LATEST CYBER SECURITY NEWS AND VIEWS

Home > News > Gone Phishing

Latest news

Gone Phishing

Posted on

Social engineering extremely commonplace, we all experience it every day, and have done from an extremely early age. The most common social engineering we are exposed to is through advertising. Selling the desire to obtain goods or services using a variety of tactics designed to entice us. This is so socially acceptable that we barely even notice it, let alone comment on it anymore, and it’s extremely successful. In Cybersecurity we associate social engineer in a more sinister light. Here it is used to achieve specific goals that would further a compromise of the organisation. The social engineering can take the form of physical interactions, but more often is digital, expressing itself in the forms of Phishing (emails), Vishing (Voice Calls), and Smishing (IM/SMS text messages). In this blog we’ll look at how we run each of these sorts of campaigns to model real world threat actors.

Before we look at the individual techniques, its worth focussing on the target for a second. Often the victims of social engineering in cybersecurity are not selected for who they are, but rather the access or role they are currently delivering for the organisation. The fact of the matter is, anyone can be a victim of social engineering in cybersecurity, all it takes is the right lure, at the wrong time to turn a user into a victim. We spend a significant amount of time training staff on social engineering; however people are only a single (albeit vital) thread in the tapestry of what makes a social engineering attack successful. Users should never be the single control that is preventing an organisation from being hacked, they should not even be the first or final control – there needs to be technical controls supporting users to either prevent attacks from reaching them, or flagging suspicious behaviours to them, through to protecting the environment if a user does fall victim. Regardless of the outcome, a user should have confidence in their organisation to support them in reporting it and responding appropriately.

Phishing

Phishing often presents in one of two ways – mass, or spear. In mass phishing the attacker will send a cookie cutter email to as many targets as possible. They have a low expectation of success against any one target, but instead are trading on the probability to achieve any traction. Consider, if a mass phishing campaign has a 0.1% chance of successfully resulting in a  victim, and they send 10,000 emails using the campaign, which will still result in 10 victims. These attacks are cheap to setup, cheap to run, and even at such low return rates still can result in a profit. Fortunately, automated tools are particularly good at identifying these sorts of mass emails and classifying them as spam.

The alternative approach is a “spear phish” attack. This is when there are very few victims, but each email is carefully crafted to maximise the chance the victim will respond and follow through. They require research into the victim to identify approaches and likely contacts they will respond to. These attacks are much harder to spot, much more likely to succeed, but cost significantly more.

Vishing

Vishing is when a threat actor will call their victim. They will often be working from a script, and possibly some seed data to achieve their specific goal.

Vishing calls will usually employ impersonation, an attempt for the threat actor to pretend to be an authority or individual who is likely to be interacted with by their victim. These sorts of attacks have become more pervasive in recent years thanks to generative AI advances which permit real time voice imitation. Supporting the impersonation, will often be additional tools such as spoofed caller ID.

Tactics employed in vishing calls usually make use of fear or greed, and an attempt to create a sense of urgency. Often the approach will have some sort of partial information (sometimes called seed information) which helps the threat actor drive the initial conversation.

Regardless of the approach taken, the threat actor will often be seeking to either obtain sensitive information or even provide remote access to a device. The remote access might be obvious, such as using Windows Quick Assist, or installing a tool like ScreenConnect, AnyDesk, TeamViewer, RustDesk, etc. or to download and open a document on their behalf.

Smishing

Smishing is when a threat actor will contact their victim using an instant messaging, or short messaging service (SMS).

Smishing attacks are becoming more common, especially with the business movement towards tools like Teams and Slack. For Microsoft Teams this can be particularly insidious as the threat actor can create a throwaway Microsoft Azure account to obtain a “onmicrosoft” domain. They can then rename their account to look more legitimate before making a connection to their target. This massively helps sell the impersonation and makes their targets far more likely to click links shared with them. This is because a significant number of defences are bypassed through this attack vector.

However mobile smishing is also a threat, however like the mass phishing scams are much more difficult to achieve success with, and again rely on sheer weight of numbers to result in a small number of successes.

Protecting yourself

The greatest user defence against phishing in all its forms is scepticism. However it is impossible to be sceptical of every email, phone call and IM that comes to a person working in a role that requires interaction with other people, especially strangers. However there are some steps which can help. The first thing to do, if it is a delayed interactive approach, such as phishing or smishing is not to respond immediately.  The last thing a threat actor employing these tactics wants you to do is to take your time, as it removes the sense of urgency and gives you breathing space to counter fear or greed being employed as part of the lure. Time can also permit you to verify some of their details – call your colleagues or the organisation they are pretending to be to confirm their identity. For interactive approaches, such as vishing, if it is unexpected, then again taking time to verify the caller, and even if they pass those or sound familiar, trust your instincts, if what a trusted source is asking you to do, even if it sounds reasonable, is still unusual, then telling them you will call them back and ask for a number you can check will make a massive difference. If the caller is genuine, they will accept and provide you the information, whilst if not they will try to keep you on the line and get you to change your mind, adding more pressure to the call. In such an event, hanging up and walking away is often the best way to go ahead and allow you to gather your thoughts.

Security controls can help by preventing some of these approaches from getting to users, or permitting suitable responses and protections from harm being inflicted should those defences and scepticism fail. However they are not a panacea, and need to be calibrated and exercised regularly to ensure they are effective.

Final Thoughts

Crafting a phishing attack ethically, is a challenge for cybersecurity companies. We tend to try to avoid using lures which trade on fear or empty promises to achieve the goal of the engagement. For example, cybersecurity companies were careful to avoid using promises of covid vaccines in phishing lures during the pandemic as this would have been unethical in terms of using people’s fear of getting sick and of the hope for a prophylactic to achieve their goal during a time of global desperation and stress. Likewise, a lot of cybersecurity companies will avoid topics which could have legal implications for the client organisations, such as the promise to changes to salary, pensions, holidays, or working hours. A fine line does need to be tread however, as real-world cybercriminals will capitalise on exactly these sorts of topics to achieve their goals.

Ultimately the goal of any phishing test will be either to test staff training (in which case its best if the results are anonymised as the focus should be on how well training was used by staff, not call out individuals), or to achieve a foothold for a red team as part of a threat scenario. In the former, we are testing just the training the user has received and how they put it to use protecting themselves and the organisation. In the latter we are evaluating the technical controls AND user. In red teaming we will also use an “assisted click”. This is when we don’t want to test the user, just the technical controls – this is achieved by having a user briefed to just follow the phish instructions if they receive it, no matter what it asks them to do, but otherwise act as if they had been successfully phished in the event the attack is detected and responded to.

Prism Infosec has a significant amount of experience in conducting social engineering engagements which includes phishing, smishing and vishing. If you would like to know more, then please feel free to contact us to discuss how we can help evaluate your defences and training.

Find out more here: Social engineering simulation mimics attacks on your organisation

FILTER RESULTS

Latest tweets

A great conference @BSidesLondon, thanks for having us at #BSidesLDN2024! Looking forward to continuing the relationship next year!

Prism Infosec is proud to be a gold sponsor of @BSidesLondon 2024! Come and visit us on our stand and join in our cyber scavenger hunt! #CyberSecurity #bsides

Sign up to our newsletter

  • Fields marked with an * are mandatory

  • This field is for validation purposes and should be left unchanged.