Planning & Prep of a Phishing Attack

May 25, 2016 by Stephen Moramarco


Launching a large-scale phishing attack is a very sophisticated affair, involving perhaps dozens of criminals working together anonymously over the dark web. Like breaking into a bank or executing a con, hackers usually go through a number of steps in order to get to their prize. In this article, we’ve outlined common planning, preparation, and execution techniques phishers use in an effort to help expose their ruse.

Step One: Information Gathering

The first thing these nefarious culprits do is agree upon a target. Their meetings, discussions, and planning for their operations are usually conducted through an Internet Relay Chat (IRC) room, an anonymous method of communication that has been around since 1988. It could be said that these underworld phishing groups operate in much the same way as a school of fish, with many participants contributing to the creation and execution of an attack and no true central leader; this is what is commonly referred to as a scale-free network.

These scale-free networks seem to come together, launch a series of phishing scams, and then eventually disband. One of the most notorious was called the Avalanche Gang, discovered in 2008 and thought to be responsible for two-thirds of the phishing attacks that occurred the following year.

Avalanche operated out of Eastern Europe and was thought to be an offshoot of another group called Rock Phish. Although both these syndicates seem to have disintegrated, at least in name, phishing attacks have actually surged in the last half of 2015. This means they are still out there, just as powerful and more dangerous than ever.

Regardless of what they decide to call themselves, the members chat via IRC in a room usually named after the potential targets, like #westernunion or #banking. From there, the participants delegate tasks, with some involved with the coding and design; others fan out and gather as much data as they can about the intended victim, which can involve getting names of employees and even looking up their social media accounts. This is sometimes called “spear-phishing,” which we discussed in more detail in an additional article.

A subset of spear-phishing is called “whaling,” in which scammers focus their efforts on the highest executive levels of an organization. One of the first notable whaling attacks was in 2008, when thousands of C-level executives in the U.S. were emailed a fake subpoena for a federal court in San Diego.

According to reports, the email looked very professional and included the executive’s name, address, and phone number. The provided link was supposed to connect them with the full legal document, but instead secretly downloaded a program that recorded their keystrokes and passwords, sending them back to the thieves. Some 2,000 execs were affected.

Phishing Site and Email Templates

Once the network has identified its target and gathered as much information as possible, they then “bait the hooks,” usually in the form of fake emails as well as website landing pages or popup windows. As part of our ongoing education and prevention of phishing attacks, Infosec IQ has created a series of email templates similar to ones used in common scams, a few of which are illustrated below.

Low Bank Account Balance Alert


In this first example, we see an email that purports to be from Chase Bank (note the logo in the upper right). It may have a subject matter along the lines of “Low Account Balance Alert” and is intended to make the recipient worry about their finances and perhaps react without thinking.

The hook is the link in the line “To see your statement, click here” which would likely take the victim to a phony Chase website, where they would be prompted to enter their real user/password.

Notice that it is a rather innocuous email and merely has one link – recipients are even encouraged to click if they think they’ve received the message in error. But that click can be the gateway the phishers need for total access to a user’s bank account.

Free Pizza Giveaway


This is a phishing attack that targets a user’s appetite – after all, who doesn’t love pizza, especially if it’s FREE? Once again, the link may go to a phony website to capture more information or it may download something to the user’s computer. (What it won’t do is actually give you a coupon for free pizza.)

Facebook Photo Alert


Facebook, of course, is a natural source of bait for phishing attacks. This type of email intends to pique the recipient’s curiosity (or vanity). Again, they mimic the look of an actual Facebook alert, and notice there is a second hook in the smaller “unsubscribe” link.

Hacking Alert


This is an example of a more sophisticated spear-phishing attack, in this case sent to professors at Cypress International University. Notice how it’s a much longer email, and it even includes an email address, phone number, and logo from a legitimate security company (Tenable) to add to its authenticity. The link also appears to connect to http://cloud.tenable.com, the name of an actual company server. But if a user were to mouse over the link instead of clicking, the actual address would be revealed as a scam.

“Ms. Wilton” cautions the recipient that hackers have been using their credentials to access the system and they should only use the provided link for access. Of course, the truth is, the hacking will only commence IF they use that link.

Acquiring a Compromised Host

Once the attackers have scored a hit, the rampage begins. If they’ve managed to get admin credentials, they could surreptitiously install vicious scripts and ensnare more users and data. This can be done by a trick called DNS cache poisoning, also known as “pharming,” where the hackers take over the company’s routers and/or entire networks; sometimes they redirect traffic to phony websites that appear to have the correct URL or scan hard drives and email inboxes for more important information, as well as intercept all unencrypted data.

Successful hackers can also install malware or spyware on hard drives to turn them into phishing zombies sending out more viruses or controlling other computers. As mentioned in our other articles, they can record keystrokes, take screenshots, disable antivirus software updates, and basically collect a whole lot of secret information they shouldn’t have.

Configuring Data Transfer Mechanism

Now that they have access to the desired data, the extraction process can begin. All the vital personal information they want is scraped from the database (e.g., names, addresses, credit cards, social security numbers, passwords, etc.) and put in a spreadsheet. Depending on the type of attack, they could be gathering this information on the fly via a rogue pop-up window or web form, or by mining the existing data.


Then it’s time to send it off to the bad guys. According to an autopsy of several compromised phishing websites analyzed by our parent company InfoSec, this stolen data is usually either downloaded, or simply emailed to the hacker or group unencrypted.

Both options do come with risk for the phishers: Downloading to a hard drive may require multiple visits to the website, potentially alerting the site’s owners to the attack. Emailing the information can also trigger alarms. Still, the report concluded, most hackers prefer the email method for its simplicity, and rarely use FTP.

Selling Data on the Black Market

From there, the money starts to roll in as the thieves parse the info and sell it to the highest bidder. TrendMicro did an analysis of global prices for personal information on the black market and calculated the average amount thieves are willing to pay in China, Brazil, and Russia, considered the “axis of evil” for data theft.

On an interactive website, they show that a single individual’s mobile phone number and email address are worth $1236 in Brazil, $81 in China, and $100 in Russia. They go on to extrapolate how much this means in terms of dollars and damage, citing recent large-scale corporate hacks. For example, J.P. Morgan Chase & Co.’s August 2014 breach compromised the data of 76 million households.


Phishing is both complex and simple: it involves scores of criminals working together to fool people into clicking a link. The stolen data is then extracted, sent via email, and the info is sold and/or the computer used for more unsavory deeds.

Now that you know a little more about phishing, it’s time for you to think like a criminal – but in a way that will help others in your organization. On our website, registered Infosec IQ users can peruse the library of sample phishing email templates and modify or create their own.

Then, we suggest you send these emails to employees or coworkers as a means of educating them about phishing scams and see if they pass the test. Don’t worry, our emails are harmless – if the recipient clicks on the baited link, they are taken to a short video where they can learn how to be more vigilant. Sign up for a free Infosec IQ account today!


Stephen Moramarco is a freelance writer and consultant who lives in Los Angeles. He has written articles and worked with clients all over the world, including SecureGroup, LMG Security, Konvert Marketing, and Iorad.