Directed Phishing - a Modern Security Threat

The proliferation of targeted phishing attacks is due to their effectiveness and the weak ability of traditional security solutions to counter them. While the usual phishing attack is sent en masse, spear phishing attacks are carried out against specific subjects.

Spear phishing

Currently, the percentage of targeted phishing attacks that are organized through emails is growing, in which a particular organization or group of individuals can be identified. Target users receive carefully crafted phishing emails that force a person to enter sensitive personal information — such as a username and password — that give access to corporate networks or databases with critical information. In addition to requesting credentials, targeted phishing emails can also contain malware.
')
Directed phishing has become the most common type of targeted attack for one simple reason: this technique really works, misleading even those users who are serious about security. It creates for hackers a strong point for penetrating the corporate network. According to a Check Point survey conducted among more than 10,000 organizations worldwide, 84% of them have downloaded at least one infected document in the past 12 months. This happens because an attacker simply needs to get an idea of ​​the company or its specific employees on the Internet, and then write a letter that will cause even the most vigilant employee to open a malicious attachment and thereby initiate a hacker attack.

Attack targets

To determine the list of goals, attackers can use several ways:

• get a list of employees from the site (the level of information trust is very high);
• get a list of employees with the help of social engineering technicians - call or mailing (the level of information confidence is very high);
• get the full name from the metadata of documents posted on the site (the level of information trust is high);
• linkedin (the level of information trust is medium);
• parse the social network (the level of information trust is low).

The higher the level of information trust, the higher the likelihood that this subject is directly connected with the organization of interest.

After a preliminary collection of the list of possible employees of the organization, data is collected on their field of activity, areas of responsibility and horizontal links. It also searches for an entry point to attack the selected subjects. After analyzing the information received, you can create an attack scenario.

Attack psychology

A targeted phishing attack always contains well-developed sociotechnical methods and techniques for manipulating the human mind.
From the point of view of psychology, an attack by methods of social engineering always bypasses the analytical tools of the mind. It operates primarily at the level of the emotional sphere, which is habitually suppressed by the majority of people engaged in mental work. That is why social engineering techniques often succeed even when the attacker's intelligence is noticeably lower than that of the victim.

High IQ does little to deceive, since SI methods beat patterns of behavior, deep fears and adaptive reflexes developed under the pressure of the microsocium. So that the advanced block of critical perception of the victim does not interfere with the attack, it is simply overloaded with data flow, switching to the analysis of secondary information, or using the urgency factor to disable it altogether and force it to act thoughtlessly. All this is similar to the attack of the key nodes of the neural network.

One of the basic techniques of social engineering is the creation of a time deficit, an event to which the victim must react immediately. Urgent decisions are difficult to make precisely because you have to act in the face of a lack of reliable information. In such situations, there is no time to consult and verify all the data reported by the attacker, so the victim begins to act, guided by strong feelings: a desire to help, a desire to gain recognition or quickly get rid of an unexpected problem. It is also often possible to play on the thirst for easy money, fear of losing money, work, results of work or reputation.

The victim may be told in the forehead that the situation is urgent, or allow her to come to such a conclusion independently. The second is more effective, since for a person it will be his own thought, which does not cause doubts. He will rely on it in his minimal arguments, more and more trusting in the heard legend.

Example

The object of the attack is the organization Romashka. From the website of the company obtained data on the head of the company, the secretary and the system administrator. With the help of a phone call, the name and email of the chief accountant was clarified. Full company details were obtained from the OGRN / Incorporation database.

The objects of the attack are the chief accountant and secretary, under which the following attack scenarios were involved (vector - email):
Chief Accountant:

• From: neutral address, type %surname%%birthyear%@mail.ru
• Subject of the letter: FWD statement of reconciliation
• Text of the letter: Good afternoon, full name. According to the preliminary agreement I am sending the reconciliation statement.
• Appendix: Act of reconciliation OOO Romashka.xls

Secretary:

• From: info@msk.arbitr.ru (fake address)
• Subject of the letter: Claim for recovery of debt
• The Arbitration Court of Moscow filed a claim No. 23401-16 for recovery of debt from Romashka LLC, Incorporation: HKHKHKHKHKHKHKHKH, INN: HKHKHKHKHKHKHKHK .
• Claim:
• In accordance with Art. 395 of the Civil Code of the Russian Federation for using other people's funds as a result of their unlawful withholding, evasion of their return, any delay in their payment, or unjustified receipt or savings at the expense of another person, interest on the amount of these funds is payable.
• Appendix: Judgment 23401-16.docx

An attacker can serve as a so-called. office backdoor . The system administrator at the time of the attack, you can "take" an attack on the network perimeter, DoS / DDoS attack site, etc.

Staff training

In many companies, trainings are held to raise awareness of staff to social and technical attacks.

Technical phishing protection measures, such as filtering and analyzing mail / web traffic, restricting the software environment, and banning the launch of investments, are very effective, but they cannot withstand new threats and, more importantly, they cannot withstand human stupidity of curiosity and laziness. There were cases when the user, being unable to open / launch malicious content in the workplace, sent it to his home computer and started it, with all the consequences ... Therefore, no matter how solid the technical protection system is, don't forget about such an important factor as user training.

Periodic briefings and newsletters are an important component of staff training, but, as practice shows, their effectiveness is much lower than staff training on their own mistakes, given the factor of involvement in the process.

The simplest system that allows testing and training of personnel to identify phishing attacks is as follows:

• Preparing script and letter templates;
• Sending phishing emails to users;
• Redirect responding users to a specialized warning page;
• Statistical accounting of the effectiveness of the attack.

Screenshot of the "notifying" page generated by the sptoolkit framework. At the moment the project is frozen.

To facilitate this kind of "teachings", you can use a specialized gophish framework. There are other utilities to facilitate the task of a social engineer, for example, setoolkit, but they have redundant functionality and are intended more for an active attack. There are also several online services, but they are mostly English-speaking and are not suitable for use among Russian-speaking purposes of a phishing company.

Gopgish is a multiplatform framework with a user-friendly web interface and the simplest deployment. This framework is developed on Golang and most likely will not work on shared hosting, keep this in mind.

With it, you can create a phishing company for a specific group of users:

---

For distribution, you can use a variety of templates. To evaluate the effectiveness of the distribution, a tracking system is used:

---

On a phishing page, you can "collect" the data entered by users:

---

After the company, you can evaluate its effectiveness:

Precautionary measures

As measures of protection, it is necessary to establish control over email attachments and links, conduct trainings with personnel about the presence of new threats, observe precautions and notify all suspicious cases to technical personnel.