To excel in their job, penetration testers need to think and act like attackers. CISOs, in turn, should stay on top of new trends in cyber-criminals’ modus operandi. Since phishing is a driving force of numerous cyber incursions targeting organizations these days, the emerging methods of this e-crime definitely belong in the white hats’ handbook.
Although a trial focusing on a large number of users is easier for a pen tester to orchestrate than a targeted attack, this approach isn’t as effective in terms of the success rate. An “undercover” security professional cannot go with the flow by making such shots in the dark with a low chance of striking home.
Most employees will quite likely fail to identify the threat, but a few will probably suspect something isn’t right and will notify the IT team. As a result, all efforts of the pen tester will go down the drain.
To make sure the phishing attack pans out, a penetration tester has to go through some extensive prepping first. They should take a dive into the business area the company is in, figure out the potential pain points of specific employees, and do some reconnaissance to try and spot imperfections in the enterprise network and protection mechanisms that are in place.
Social engineering is also a matter of thinking out of the box. The sections below shed light on some of the non-mainstream ways of executing targeted phishing attacks pen testers and IT staff should know about.
The Treacherous @ Symbol
Attackers have been using similar looking domains for ages. This strategy isn’t very likely to hoodwink phishing-aware employees these days, but social engineering piggybacks on insufficient vigilance in the first place. Cautious people, who tend to examine hyperlinks before clicking on them, will easily see a red flag in a URL such as: https://brandname.com@phishingpage.com
According to URL composition standards covered in RFC 1738, the @ symbol can perform the function of a separator between the following two attributes: <username><password> and <host>. This way, an authorized user can allow another person to access a password-protected web page by clicking on a link.
The ambush is that no matter what comes before the @ sign, the browser will resolve the page which is in the tail of the URL – and voila, the target ends up on a spoofed site in a snap.
Link Preview Playing into Attackers’ Hands
If you are a Windows user, then you probably know that the operating system doesn’t display known file extensions unless you configure it to. Cyber-criminals often abuse this default set-up to spread malware camouflaged as harmless documents, images, and other objects.
What you might not be aware of, though, is that a similar trick can be done with URLs. Let’s say you receive the following link over email: https://brandname.com:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@phishingpage.com/yyyyyyyyyyyyyyyyyyyyyyyyyy.html. Note that this is a sample URL and an attacker will insert some keywords shown on the authentic website instead of the “xxx…” and “yyy…” strings.
Mozilla Firefox is preconfigured to clip links like that in the middle, which means the “phishingpage.com” part will not be visible. The only thing you will notice is a bunch of characters that appear harmless and match a few keywords you normally see on the original site (brandname.com in this example).
When it comes to other web browsers, they treat such bulky URLs in their own ways. A phisher who did his homework and knows which browser the intended victim uses will be able to adjust the link preview hoax to the circumstances.
Dodgy Encoding
Here’s another recipe for a toxic social engineering snack: take some Arabic symbols, apply the UTF8 to hexadecimal conversion to them, and then spice your URL with the resulting hex string. The link will look somewhat gibberish but won’t necessarily arouse suspicion at first sight. It will be similar to this:
https://brandname.com@%C1%A0%83%B1%A4%36%A0%D3%B0%C7%.
If you hover your mouse over such a hyperlink in a desktop browser, the actual URL will be automatically presented in its decoded shape and you may notice the giveaways as long as you look closely. However, this auto-decoding doesn’t apply to the Outlook email client and web browsers on mobile devices.
Text Message Forwarding
The usefulness of two-factor authentication (2FA) is out of the question, but a clever social engineering trick can help circumvent it. Here’s how the manipulative scheme works. As a launch pad for your penetration test, send the target a text message instructing them to log in to their telecom carrier account. Point out that it’s required to accept the new terms of service or confirm that their personal details are up to date.
Importantly, the SMS should emphasize that this is an urgent matter so that the employee doesn’t contact a customer support agent first. It’s also worth ascertaining that the embedded phishing link matches the conventional URL structure leveraged by the mobile network operator.
As soon as the victim types their credentials on the bogus site and you have them, the next thing you should do is sign in to the real customer account and turn on the text message forwarding feature. This way, you can intercept 2FA verification messages further on and thereby easily access the target’s accounts.
Additional Considerations
If you are a pen tester, there are several extra tips that can make your trial attack more effective and help you find weak links in the organization’s defenses.
- Submit an official inquiry to the organization as if you were a potential or existing customer. Once you get the response, inspect and copy the email design and branding elements to make sure your phishing emails look real.
- Call the personnel as part of your probing work. If the answering machine says an employee is away on vacation, capitalize on this fact by contacting the co-workers from a forged email account. This may help obtain corporate secrets.
- No matter how weird it sounds, you can make the target want to find your phishing page. This subtle manipulation involves an info bait that captures the person’s attention. If they google the subject, they might visit your phishing site that will be one of the top search results.
Conclusion
When it comes to dealing with cyber-attacks, most businesses prioritize a reactive tactic over proactive defenses nowadays. This can be a source of serious issues down the road because new threats will easily bypass the protection based on such archaic security practices.
Despite the fact that phishing hoaxes have been dominating the landscape of enterprise threats for years, many companies continue to boil their security posture down to physical protection of the premises rather than digital security. Some business executives still believe that classic anti-virus solutions combined with garden-variety security guidelines for the personnel are enough to fend off hacker attacks.
Both of the above perspectives are a slippery slope and don’t work anymore. The truth is, social engineering in general and phishing hoaxes, in particular, are the top threats companies need to watch out for.