Proofpoint closes acquisition of Tessian. Read More ->

Request a demo
Request a demo
Request a demo
Request a demo
Request a demo

How Easy is it To Phish?

Charles Brook • Wednesday, March 17th 2021
How Easy is it To Phish?

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

You might assume that to carry out a phishing campaign you’d need to be fairly tech savvy or have committed a lot of time to learning how to become a “hacker”. But this is not necessarily the case. 

Part of the continued increase in both the volume and sophistication of phishing attacks is due to the availability of free to use open source social engineering tools. These tools are primarily intended for use by security professionals but are not exclusively available to them.

With a little bit of Googling, these tools can be easily found and be put to use by anyone—not just experienced cybercriminals. Of course, it is easier if an individual already has a fairly technical background, but this is not a requirement. 

This blog is for educational purposes only, intended to help security professionals protect themselves against these email threats by better understanding how they are created.

Creating a phishing campaign

All anyone needs to be able to create their own phishing campaign is:

  • An anonymous or disposable email address
  • A target
  • The ability to follow instructions

One tool available that is commonly used by malicious and ethical hackers alike is the Social Engineering Toolkit, or SET for short. This is part of the default toolset that comes preinstalled on Kali, a Linux distribution built specifically for penetration testing and information security purposes.

SET provides an intuitive command line interface, which provides step-by-step guidance for creating a social engineering scenario. This includes steps for phishing.

With this tool a cybercriminal can easily create a phishing campaign on a mass scale against a list of email addresses they’ve sourced. Or they can create a more personalized and targeted spear phishing campaign. Depending on the type of attack a cybercriminal wants to perform, it can even include instructions on how to automatically clone a website login page to harvest credentials, or create a malicious file to infect targeted user machines.

  • Credential Harvesting

    Credential harvesting is often an end goal of spear phishing attacks. Attackers will use coercive emails to direct targets to fake login pages or other websites in order to capture their credentials (i.e usernames and passwords). Attackers can monetize credentials by selling them, or by using stolen account information to make purchases. With login credentials, attackers can even take over email accounts and begin targeting victims’ contacts—this is called an account takeover attack.

SET is an extremely powerful tool in crafting social engineering attacks. It does require a cybercriminal to have a reasonable level of technical understanding though and, as stated at the start of this blog, not all cybercriminals need a deep technical background to create a phishing attack. Worryingly, there are a number of free open source tools that provide wannabe attackers with simple guides to building and deploying phishing campaigns. 

Gophish is an example of another free and open source tool which provides a platform for crafting and deploying phishing campaigns, but with the added benefit of a friendly-looking graphic user interface.

These tools tend to be used by security professionals for the purpose of testing and educating, but are available to anyone, which unfortunately includes people with bad intentions or motivations. That means bad actors could leverage them to potentially compromise an individual or organization. Tools like these require only a small amount of research in order to find, and there is no shortage of tutorials available explaining how to operate them. They often have the functionality to clone existing web pages and create fake or look-alike landing pages, to help campaigns appear more convincing.

Additionally some even provide reporting functionality that allows you to visualize the “performance” of a campaign. For example, an attacker can view metrics on how many people were reached, how many clicked on a link, and how many credentials were captured or machines infected etc.

Source: Gophish documentation (https://docs.getgophish.com/user-guide/getting-started)

An even more basic method of phishing is display name impersonation, which does not require any special tools. All an attacker has to do is register a new email address and simply change the display name on the account to appear as someone else. This can be effective against recipients viewing emails on mobile devices, which typically only show the display name of a sender. 

Phishing for Hire

A cybercriminal doesn’t have to carry out an attack on their own. Hacking for hire is available across some of the less reputable parts of the internet, like the dark web—the part of the internet only accessible by means of special software that will allow someone to remain anonymous and untraceable while browsing. This is an online area where illegal or blackmarket activity regularly takes place.

All you need to hire a hacker for a phishing campaign is:

  • Ability to view the dark web via an anonymous browser
  • Some cryptocurrency

Accessing and browsing the dark web is also not as difficult as many might think. The Tor Project offers the most commonly used browser that will allow individuals to browse the internet anonymously and access the dark web

From this browser, you can start searching using the default search engine provided to look for pages that will offer links to dark web marketplaces. Some of these links are even referenced by articles or research pieces that are indexed by major search engines making them easier to find. With enough browsing you will find more and more “hidden wiki” pages that will provide many more links that help navigate the dark web.

There is a reasonable element of risk that comes with browsing the dark web. Plenty of scams and fake services exist, which even an experienced cybercriminal could fall victim to. But, if careful and persistent enough, it isn’t too difficult for an individual to find someone who could build and deploy a phishing campaign for them. These will be pages maintained by cybercriminals, outlining their services for hire, the specific techniques they offer, and their pricing structure. There are even reviews of hacking-for-hire services available, so that users can find the ones that will be the most reliable!

Examples of Hacking-for-Hire sites

The cost of hiring a hacker? It can vary depending on who is hired and the specific service required, but services that might need social engineering could start from as little as $200 – $300 in cryptocurrency. 

An example of a phishing attack detected by Tessian

Phishing attacks can take many forms. Here is one example of a phishing email that was flagged by Tessian Defender:

Spear phishing email flagged by Tessian Defender

In this example, an attacker is attempting to convince the recipient that they are a new HR Manager from an outsourced firm (a third-party vendor). 

The key indicators that identify this as a phishing email are:

  1. It contains hyperlinked text concealing a link to a malicious website. Upon hovering, the suspicious URL is revealed.
  2. The sender plays on human kindness by pretending to be a new starter looking for help.
  3. A sense of urgency is used to encourage the recipient to act fast or something bad might happen.
  4. There are some minor grammatical errors, which are common amongst phishing emails.
  5. The email domain is not often seen across networks defended by Tessian. This is an additional flag made possible from insight generated by the Tessian Defender platform.

This type of phishing email could have been easily constructed, distributed and tracked by a cybercriminal using an open source social engineering tool.

Tessian Defender was able to identify the anomalous signals in this email and nudge the recipient into exercising caution.

Looking for more examples of phishing attacks flagged by Tessian Defender? Check out this article.

Conclusions

The main conclusion to be drawn here is that it really isn’t very difficult for anyone to launch a phishing attack as long as they have the time and the will to do so. Some methods may require a little more technical ability or effort to research than others, and some may be riskier. But the availability of advanced and intuitive social engineering tools make phishing very accessible and simple to do. 

This is likely to be a factor in why the volumes of phishing attacks are so high and why there are new campaigns appearing all the time. It’s the newer and more targeted spear phishing campaigns that present the greatest threat to individuals and organizations as they are more difficult to spot.

The newer a phishing campaign is, the less likely it is to be flagged by conventional spam filters or rule-based detection platforms. If the campaign is highly targeted, then it will likely have been tailored to have the best chance of bypassing legacy controls and deceiving the target. The social engineering tools described in this post make it much easier for someone to customize and tailor a phishing campaign against a specific target demographic.

What can you do to protect yourself?

Most spam filters or rule-based email protection platforms are capable of detecting and mitigating the majority of known or recurring phishing campaigns. But this only applies to known campaigns and the detection platforms are only as good as their latest release, which is why it is important to keep your software up to date.

One way to reduce your risk of compromise if you do ever fall for a phishing attack aimed at credential harvesting, is to make sure all your major online accounts have two-factor or multi-factor authentication enabled. This makes it more difficult for an attacker as they would also need the authentication token required to login with your credentials. It is also best practice to avoid using the same password repeatedly across different accounts. A common technique used by attackers with a list of stolen account credentials is to attempt to login with them across multiple online services on the off chance any of the same email address and password combinations may have been used. This technique is referred to as credential stuffing.

Organizations can also make sure it is difficult for cybercriminals to spoof their domains by publishing and maintaining their DMARC authentication protocol records. They can also go a step further by adding canarytokens to their webpages so it’s easier to spot when cybercriminals are cloning their website for use in phishing campaigns. But, even DMARC isn’t enough to stop targeted impersonation attacks. Learn why.

  • Canarytoken

    This is a unique identifier that if added to a website can act as a tripwire to alert you if that site has been cloned.

Targeted spear phishing can be much harder to detect with automated tools. This is why it is important to be vigilant if you receive a suspicious looking email appearing to originate from someone you trust. If the content of the email or the behavior surrounding it feels abnormal in any way, then this can be a strong indicator that something is not right. You can find some specific examples of red flags to look out for in this article: What Does a Spear Phishing Email Look Like?

Tessian Defender aims to identify this sort of anomalous behavior to help keep you protected from attackers who may try to socially engineer you into letting your guard down so they may achieve their malicious goals.

You might have assumed that phishing requires a lot of skill and technical knowledge, but you’d be mistaken. Anyone can be phished by anyone.

Charles Brook Threat Intelligence Specialist