1 of 49

Phishing For Phun!

By Kristoffer Marshall

@CrunkComputing

Photos totally allowed.

2 of 49

Disclaimer

Neither I nor my employer is responsible for the actions of attendees or of anyone else who has access to this presentation. All information in this presentation is for educational purposes only.

3 of 49

About Kristoffer Marshall

(Kristoff)

  • Currently a Security Engineer on a Cyber Defense Team.
  • Still “the email guy” with about 7 years of professional experience.
  • A couple of Associate’s Degrees, JNCIA, CEH.
  • CompTIA Linux+ SME
  • Past
    • Freelance IT guy
    • Helpdesk
    • Programmer
    • Linux Admin
    • Time Magazine’s Person of the Year (2006)
  • Hobbies
    • Programming
    • Microcontrollers
    • Beer, wine, mead, kombucha
    • Horticulture
    • Stupid websites

4 of 49

“The security aspect of cyber is very very tough. And maybe it's hardly doable.” - Donald Trump

5 of 49

What is phishing?

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

- Wikipedia

A phishing email usually has the following things:

  • A sense of urgency
  • A request to click a link or email back
  • A request, either in the reply or on a linked page, for personal information or account credentials
  • Often, your name is included in the email

6 of 49

What are the threats of phishing?

  • Daily operations can be interrupted.
  • Your company’s reputation can be tainted.
  • If credentials are stolen, you are just as vulnerable as if you had a disgruntled employee, or worse.
  • If your company has a large amount of bandwidth, it can be used in a DoS attack.

7 of 49

Sometimes employees even forward phishing emails to others, for various reasons. When that happens, it kinda looks like this:

8 of 49

9 of 49

Why does phishing work?

  • Curiosity
  • Fear
  • Sense of duty

Curiosity is obviously the fun one.

10 of 49

Why should we phish our employees?

  • No matter how many technical controls you have in place, your coworkers are still your biggest threat to the business.
  • It’s really, really fun to do (and a bit frightening).
  • Anti-phishing software isn’t fail-proof. It only takes one time for a message to get through.

  • You need to educate your employees on proper security procedures before the bad guy does.

11 of 49

Phishing vs. Spam

Phishing email is technically spam, but spam is not just phishing email.

For instance, this is phishing:

Hey John! Can you send me the account details for the deal we just signed?

This is just spam:

We have 4 days fully comprehensive PMP(R) - Project Management Professional Training scheduled on below mentioned dates.

Location : Detroit ,MI

Batch 1 : Mar 28th - 31st 2016

To know more call @323 982 8682

12 of 49

Unfolding of Events (1/2)

  • 1:06PM - The phishing email gets sent out to all employees.
  • 1:16PM - 13% of employees have clicked the link, 5% tried logging in.
  • 1:45PM - People start reporting the link.
  • 2:41PM - An escalation coordinator informs the whole company that this issue is being investigated.

13 of 49

What I was doing at this point

14 of 49

Unfolding of Events (2/2)

  • 2:58PM - My DNS provider’s Legal and Abuse Department sends me a heads-up and blackholes my domains.
  • 4:15PM - My VPS provider sends me an abuse report. My account is flagged, but the VM is never shut down. I find out who reported me.
  • 4:28PM - I ask the guy who reported me to email my providers back.
  • 7:23PM - The DNS provider unlocks my domains, although I don't remember getting the site to work until the next day.
  • Sometime later - The VPS provider closes my ticket.
  • 5PM the next day - People have stopped clicking the link. Pretty much everyone hates me now.

15 of 49

Statistics

  • Percentage of people who reported the email: 12%
  • Percentage of people who clicked the link: 18%
  • Percentage of people who attempted to login to the fake website: 9%

16 of 49

How the attack process works

  1. Send out the email
  2. The user clicks the link that goes to a page at examplė.com
  3. An intermediary page logs who clicked the link by cross-referencing the referral URL with the corresponding user
  4. The intermediary page immediately redirects to a login page at exmple.com, so the punycode is no longer visible in the location bar
  5. The user sees that it’s a familiar or professional looking page, a little HTTPS lock shows the page is encrypted, the URL looks familiar, and they log in
  6. The form logs the user’s input (their email address)
  7. The user gets scorned

17 of 49

On to the good stuff - Prep

  • Contact the appropriate parties at the company.
    • Getting sign-off from upper management is key.
    • Will someone get fired if (blank name) isn’t informed prior?
    • Regardless, you WILL piss people off, and that’s good.
  • Get list of employee email addresses.
  • Names are a plus.
  • Test, test, test!
    • Send test email messages to yourself from the origin computer/IP you’re going to send from.
    • Don’t overdo it!

18 of 49

Uh-oh!

Things I didn’t consider, but definitely will next time:

  • Contact your DNS provider first.
  • Contact your VPS provider first.
  • Whoever hosts your Internet service where you’re sending the email from may need to be notified.
  • You can be temporarily or permanently shut down, or, worst-case scenario, legal action may be taken against you.
  • You may have better results using smaller providers.

19 of 49

Postfix

  • Set it up.
  • It’s not hard to do.
  • yum install postfix
  • service postfix start, or systemctl start postfix
  • chkconfig postfix on or systemctl enable postfix
  • Now you can put Postfix on your resume.
  • Postfix shouldn’t be configured as an open relay by default, unless you’re running some distro like Billy Bob’s Kickass Linux System.

20 of 49

VPS

  • Linux virtual servers are cheeeeap.
  • Example: 2 core, 1GB RAM, 60GB HDD, CentOS 6 64-bit box in New York for $5.67/mo, $68.04/yr.

Cheap options include:

  • RamNode
  • DigitalOcean
  • Linode
  • HostGator
  • GoDaddy

Check out lowendbox.com for some good deals. Or just host your own server.

21 of 49

DNS - Homoglyphs

  • Think of a domain name similar to your company’s domain. There are websites for helping out.
  • (IDN) homograph/homoglyph attack: Using unicode to create similar looking domains
    • http://www.irongeek.com/homoglyph-attack-generator.php helps.
    • Example: googlė.com is not google.com
    • Punycode: http://xn--googl-b0a.com/
    • Text inline in HTML will show googlė.com. The browser’s lower-left status popup (the link target) will ALSO show googlė.com.
    • Some of my favorite unicode characters:
      • ä е e ė ë e o 0 O o Ο ο О о l ι ا ⅼli l і ⅰ i
  • Don’t rely on homoglyphs.
    • People notice them.
    • Registering a domain with unicode can be challenging.
    • They work great inline in email messages. Headers are a different story.
      • Postfix needs to be compiled with SMTPUTF8 to send from a unicode address.
      • Python needs some kind of goat sacrifice to send from a unicode address.
      • No, I haven’t successfully sent email from a unicode domain … yet.
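The punycode trick in steps 2 to 4 of the attack process and the homoglyph list above are exactly what a mail or proxy filter has to spot. As an added defensive example (my code, not from the talk), this Python checks link or sender domains against a protected domain: it decodes punycode the way a browser does, folds the talk’s look-alike characters to ASCII, and also catches one-keystroke typosquats such as exmple.com. The confusable table is a small hand-built subset, and example.com stands in for the company domain.

```python
import unicodedata
# Look-alikes from the talk's list, folded to the ASCII letter they imitate.
# Accented letters such as ė and ë are handled by NFKD decomposition instead.
CONFUSABLES = {
    "\u0435": "e",                                        # Cyrillic ie
    "\u043e": "o", "\u03bf": "o", "0": "o",               # Cyrillic o, Greek omicron, zero
    "\u0456": "i",                                        # Cyrillic dotted i
    "\u03b9": "l", "\u0627": "l", "1": "l", "|": "l",     # Greek iota, Arabic alef, one, bar
}
def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) the way a browser does before display."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already raw Unicode, nothing to decode

def skeleton(domain: str) -> str:
    """Reduce a domain to what it looks like: strip accents, fold confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):  # drops the dot on ė, the diaeresis on ë, ...
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-keystroke typosquats such as exmple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, protected: str) -> str:
    """Verdict for a link or sender domain relative to the domain being protected."""
    shown = to_unicode(domain).lower()
    if shown == protected:
        return "trusted"
    if skeleton(shown) == skeleton(protected):
        return "homoglyph"  # identical once look-alikes are folded away
    if edit_distance(shown, protected) <= 1:
        return "typosquat"  # one insertion, deletion or substitution away
    return "unrelated"

if __name__ == "__main__":  # constructed sample links; example.com is the protected domain
    for d in ["example.com", "exampl\u0117.com", "exmple.com", "\u0435xample.com", "github.com"]:
        print(f"{d:20} shown as {to_unicode(d):20} {classify(d, 'example.com')}")
```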

22 of 49

23 of 49

24 of 49

25 of 49

DNS - Miscellaneous

  • Namecheap.com is $10.69/yr for a .com domain.
  • Don’t piss people off to where you have to surrender the domain.
  • Create an SPF record, or don’t.
    • Test to see if an SPF will be beneficial.
    • If there is an SPF record on the domain you’re using, make sure you’re sending from a valid IP.
  • Sending email from your work network may work if you want to spoof your company’s real domain.
  • If you want to act as an outside vendor instead, think of a domain name. http://www.domainbimbo.com (! Some domain names are NSFW !)
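As an added defensive example (mine, not the talk’s), here is an offline SPF evaluation in Python showing what the receiving server does with a sending IP: a domain with a -all record rejects mail from any IP it does not list, which is exactly what the “valid IP” test above is about, and why spoofing the company’s real domain only works from an authorized network. The DNS TXT records are constructed and the domain names are placeholders.

```python
import ipaddress

# Constructed DNS TXT records standing in for live lookups; the domain names
# are placeholders, not real infrastructure.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ~all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate domain's SPF record for a sending IP: pass/fail/softfail/neutral/none."""
    terms = DNS_TXT.get(domain, "").split()
    if depth > 10 or not terms or terms[0] != "v=spf1":
        return "none"  # no usable record (or an include loop): receivers can't judge
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism defaults to "pass" when it matches
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # a/mx/exists need live DNS and are skipped in this offline demo
        if matched:
            return RESULT[qualifier]
    return "neutral"  # ran off the end of the record without a match

def would_be_rejected(domain: str, ip: str) -> bool:
    """True when a strict receiver would refuse mail claiming to come from domain."""
    return spf_check(domain, ip) == "fail"

if __name__ == "__main__":
    for ip in ["203.0.113.7", "198.51.100.10", "192.0.2.5"]:
        print(ip, spf_check("example.com", ip))
```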

26 of 49

Let’s Encrypt!

Yes, you too can have an encrypted website for FREE! Do it. People trust HTTPS sites. Browsers complain less about HTTPS sites.

https://letsencrypt.org/

27 of 49

Email process

  1. Get email addresses (and names if possible).
  2. Create a CSV with above info.
  3. Iterate through CSV and create a unique identifier for each person (a hash).
  4. Email every person individually with a uniquely crafted URL.
  5. Sit back and tail the logs.

“I made a mistake using a private email.” - Hillary Clinton, last week

28 of 49

Developing the phishing script

I took the list of names and email addresses and formatted them into a CSV as follows:

John Doe,jdoe@example.com
Jane Doe,jdoe1@example.com
Kevin Mitnick,kmitnick@example.com

Then I appended a completely random string to each line with apg (-a 1 -M nc produces a random string of digits and capital letters, -m 32 makes it 32 characters long, and tr lowercases it):

IFS=$'\n'; for x in $(awk -F, '{print $1","$2","}' email-addresses.csv); do echo -n $x; apg -a 1 -M nc -n1 -m 32 | tr '[:upper:]' '[:lower:]' ; done > email-addresses-hashed.csv

Which creates something like this:

John Doe,jdoe@example.com,l8w74t2ua9r0u7hdhgius8253u5p0k1i
Jane Doe,jdoe1@example.com,rva2qdw563r787rm1l3ec8w0mlejhir3

29 of 49

Developing the phishing script

./sendEmail John jdoe@example.com gzosbis9mphkw3ei9wugaigkonow1dum

30 of 49

31 of 49

32 of 49

33 of 49

Sending out the email

To send out email, each line looks something like this:

./sendEmail John jdoe@example.com 6ecfe51d4fead49d3c4ac13b537a0d8f
./sendEmail Joe jschmoe@example.com 4abe5c529fa35858fec60718f1cf2272
[ … ]

Easy, right? Just create a BASH loop. I tried, but I was seeing some very unexpected results. Instead, I generated a BASH script to be executed, reading the hashed CSV from the previous slide and keeping only the first name:

IFS=$'\n'; for x in $(cat email-addresses-hashed.csv | awk -F, '{split($1,a," "); print a[1]" "$2" "$3}'); do echo -e "./sendEmail ${x}\nsleep .3" ; done > sendPhish.sh

34 of 49

What the user pretty much saw

(email)

35 of 49

What the user didn’t actually see (email footer)

This communication and any attached files may contain information that is not confidential or privileged. This is a simulated phishing attempt and will not harm your computer. If you are reading the entirety of this message, good job. Please do not click the link as the event will be logged.

36 of 49

Website process

  • Find a login URL your company hosts that you want to copy.
  • Make a local copy of the website.
  • Modify all URLs in the website to point to your own (this is important).
  • Disable the password field from sending a password (value="").
  • Point the form to a script you’re going to write to capture the data.
  • Write that script to log who actually tried logging in, then show the user the page on slide 43.

37 of 49

The Wrapper Page

38 of 49

clicked.log

39 of 49

The Login Page (index.html.template)

Copy a pre-existing page and modify

- or -

Create your own official-looking login page

Either way, the password field from the website process slide, with value="" set:

<input class="login-form" type="password" id="logPassword" value="" maxlength="64" autocorrect="off" autocapitalize="off" placeholder="Password">

40 of 49

The Intermediary Page

41 of 49

submitted.log

42 of 49

Login Page

43 of 49

What the user saw

after trying to log in

44 of 49

What a random winner won

45 of 49

What a random culprit won

46 of 49

Other considerations

  • Send out the email during normal work hours when most people are working (i.e., not late on a Friday).
  • Try acting as a vendor, but think twice about copying a real vendor’s website, especially buying a domain similar to that vendor.
  • Try sending a “secure” email that requires a user to log in.
  • Skip the whole login page completely and just harvest legit email addresses.
  • Target specific departments with tailored messages for specific technologies.
  • Sending slower, at random intervals, and from different IPs in different blocks may be more effective.
  • Fonts are important with homoglyphs!
  • Insert an externally hosted image, with a name unique to the user
  • XSS? Sure!
  • Hiding flags for a CTF game is a fun idea.

47 of 49

That’s all there is to it!

48 of 49

Q&A

49 of 49

For the latest version of this presentation

Twitter: @CrunkComputing

How’s my driving?

Tell me what you think!

How can I improve this presentation?