It’s 3:45 pm on Friday and you are ready to be done for the week. A last-minute email from your boss pops into your inbox. It’s a Google file invitation that says you need to update this document before the end of the day. Being the dedicated employee that you are, you click the link and end up at a Google login page. The login page displays your name and even your email address in the username field, but a blinking cursor is awaiting your highly secure, tough-to-guess, minimum of 12-character password. You take two seconds to curse the interwebs.

“I thought I was already logged in. Why do I always have to log in? Oh, well. Here is my password again, you forgetful website.” One click later you see a login error page and assume you entered your password incorrectly. You re-enter it and log in successfully to finish out your day.

Unfortunately, that email wasn’t from your boss and you didn’t mistype your password the first time. What’s even worse is that while you are obliviously moving on with your life, a hacker halfway around the world is smiling as your Google credentials flow into an encrypted file stored on a web server he hacked just yesterday. You, my friend, have just fallen victim to a spearphishing attack, and you didn’t even know it.

It may sound like something from a movie full of computer screens in a dark room with line after line of computer code scrolling past and file transfer progress bars suspensefully crawling towards 100%, but it isn’t. This is the anatomy of spearphishing attacks that take place in the real world every single day. In fact, according to SecureWorks, it is now believed that this is almost exactly what happened to unsuspecting members of Hillary Clinton’s campaign staff as well as members of the Democratic National Committee (DNC), leading to the leak of an unknown number of emails that are now being released.

In this article, we will take a look at just how members of these organizations fell for this attack, we’ll examine how an attacker might have gone through the process of launching such an attack, and how someone could do the same to you. More importantly, in a bit of shameless self-promotion, we will introduce you to SecurityIQ’s phishing attack simulator, PhishSim, and explore how using a simple training tool like PhishSim could have saved the DNC and the Clinton campaign from this digital nightmare.

Before we jump in, a few quick notes about SecurityIQ’s PhishSim. PhishSim is an easy-to-use web-based tool that allows organizations to launch simulated phishing attacks against their users and deliver immediate training to those who take the bait. Ultimately, you want your users to be phished by us instead of the bad guys, because the bad guys aren’t going to teach your users how to avoid being phished in the future. Simulated phishing attacks could be one of the most important and effective security tools you have at your disposal for combating this growing threat.

Details are now coming to light on just how hackers were able to gain access to the Gmail account of John Podesta, chairman of Hillary Clinton’s presidential campaign, along with a lengthy list of others associated with the campaign and the DNC. During their investigation, SecureWorks found that the hackers had crafted an email that looked exactly like the Google security notification any Gmail user would receive when abnormal activity is detected on an account. The spearphishing email, which was sent to Podesta and possibly others, indicated that someone had tried to sign into his account from Ukraine. It then prompted him to reset his password by clicking on a link contained within the email.

Opportunity #1 to avoid being phished: Had the recipients of this email known how to examine the link that was actually “behind the text,” a vital clue would have been revealed, showing them that something wasn’t quite right. In most mail clients, hovering over the link (or long-pressing it on a phone) shows the real destination. In this case, it appears that they would have seen a shortened bit.ly link, which obscures the actual URL the user would be taken to after clicking. If you see this in an email, stop! Do some more digging on who is sending this email to you and where that link might lead. Bitly links can be previewed without visiting the destination: append a plus sign to the short link (https://bit.ly/xxxxxx+) to see where it resolves and how many times it has been clicked.
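As an added illustration (not code from this article or from PhishSim), the following Python script performs the link inspection described above on a constructed message body: it pulls every link out of the HTML, flags URL shorteners, flags anchors whose visible text is a URL that does not match the real destination, and flags any destination outside google.com for a message claiming to come from Google. The sample HTML, the bit.ly path and the hostnames in it are made up for the demo; the list of shorteners and the google.com trust rule are assumptions of this check, not facts from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the fake "security alert": not the real
# Podesta message; the bit.ly path and hostnames are invented for the demo.
SAMPLE_HTML = """
<p>Someone just used your password to try to sign in to your Google Account.</p>
<p>You should change your password immediately.</p>
<p><a href="https://bit.ly/2xAmpLe">CHANGE PASSWORD</a></p>
<p><a href="https://myaccount.google.com/security">https://myaccount.google.com/security</a></p>
<p><a href="http://accounts-google.example.net/login">https://accounts.google.com</a></p>
"""

# Common public URL shorteners; a shortened link in a password-reset mail hides
# where you are really going.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd", "buff.ly"}

# Assumption for this check: a genuine Google account notice links only to google.com.
TRUSTED_SUFFIX = "google.com"


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    # Exact match or a real subdomain; "google.com.evil.net" does not qualify.
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)


def inspect_links(html):
    """Return one finding per link with the reasons it looks suspicious, if any."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if host in SHORTENERS:
            reasons.append("shortened link hides the real destination")
        if re.match(r"^https?://", text) and host_of(text) != host:
            reasons.append(f"anchor text shows {host_of(text)} but the link goes to {host}")
        if not is_trusted(host):
            reasons.append(f"destination {host} is not a google.com host")
        findings.append({"href": href, "text": text, "reasons": reasons,
                         "suspicious": bool(reasons)})
    return findings


if __name__ == "__main__":
    for f in inspect_links(SAMPLE_HTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Run it as a script to see the three verdicts: the shortened link and the look-alike host are flagged, the genuine myaccount.google.com link is not. The third case is the one users miss most often, because the text they read is a correct Google URL while the href underneath points elsewhere.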

Even though Podesta may not have known how to identify suspicious links, he had his suspicions regarding the email itself and apparently even asked his IT staff for advice. The bad news is that the staff, who had never been through the kind of simulated-phishing training that PhishSim delivers, missed the warning signs and said the email was legitimate. The good news is that they told him to go directly to Google’s website to initiate the password reset instead of using the link in the email, just to be on the safe side. Based on the stream of email now being released on a daily basis, it may be safe to assume we know which route he took. Once he clicked the link, he was taken to a fake Google login page that collected the credentials he entered, giving the attackers access to his email account.


This fake Google login page is what the victims saw once they clicked the link in the phishing email.

Opportunity #2 to avoid being phished: Unless you requested it, if you receive an email asking you to reset your password or to update account information, go directly to the associated website instead of using a link in the email. Then use that site’s password reset or account update features to make the necessary changes.

How does a spearphishing attack like this actually work and how can it be avoided? To the untrained eye, this data collection attack is almost undetectable and presents very few clues as to what is really happening. To the trained eye, though, there are enough subtle hints that would help one to recognize what is taking place and to avoid this potentially disastrous event. This is why security awareness training with an emphasis on phishing avoidance is critical for any organization or individual.

In our scenario, the goal is to convince a user (the target) to click a link in an email that directs them to a website imitating a Google login form. Once there, they will enter their username and password. Upon entering that data, we will collect the information they provide, send them along to the real Google website, and begin using the collected data for our own hypothetical nefarious activities. In the case of Podesta and the DNC, the real goal was to extract email messages from the victims’ Gmail accounts.

To conduct a data entry attack, we will need three things. First, a list of individuals we wish to target and their email addresses. Second, a fake Google login page where we induce the target to enter their credentials; a real attacker would take that information and begin accessing the account themselves. SecurityIQ’s PhishSim data entry attack does not store what is typed, but it does register the fact that data was entered and can deliver training based on that action. And third, an email inviting the target to click on a link that leads them to our data collection site. For our purposes, we will send them an invitation to view a file stored on Google Drive. This may sound like a lengthy process, but with PhishSim, we can have this simulated attack underway before you could tell us the first concert you attended, your mother’s maiden name, and the name of the street you grew up on.

Before we get started, we need to define our target. In many cases, an attacker would have some idea of who the target may be. If not, there are a number of places on the web that can help us. LinkedIn is a personal favorite. If an attacker knows the name of the company they need to target, a few minutes spent on LinkedIn.com can result in a treasure trove of information such as first and last name, position within the company, and a detailed work-related background. Once the right people have been chosen, it’s time to find some email addresses.


The target of today’s spearphishing attack is Seymour Skinner, principal of Springfield Elementary School. Just imagine the email he has stored away on all those naughty kids. So now we have a target, but we need his email address. Sometimes, email addresses can be tricky to find through simple web searches. Fortunately for us, we have a tool called hunter.io, which shows likely email address formats for a given domain and can also provide listings of actual email addresses for that domain which have been found on the web. We will start with a quick search for thesimpsons.com and see if we can determine the email address pattern used for the domain.


And just like that, we have a list! The results not only show the likely email address pattern, but also a list of email addresses for this domain that hunter.io has found around the web. At this point, we could either guess Principal Skinner’s email address based on the pattern, or go one step further and search to see whether hunter.io has already identified his address by clicking “find someone” and entering his name.
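The pattern step does not need a third-party service; it is a small inference over whatever addresses have already leaked. As an added example that is not from the article and is not hunter.io’s code, this Python block takes a constructed set of (name, address) pairs for thesimpsons.com (invented, not real hunter.io output or real mailboxes), counts which local-part convention explains the most of them, and then produces ranked candidate addresses for a new name. The list of conventions in PATTERNS is an assumption; extend it with whatever conventions you see in your own data.

```python
import re
import unicodedata
from collections import Counter

# Constructed sample of addresses "found on the web" for the domain, in the
# spirit of a hunter.io result; not real hunter.io output and not real mailboxes.
KNOWN = [
    ("Homer Simpson", "homer.simpson@thesimpsons.com"),
    ("Edna Krabappel", "edna.krabappel@thesimpsons.com"),
    ("Waylon Smithers", "waylon.smithers@thesimpsons.com"),
    ("Lenny Leonard", "lleonard@thesimpsons.com"),
]

# Local-part conventions to test, keyed by a human-readable label (assumed set).
PATTERNS = {
    "{first}.{last}": lambda f, l: f"{f}.{l}",
    "{first}{last}": lambda f, l: f"{f}{l}",
    "{f}{last}": lambda f, l: f"{f[0]}{l}",
    "{f}.{last}": lambda f, l: f"{f[0]}.{l}",
    "{first}_{last}": lambda f, l: f"{f}_{l}",
    "{first}{l}": lambda f, l: f"{f}{l[0]}",
    "{last}.{first}": lambda f, l: f"{l}.{f}",
    "{first}": lambda f, l: f,
}


def normalize(part):
    """Lower-case, strip accents and anything that is not a letter."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


def split_name(full_name):
    words = full_name.split()
    return normalize(words[0]), normalize(words[-1])


def rank_patterns(samples):
    """Count how many known addresses each convention explains, per domain."""
    counts = Counter()
    for name, email in samples:
        local, _, domain = email.lower().partition("@")
        first, last = split_name(name)
        for label, build in PATTERNS.items():
            if build(first, last) == local:
                counts[(label, domain)] += 1
    return counts.most_common()


def infer_pattern(samples):
    """Best-supported convention with the share of samples it explains."""
    ranked = rank_patterns(samples)
    if not ranked:
        return None
    (label, domain), hits = ranked[0]
    return {"pattern": label, "domain": domain, "confidence": hits / len(samples)}


def candidate_emails(full_name, samples):
    """Best guess first, then the other conventions seen in the sample set."""
    first, last = split_name(full_name)
    ordered = [label for (label, _domain), _hits in rank_patterns(samples)]
    domain = infer_pattern(samples)["domain"]
    return [f"{PATTERNS[label](first, last)}@{domain}" for label in ordered]


if __name__ == "__main__":
    print(infer_pattern(KNOWN))
    print(candidate_emails("Seymour Skinner", KNOWN))
```

Four leaked addresses are enough to pin the convention down with 75% confidence and produce seymour.skinner@thesimpsons.com as the first guess. The defensive lesson is the mirror image: assume your address format is public knowledge and never treat "the attacker knew my address" as evidence that a message is genuine.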


Phase 1: Complete! We have a target and we have their info.

So now we know who we are targeting and how to reach them. Next, we need somewhere to send them. It’s time to create our fake data entry page. Data entry attacks try to fool a user into believing that they are on a legitimate website where it is safe for them to enter specific information, such as a username and password. During a PhishSim simulated phishing attack, users are trained to look at the URL behind the link in an email and to examine the URL in the address bar of their browser before clicking or providing information. Had they taken this simple step, John Podesta and his IT staff could have stopped this attack dead in its tracks.

It turns out that Principal Skinner uses Gmail too, so Gmail will be our target going forward. Now some people may think to themselves, “I don’t know anything about creating web pages or Google logins. How am I supposed to do this?” Fortunately, PhishSim has done all of the hard work for you. An array of data entry pages has already been created, imitating real-world websites that users log into every day. If you’d like to make changes to these pages or you want to create your own, that’s also very simple to do. For today, we will be using the Google login page provided by SecurityIQ.

If you were to edit an existing page, you would notice a few things, but most important would be some odd-looking text that we call variables. {{learner_first}}, for example, is used in the template below. Any time that this page or an email is displayed to the target, that variable is replaced with the learner’s first name to customize the appearance of the page. A similar technique was used in the DNC attack to pre-populate the fake Google login page with the user’s email address and name. This is a very common way to create a sense of trust with a target. They think, “Hey… I’ve been here before. See, it knows me!” This level of customization is just one of the many useful features that make PhishSim such an effective training and education tool.


With a data collection page ready to go, an attacker next wants to provide the target with every reason to open and click a link in their email. Especially in a spearphishing attack, this can be done easily because you can tailor the message to the individual or group with content that is relevant to them. PhishSim makes this step incredibly simple by allowing a user to choose or modify a wide range of existing phishing email templates or by letting them create their own. For the sake of our attack, we are going to modify an existing template and customize it to meet our needs.

As you can see below, we have chosen a Google file invitation template to go along with our Google login page. We simply opened this template, which is provided in PhishSim, and edited it with some basic information to make the user feel as though it is truly meant for them. At this point, we could include some of the more than 15 variables associated with the user in PhishSim, define the From name and email address, select which type of attack we are simulating, and, perhaps most important, choose which training to deliver to the user immediately after they are phished.
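To make the two pieces above concrete, here is an added Python example of how a simulator can tie a personalised email template and a pre-filled login page together while never keeping what the learner types. It is an illustration written for this article, not PhishSim’s code, and everything in it is assumed: the learners, the sender, the hostnames (drive-share.simulation.example, training.simulation.example), the HMAC-based per-recipient token, and the {{learner_first}}-style placeholders, which only borrow the variable naming convention the article shows. Each recipient gets a link containing their own opaque token, so a click or a form submission can be attributed to a learner, and the submission handler logs only which fields were filled in and then forwards the learner to the real site and to training.

```python
import hashlib
import hmac
import re

# Constructed learners for the simulation; not real people or mailboxes.
LEARNERS = [
    {"first": "Seymour", "last": "Skinner", "email": "seymour.skinner@thesimpsons.com"},
    {"first": "Edna", "last": "Krabappel", "email": "edna.krabappel@thesimpsons.com"},
]

# Assumed hosts: where the simulated page is served, where training lives,
# and the real site the learner is forwarded to after the teachable moment.
LANDING_HOST = "drive-share.simulation.example"
TRAINING_URL = "https://training.simulation.example/phishing-101"
REAL_SITE = "https://accounts.google.com/"

# {{name}} placeholders in the style of the article's variables ({{learner_first}} etc.).
EMAIL_TEMPLATE = """To: {{learner_email}}
From: {{sender_name}} <{{sender_email}}>
Subject: {{sender_name}} has shared a document with you

Hi {{learner_first}},

{{sender_name}} invited you to edit "Q4 budget review" before end of day.
Open the document: {{landing_url}}
"""

LOGIN_TEMPLATE = """<form method="post" action="/open/{{token}}">
  <h1>Sign in</h1>
  <p>{{learner_first}} {{learner_last}}</p>
  <input name="Email" value="{{learner_email}}" readonly>
  <input name="Passwd" type="password" placeholder="Enter your password">
  <button>Sign in</button>
</form>
"""

VAR = re.compile(r"\{\{(\w+)\}\}")


def render(template, variables):
    """Substitute every {{name}}; an unknown name is a template bug, so fail loudly."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"template references unknown variable {name!r}")
        return str(variables[name])
    return VAR.sub(sub, template)


def learner_token(secret, campaign_id, email):
    """Opaque per-recipient token (HMAC) so links cannot be guessed or enumerated."""
    msg = f"{campaign_id}:{email.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


def learner_vars(learner):
    return {"learner_first": learner["first"], "learner_last": learner["last"],
            "learner_email": learner["email"]}


class Campaign:
    def __init__(self, campaign_id, secret, sender_name, sender_email):
        self.campaign_id = campaign_id
        self.secret = secret
        self.sender = {"sender_name": sender_name, "sender_email": sender_email}
        self.tokens = {}   # token -> learner
        self.events = []   # what the simulator keeps: who clicked / entered data

    def build_emails(self, learners):
        """One personalised message per learner, each carrying its own link."""
        emails = []
        for learner in learners:
            token = learner_token(self.secret, self.campaign_id, learner["email"])
            self.tokens[token] = learner
            variables = {"landing_url": f"https://{LANDING_HOST}/open/{token}",
                         **learner_vars(learner), **self.sender}
            emails.append((learner["email"], render(EMAIL_TEMPLATE, variables)))
        return emails

    def landing_page(self, token):
        """GET /open/<token>: record the click, show the pre-filled login page."""
        learner = self.tokens.get(token)
        if learner is None:
            return None
        self.events.append({"learner": learner["email"], "event": "clicked"})
        return render(LOGIN_TEMPLATE, {"token": token, **learner_vars(learner)})

    def submit(self, token, form):
        """POST /open/<token>: register that data was entered, keep none of it."""
        learner = self.tokens.get(token)
        if learner is None:
            return None
        # Only the field names are logged; the values (the password) are dropped.
        self.events.append({"learner": learner["email"], "event": "data_entered",
                            "fields": sorted(form)})
        return {"redirect": REAL_SITE, "training": TRAINING_URL}
```

Two design points matter in practice. The token is an HMAC over the campaign and recipient, so a curious learner cannot edit the URL to see a colleague’s page or inflate someone else’s click count. And the submit handler discards the form values on purpose: the simulator has to prove that data was entered, not what it was, which is the difference between a training tool and the credential-harvesting page it imitates.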


Once the email has been created, the attacker is ready to cast his bait and wait for a bite. In the case of PhishSim, this takes the form of creating a PhishSim campaign, deciding which individuals within your organization should receive it, which of our phishing emails they will receive, and when they should receive them. The process of enrolling learners, selecting templates, and configuring a campaign takes only a few minutes with PhishSim and the results could save your organization an immeasurable amount of time and money in the long run. How much of both could have been saved by the DNC and Clinton campaign had they used PhishSim?


And that’s it … Right? Well, in the real world, yes. Once the user takes the bait, the attacker has their information, while the user doesn’t know it and can move on with life until someone lets them know they’ve been compromised. With PhishSim though, this is where the magic begins. Instead of having their data stolen or computer system infected with malware or ransomware, a PhishSim simulated attack is the beginning of a highly developed and effective training program that takes the teachable moment that exists immediately after being phished and teaches the user how to begin changing their behavior. This is done through the use of interactive training materials and exercises that have been developed by InfoSec Institute, an information security training company with nearly 20 years of experience in providing hands-on and online technology training for individuals and organizations in both the public and private sectors.

It happened to the DNC, John Podesta, and countless other individuals and organizations around the world, and it will happen to your organization, too. Take the step that they didn’t. Make sure that PhishSim is on the sending side of the next phishing email your organization opens and train your users to keep from falling for the real thing.

Interested in learning how your organization can turn itself into a phishing-resistant machine? Create a free SecurityIQ demo account right now and begin a simulated phishing campaign on your users in under 15 minutes.
