PHISHING SCHOOL
Convincing Targets to Click Your Links
When it comes to phishing advice, the number one question I get from co-workers is “what campaigns are you using?”. People see my success, and wish to emulate it. Well, if a phish is what you wish, I would like you to meet my friend Ish:
Who am I? My name is Ish
On my hand I have a dish.
I have this dish to help me wish.
When I wish to make a wish
I wave my hand with a big swish swish.
Then I say, “I wish for phish!”
And I get phish right on my dish.
So…
If you wish to make a wish,
you may swish for phish with my Ish wish dish.
Ish Wish DishUnfortunately, I don’t have any wish dishes to spare. What I do have are illustrations. Just as the great Dr. Seuss used silly illustrations to encourage kids to read, I would like to use some concrete examples to encourage you to craft custom phishing emails.
These lessons were hard earned. Collected over many years. And they are the foundation of my own perspective on phishing. I am giving you a shortcut. You can learn to think about phishing just the way I do, but there is a catch:
I need you to live these experiences with me.
Otherwise it won’t stick. As you read these examples, I need you to imagine it was you behind the keyboard. Feel the sly grin as you craft your cunning lure. Notice that tense anticipation of waiting for that first click. Hear the ding of your Telegram bot letting you know you have a visitor. See the password hit your Phishmonger dashboard. And taste sweet victory when your C2 agent calls home! Take a moment to immerse yourself in these experiences and make them your own. Get stoked, buckle up, and hang with me for a very short but critical tangent…
What are the Odds?
I’m about to teach you how to win at phishing. Consistently. But first, we will have to do a tiny bit of math. Don’t panic. I’ve written down all the answers for you. Just trust the math is correct. More importantly, trust what the math is telling us!
If we want to have a successful phishing campaign, we should be focusing on quality over quantity. But how likely are we to ‘win’ at this game? Keep in mind, for a phishing campaign to be successful, we typically only need a single employee to let us in the door. Therefore, winning at this game means just getting at least one click.
Let’s say we focus on crafting a highly targeted pretext that will seem very convincing to a small number of users and we can get an expected click-through rate of roughly 50%. If we send our pretext to only 5 targets, our chances of getting at least one click is 96.9%! To calculate the chance of at least one click, we can calculate the chances of getting zero clicks, and subtract that from 100% or 1 for short:
1 — (0.5) ^ 5 = 0.96875
If we compare that to a generic campaign that might have a click-through rate of 10%, our chances of success for a sample of 5 targets is only 41% total:
1 — (0.9) ^ 5 = 0.40951
To achieve the same 96.9% confidence interval with the generic campaign, we would need to target 33 employees:
1 — (0.9) ^ 33 = 0.9690
We would have to send more than six times the emails and have a very high chance of at least one employee reporting our campaign. Therefore, I think it is always worth the effort to be highly targeted with my pretexts. Even if I have to send 5 individualized messages to 5 separate targets, my chances are far better than sending some canned generic campaign to dozens of users hoping for a win before the blue team blocks my phishing site.
How to Achieve 50%+ Click-Through Rate
Rather than spew a bunch of theory, I think some examples will be much better at teaching this subject. Let’s look at some pretexts that I’ve used on assessments and achieved well over 50% click-through.
Warning
Highly effective social engineering pretexts are also often likely to ruffle some feathers, piss some people off, and potentially hurt some targets’ feelings. Always work closely with your client contacts to obtain approval for each scenario before sending to targets. Ideally, send a sample email to your contacts to let them know exactly what it will look like to the end users. Never assume that because a pretext went well at one organization that it will be fine at another. It is always better to maintain a positive relationship with your client than to over-do it because you really wanted some shells. In addition, if you are going to use a pretext that might upset people, it’s always best to upset as few as possible. In general, I prefer to send out emails very slowly, maybe every 20–30 minutes, and then pause the campaign the moment I get my first user interactions. If you use a pretext with an 80% click-through rate against a target list of 100 users, and it’s raining shells faster than you can interact with them, this is a clear sign you are making too much noise.
Stalk Your Prey
One of my favorite sources for collecting email addresses for target users is Hunter.io’s API. The API not only gives you email accounts, but also a timestamp of when they were found online, and most importantly, the URL of the web page where the email was found. Oftentimes, I find cases of employees posting their work email address as a general contact for non-work related communications. In one case, I found an employee who was highly involved with their child’s high school fundraising events, and had posted their work email address as a way for other parents to get involved. As it turns out, this high school had their own domain and website, but had neglected to set up an SPF record to prevent spoofing emails from their domain. This high school also had a full employee directory, complete with contact information for all of their employees, including administrative staff.
So, I sent my target user an email, spoofing the principal of the high school, instructing them that there was an incident with their child, and they would be evaluating the need for disciplinary action, along with a link to see a report of the incident. While this email was from an external source, and likely was stamped with some generic warning about “be careful clicking links”, any legitimate emails from the school always have this message, and my spoof was truly indistinguishable from the real thing to the end user. What do you think was the click-through rate for this pretext? If you guessed 100%, you are absolutely correct. I sent one email, and obtained command and control on one employee’s system within an hour of sending the message. While I had a limited time frame to move off their system and establish a foothold elsewhere in the network before they discovered my message was fake, the pretext itself was highly effective.
Appeal to Curiosity/Fear
Every time I perform a phishing assessment, I make sure to ask my client contacts for phishing ideas. In general, I want to make sure my client contacts know that they are on “my team” and vice versa. In many cases, my clients are excited about the proposition of being an honorary member of the red team and helping to hack their organization. Your clients will always have a much better understanding of the inner workings of their organization and will generally have some great ideas about which pretexts will be successful against their co-workers that you would never think of.
In one case, my client contact let me know that the company had just recently hosted a big company wide pool party and thought it would be fun to spoof a message saying “we just posted a bunch of pictures from the company pool party and some of these pics are hilarious! Click here to check out the album”. I felt like this pretext was almost too mean, but we got approval to run it anyway. Ultimately, the curiosity sparked by this message, in combination with the fear that there might be some embarrassing photos out there that everyone is going to see, culminated in a very high click-through rate for the sample of employees we targeted. Remember that your client contacts can be excellent team members when you invite them to be. Engagements will tend to run more smoothly and be way more fun when you do.
Blending in and Abusing External Trust
One of my favorite reusable pretexts when targeting banks and other financial institutions is to spoof the local chamber of commerce. Especially for regional banks and credit unions, I frequently find that a handful of bank employees will join their local chamber of commerce and use it as a cheap marketing platform to build a reputation in the community. In these cases, our targets are usually paying yearly dues for membership, and these chamber of commerce domains are rarely set up with proper SPF records. By spoofing the treasurer of the chamber of commerce, and telling our targets that the membership fees are about to change soon, I can often generate enough curiosity to convince at least one or two targets to click on my link. These campaigns tend to target anywhere from one to five employees and have a very high overall click-through rate for such a seemingly benign message. I would guess that my overall click-through rate for this targeted pretext over the years has been somewhere around 60–80%.
Appeal to Altruism
Many financial institutions and not-for-profit organizations these days either directly run or partner with philanthropic organizations to build community involvement and recognition as a good brand. Often, these philanthropic branches are legally separate entities with their own distinct names, and their own separate online presence. You can usually find these organizations by looking at your target organization’s recent news, press releases, and social media posts. Employees at your target organization will likely be familiar with their company’s philanthropic arm and may even receive frequent emails from that domain. Because the domains and websites for these philanthropic organizations are typically just used for promotional and marketing materials, they rarely have a strong security posture and may lack email security settings like SPF. One of my favorite pretexts in this case is to email target employees, spoofing the philanthropic organization’s domain, and let them know that they can opt to take a day off of work and volunteer at a number of upcoming philanthropy events. The message might start out something like: “At XYZ company, we know that charity is not always just about financial donations. To foster charity and support our community, we would like to announce that employees can now elect to take a day off work to come help any one of these upcoming charity events…”. I then list some fake partner organizations that include common themes like schools, hospitals, homeless shelters, and food pantries. I also always make sure to look up the local humane society and include them somewhere in the middle of the list. People tend to get pretty excited about the idea of taking a day off work to go hang out with puppies, kitties, and other furry friends, and are usually eager to click on a link to “view a list of upcoming events”. If you stalk your list of potential targets ahead of time, you may also be able to find social media posts with guest appearances from their pets to help narrow down a good list.
Side Note: If abusing people’s innate goodwill and love for animals feels wrong, that’s because it is. As with many aspects of red teaming, we sometimes need to perform activities that would be considered illegal or morally wrong under normal circumstances, in order to emulate threats in a realistic manner. Even though scenarios like this can seem harsh, we need to keep in mind that real criminals frequently use even more extreme tactics that we cannot emulate as red teamers because of ethical boundaries, like using threats of physical violence against targets and their families. It is from this perspective that I hold the personal opinion that ‘appeal to altruism’ and similar scenarios should be considered fair game for red team engagements against organizations with a mature security posture. Though you should be aware of the potential impact on trust within your target organization and use tactics like this sparingly.
Appeal to Hunger (No Such Thing as a Free Lunch)
Phishing is not always about sending fake emails, so here’s an example where I’ve used spoofed phone calls instead. I once had a client that wanted us to include social engineering phone calls but requested that we not use our usual go-to of just spoofing someone in IT. In fact, they specifically requested that we do some sort of ‘free giveaway’ pretext instead. I thought this idea was completely corny and there was no way it would work, so I had to think over the potential angles for quite a while. Eventually, I decided I would like to spoof a local restaurant, and act like the restaurant owner who was calling local businesses to drum up some catering business. With a little searching on Google and Yelp reviews, I was able to actually find that a Cheddars restaurant had recently opened up just down the street from the headquarters of my target organization. I went and cloned their website, and swapped the content on one of the pages to include a ‘Free Entree Coupon’ button that would download an initial access payload. I then spent about an hour practicing a sales pitch for ‘slow cooked BBQ, award winning sauces and loaded salads with homemade salad dressing, all the sides you can’t get enough of like cornbread, cole slaw, green beans with bacon, mashed potatoes, and mac-n-cheese…” until I could rattle off a long list of delicious foods very quickly.
On my first phishing call, when the target picked up the phone, I just launched straight into my sales pitch about how we were now offering catering, and how great our food is, and how they should definitely consider us any time the company needs catering for an event, and I intentionally talked so fast that the target couldn’t get a word in edgewise. After about a full minute of talking their ear off non-stop, I heard some soft laughter on the other end. I could tell that they admired my ‘entrepreneurial grit’ and didn’t want to be rude back. They responded with something like: “that sounds lovely, but you’re talking to the absolute wrong person. I don’t deal with event planning here at all”. I apologized, and asked if they might be able to forward me on to someone that does deal with event planning. They kindly agreed to forward my call to the right person, but before they did, I thanked them profusely for listening to my whole pitch, and I said I would like to send them a coupon for a free meal for all the trouble. They were reluctant at first, but I convinced them to tell me an email address of where to send the “coupon”. I registered a Gmail account called something like ceddarsrestaurant<city-state>@gmail.com and sent them a link to my phishing site. Just as I was gearing up to make my next phone call to my next target, I got an alert from my phishing server that someone had downloaded my payload. A few moments later, I had a remote shell on my first target’s system. In fact, they attempted to open the fake coupon link, and ran the payload multiple times. Maybe calling just before lunch worked in my favor, or maybe I just got lucky, but either way the overall success rate of this campaign turned out to be 100%.
Appeal to Greed
Another highly targeted and often effective phishing technique is what I like to jokingly refer to as ‘the long con’. Most phishing campaigns are fully-packaged pretexts that attempt to elicit action from the targets using a single message. The long con, on the other hand, is when you tease a target with an initial message and try to get the target to engage in a back-and-forth conversation with you before sending them the intended payload. In my experience, this tends to work best when we can appeal to a target’s greed, or play into their desires. For example, my team has had multiple “one shot, one kill” phishing campaigns where we targeted sales people in the organization, and impersonated a potential big buyer. We would try to learn a bit of lingo from our organization’s marketing info, and then set up a fake company that looked like an ideal potential customer for one or more sales offerings. We would then check LinkedIn to find the sales people at our target organization and who they had connections with at other companies. We would then send a short message to a target in the sales department, starting with something like: “I was chatting with my friend Dave over at XYZ company, and he mentioned you might be the right guy to talk to about buying large orders of wizbangs to use in our manufacturing of zippitydoodas… could you send me a price sheet?”. Usually, these sales folks would see dollar signs right away, and were thrilled that this potentially big phish had just fallen into their lap. They’re too busy daydreaming about how a big last-minute sale like this could help them smash their quota in Q4 to realize that this is a little too good to be true. Normally, if we could just get an initial response, we knew we could get the target to download and try to open just about any “purchase order” we followed up with. On two occasions, we had a click-through rate over 100% with this scenario. That is, our initial target clicked our link and executed our payload only to find that “nothing happened”, and then forwarded our payload link to a co-worker or superior so that they could try to open the “purchase order”, and we got two shells for the price of one. In one of these instances, our initial target actually had an account on the wrong Active Directory domain, but their superior who also executed the payload had an account on the corporate domain that we intended to compromise.
Abusing Internal Trust
In general, if you can spoof an internal user at your target organization, the number of options for believable pretexts goes way up, in addition to the overall expected click-through rates for those campaigns. That’s because people inherently trust their co-workers. If they didn’t, then most organizations would simply cease to function. So, whenever possible, it’s useful to attempt to spoof an internal employee or department. In recent years, it seems that a lot more organizations have started to regularly phish their own people to raise awareness about the threat of spoofed emails, so a lot of the oldy-but-goodie scenarios like “new dress code policy” and “change to your w2'’ are quickly losing effectiveness against most users. However, there are still a few lesser known tricks to put a twist on your standard internal employee spoof. One method I’ve found that can help add some legitimacy to spoofed messages is to spoof an email thread instead of just a single email. You simply send emails back and forth between two or more email accounts you own to build up a fake conversation, then forward the whole thread to a tool like Phishmonger where you can do a quick find-and-replace to swap your email addresses for ones at your target organization. So, instead of just asking our target user to do something like clicking a link, we make it appear that multiple of their co-workers have agreed that they must click the link. Another similar technique is to play with the on-behalf-of email header. This header is rarely set in normal conversations, but is supported by all the major email clients, and can be used to make it look like a message is coming from an internal source when it is really coming from a domain we own. These tend to work really well in conjunction with “you need to run ABC update from XYZ vendor”. You buy a doppelganger domain for the vendor, and then make it look like the vendor is sending “on behalf of” someone in the IT department. If you dig around in the RFCs that define SMTP’s headers, you will actually find a few other useful but lesser known headers like this.
Bypassing Warning Banners
Many mail servers today add an extra context clue for users of when a message originates from an external source in the form of a banner in the message itself. These banners are usually some obnoxious color like bright red and say something like “This email originated from an external source. Be extremely careful clicking any links in this message”. Luckily for us, these messages are stamped on every external email, and tend to be included in message sources for email threads. Therefore, by simply getting any user to respond to any email, we can usually know whether our target organization has this control in place, and exactly how it has been implemented. When gearing up for a red team engagement, you will usually be emailing your client contact ahead of the engagement and therefore automatically be privy to this useful data. If you are concerned about warning banners killing your click-through rates, let’s talk about how to address this control.
Option one
Don’t worry too much about them. Most users are completely desensitized to them anyway. You might be surprised how many clicks I’ve gotten when this control was in place and I was still spoofing an internal user without any attempt to bypass the banner. If you can come up with any pretext that spoofs an external trusted source, it will actually play into your favor because messages from those sources always have the banner. If you’re still concerned, let’s talk about a couple bypass options.
Option Two
Push them out of view. I’ve seen a few cases of these banners that were actually applied to the bottom of each email message instead of the top. In these cases, all I had to do to make sure the user never saw the banner was to add a bunch of line breaks (<br> tags) after my message. This would push the banner way down below the bottom of the user’s email preview pane.
Option Three
Collapse them. Another option that works in far more cases is to use CSS to collapse the banner by setting the “font-size” attribute to 0px for all of the banner’s elements. If you have access to an email thread from a user at your target organization, you can usually see how the banner is constructed in the email source. You can then apply styling to specifically collapse the banner. A more generic approach that works in many cases is to apply a global style to collapse all elements in the email, and then apply in-line styles with the “!important” property to elements in your pretext to make them visible.
Note: CSS tricks like this will not work against web-based email clients. If your target uses Outlook to view their emails, these tricks will work just fine. If they use the O365 web portal to view their emails, it will not work. Though, I don’t know of many people who prefer the web portal over a traditional mail client.
In Short
Go write some custom, targeted phishing campaigns! It can be very fun!
I Will Make you Phishers of Men was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.