I’ve conducted phishing campaigns at many different companies. Overall, I probably have a 10% success rate. Some were a little higher and some a little lower. That doesn’t sound too impressive, right? How many successes does it take to compromise a network? One. One user clicking on a link in an email exposes the entire network. So, for most companies, I got significantly more than that one success. How did I do it? More importantly, what tricks do I have up my sleeve that other penetration testers could steal? At almost every conference you will see a talk on some super sweet post-exploitation tool or privilege escalation technique if you can talk to the speaker 9 times out of 10 they gained initial network access through phishing. Phishing is the dirty pen testing secret that we all do but nobody wants to talk about because it isn’t nearly as cool as remote code execution.
Generally, there are two methods for generating lists for phishing campaigns: either the client will provide you a list (which is boring) or you can find valid targets and get the list approved. Where can you find valid targets? I consider a valid target any email address already exposed on the internet.
- Web content
In the future, we will look at each of these methods in depth, but for now, let’s just assume you have a list.
The FROM line in the address is just as important as the TO. Are you sending a fairly generic phishing email hoping to get a few clicks? If so, your success rate is going to be fairly low. For a company without security awareness training in place, this might be appropriate, but most tests are meant to be more sophisticated. I am going to show you how I make the sausage; fair warning, it isn’t pretty.
If you are going for a generic attempt without a spoofed email address, you can try to get an email address from any of the normal providers like Gmail or Outlook. Registering an email that looks at least semi-plausible will help. Outlook has a built-in limitation for new accounts to restrict the number of emails sent until the account ages or milestones are met (such as phone number verification). Also, filling in the display name and information to seem legitimate will increase the chance of success. CompanyHelpDesk@gmail is better than PhishingAttempt6@yahoo.
If you are allowed to spoof email addresses, a few better options are available. Setting up sendmail and sending everything through Social-Engineering Toolkit (SET) is a great option. Using a webmail service that allows spoofed emails is also a great option and protects your fixed IP from being banned for email abuse. It is also smart to pay the small fee that allows the footer to be removed. If you are performing a penetration test, it is the cost of doing business. I personally like using Sharpmail out of the UK but have used a couple other servers, as well. Sharpmail has SMS functionality, which I have used on assessments in the past.
Everyone has seen poorly crafted phishing emails signed Help Desk, so you need to step up your game and do some research. Find the company on Linkedin, and figure out who the IT person is. Getting an email from a help desk address signed Gary when employees know there is an IT person named Gary is way more convincing. The correct tone is important too, as a busy help desk person sending a curt email stating, ‘We are testing a new web server for email, can you log in and test it? -Gary‘ is more believable than a two-paragraph, formal-sounding email. I rarely even hide my URL behind a link for the same reason; I wouldn’t do that as a systems administrator in a company and want them to be believable.
Some clients will also want you to get the email text and targets approved. I’ve had to add typos and dumb down my emails for clients who wanted to make it easier to be spotted. Those assessments are the best because you can almost guarantee success if even their employers think they are going to click on anything. Most of these assessments will come shortly after the company has been breached by a phishing attack.
Microsoft Outlook Web Access or a VPN login page are my two favorite sites to clone in SET. We will conduct a primer on SET soon, but for now, just know that I use the clone website function with the capture credentials module. I’ve used Browser Exploitation Framework (BeEF) in the past, but keeping it simple usually works better.
The first time I was assigned a phishing campaign, I had no idea what to do. I fired up SET but didn’t have sendmail installed and configured. The client for that assessment wanted multiple tests done. Not only was it testing employee awareness, it was testing the email security appliance in place. Sendmail took me most of the day to get set up and start sending emails. Let’s just say that it did not go well; the appliance blocked all my spoofing attempts and having an included URL hidden behind link text tripped the heuristics, with the end result being the end users didn’t even get the attempts. Not only that, but because I worked from home, the IP I paid for from my ISP got blacklisted for sending spam.
What lessons did I learn? One, I rarely use my own sendmail account anymore. Two, I’ve gotten simpler in my messages. Three, I respond to replies. What? That’s right, when your login fails on the credential harvesting site I’ve created and you reply to the email complaining, I’ll tell you I’m working on it and that I will let you know when it’s fixed. Why? So that you don’t tell other people you’re having a problem and potentially prevent them from giving me their credentials. Sneaky right?
Reporting on phishing is simple; we normally produce a statistics-based report that shows how many credentials were gathered versus the number of emails sent. We avoid giving specific names, which clients always want, because it is normally a systemic issue, not a user issue. We have performed custom redirects, after credential harvesting, to a site that forces users to complete a short training on phishing awareness.
Pulling it All Together
Now that you have read this tradecraft on phishing, you may be asking, “what are the next steps?” Next, we are going to create some primers on setting up phishing campaigns using sendmail and Sharpmail and using SET to clone a website and harvest credentials. This simply gave you a glimpse into the mindset of how we think about attacks and some of the pitfalls encountered.