🎣 Phishing for fun and…

ai-generated photo of a woman phishing at a laptop.

Phishing for fun and… Raising Security awareness during Cyber Smart Week 2023.

A brief overview of how I tricked my security team into clicking a suspicious-looking link…

Disclaimer: no one was compromised as a result of this exercise.
The purpose of this post is to raise awareness of how easily a scammer could fool anyone, and what tactics to look out for if you’re concerned that the suspicious email you just received could be illegitimate.

Scammers, con artists, hackers, whatever you want to call them, are everywhere and they’re actively pursuing you, hoping you’ll make just one mistake. That’s all it takes.

A friend of mine recently said:
“I haven’t got anything of value, I haven’t got anything to hide. It’d be a waste of time hacking me”.

Hackers are not after your criminal record, they’re out to make a quick buck. They don’t care about you, it’s what they can do with your information that’s important to them.

How quickly do you think you could sign up for a new credit card?
Now imagine how quickly a hacker could gain one in your name if they had access to your full name, date of birth, mother’s maiden name, name of the street you grew up on, your favourite pet’s name…

Generic security questions are easy to guess and with enough information about you, just as easy to answer. People too often use personally identifiable information in public spaces. Think about how many sites you’ve signed up for in the last year that have asked for your date of birth (and probably didn’t need that information)?
All it takes is for one service with that information to be breached, and the data dumped on pastebin or sold to interested parties for them to start piecing your information together. Imagine if one of those ancestry sites were breached, we’d all be fuc… Oh wait, never mind.
NB: this incident was reportedly the result of “credential stuffing”, where the authentication information was obtained from another source.

So what can you do about it?
Be vigilant and acutely aware. Scammers are becoming increasingly efficient at tricking us into falling victim. But there are support services available. Here in New Zealand, CERT NZ was established in 2016 to help people better understand and stay resilient to cyber security threats. They provide a wealth of resources and frameworks for organisations to use to remind people of good security practices. They also drive Cyber Smart Week, an annual awareness campaign of cyber security and best practices.

CERT NZ’s annual awareness campaign takes place 30 October – 5 November 2023.
This year Cyber Smart Week will also mark the official launch of a brand new CERT NZ programme.
Cyber Smart Week aims to reach a broad range of New Zealanders to help raise the importance of cyber security. Businesses and organisations of all sizes can take part.

My company’s security team do an excellent job at helping keep us vigilant and safe throughout the year, but Cyber Smart Week is when they really amp up awareness (and who would say no to cyber security-themed cupcakes).

For this year’s Cyber Smart Week, our Security team came up with daily challenges and events:

  • Security incident hunt – a scavenger hunt of (hopefully obvious) security risks around the office
  • Drawing competition – what security means to you
  • Security Quiz
  • Individual Technical Challenge, and…
  • A Phishing Competition 😈

The Phishing Competition was the one I was most excited about. It was an invitation to attempt to phish one of our security team members by the end of Cyber Smart Week.

What is Phishing?
Phishing is a form of social engineering and scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware.

Each day during Cyber Smart Week, the security team shared an update of the leaderboard, who’d scored the best on the individual technical challenge and the security incident hunt. There were rumours of failed phishing attempts on our security team, each had a lot of thought put into them, but there was always something off that the Security Engineer caught. So how was I going to catch the best of the best?

To be successful in this challenge, all we needed the Security Engineer to do was to click on something in an email they shouldn’t (we weren’t really trying to scam this staff member for their information).

In the real world, if a hacker targets you specifically, they might do a bit of digging first to better understand who you are and what services or applications you might use that they could pretend to be. There’s a lot we share publicly online. They might take a look at your job title (usually publicly available on LinkedIn or business sites) and determine what kind of tooling you use based on that. If they figure out your email, they could do a quick check in https://haveibeenpwned.com/ to see if anything you’ve signed up for has been involved in a data breach, revealing another breadcrumb into tooling that they could fake to exploit you.

However, for this exercise, I didn’t need to do that much sleuthing. I knew the Security Engineer well and what they do during their day job. The trick to tricking this engineer was going to be making the email appear as innocuous as possible. It had to look like something serious enough that they’d take notice, but not so obvious that it was an amateur hacker taking part in a work-run challenge.

I decided to generate a phishing email by creating a fake version of the security monitoring and alerting tool that our Security team used and were regularly notified by email. Why I thought this might work:

Timing is everything.

  • The real alerts are infrequent, but when they do notify our security team, they always make sure someone actions it promptly.
  • The Security Engineer being targeted would be bombarded with obvious crap throughout the week, slowly wearing them down. So the best time to strike would be at the end of the week.
  • It had to look suspicious enough for them to rush to take action (and hopefully by rushing, ignore all other warning signs). So my best bet was to have the email look slightly off, and to do that, I decided to trigger it to send outside of business hours.

So what am I really doing here? I’m Social Engineering my Phishing attack.

What is Social Engineering?

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information.

I have a fair idea of how this team works and operates (and how humans tend to operate as the weekend draws near). So if I was going to successfully phish them, timing was everything.

How did I fake a world-leading security monitoring and alerting tool? Well, it was actually much easier than it should have been and free for the first month, but I only needed it for a couple of hours.
I won’t share the details here of what I used. I have since shared with the vendor how this attack could be structured and used on other security teams so they are aware of it.

TL;DR: the vendor offered a service where they provided a quick and easy way to set up your own business account, which gave you access to create email accounts on a subdomain that shared the same vendor domain as the Security Monitoring tool I wanted to impersonate.

Allowing me to generate a fake email account named [email protected].

The real notifications come from a similar-looking address, but I knew our pattern matching would pick up that the email was not from a domain we owned or trusted. When that happens, we slap a big bold warning on the recipient’s email to draw their attention and make sure they review the content before clicking on anything.

How on earth was I going to bypass that?!
Well, I wasn’t. This was where Social Engineering timing was going to be everything.
If I could send the email at an odd time to make the Security Engineer panic enough, then maybe they would miss the other warning signs, and click on my suspicious link. Luckily for me, the free vendor service now hosting my fake security tool domain and no-reply account, also offered email scheduling… for 5 AM on the last day of Cyber Smart Week.

It had to look real. Logos, headings, table formats, the lot.
If I had sent a plain-text email with just a brief message about a garbage breach and a random link, the game would have been over. I needed an example of an authentic alert from this security tool, which I had access to through a friend who’d used the same tool before (and was keen to see how far we could take this).
After a few tweaks to the alert information, including a couple of subtle breadcrumbs to highlight “Hey, it’s Lisa trying to trick you”, the email was ready to go.
So that I could tell when the Security Engineer had clicked on the email, I used https://www.shorturl.at/ to further mask where the link was redirecting. It also offers a handy click count, so I’d know as soon as that number incremented, they had clicked on the specific link I’d included in the email.
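The two warning signs the post leans on are the external-sender banner (the email came from a vendor subdomain, not a domain the company owned or trusted) and a shortened link whose real destination is hidden. The following is an added example of how a mail-triage script could surface both; it is not the company’s filtering code or the vendor’s tool. The domain names, the shortener list and the sample message are constructed for illustration, and the sample deliberately mirrors the pattern described above: a sender on a self-service subdomain of the real vendor domain, and a shortener link whose visible text shows the vendor’s genuine host.

```python
"""Defender-side email triage: external-sender banner plus link inspection.

Added example; not the author's or the company's code. All domains, the
shortener list and the sample message below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: exact hosts the receiving organisation owns or trusts. The
# vendor's real notification host is trusted; its customer subdomains (which
# anyone with a free trial can register) are deliberately NOT covered.
TRUSTED_SENDER_DOMAINS = {"example-corp.test", "alerts.monitoring-vendor.test"}

# Constructed list of link-shortener hosts that hide the real destination.
SHORTENER_HOSTS = {"shorturl.at", "bit.ly", "tinyurl.com"}

# Constructed sample message in the shape the post describes.
SAMPLE_EMAIL = """\
From: "Monitoring Alerts" <no-reply@acme-tenant.monitoring-vendor.test>
To: security@example-corp.test
Subject: [CRITICAL] New finding requires action
Content-Type: text/html; charset=utf-8

<html><body>
<p>A critical finding was raised on your account.</p>
<a href="https://shorturl.at/abcd1">https://alerts.monitoring-vendor.test/findings/42</a>
<a href="https://alerts.monitoring-vendor.test/docs">Documentation</a>
</body></html>
"""


def classify_sender(domain: str) -> str:
    """'trusted' on an exact match, 'lookalike' when the sender shares the
    last two labels with a trusted host (e.g. a vendor customer subdomain),
    otherwise 'external'."""
    if domain in TRUSTED_SENDER_DOMAINS:
        return "trusted"
    tail = ".".join(domain.rsplit(".", 2)[-2:])
    for trusted in TRUSTED_SENDER_DOMAINS:
        if ".".join(trusted.rsplit(".", 2)[-2:]) == tail:
            return "lookalike"
    return "external"


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_links(html: str) -> list:
    """Flag shortener hosts and anchor text that shows a different host
    from the one the href actually points at."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        flags = []
        if host in SHORTENER_HOSTS:
            flags.append("shortener")
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and "." in shown and shown.lower() != host:
            flags.append("text-href-mismatch")
        findings.append({"href": href, "host": host, "flags": flags})
    return findings


def triage(raw_message: str) -> dict:
    """Parse one RFC 822 message and return the banner decision plus link findings."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    sender_class = classify_sender(domain)
    body = "" if msg.is_multipart() else msg.get_payload()
    links = inspect_links(body)
    return {
        "sender_domain": domain,
        "sender_class": sender_class,
        "external_banner": sender_class != "trusted",  # show the big bold warning
        "links": links,
        "suspicious": sender_class != "trusted" or any(l["flags"] for l in links),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The design point is that trust is an exact-host match, not a suffix match: a rule that trusted anything ending in the vendor’s domain would have let the fake no-reply account through without a banner. The link check flags the shortener and the mismatch between the visible vendor URL and the real href; either one is enough to mark the message for a closer look rather than a 5 AM click.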

The final morning of Cyber Smart Week rolls around… and I received a DM from the Target:

8:55 AM – Security Engineer: Holy shit
8:55 AM – Lisa Taylor: 😏
8:56 AM – Security Engineer: Haven’t even had a coffee yet, not fair 😢
8:56 AM – Lisa Taylor: YOU LIKE DEM PHISH?! Wanna see what I did?
8:58 AM – Security Engineer: Yeah hard out 😂 That’s dedication!

I had successfully completed the challenge and “phished” the Security Engineer.

What’s important to note here is I immediately offered to share “how” I’d done it.
Running these kinds of exercises regularly with our security teams gives us an opportunity to reflect on our practices and identify any loopholes or gotchas that could catch us out if an attacker were targeting us for real. But it’s worth keeping in mind that we’re only human, and humans make mistakes. So the best we can do is practise identifying malicious emails and where the gaps in our resiliency are, so that if a malicious email does sneak through our filters, everyone knows how best to handle and report it.

Final takeaways:

  • Work with your security team.
    They have one heck of a tough job. Their goal is to keep you and everyone around you safe online, so do as much as you can to help make their lives easier.
  • We’re all only human.
    If someone’s determined enough to scam or hack you, it only takes one slip up to let them through. Don’t give them the opportunity. Stay vigilant and acutely aware.
  • If challenges like this come up at your organisation, give it a go!
    It was a lot of fun thinking about how I might go about this and if anything, it raises awareness of any potential security risks for our Security teams to follow up on.
  • And finally, coffee. I should have included “lack of coffee” in my Social Engineering plan around timing. But it all worked out in the end 😉

So where did I link the Security Engineer to?
If you’ve made it this far, maybe you’ll find it on this site somewhere…
