As long as you have an email address, you will be sent phishing emails attempting to lure you into some malicious activity. While we’re all familiar with the concept of these emails, designing one is another thing entirely. Pen testers are given just such a task when they are charged with simulating a phishing campaign for an organization.
These campaigns are designed to give an organization data on how vulnerable it is to such attacks, and they serve as educational opportunities to teach employees how to recognize and avoid getting phished. Such campaigns can be the difference between a company that catches a real phish early and one that suffers a serious breach. With such high stakes, it’s important for pen testers to craft their phish carefully, just as a fly fisher crafts each fly. Read on for key strategies pen testers keep in mind before deploying a social engineering campaign.
Think like an attacker.
To simulate a phishing attack, you have to keep the goals of a threat actor in mind. Phishing is typically used for one of two purposes. The first is to get malicious code past the perimeter: a target clicks a link or opens an attachment, and a payload executes on their workstation. From that foothold the malware can be used for any number of things, such as establishing a backdoor that gives the attacker persistent access to the network.
Phishing is also used to convince a user to hand over their credentials, which are then used for further attacks. This is usually done by sending the user to a website designed to imitate a legitimate login page.
Design your phish to fit the attacker’s desired outcome. If the goal is to deliver a payload, you may only need to entice a user to click a link to a potentially interesting news article. If you need a login, you want an email that imitates a service you know the target uses, so that the fake login page is one they expect to see.
Have a few obvious phish.
Many people still associate phishing with the early days of email, when phish were easy to spot: sender addresses that didn’t match the claimed sender, and vague, misspelled subject lines like “Pleeze Opne.” These days phishing is usually far more sophisticated, and junk filters catch most of the crude attempts. That said, some recognizable phish still sneak through, so a campaign should include a few of these easy-to-spot messages. Easy wins alongside progressively harder ones show the full spectrum of phishing, and if users open the transparent phish, that tells you some people aren’t paying any attention to what they open.
Use phish that are active in the wild.
Sometimes you don’t need to look any further than your own inbox to find phish to use in your next campaign. Anything that got past your spam filter, or even fooled you at first glance, is a viable candidate. However, use only an imitation of the real phish: copy the pretext and the layout, but strip every attachment and replace every link with one that points at your own landing page before anything is sent. Never forward the original message or its payload.
Also take the time to study active campaigns using sources like PhishTank to find the latest phish circulating around the web. Even news stories about phishing attacks can serve as inspiration for creating a phish.
Not only does using wild phish provide valuable data, users who fell for the test version during the campaign will now be on alert. If the real version arrives in their inbox after the campaign is over, they will think twice before clicking.
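Here is one way to do the neutralizing step described above. This is an added example, not code from the original article or from any vendor’s tool. It parses a captured message, drops every attachment, rewrites every link to the simulation’s own landing page with a per-recipient token, re-addresses the message, and then checks that no original URL survived. The sample message, the `phish-sim.corp.example` landing page, and the `X-Phish-Sim` header are all constructed for this illustration.

```python
"""Neutralize a captured "wild" phish for reuse in a simulation (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlencode

# Constructed sample of a captured phish: a live-looking link plus an
# executable attachment.  The .test TLD is reserved; nothing here resolves.
CAPTURED_EML = b"""From: "Payroll" <payroll@payroll-update-example.test>
To: victim@corp.example
Subject: Action required: updated direct deposit form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please confirm your details at
<a href="http://payroll-update-example.test/login?u=victim">the portal</a>
or open the attached form.</p>
--b1
Content-Type: application/octet-stream; name="form.exe"
Content-Disposition: attachment; filename="form.exe"
Content-Transfer-Encoding: base64

TVoAAA==
--b1--
"""

LANDING_PAGE = "https://phish-sim.corp.example/landing"  # assumed simulation host
HREF_RE = re.compile(r'href="[^"]*"', re.IGNORECASE)
URL_RE = re.compile(r'''https?://[^\s"'<>]+''')


def tracking_url(token: str) -> str:
    """Landing-page URL carrying the per-recipient token used for click tracking."""
    return f"{LANDING_PAGE}?{urlencode({'t': token})}"


def neutralize(raw: bytes, recipient: str, token: str, sender: str):
    """Return (rebuilt message, number of attachments dropped).

    Only the text and HTML bodies of the captured phish are reused; every
    attachment is discarded and every URL is replaced by the tracking URL.
    """
    src = email.message_from_bytes(raw, policy=policy.default)
    url = tracking_url(token)
    text_body = html_body = None
    dropped = 0
    for part in src.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            dropped += 1  # never carry the original payload forward
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            html_body = HREF_RE.sub(f'href="{url}"', part.get_content())
            html_body = URL_RE.sub(url, html_body)  # bare URLs in the HTML text too
        elif ctype == "text/plain":
            text_body = URL_RE.sub(url, part.get_content())
    if text_body is None and html_body is None:
        raise ValueError("captured message has no text body to reuse")

    out = EmailMessage()
    out["From"] = sender
    out["To"] = recipient
    out["Subject"] = str(src["Subject"])
    out["X-Phish-Sim"] = token  # assumed marker so the mail gateway/SOC can recognise test traffic
    if text_body is not None:
        out.set_content(text_body)
        if html_body is not None:
            out.add_alternative(html_body, subtype="html")
    else:
        out.set_content(html_body, subtype="html")
    return out, dropped


def remaining_live_links(msg) -> list:
    """Every URL in the message that does not point at the landing page.

    Accepts raw bytes or a parsed message.  Run it on the rebuilt message
    before sending: the returned list must be empty.
    """
    if isinstance(msg, bytes):
        msg = email.message_from_bytes(msg, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for u in URL_RE.findall(part.get_content()):
                if not u.startswith(LANDING_PAGE):
                    found.append(u)
    return found


if __name__ == "__main__":
    print("live links in the captured phish:", remaining_live_links(CAPTURED_EML))
    msg, dropped = neutralize(CAPTURED_EML, "alice@corp.example", "abc123", "payroll@corp-example.test")
    print(f"dropped {dropped} attachment(s); live links left: {remaining_live_links(msg)}")
    print(msg.as_string())
```

The final check matters more than the rewrite: a campaign message should only ever leave your mail server after `remaining_live_links` returns an empty list, and the token in the landing-page URL is what later ties a click back to a specific recipient.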
Create customized phish.
The more specific a phish is, the more likely it is to be opened. Research using open source intelligence (OSINT) sources such as the white pages, social media, and the company’s own website is critical prep work before launching a phishing campaign. Personalize phish in any way you can: names, addresses, location, interests, and so on. The more specific the message, the less time a user spends scrutinizing it. Imitating a business you know someone uses is far less likely to raise suspicion than an email from a bank they don’t belong to.
Have a variety of phish.
A social engineering penetration test should simulate a real-world situation as closely as possible. The best way to do this is to have phish at every level: obvious phish, generic but well-constructed phish, and highly customized bespoke phish. The phish should also vary in what they ask of the user: some should draw users to a fake login page, others should get them to open an attachment or click a link that stands in for a payload. Some should imitate internal coworkers; others should imitate external companies unrelated to the business. This gives an organization the best data on how susceptible its employees are and what they need to work on.
You aren’t limited to email.
While some organizations focus entirely on email-based testing, keep in mind that phishing can be done over other channels. Voice phishing (vishing) can be used to extract PINs or passwords, for example. Text-message phishing (smishing) is increasingly popular, and is particularly dangerous on a company-issued phone, or on a personal device that connects to the organization’s network.
Take the time to keep up with the latest techniques and think creatively about different methods. Make sure you’re using tools that help you get the most out of these tests, like Core Impact. Post-campaign analysis with metrics such as click rate, credential-submission rate, and how many users reported the message will show what an organization needs to work on. These reports become even more valuable for showing progress after regular retesting.
Ultimately, the most important part of social engineering tests like phishing campaigns is not to rest on your laurels. Attackers are constantly retooling and trying different tactics, and pen testers must do the same.
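The analysis described above, broken down by the phish tiers from the “Have a variety of phish” section, as an added example that is not part of the original article and not Core Impact’s reporting. It reads a constructed event log (one row per user event), builds a per-tier funnel of sent, clicked, submitted and reported for a round, counts the users who reported without ever clicking, flags repeat clickers across rounds, and diffs two rounds to show progress. The tier names, template names, users and the event vocabulary are all assumptions for this illustration.

```python
"""Post-campaign metrics by phish tier, with round-over-round progress (added example)."""
from collections import defaultdict

# Constructed sample log, not real campaign data.
# Fields: round,template,tier,user,event
EVENTS = """\
1,payroll-form,bespoke,alice,sent
1,payroll-form,bespoke,alice,opened
1,payroll-form,bespoke,alice,clicked
1,payroll-form,bespoke,alice,submitted
1,payroll-form,bespoke,bob,sent
1,payroll-form,bespoke,bob,reported
1,pleeze-opne,obvious,carol,sent
1,pleeze-opne,obvious,carol,clicked
1,pleeze-opne,obvious,dave,sent
1,pleeze-opne,obvious,dave,reported
1,pleeze-opne,obvious,eve,sent
1,pleeze-opne,obvious,eve,clicked
1,pleeze-opne,obvious,eve,clicked
2,payroll-form,bespoke,alice,sent
2,payroll-form,bespoke,alice,reported
2,payroll-form,bespoke,bob,sent
2,payroll-form,bespoke,bob,clicked
2,pleeze-opne,obvious,carol,sent
2,pleeze-opne,obvious,carol,reported
2,pleeze-opne,obvious,dave,sent
2,pleeze-opne,obvious,dave,reported
2,pleeze-opne,obvious,eve,sent
2,pleeze-opne,obvious,eve,clicked
"""

STAGES = ("clicked", "submitted", "reported")


def parse_events(log: str):
    """Turn the CSV-style log into (round, template, tier, user, event) tuples."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rnd, template, tier, user, event = line.split(",")
        rows.append((int(rnd), template, tier, user, event))
    return rows


def tier_metrics(rows, round_no: int) -> dict:
    """Per-tier rates for one round; a user counts once per stage however often they click."""
    users = defaultdict(lambda: defaultdict(set))  # tier -> event -> {users}
    for rnd, _template, tier, user, event in rows:
        if rnd == round_no:
            users[tier][event].add(user)
    out = {}
    for tier, ev in users.items():
        sent = len(ev["sent"])
        if sent == 0:
            continue
        rates = {stage: len(ev[stage]) / sent for stage in STAGES}
        rates["sent"] = sent
        # Reporting *without* clicking is the behaviour training is meant to produce.
        rates["reported_without_clicking"] = len(ev["reported"] - ev["clicked"]) / sent
        out[tier] = rates
    return out


def repeat_clickers(rows, *rounds) -> set:
    """Users who clicked in every one of the given rounds: first candidates for targeted training."""
    clicked = {r: {user for rnd, _t, _tier, user, ev in rows if rnd == r and ev == "clicked"}
               for r in rounds}
    return set.intersection(*clicked.values()) if clicked else set()


def progress(rows, before: int, after: int) -> dict:
    """Change in each rate between rounds; falling click/submit and rising report rates are good."""
    a, b = tier_metrics(rows, before), tier_metrics(rows, after)
    keys = STAGES + ("reported_without_clicking",)
    return {tier: {k: b[tier][k] - a[tier][k] for k in keys} for tier in a if tier in b}


if __name__ == "__main__":
    rows = parse_events(EVENTS)
    for rnd in (1, 2):
        print(f"round {rnd}:", tier_metrics(rows, rnd))
    print("repeat clickers:", repeat_clickers(rows, 1, 2))
    print("progress 1 -> 2:", progress(rows, 1, 2))
```

Splitting the numbers by tier is what makes them actionable: a high click rate on the obvious tier points at people who aren’t reading at all, while a high click rate only on the bespoke tier says the awareness training needs to cover targeted pretexts rather than the classic misspelled phish.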