Today, I’m going to show you how we used a spear phishing attack to obtain the credentials of a company’s vice president of compliance, bypass two-factor authentication, and get access to very sensitive company information.
Of course, we did this during an authorized penetration test.
We were able to compromise the company without using:
Or complicated Metasploit payloads (not that there isn’t a time for them)
In this case study, I’ll walk you through the exact step-by-step process we used.
It’s the process we use to get a nearly 50% click rate on every phishing testing engagement we do.
Spear Phishing Attacks
We recently did a penetration test for a U.S. based client in the financial space.
Out of the several thousand employees they have, we were able to target 50 specific ones for phishing and vishing to gain access to as much sensitive information as possible.
As usual, we chose a spear phishing attack approach over sending mass emails and hoping someone bites.
We were able to get access to their entire CRM system with all of their customers, customer contact info, contracts, and more.
We also got customer connection credentials, financial information and a bunch more.
Now, let’s dive into the detailed spear phishing process;
Note: Because we don’t want to jeopardize our client’s security, the graphics are taken from random websites for illustration only. They are not from the company we tested.
Step 1: Researching the target’s environment, systems, and people
Spear phishing attacks, just like every penetration testing engagement, begin with thorough reconnaissance.
Remember Abraham Lincoln’s quote:
“Give me six hours to chop down a tree and I will spend the first four sharpening the ax.”
The same goes for reconnaissance.
You can never do too much.
In fact, if you want your social engineering attacks to go over well, you had better spend time learning as much about your target as you possibly can.
Let’s take a look at what we did to learn more about our targets.
Spear phishing reconnaissance and OSINT
The first place our team looked was the company’s website.
Companies put more and more valuable information on their websites and social media pages these days.
Here’s what we were interested in:
The company board members.
The company’s leadership team.
The different offices that the company has.
Then, we just browsed the site looking for anything of interest.
This led us to their “in the news” section where we made notes of several of the company’s recent accomplishments.
Information like this can be perfect for spear phishing attacks.
Society has a negative outlook on bragging.
Even so, people are actually very proud of their accomplishments and want to be able to discuss them.
If you can craft a social engineering scenario that gives them this opportunity, they will almost always fall for it.
Our team made note of several accomplishments before heading to our next recon spot – social media.
Using social media for spear phishing reconnaissance
Social media is a trove of valuable data for anyone putting together a spear phishing attack.
Most people simply don’t realize how an attacker can use bits of information they find to trick a company’s employees into giving them other valuable bits of information.
We typically start our reconnaissance on LinkedIn.
First, our team looked at the company’s LinkedIn page.
We got a feel for the company’s values, what they do, how large they are, etc.
Then we went to the nice “See All Employees” feature.
Now we were able to view all of the employees from the company and begin understanding who works in what departments, what they do, and how long they’ve been working for the company.
New employees can sometimes be soft targets.
They don’t know the company environment, they possibly haven’t been completely trained on security, and benefits like insurance and the 401(k) usually begin only after a few months of working — all perfect scenarios for spear phishing attacks.
As we looked at each employee on social media, we took notes in an application called KeepNote.
We create a folder for each person we think may be a valuable target.
Inside the folders, we make a page for each social media account for the person like so.
As we go, we keep notes on spear phishing scenario ideas.
Our team also did some reconnaissance on Twitter.
The first place we looked was the company’s own Twitter account.
We wanted to get a grasp on the company culture, pictures of the inside of the office, any employees who had commented on or liked the company’s tweets, any employees who might be following the company, and any events the company or its employees might have attended or sponsored.
We didn’t find a whole lot of valuable information, but we did find that one of the company’s employees posted some pretty useful information.
Just the week before our phishing testing, he had taken and failed an IT security certification.
We made sure to make a note of this in his “dossier” as we felt we could use it to target him.
When we look at Instagram for spear phishing attacks, we look for a few things.
Mainly, we want to find pictures taken inside the organization.
For example, many people post desktop pictures like this.
While it seems like there’s nothing an attacker can use in the photo, we now know that the target is using Windows.
If we decide to carry out a vishing attack, we have that much more legitimacy.
While we look through employees’ Instagram pages, we’re looking for anything that indicates the software used by the organization, and especially the endpoint protection they have.
Once we are comfortable with the information we have gathered on our target, we begin formulating spear phishing attacks and getting our infrastructure ready to go.
Step 2: Setting up phishing email and website servers
Many attackers simply try to alter parts of an email to appear as if someone else is sending it.
They change the “From” fields in the email header.
The problem with this is that a lot of email security systems catch this.
If you’re counting on this method to get your emails through, there’s a high chance they won’t make it to the target’s inbox.
That’s why a lot of times we take a different approach.
We purchase actual domains that fit our spear phishing scenarios.
(There are drawbacks to this approach. New domains, for example, are more likely to land in spam.)
Spear phishing attack domain acquisition and setup
There are tons of domain registrars that you can buy a domain from, but we typically just use Google domains.
From our team’s reconnaissance, we had a list of 4 domains that we thought would be effective for the phishing scenarios.
Next, we set up a cPanel server on Vultr where we could temporarily host the websites.
Spinning up a VM on Vultr is super easy.
Choose the virtual machine specs you want, enter payment, and they’ll have it ready to roll in just a few minutes.
Then we set up cPanel (hosting) accounts for each of the domains.
Note: A lesson we learned on this was not to let cPanel automatically set up SPF and DKIM records when it creates the account. This caused us some issues getting through the target’s email security system.
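The two points above (a forged “From” header is caught by mail security, while a purpose-bought domain with its own SPF/DKIM passes cleanly) are what a defender has to reason about when triaging inbound mail. The following Python is an added example, not code from the original post or the authors: it performs a DMARC-style alignment check between the From domain, the Return-Path domain and the DKIM signing domain, and then a separate look-alike test against the organisation’s own domain. The domain `examplebank.test` and both messages are constructed sample data; the `SAMPLE_*` names and helper functions are my own.

```python
"""Defender-side triage of an inbound message's sender domains (added example)."""
from collections import Counter
from email import message_from_string
from email.utils import parseaddr
import re

ORG_DOMAIN = "examplebank.test"  # constructed: the organisation's real domain


def domain_of(address):
    """Lowercase domain of an RFC 5322 address header value, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def dkim_domain(dkim_header):
    """The d= tag of a DKIM-Signature header value, or '' if not signed."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", dkim_header or "")
    return m.group(1).lower() if m else ""


def org_part(domain):
    """Registrable part used for DMARC 'relaxed' alignment (last two labels;
    a real implementation would consult the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def aligned(domain, from_domain):
    return bool(domain) and bool(from_domain) and org_part(domain) == org_part(from_domain)


def levenshtein(a, b):
    """Edit distance, used to spot typo-squats of the organisation's label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_org_domain(domain):
    """True for a registered domain that is a near-miss of ORG_DOMAIN or that
    embeds its first label (e.g. examplebank-401k.test)."""
    if not domain or domain == ORG_DOMAIN:
        return False
    base, label = ORG_DOMAIN.split(".")[0], domain.split(".")[0]
    return levenshtein(label, base) <= 2 or (base in label and label != base)


def triage(raw_message):
    """Return the sender domain, whether it would pass DMARC alignment, and
    whether it merely resembles the organisation's domain."""
    msg = message_from_string(raw_message)
    from_d = domain_of(msg.get("From"))
    spf_ok = aligned(domain_of(msg.get("Return-Path")), from_d)
    dkim_ok = aligned(dkim_domain(msg.get("DKIM-Signature")), from_d)
    return {"from_domain": from_d, "dmarc_pass": spf_ok or dkim_ok,
            "lookalike": looks_like_org_domain(from_d)}


# Constructed sample 1: forged From, mailed from an unrelated server, unsigned.
SPOOFED_MSG = "\n".join([
    "From: CEO <ceo@examplebank.test>",
    "Return-Path: <bounce@mail-sender-xyz.test>",
    "Subject: Quick favour",
    "",
    "Please review the attached document.",
])

# Constructed sample 2: a purpose-registered look-alike domain with its own
# matching Return-Path and DKIM signature, so alignment checks pass.
LOOKALIKE_MSG = "\n".join([
    "From: Benefits Team <hr@examplebank-401k.test>",
    "Return-Path: <hr@examplebank-401k.test>",
    "DKIM-Signature: v=1; a=rsa-sha256; d=examplebank-401k.test; s=mail; h=from:subject; bh=QUJD; b=REVG",
    "Subject: Your 401(k) enrollment",
    "",
    "Log in to confirm your enrollment.",
])

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MSG), ("lookalike", LOOKALIKE_MSG)):
        print(name, triage(raw))
    print(Counter(triage(m)["dmarc_pass"] for m in (SPOOFED_MSG, LOOKALIKE_MSG)))
```

The point the two samples make: the forged message fails alignment and is the easy case, whereas the look-alike message passes every authentication check because its domain is genuinely owned and configured by the sender. Only the look-alike test (or a trained recipient) distinguishes it, which is why the post treats bought domains as the more effective approach.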
Putting the phishing site behind CloudFlare
Because of recent changes, Google Chrome (and most browsers) give a very obvious warning when accessing a website that doesn’t use an SSL certificate.
To avoid this, we put our spear phishing sites behind Cloudflare.
It gives you a free SSL certificate that’s signed by a trusted third party.
With Cloudflare’s free account, you can secure one website.
Create a Cloudflare account for your phishing site.
We followed the account setup steps and pointed the domain’s nameservers to Cloudflare.
Then, in the security settings, we chose “Full SSL”.
With that done, we went back to cPanel and set up the phishing websites.
Here’s an example of our 401(k) phishing site:
Email server setup
For our spear phishing email server, we chose GoDaddy’s webmail service.
It’s very easy to set up and very cheap too.
It’s only $1.99 per mailbox per month.
When we first set up the GoDaddy email for the domain, we had to prove domain ownership and add a few DNS settings to allow proper mail delivery.
After that, all we had to do was log in and send emails.
To make our spear phishing emails look even more realistic, we got a copy of an email from the actual 401(k) company and copied the HTML.
We used that as the basis for all of the emails we sent.
Step 3: Getting the credentials
With all of the infrastructure in place, we moved on to the next phase – sending the spear phishing attack and getting the user’s credentials.
This part was actually pretty simple.
Of course, we started with thorough reconnaissance about the target.
First, we went to crt.sh and searched for all of the subdomains the organization was using.
We found that they were using the MailProtect secure email system by Zix.
Next, we started looking for a scenario that we could create that would “require them to open a secure email.”
Of course, we made a replica of their secure email portal for them to log in.
We found the perfect email looking at the announcements on their website.
The company had just been endorsed by a prestigious financial organization.
That was it!
I sent an email that appeared to be from the Chief Marketing Officer.
The spear phishing email went like this:
When the user clicked the link, it redirected them to the “secure email login portal”.
Of course, this was the look-alike site we created using WordPress.
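The crt.sh search above is how the testers learned which secure-email product the company used. A defender can run the same query against their own domain to see what their certificate-transparency footprint gives away. The Python below is an added example, not code from the original post: it parses the JSON that crt.sh returns (query form `https://crt.sh/?q=%25.example.test&output=json`, record fields `name_value`, `issuer_name`, `common_name`, `not_before`, `not_after`), de-duplicates the hostnames under one domain, and tags the ones whose first label suggests a hosted third-party service. The response and the `SERVICE_HINTS` table are constructed sample data; `examplebank.test` is not a real organisation.

```python
"""Inventory what Certificate Transparency reveals about a domain (added example)."""
import json
from collections import defaultdict

# Constructed sample in crt.sh's JSON record shape. name_value can carry several
# SAN entries separated by newlines; record 4 is deliberately outside the domain.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.examplebank.test",
     "name_value": "www.examplebank.test\nexamplebank.test",
     "not_before": "2023-01-10T00:00:00", "not_after": "2023-04-10T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "securemail.examplebank.test",
     "name_value": "securemail.examplebank.test\n*.examplebank.test",
     "not_before": "2022-11-01T00:00:00", "not_after": "2023-11-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn.examplebank.test",
     "name_value": "vpn.examplebank.test",
     "not_before": "2023-02-01T00:00:00", "not_after": "2023-05-01T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "notexamplebank.test",
     "name_value": "notexamplebank.test\nexamplebank.test.other.test",
     "not_before": "2023-02-01T00:00:00", "not_after": "2023-05-01T00:00:00"},
])

# Constructed mapping from a hostname's first label to what it usually exposes.
SERVICE_HINTS = {
    "securemail": "hosted secure-email portal (the kind of login page the post cloned)",
    "vpn": "remote-access gateway",
    "mail": "mail server or webmail",
    "sso": "single sign-on endpoint",
}


def parse_crtsh(json_text, domain):
    """Return {hostname: set(issuer_name)} for every non-wildcard name that is
    `domain` itself or a subdomain of it. Names that merely end with the same
    string (notexamplebank.test) or embed it (examplebank.test.other.test) are
    dropped."""
    domain = domain.lower()
    hosts = defaultdict(set)
    for rec in json.loads(json_text):
        for name in rec.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue
            if name == domain or name.endswith("." + domain):
                hosts[name].add(rec.get("issuer_name", ""))
    return dict(hosts)


def service_hints(hosts, domain):
    """Map each hostname whose first label is a known service keyword to the
    description of what it reveals."""
    out = {}
    for host in hosts:
        if host == domain:
            continue
        label = host.split(".")[0]
        if label in SERVICE_HINTS:
            out[host] = SERVICE_HINTS[label]
    return out


if __name__ == "__main__":
    found = parse_crtsh(SAMPLE_CRTSH_JSON, "examplebank.test")
    for host in sorted(found):
        print(host, "issued by", sorted(found[host]))
    for host, why in service_hints(found, "examplebank.test").items():
        print("exposes:", host, "->", why)
```

Running this over a real crt.sh export for your own domain is a cheap way to find out which hosted services (and therefore which vendor login pages) an attacker can expect your staff to recognise.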
Phishing attack success
We sent the spear phish to two people, and within hours both of them had enthusiastically agreed to complete the questionnaire for the “Wall Street Journal article”.
There was a problem though:
The organization’s firewall was blocking the malicious PDF from coming through.
I didn’t have to work hard at this though.
One of the targets decided to use their hotspot instead of the company internet.
With that, we had two sets of credentials.
Both belonged to organizational Vice Presidents.
But when we went to login, there was a problem.
Step 4: How we bypassed two-factor authentication
Our spear phishing attack went perfectly.
We had the credentials of two of the company’s vice presidents.
But when we went to log in…
Two-factor authentication was enforced.
But that wasn’t a problem for us.
We already had a plan to get around this.
I called the user; the conversation went like this:
(Note: Names and places are changed)
Victim: Good morning, -company name- this is Tim.
Me: Tim, how are you today?
Victim: I’m good.
Me: It is John from the security team in the Texas office.
Victim: Yeah, hey.
Me: Um, yeah. We were working on an office upgrade and had an issue with some of the accounts being locked out. It looks like yours isn’t locked out yet. We had an access management upgrade go south.
Me: So, if I can send you a code, can you send that to me so we can get it activated before it locks you out of everything?
Victim: John, just to make sure I’m covering my bases, is this your cell phone you’re calling me from?
Me: Yeah, I’m actually on vacation but because of the issue, I’m using my…
Me: VoIP client
Victim: Always concerned. Last year I got hit with social engineering.
Me: Chuckle…Never trust. Always verify.
Victim: John, what’s your last name?
Victim: Alright. Thank you, sir. Where are you on vacation at?
Me: I’m up at a cabin in the mountains.
Victim: Oh. That’s nice.
Me: Yep, taking a little break.
Victim: So, you have an upgrade that has gone wrong.
Me: Yes. Back-end with the office sync portal.
Victim: Alright, so are you going to send me a code through my email?
Me: No, it’s going to send you a text.
Victim: To which phone?
Me: Um, it’s showing the one that ends in 77. We can’t see the actual number for security reasons obviously.
(I log in and click to send the 2FA code.)
Me: Alright, it should have just sent it.
Me: Perfect, you should be good to go.
Victim: Alright, thanks
Me: Thank you. Don’t want to interrupt your busy day. That would be not nice.
Victim: Yeah, I appreciate it. Have fun on your vacation.
And with that, we were in the Vice President’s Office 365 portal and had access to tons of sensitive data.
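Once the password is valid and the SMS code has been relayed by the victim, the identity provider sees a fully authenticated session; the only telemetry left to a defender is where that session came from and how the challenge behaved. The Python below is an added example, not part of the original post: it scans constructed sign-in events (JSON lines; the field names `ts`, `user`, `ip`, `event`, `method` are assumptions, not any vendor’s schema) and raises an alert when a successful MFA sign-in arrives from a /24 the user has no prior history on, recording how long the SMS challenge took to be answered. The users, IP addresses (documentation ranges) and timestamps are all constructed.

```python
"""Flag MFA-satisfied sign-ins from a network the user has never used (added example)."""
import json
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sign-in log: two normal office sessions, then the post's scenario
# (same account, SMS factor satisfied, but from an address never seen before),
# then a first-ever sign-in for another user, which has no baseline to compare to.
SAMPLE_SIGNIN_LOG = """\
{"ts": "2019-05-01T08:02:11Z", "user": "vp.compliance", "ip": "198.51.100.23", "event": "password_ok"}
{"ts": "2019-05-01T08:02:12Z", "user": "vp.compliance", "ip": "198.51.100.23", "event": "mfa_challenge_sent", "method": "sms"}
{"ts": "2019-05-01T08:02:15Z", "user": "vp.compliance", "ip": "198.51.100.23", "event": "mfa_ok", "method": "sms"}
{"ts": "2019-05-02T08:10:40Z", "user": "vp.compliance", "ip": "198.51.100.24", "event": "password_ok"}
{"ts": "2019-05-02T08:10:41Z", "user": "vp.compliance", "ip": "198.51.100.24", "event": "mfa_challenge_sent", "method": "sms"}
{"ts": "2019-05-02T08:10:45Z", "user": "vp.compliance", "ip": "198.51.100.24", "event": "mfa_ok", "method": "sms"}
{"ts": "2019-05-07T10:31:02Z", "user": "vp.compliance", "ip": "203.0.113.77", "event": "password_ok"}
{"ts": "2019-05-07T10:31:05Z", "user": "vp.compliance", "ip": "203.0.113.77", "event": "mfa_challenge_sent", "method": "sms"}
{"ts": "2019-05-07T10:33:48Z", "user": "vp.compliance", "ip": "203.0.113.77", "event": "mfa_ok", "method": "sms"}
{"ts": "2019-05-07T10:40:00Z", "user": "analyst.j", "ip": "192.0.2.9", "event": "password_ok"}
{"ts": "2019-05-07T10:40:01Z", "user": "analyst.j", "ip": "192.0.2.9", "event": "mfa_ok", "method": "sms"}
"""


def network_of(ip):
    """Collapse an IPv4 address to its /24 so ordinary DHCP churn is not 'new'."""
    return str(ip_network(f"{ip}/24", strict=False))


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_new_network_mfa(events):
    """Return one alert per mfa_ok event whose source /24 the user has never
    completed a sign-in from before. Users with no history yet are skipped
    rather than alerted on, since there is nothing to compare against."""
    seen = defaultdict(set)      # user -> /24s with a prior successful sign-in
    last_challenge = {}          # user -> time the most recent code was sent
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, net = ev["user"], network_of(ev["ip"])
        if ev["event"] == "mfa_challenge_sent":
            last_challenge[user] = parse_ts(ev["ts"])
        elif ev["event"] == "mfa_ok":
            if seen[user] and net not in seen[user]:
                delay = None
                if user in last_challenge:
                    delay = int((parse_ts(ev["ts"]) - last_challenge[user]).total_seconds())
                alerts.append({
                    "user": user, "ip": ev["ip"], "network": net,
                    "method": ev.get("method"), "seconds_to_answer": delay,
                    "known_networks": sorted(seen[user]),
                })
            seen[user].add(net)
    return alerts


if __name__ == "__main__":
    for alert in flag_new_network_mfa(parse_events(SAMPLE_SIGNIN_LOG)):
        print(json.dumps(alert))
```

In the sample the third vice-president session is the only alert: the password and SMS factor both succeeded, but from a network outside the user’s baseline, and the code took well over two minutes to be entered, consistent with it being read out over a phone rather than typed from the user’s own handset. An alert like this is a trigger to call the user back on a known number, and the scenario is the standard argument for moving SMS codes to a factor that cannot be relayed verbally.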
Statistics show that 97% of cyber attacks today rely on human errors of some form.
As attackers, it’s so much easier to target humans than hardened devices.
Phishing is an attacker’s tool of choice.
But spear phishing attacks are even better – the scenarios are carefully crafted to not arouse suspicion.
In our own engagements, we get around a 50% click rate from spear phishing emails.
Train your employees to be very careful and to spot suspicious emails.
If you need help, check out our managed security awareness training program.