Phish Sticks; Hate the Smell, Love the Taste

By: Forrest Kasler

15 May 2024 at 12:35

Phishing School

I’ll Make You Great at Phishing or Your Money Back

I am already making you better at phishing.

Right now.

How could that be possible? Please, don’t worry about specifics right now. Just trust that I am making you better at phishing.

Why would I be so selfless to boost your phishing skills free of charge? Again, you don’t need to know. Just know that this is our agreement: you keep reading my words, and I will make you better at phishing. Nay. Great at phishing! It will only hurt a little, but the pain will be well worth it. Sounds like a bargain? Then welcome to my school of phish! Now please open your textbooks to lesson number 1…

Don’t Give Up Before You Start!

If you’ve done penetration testing for any extended length of time, you’ll regularly hear the phrase, “no one likes phishing” in regards to client requests to perform social engineering as part of a penetration test or red team operation.

For many, this request always seems to entail the mind-numbingly banal task of setting up phishing infrastructure, choosing a pretext scenario, testing the scenario, and crossing your frustrated fingers in the hopes that you’ll dupe someone into clicking a malicious link. The overall approach is blunt, half-hearted, and can leave you feeling either guilty for ruining someone else’s day or just downright bored.

Here are some other general gripes I’ve heard from my fellow pen-testers regarding phishing:

One Phish — Phishing is a total crapshoot, especially since you can’t consistently replicate your results
No Phish — Since impact happens in post-exploitation, the phishing portion of the assessment is nothing but a waste of time
Gross Phish — Social engineering can make red teamers feel icky about themselves, so they prefer to avoid it entirely
Eventual Phish — If we follow the concept of “assume breach”, phishing seems pointless because something is inevitably bound to work and infiltrate the environment
Struggle Phish — My client just wants me to flounder (pun intended)

These are all valid points, and I’ve probably used each of these arguments myself on multiple occasions to either explain to my boss or client why we shouldn’t do phishing. However, I would like to challenge you with a simple question:

Let’s assume your phishing attempt is actually successful. Some poor unsuspecting target clicked your link or file, you delivered a payload that called home and you just got the alert that you have a shell. On a scale from, “Ugh. This is so boring! I’ll just take my lunch break and deal with this later…” to, “Holy crap! It worked! I’m going to dance around the office and look for someone to high five!”, how do you feel?

If an outside observer saw your reaction to getting an “organic” shell, they might be fooled into thinking you really like phishing. They may even think you …love… it?

If you are in the right industry, you love shells, and you better be honest with me that you feel like a beast when you cede access for yourself. So…does everyone hate phishing? Not really! In fact, most of us may like it a thousand times more than we think we do! When we say we “hate phishing,” that’s only because we don’t want to admit something else:

What we actually hate is losing!

Penetration testing isn’t a game, but it can still “feel” like it is and it’s extremely hard to let go of that feeling. We also want to do a good job and if our phish fries and dies versus catching the target hook, line, and sinker; it can feel like we’ve done a bad job. And here’s the worst part: I know it hurts to hear, but if you “hate phishing”, it’s most likely because your phishing campaigns suck. That may sting a little, but please just let that sink in for a minute. Let’s use that feeling as motivation to improve.

If you are completely new to penetration testing, a dead in the water phishing attempt may not even be your fault. You were likely thrown into the deep end without any formal training (or worse: had a bad teacher and only learned some bad or outdated techniques). However, in a field of highly curious self-learners, I think that “I’m a complete guppy at this” has limited reach. At some point, we need to face the fact that most phishing campaigns don’t work because we don’t put the same level of effort into them as we do post-exploitation. If you’re still with me at this point, let’s talk about how we as a “grouper” can do better.

“Phishing is Hard”

Yes, winning at phishing is hard, but it’s a lot easier than evading the latest ERD/XRD/AI endpoint defenses; so don’t kid yourself into thinking you can’t do it. As red teamers, we bypass endpoint defense products every day and many of the same methodologies and techniques we use to bypass those products can be applied to bypass email security as well.

Often, it’s the unknowns that bug us the most when it comes to failed phishing attempts. There are multiple steps that all have to go right to have a successful phishing campaign. To give ourselves the best chance of success, we need to identify potential failure points and address each one. Let’s drag all of these lurking failure points out into the light where we can see and analyze them:

Bad Email List (“Sparse Waters”) — You can’t find good contacts to target
Sender Reputation Block (“Smelling Phishy”) — Before the mail server even lets you send a message, they might not trust you; this could be because your IP or domain have a bad reputation or no reputation at all
Content Block (“Bad Bait”) — You try sending any reference to “Nigeria” and “prince” in the same message; in other words, the computer thinks you’re phishy
Link Filter (“Tough Net”) — Some products scrub links with hrefs to untrusted domains and may even block the entire message
User Ignores Email (“Nothing’s Biting”) — The email either looks phishy to the user or they aren’t motivated to click your link
Link Crawler (“Throw ‘er Back”) — The user clicks your link but a bot checks the link first and blocks the user from visiting your site
DNS / Web Proxy Block (“Hitting a Dam”) — The web proxy looks at your reputation, IP, or URL and blocks the user from visiting your site
Proxy / Browser Blocks Payload (“Phish Stays in the Barrel”) — The user can view the site, but the proxy doesn’t allow the user to download .exe files or whatever payload type you are using
Endpoint Control Blocks Payload (“Recognized Bait”) — Either the MOTW, modified default application settings, app whitelisting, or AV catches your RAT.
C2 Callback is Blocked (“Broken Reel”) — The RAT runs, but can’t reach home 🙁

I find it helpful to conceptualize these common failures by grouping them into the following buckets:

Message Inbound → User Outbound → Payload Inbound → C2 Outbound

It’s hard to deliver payloads and collect sensitive data using nothing but email. In most cases, you’ll need to entice our phish out into open waters where we have the advantage. You then have a great deal of flexibility in how you exploit your target, but you need to ensure each link in the chain succeeds; otherwise, it’s just bad bait.

The overall probability of the success of a phishing campaign is the product of each of the probabilities of success of each of these steps:

Good User% × Reputation% × Content% × Click Through Rate% × Link Allowed% × …

The Bad News:

Unfortunately, this means a low probability on a single item could completely wreck your overall probability rate if the target organization is doing even the bare minimum for that control. If you fail to take into account one of these controls, you’re likely to be doomed with bad phishing success rates (and may need to do a little “fine tuna-ing” to get another bite).

The Good News:

Conversely, if you look at the list, and realize you have not even been attempting to circumvent a particular control, then applying any best-guess approach to boosting your probability in that one area will likely drastically improve the overall probabilities of success for all of your phishing campaigns compared to your current approach. If you then actually test and measure the effectiveness of your control bypasses, you can achieve high probabilities in all areas.

Getting to Know the Unknowns: Better Logging, Duh!

Steps 2 through 5 are often, but not always, a black hole from our perspective. We don’t know the email hit an inbox until our phishing links generate some visible traffic. Even then, it could just be a bot checking the link before delivering the message to a target. However, we can get hints about which steps succeeded and which failed if we collect the right data.

Remote CSS loads — Can indicate a user previewed the email
Tracking Image loads — Usually a clear sign a user has “enabled content” on the email
Immediate visit (within seconds of receiving) — Likely a bot checking it out
Two back-to-back visits — Likely user and then a bot
We actually correspond with a target — Must be getting through
SMTP logs — Error messages can be very informative! Are you reading them?
Bounce messages — Clearly not getting through, but does your phishing toolkit receive bounces for you to know?

When looking at the task from this perspective, it should hopefully look less daunting. If I challenged any seasoned red teamer to bypass any individual control/issue on the list, they would likely solve it within hours and possibly in multiple ways. If we then find bypasses that work well for us, we can weaponize and streamline the deployment of our techniques. This is no different than collecting known bypasses for various endpoint protections.

For now, follow me in the next blog where we will dive in to Message Inbound Controls with how to collect a good targets list:

Plenty of Phish in the Sea

Phish Sticks; Hate the Smell, Love the Taste was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Phish Sticks; Hate the Smell, Love the Taste appeared first on Security Boulevard.

Normal view