Alright then, we’re halfway through the OWASP Top 10 and I would like to take a break. Let’s talk about different kinds of pentests. What if I told you that you can pentest … a person? Wait, what? Let’s take a look.
There’s a cybercrime called phishing. Targets of this crime are contacted through various means of communication (phone, email, SMS, even in person) by an attacker who pretends to be a representative of some legitimate institution. For example, you can get an email from Bob, who claims to be your financial consultant and asks for your credit card data to fix some things for you. You might feel that something is wrong here, since you don’t know any Bob and don’t even have a credit card, but otherwise, who knows.
It sounds stupid, but phishing has been around for a long time and is not going anywhere. The first phishing lawsuit was filed in 2004 against a teenager from California who created an imitation of the America Online website. With this fake website he was able to harvest sensitive information from users and use their credit card details to withdraw money from their accounts.
Here’s a graph from the SANS report on the most common attacks with significant impact in 2017:
And here are the attack vectors from the same report:
It’s all the same every year – the user is still the most vulnerable part of every system.
So, phishing is here to stay
In fact, phishing has evolved over the past 10 years. Today we have the following classification:
- Spear Phishing
It’s good old phishing that targets a specific group of people. You probably won’t respond to Bob’s email from the example above, but if an attacker knows you well, he can tailor the email. He can find out which bank you use and who your accountant might be. The attacker can browse your social network pages to get to know you better and find out your hobbies and interests, which makes the phishing email extremely convincing.
- Whaling
Whaling is a type of spear phishing that targets high-level executives. In many companies regular employees have no access to valuable information, so there’s no point in phishing them: you won’t discover anything anyway. Instead, the attacker focuses on managers and higher-level staff using the same techniques.
- Vishing
Vishing is a slightly different form of phishing which uses phone calls or VoIP. One day you receive a message or email that encourages you to call some number for some reason. The attacker on the other end will try to talk you into something you wouldn’t normally do. This is relatively difficult, because it requires very good communication skills and the gift of persuasion.
So what? Where’s the penetration testing in all this? We’re just getting to it.
Companies spend fortunes to get decent protection from cyber threats. They also spend a lot of money teaching employees the basics of cyber security. But how do they know that the education is working? What if the money was spent for nothing? I know companies that see education as some form of incentive – hey, go to another city, spend some time in a class, learn anything.
OK, the number of security-related incidents might decrease because of education. But what if it’s just a coincidence? Instead, we can launch our own fully controlled phishing attack and see how our employees react to it.
Ready, set, go
There are a bunch of tools to do this; we’ll look at the free solution I use, called goPhish.
goPhish is a framework for running phishing attacks inside your organization. Each attack (or Campaign) consists of a number of functional blocks. Let’s walk through them.
- Users and groups
It’s straightforward. We type in the emails and names of our victims. Unfortunately, there’s no integration with Active Directory, but we can import from a CSV file. It looks like this:
- E-mail template
The template can be created manually or imported from a real message. The latter is actually preferable, because you can make your message really authentic. You can use the usual HTML markup and some variables like name, email, URL and so on. We can also add attachments. The most interesting thing here is the URL, because we’re going to redirect the victim to a fake page that looks exactly like the real one:
- Landing Page
Well, since we have a phishing email with a URL, we also need a landing page. It can be imported from a real one to make things easier. We can redirect our victims to this page, collect the data and then redirect them to the real page afterwards. Everything can be done manually, but real-life pages have a lot of custom formatting, so importing is almost always the better choice. Keep in mind that what gets collected here is your colleagues’ real credentials, so record only the fact that data was submitted unless you really need the passwords themselves.
- Sending profile
The sending profile is basically a reference to our MTA and all the necessary settings. Easy.
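Since goPhish has no Active Directory integration but does import groups from a CSV with the columns First Name, Last Name, Email and Position, the practical workaround is to export users from AD and convert them. The script below is an added example for this post, not part of goPhish; the AD export format (an assumed `Get-ADUser ... | Export-Csv` layout with SamAccountName, GivenName, Surname, mail, Title and Enabled columns) and the sample rows are constructed for the example. It drops disabled accounts and accounts without a mailbox and de-duplicates by address, so every person gets exactly one phishing mail.

```python
"""Build a goPhish target CSV from an Active Directory user export."""
import csv
import io

# Constructed sample of what an export such as
#   Get-ADUser -Filter * -Properties mail,title | Export-Csv users.csv
# might contain. The column names are an assumption for this example.
AD_EXPORT = """\
"SamAccountName","GivenName","Surname","mail","Title","Enabled"
"jdoe","John","Doe","john.doe@example.com","Accountant","True"
"asmith","Alice","Smith","Alice.Smith@Example.com","CFO","True"
"bold","Bob","Old","bob.old@example.com","Engineer","False"
"svc_backup","","","","Service account","True"
"asmith2","Alice","Smith","alice.smith@example.com","CFO","True"
"""

# Header goPhish expects when importing a group from CSV.
GOPHISH_HEADER = ["First Name", "Last Name", "Email", "Position"]


def ad_export_to_targets(ad_csv: str):
    """Return goPhish target rows (dicts keyed by GOPHISH_HEADER) from an AD export.

    Skips disabled accounts and accounts without a mailbox, and de-duplicates
    by e-mail (case-insensitive) so a person with several directory entries is
    phished only once.
    """
    seen = set()
    targets = []
    for row in csv.DictReader(io.StringIO(ad_csv)):
        if row.get("Enabled", "").strip().lower() != "true":
            continue  # disabled account: no mailbox to phish
        email = row.get("mail", "").strip().lower()
        if not email or "@" not in email:
            continue  # service accounts and the like have no mail attribute
        if email in seen:
            continue
        seen.add(email)
        targets.append({
            "First Name": row.get("GivenName", "").strip(),
            "Last Name": row.get("Surname", "").strip(),
            "Email": email,
            "Position": row.get("Title", "").strip(),
        })
    return targets


def targets_to_gophish_csv(targets) -> str:
    """Serialise target rows with the header goPhish expects on group import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=GOPHISH_HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(targets)
    return buf.getvalue()


if __name__ == "__main__":
    rows = ad_export_to_targets(AD_EXPORT)
    with open("targets.csv", "w", newline="") as f:
        f.write(targets_to_gophish_csv(rows))
    print(f"wrote {len(rows)} targets to targets.csv")
```

Run it against a real export and upload the resulting targets.csv through the Users and groups page. Filtering on the Enabled flag matters more than it looks: a mail to a disabled account bounces at the MTA and shows up as an error in the campaign, which skews your statistics.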
En garde!
So, I’ve created a fake facebook.com page and an email that looks like it originated from a support team specialist, Adam Jansen. He says that your password has expired and you have to change it, just click the link. «You never asked for this», right?
Now we can switch back to the goPhish web UI and follow all the stages of our phishing attack:
- Campaign started.
- Messages are away.
- Message received.
- Message opened.
- Link is clicked.
- User enters his data on the phishing site.
We can also see some global statistics.
Everyone is vulnerable
So, what’s next? What if everybody clicked the link? Well, it’s time to spend some resources on education, launch a similar test again after some time, and then compare the results.
Our only weapon here is education, because you can’t install a patch or an update on your co-workers. Yet =)
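The stage list above (sent, opened, clicked, submitted) is a funnel, and the comparison between two campaigns is what tells you whether the training did anything. The script below is an added example for this post, not goPhish code: it turns per-target results into funnel counts and rates and diffs two runs. The two result sets are constructed, and their shape (one entry per target with an `email`, the goPhish `status` string for the furthest stage reached, and a `reported` flag) is an assumption modelled on what the goPhish UI shows; adapt the loader if you feed it a real results export.

```python
"""Summarise goPhish campaign results as a funnel and compare two runs."""

# goPhish keeps, per target, the furthest stage reached; these are the
# status strings the goPhish UI uses for the stages in order.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
REPORTED = "Email Reported"

# Constructed sample results (not real data); the field layout is an
# assumption for this example.
BEFORE_TRAINING = [
    {"email": "john.doe@example.com", "status": "Submitted Data", "reported": False},
    {"email": "alice.smith@example.com", "status": "Clicked Link", "reported": False},
    {"email": "carol.w@example.com", "status": "Email Opened", "reported": False},
    {"email": "dave.b@example.com", "status": "Submitted Data", "reported": False},
    {"email": "erin.k@example.com", "status": "Email Sent", "reported": False},
]
AFTER_TRAINING = [
    {"email": "john.doe@example.com", "status": "Email Opened", "reported": True},
    {"email": "alice.smith@example.com", "status": "Clicked Link", "reported": False},
    {"email": "carol.w@example.com", "status": "Email Sent", "reported": True},
    {"email": "dave.b@example.com", "status": "Submitted Data", "reported": False},
    {"email": "erin.k@example.com", "status": "Email Opened", "reported": False},
]


def _depth(result) -> int:
    """Index of the furthest stage reached, -1 if the mail never went out."""
    status = result["status"]
    if status in STAGES:
        return STAGES.index(status)
    # A reported mail was at least delivered; "Scheduled"/"Error" were not.
    return 0 if status == REPORTED else -1


def funnel(results):
    """Count targets that reached at least each stage.

    A later status implies the earlier ones (nobody submits data without
    clicking), so a "Submitted Data" row counts towards every stage.
    """
    counts = {stage: 0 for stage in STAGES}
    counts[REPORTED] = 0
    for r in results:
        d = _depth(r)
        for i, stage in enumerate(STAGES):
            if i <= d:
                counts[stage] += 1
        if r.get("reported") or r["status"] == REPORTED:
            counts[REPORTED] += 1
    return counts


def rates(results):
    """Per-stage percentages relative to mails actually sent."""
    counts = funnel(results)
    sent = counts["Email Sent"]
    if sent == 0:
        return {}
    return {k: round(100.0 * v / sent, 1) for k, v in counts.items()}


def compare(before, after):
    """Percentage-point change per stage between two campaigns."""
    rb, ra = rates(before), rates(after)
    return {k: round(ra[k] - rb[k], 1) for k in rb}


def repeat_offenders(before, after, stage="Submitted Data"):
    """Targets who reached `stage` in both runs: the training did not stick."""
    threshold = STAGES.index(stage)

    def reached(results):
        return {r["email"] for r in results if _depth(r) >= threshold}

    return sorted(reached(before) & reached(after))


if __name__ == "__main__":
    for name, res in (("before", BEFORE_TRAINING), ("after", AFTER_TRAINING)):
        print(name, rates(res))
    print("change", compare(BEFORE_TRAINING, AFTER_TRAINING))
    print("repeat offenders", repeat_offenders(BEFORE_TRAINING, AFTER_TRAINING))
```

Two things to watch when you compare: the report rate is the number you actually want to go up, not just the click rate going down, and the repeat-offender list is where targeted follow-up training pays off far more than sending everyone to another class.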