with identical content and technology. The only thing that differs, and only slightly, is the domain name of the website.
Now let’s integrate more of our OSINT data into the phishing scenario. We will create a new employee and call her “Naomi Scott”, and she will be employed in the IT department. We will create a LinkedIn profile for Naomi, and “she” will send the organization’s employees a connection request. Our account will look as realistic as possible: a profile picture, a list of previous workplaces, and a description of her current position (IT). For greater credibility, we will also upload photos of company events to Naomi’s profile, so that employees who receive a connection request and visit the profile will see those as well.
Naomi’s email address will be email@example.com. From that address we can send a few harmless queries, which may seem like spam and will likely be ignored, to some of the employee emails that we have collected. The hope is to receive an automatic “Out of Office” reply or similar, so that we can see what the company email signature looks like and copy it.
At this point, we now have a reliable “employee” and a legitimate email address from which to carry out a successful phishing attack. Now we come to the last part, which is likely the hardest, and that is to invent a good story that will eventually get us to the goal. For this reason, we have specifically designated our fictitious employee as working in the IT department. I will have gathered all the employee email addresses I need from LinkedIn, but I will intentionally not send any connection requests to employees in the IT department, both because they would naturally be more aware of cyberattacks, and since we are imitating an employee in the IT department and it may raise suspicion.
The content of the email that I will send out now can be whatever we want, but an email from the IT department often provides desired results. For example, the message can be something like:
“Hey, we’re moving to a new messaging system! Please log in to your account in order to download our new program at the following link:
IT Dept.” (adding the signature that we have copied)
This link will lead to the look-alike website that we created earlier, with a login form that saves every employee’s credentials to our database. After each employee logs in, the website will automatically start downloading our malicious software.
With this simple email, we have scored two major goals: we now have the employee’s credentials and our malicious software is now on the victims’ computers.
This is only one example of how OSINT is used to execute a successful phishing attack with an excellent outcome. There are many other techniques and options that make use of social engineering. But, like I said, this type of attack is here to stay.