Today, I’m going to show you how we used a spear phishing attack to get a company’s vice president of compliance’s credentials and bypass Two Factor Authentication and get access to very sensitive company information.
Of course, we did this during an authorized penetration test.
We were able to compromise the company without using:
0-day attacks.
Fancy exploits.
Or complicated Metasploit payloads (not that there’s not a time for them)
In this case study, I’ll walk you through the exact step-by-step process we used.
It’s the process we use to get nearly 50% click rate on every phishing testing engagement we do.

Get Better Phishing Success Rates: Get access to a free downloadable PDF checklist that will show you how to train your employees to spot and stop spear phishing techniques.

Spear Phishing Attacks

We recently did a penetration test for a U.S. based client in the financial space.
Out of the several thousand employees they have, we were able to target 50 specific ones for phishing and vishing to gain access to as much sensitive information as possible.
As usual, we chose a spear phishing attack approach over sending mass emails and hoping someone bites.

We were able to get access to their entire CRM system with all of their customers, customer contact info, contracts, and more.
We also got customer connection credentials, financial information and a bunch more.
Now, let’s dive into the detailed spear phishing process;

Note: Because we don’t want to jeopardize the security of our client, graphics are taken from random websites for exemplary purposes only. They are not the company we tested.

Step 1: Researching the target’s environment, systems, and people

Spear phishing attacks, just like every penetration testing engagement, begins with thorough reconnaissance.
Remember Abraham Lincoln’s Quote

Give me six hours to chop down a tree and I will spend the first four sharpening the ax

The same goes for reconnaissance.
You can never do too much.
In fact, if you want your social engineering attacks to go over well, you had better spend time learning as much about your target as you possibly can.
Let’s take a look at what we did to learn more about our targets.

Spear phishing reconnaissance and OSINT

The first places our team looked was the company’s website.
Companies put more and more valuable information on their websites and social media pages these days.
Here’s what we were interested in:

The company board members .

The company’s leadership team.

The different offices that the company has.
Then, we just browsed the site looking for anything of interest.
This led us to their “in the news” section where we made notes of several of the company’s recent accomplishments.
Information like this can be perfect for spear phishing attacks.
You see:
Society has a negative outlook on bragging.
Even so, people are actually very proud of their accomplishments and want to be able to discuss them.
If you can craft a social engineering scenario that gives them this opportunity, they will almost always fall for it.

Our team made note of several accomplishments before heading to our next recon spot – social media.

Using social media for spear phishing reconnaissance

Social media is a trove of valuable data for anyone putting together a spear phishing attack.
Most people simply don’t realize how an attacker can use bits of information they find to trick a company’s employees into giving them other valuable bits of information.

LinkedIn

We typically start our reconnaissance on LinkedIn.
First, our team looked at the company’s LinkedIn page.

We got a feel for the company’s values, what they do, how large they are, etc.
Then we went to the nice “See All Employees” feature.

Now we were able to view all of the employees from the company and begin understanding who works in what departments, what they do, and how long they’ve been working for the company.
New employees can sometimes be soft targets.
They don’t know the company environment, they possibly haven’t been completely trained on security, and things like insurance, 401(k) usually begin after a few months of working — all perfect scenarios for spear phishing attacks.
As we looked at each employee on social media, we took notes in an application called KeepNote.

We create a folder for each person we think may be a valuable target.

Inside the folders, we make a page for each social media account for the person like so.

As we go, we keep notes on spear phishing scenario ideas.

Twitter

Our team also did some reconnaissance on Twitter.
The first place we looked was the company’s own Twitter account.
We wanted to get a grasp on the company culture, pictures of inside of the office, any employees who have commented or liked the company’s tweets, any employees who may be following the company, and any events the company or it’s employees might have attended or sponsored.
We didn’t find a whole lot of valuable information, but we did find that one of the company’s employees posted some pretty useful information.

Just the week before our phishing testing, he had taken and failed an IT security certification.
We made sure to make a note of this in his “dossier” as we felt we could use it to target him.

Instagram

When we look at Instagram for spear phishing attacks, we look for a few things.
Mainly, we want to find pictures of inside of the organization.
For example, many people post desktop pictures like this.

While it seems like there’s nothing an attacker can use in the photo, we now know that the target is using Windows.
If we decide to carry out a vishing attack, we have that much more legitimacy.
While we look through employee’s Instagram pages, we’re looking for anything that will indicate the software used by the organization and especially the endpoint protection they have.

Once we are comfortable with the information we have gathered on our target, we begin formulating spear phishing attacks and getting our infrastructure ready to go.

Step 2: Setting up phishing email and website servers

Many attackers simply try to alter parts of an email to appear as if someone else is sending it.
They change the email “from” components of the email header.

The problem with this is that a lot of email security systems catch this.
If you’re counting on this method to get your emails through, there’s a high chance they won’t make it to the target’s inbox.
That’s why a lot of times we take a different approach.
We purchase actual domains that fit our spear phishing scenarios.
(There are drawbacks to this approach. New domains for example, are more prone to go to spam).

Spear phishing attack domain acquisition and setup

There are tons of domain registrars that you can buy a domain from, but we typically just use Google domains.

From our teams reconnaissance, we had a list of 4 domains that we thought would be effective for the phishing scenarios.
Next, we setup a CPanel server on Vultr where we could temporarily host the websites.
Spinning up a VM on VULTR is super easy.

Choose the virtual machine specs you want, enter payment, and they’ll have it ready to roll in just a few minutes.
Then we set up CPanel (hosting) accounts for each of the domains.

Note: A lesson we learned on this was to not allow CPanel to automatically set up SPF and DKIM keys when it sets up the account. This caused us some issues getting through the target’s email security system.

Putting the phishing site behind CloudFlare

Because of recent changes, Google (and most browsers) give a very obvious warning when accessing a website that doesn’t use an SSL.

To avoid this, we put our spear phishing sites behind Cloudflare security system.
It gives you a free SSL that’s signed by a trusted third party.
With Cloudflare’s free account, you can secure one website
Create a Cloudflare account for your phishing site.
We followed the account setup steps and pointed the DNS nameserver settings to cloudflare.

Then in the security settings, we chose “full SSL”
And with that we went back to CPanel and set up the phishing websites.
Here’s an example of our 401(k) phishing site:

Email server setup

For our spear phishing email server, we chose Godaddy’s webmail service.
It’s very easy to setup and very cheap too.
It’s only $1.99 per mailbox per month.
When we first set up the Godaddy email for the domain, we had to prove domain owner ship and add a few DNS settings to allow proper mail delivery.
After that all we had to do was log in and send emails.
To make our spear phishing emails even more realistic looking, we got a copy of an email from the actual 401k company and copied the html.
We used that as the basis for all of the emails we sent.

Step 3: Getting the credentials

With all of the infrastructure in place, we moved on to the next phase – sending the spear phishing attack and getting the user’s credentials.
This part was actually pretty simple.
Of course, we started with thorough reconnaissance about the target.
First, we went to crt.sh and searched for all of the subdomains the organization was using.

We found that they were using the MailProtect secure email system by Zix.
Next, we started looking for a scenario that we could create that would “require them to open a secure email.”
Of course, we made a replica of their secure email portal for them to log in.
We found the perfect email looking at the announcements on their website.

The company had just been endorsed by a prestigious financial organization.
That was it!
I sent an email that appeared to be from the Chief Marketing Officer.
The spear phishing email went like this:

When the user clicked the link, it redirected them to the “secure email login portal”
Of course this was the look-a-like site we created using WordPress.

Phishing attack success

We sent the spear phish to two people and within hours both of them had enthusiastically agreed to complete the questionnaire for the “Wall Stree Journal Article”
There was a problem though:
The organization’s firewall was blocking the malicious PDF from coming through.
I didn’t have to work hard at this though.
One of the targets decided to use their hotspot instead of the company internet.
With that, we had two sets of credentials.
Both of whom were organizational Vice Presidents.
But when we went to login, there was a problem.

Step 4: How we bypassed two-factor-authentication

Our spear phishing attack went perfectly.
We had the credentials of two of the company’s vice presidents.
But when we went to log in…

Two-factor authentication was enforced.
But that wasn’t a problem for us.
We already had a plan to get around this.
I called the user; the conversation went like this:

(Note: Names and places are changed)

Victim: Good morning, -company name- this is Tim.
Me: Tim, how are you today?
Victim: I’m good.
Me: It is John from the security team in the Texas office.
Victim: Yeah, hey.
Me: Um, yeah. We were working on an office upgrade and had an issue with some of the accounts being locked out. It looks like yours isn’t locked out yet. We had an access management upgrade go south.
Victim: Mhmm.
Me: So, if I can send you a code, can you send that to me so we can get it activated before it locks you out of everything?
Victim: John, just to make sure I’m covering my bases, is this your cell phone you’re calling me from?
Me: Yeah, I’m actually on vacation but because of the issue, I’m using my…
Victim: Laugh
Me: VoIP client
Pause
Victim: Always concerned. Last year I got hit with social engineering.
Me: Chuckle…Never trust. Always verify.
Victim: John, what’s your last name?
Me: Smith
Pause
Victim: Alright. Thank you, sir. Where are you on vacation at?
Me: I’m up at a cabin in the mountains.
Victim: Oh. That’s nice.
Me: Yep, taking a little break.
Victim: So, you have a upgrade that has gone wrong.
Me: Yes. Back-end with the office sync portal.
Victim: Alright, so are you going to send me a code through my email?
Me: No, it’s going to send you a text.
Victim: To which phone?
Me: Um, it’s showing the one that ends in 77. We can’t see the actual number for security reasons obviously.
Victim: Ok.
–I log in and press to send the 2FA code.
Me: Alright, it should have just sent it.
Victim: 603989
Pause
Me: Perfect, you should be good to go.
Victim: Alright, thanks
Me: Thank you. Don’t want to interrupt your busy day. That would be not nice.
Victim: Yeah, I appreciate it. Have fun on your vacation.

And with that, we were in the Vice President’s Office 365 portal and had access to tons of sensitive data.

Conclusion

Statistics show that 97% of cyber attacks today rely on human errors of some form.
As attackers, it’s so much easier to target humans that robust devices.
Phishing is an attackers choice tool.
But spear phishing attacks are even better – the scenarios are carefully crafted to not arouse suspicion.
In our own engagements, we get around a 50% click rate from spear phishing emails.
Train your employees to be very careful and to spot suspicious emails.
If you need help, check out our managed security awareness training program.

Leave a Reply

Your email address will not be published. Required fields are marked *

About SmartFix

We are a family owned business that provides fast, warrantied repairs for all your mobile devices.

Brooklyn Area

2307 Beverley Rd Brooklyn, New York 11226 United States

1000 101-454555
[email protected]

Store Hours
Mon - Sun 09:00 - 18:00

San Francisco Area

358 Battery Street, 6rd Floor San Francisco, CA 27111

1001 101-454555
[email protected]

Store Hours
Mon - Sun 09:00 - 18:00

121 Resources for you to:

Learn & Master Cyber Security
Send Me the PDF
close-link
Get the Exclusive Bonus
Privacy Checklists and My Favorite Resources

Get Instant Access! 
Your information will never be shared
close-link
LET'S FIGURE OUT HOW TO HELP YOU BECOME A CYBER HERO + FREE STUFF!

Reasons to Subscribe to the CyberX Email List:

 
CLICK HERE TO SUBSCRIBE

 1. Free Stuff 
You'll get instant access to free resources. 

 2. Content Tailored to You 
Over time, Ill get to learn more about you and deliver content that actually matters

 3. No Hype 
Just real content that's meant to make a difference. 
 

close-link

Download the PDF Version Of This Guide

Want to save this guide for later? I'll email you the PDF for free. 
 
DOWNLOAD THE FREE GUIDE
close-link

SAVE MY SPOT!

How would you like us to help you?

Reserves
I want to do my own security using CyberX's proven frameworks.
Warrior
I want CyberX to do my cybersecurity WITH me
We've put together frameworks and guides for you to build a cybersecurity and compliance program
CyberX will help build strategies and/or consult with you or your team to set you in the right direction. Execution is not included.

Tell us about you and your business

It proviedes us with necessary insight into your business and goals

Name

Email

Phone

Only 1 more step

It allows us to create a plan to reach your goals much faster

Monthly IT Budget

Company Name

Almost Ready

What are your struggling with?

What services are you looking for? (Check all that apply)

...expect a quick reply from our team soon!

SEND US YOUR REQUEST