During a recent electronic social engineering penetration testing service engagement, we worked with an organization to test how likely its employees were to fall for a phishing email sent from a simulated malicious actor. We started off the engagement knowing the importance of research in crafting a realistic phishing email, but by the end, we were even further convinced of the capacity for an email to fool users when sent from the right people, with the right topic, and at the right time. Here’s what happened:
OSINT gathering and crafting the phishing email
We commonly start most phishing engagements by trying to learn as much as we can about the organization through a process called Open Source Intelligence (OSINT) gathering. The more information we can gather, the more effective and realistic phishing emails we can create. In this stage, we try to learn information such as whether there are systems certain users access regularly, who employees are and what positions they hold, whether there is any recent news about the company that could be leveraged to gain people’s trust, or whether there is any leaked information that could be used for an attack.
As part of this engagement, we profiled the company and discovered an external host that provided access to internal network resources. We then found posted documents that showed steps to access the external host, as well as applications that would be accessible by including their name and function. We knew we could use this information to gain the trust of users by discussing internal applications they would believe only internal employees would know about. For the phishing email, we cloned the external application’s web page, then created an email account with the same name as an internal employee. The email would look and sound realistic enough that employees would feel the steps outlined in the email were legitimate and should be followed.
Waiting for approval
Next, we spoke with our point of contact (PoC) for the organization and said we were ready for the email to be reviewed to make sure they were comfortable with us sending it out. After speaking with the PoC, we said we’d send out the email in 10 minutes, so they should be on the lookout for it and know who the sender was supposed to be. We allowed some time to pass after sending the email, then checked in to see whether the PoC had received the email and approved it. Surprisingly, they said they hadn’t received it yet.
At this point, we began to wonder whether their email filter had flagged it as malicious since it was a newly registered domain or certain words in it were suspicious. After 30 minutes, we sent the PoC another message. Again, they said they hadn’t received the email.
We also sent it to a test email account and had received it, so we once again thought it may have been blocked on their end. We waited 15 minutes more, then asked one more time if they had received the message—again, they hadn’t.
We figured this time it was more than likely blocked, but checked our logs just in case. That’s when we saw a set of credentials had been entered into the phishing portal page. After inspecting them, it was evident that the credentials certainly belonged to the PoC. After calling the PoC to discuss what we saw, we quickly discovered the power of a well-researched and well-timed phishing email.
What happened in this case is that the phishing email’s so-called sender had just spoken with our PoC about some login issues right before we sent the email. The PoC fully assumed the email was legitimate and came from the real person, so they followed the directions in the email and provided their credentials and potential access to internal network resources.
When discussing, the PoC said, “Oh my gosh, that was a good phishing email. You got me, and I even knew it was coming!”
The phishing email was then approved by the PoC and sent to a limited set of users within the organization. It was very successful in capturing credentials, which meant the organization could use that information in later phishing training with key indicators to look for.
The most important takeaway here is that phishing emails won’t always come at expected times or blatantly look like phishing emails. Malicious actors will do their best to gather as much information as they can about their target or even wait for an event to occur so they can take full advantage. In those cases, they will take their opportunity when it presents itself and send a very effective phishing email at the exact right time.
So, how can organizations stop these realistic emails from tricking their employees? Investing time and resources into developing a proper security awareness training program within your organization is extremely valuable. Users should be trained to identify phishing emails, even in rushed moments, and should know which steps they should take if they have any doubts about an email they have received.