May 15 2024 |
Plenty of Phish in the Sea
Phishing School
How to Find the Right Phishing Targets
A weapon is useless unless you have something to aim it at. When we weaponize social engineering, our targets are the humans who have the ability to give us access to the systems and data we want to compromise. In this post, we’ll explore ways to find target users for our phishing campaigns. We’ll then talk about what makes a “good” target vs. a “bad” target.
When looking for the “right” targets, our general approach will be to collect as many potential contacts as possible and then pair down the list based on what we can learn about each individual.
Casting a Wider Net
Before diving into contact collection, we want to make sure that we have a clear picture of the available attack surface. I’ve seen many pentesters take only the main domain the client supplied, run it through theHarvester, linkedInt, maltego, etc. and call the output a targets list. In doing so, these pentesters completely overlooked valuable attack surfaces associated with the target organization’s other domains. We can do better. Here are some of my favorite ways to find our target’s other domains:
WHOIS Data — Whoxy and WhoisXML
When you register a domain, you have to fill out some basic contact information like the organization name and “abuse email” for the WHOIS service. While you can technically put anything you want, and most registrars offer a WHOIS anonymizing service, many organizations still fill out the form with identifiable information. This means that we can often cross-reference WHOIS contact information and find associated domains.
Unfortunately, the WHOIS protocol was never intended to allow lookups based on contact information; however, there are paid APIs like Whoxy and WhoisXML that have indexed millions of WHOIS records and made them searchable. Whoxy is a nice quick check because its API credits are insanely cheap; however, its search functionality is case sensitive and they do not have the same coverage as WhoisXML.
Of course, the WHOIS protocol is a very simple, text-based, call-and-response protocol. With a little scripting and distributed computing, we could pretty easily mine and index our own data as well. If you decide to go this route, keep in mind that many WHOIS providers expressly forbid data mining. You’ve been warned!
O365 Mining (All the Phish in a Barrel)
If your target organization uses AzureAD, then you can use the autodiscover service to get a list of all of their tenant’s domains. Dr. Nestori Syynimaa released a great tool and blog post that covers this method:
Just looking: Azure Active Directory reconnaissance as an outsider
Backlinks
When organizations set up a website on a domain, they will often add a link back to their main domain somewhere on the website. In the SEO world, these are referred to as “backlinks”. You can use free SEO tools online to enumerate these links and look for any domains you missed with other methods. You will also often see backlinks from other organizations that do business with your target organization. Take note of these as you find them, as we might be able to abuse an implicit trust between these organizations when crafting our campaigns.
Sanity Check
Once we have a list of associated domains, we should do a quick sanity check to find out which ones have a published MX record. There is no use enumerating email addresses for a domain that doesn’t even have a mail server. This is to make sure we don’t waste time or API credits during email collection:
dig mx -f domains.txt | grep ANSWER -A 1 | grep MX
Hi-Ho (Hi-Ho. Let’s grab a net and go!)
Now that we have a list of associated domains, we can search for contacts at (@) each one. In the next sections, we are going to cover a range of contact collection methods starting with the well-known and simple (little phish) and working up to the more obscure and difficult (bigger phish).
While most of these methods are focused on obtaining email addresses, some of them will also give you phone numbers and mailing addresses. Don’t overlook this extra data! You can call phone numbers to see if they are direct lines and check if the target is still employed at the organization. We can also deliver payloads over the phone or even via snail mail if we have to. Likewise, if your data source includes information like job titles, grab this information too. It could be useful when pairing down our list.
The Classics
Read the website: This is a (hopefully) obvious first step, but you might be surprised by the number of times I’ve seen pentesters skip it. On more than one occasion, I’ve found an employee directory on the main website after hearing co-workers complain about “not finding any email addresses” with OSINT tools.
Google dorks: Along the same lines, it’s worth a quick Google search to see if there are any employee listings that are not hosted on the main website. There are plenty of OSINT tools that can even automate some common dorks for you. Try using Google to find some 😉
theHarvester/Skiddy Scripts: While I haven’t used theHarvester in a while now, I was pleasantly surprised to see that it is still being actively maintained as of 1/1/24. The reason I don’t currently use it is because I tend to view tools like this as just a wrapper for their data sources. If you like using a particular email mining OSINT tool, by all means keep using it. Though I would challenge you to at least peek under the hood to see how your favorite scripts work, and familiarize yourself with where the data comes from.
LinkedIn Mining: LinkedIn (LI) is a great source for employee names, positions, departments, and other useful target data we can collect in a variety of ways. If you’ve never built your own LinkedIn miner, I would highly recommend it as an exercise. The skills you learn can be applied to mining other OSINT sources as well:
LI Mining (Beginner): Go to the target organization, click on their employees, and copy-pasta each page. Next, grep/cut/sed foo to get your results. Taking this a step further, you can write a JavaScript one-liner to select the elements you want to mine and print them to the developer console and speed up the process significantly.
LI Mining (Intermediate): Use BurpSuite or Zap Proxy to intercept your traffic while navigating LI. Next, write a script to replicate the API calls used to retrieve user records. Conversely, just use one of the many existing tools that already do the same thing (LinkedInt, AttackSurfaceMapper, etc.).
LI Mining (Advanced): Use a framework like Puppeteer to write a bot that mines each page for you. Keep in mind that when you navigate to a page of employees, there will only be a few on the page until you scroll down. Scrolling to the bottom of the page triggers an AJAX request to grab the rest of the user records for that page. Then have the bot wait a second or two for the results to populate and inject some JavaScript (possibly from your ‘beginner’ script above) to mine the useful data. While this may seem like a lot of work, the overall advantage is that, when done correctly, you can build a bot that mimics a human using the site and potentially extend the useful life of your account. Obvious attempts to mine data can result in having your account locked. If you would like to take this approach, keep in mind that Puppeteer (and other automation frameworks) default settings include things like an obvious user agent string that will definitely get you burned, so do your research.
Note on LI Connections: For any of these methods to be fruitful, you will need first and second connections with your targets. It’s worthwhile to log into your OSINT account and connect with various users at your target organization well in advance of your test. If you have the budget, another option is to pay for “LinkedIn Sales Navigator” to skip all the organic connections and get unfettered access to search your targets.
Lesser Known
Hunter.io and Zoominfo: These websites are all about finding marketing leads at companies. If you think about it, cold emailing is basically the exact same thing as phishing. Online marketing is all about finding the right people in the target organization to interact with your message. Online marketers face many of the same challenges as we do, and therefore, good marketing tools can be extremely useful for setting up phishing campaigns. Both of these sites will give you a few free search results and also have paid search APIs. One of the things I love about Hunter.io is that you get the URL where each contact was found on the Internet. This will often lead you directly to employee directories where you can mine more contacts.
phonebook.cz: This is a tool with a great free tier that is meant to highlight the power of intelx.io’s database. The service used to be completely open, but now requires you to register an account to limit abuse. The search is still completely free.
Dehashed: This tool is a searchable aggregation of a large number of public data breaches. If employees of your target organization used their work email for any of these breached services, you get their work email address at a minimum, and frequently get passwords, full names, usernames, and other potentially useful data. It’s a paid API, but the pricing is quite reasonable. I’ve had a few engagements where social engineering was not even necessary because we found valid passwords credential stuffing with Dehashed results.
Industry Specific Data
It’s generally a good idea to learn a little bit about your target organization’s industry and if there are any data sources you can mine that might have names and contacts for potential targets. Here’s just a few examples.
Rate My Professor — If you happen to be pentesting a client in higher education, you can often get a good list of current employees from Rate My Professor. The API is simple and easy to mine. Students crowdsource the data and keep it up-to-date.
Nationwide Multistate Licensing System (NMLS) — If your client is a bank, credit union, or other financial institution, you can often find contact information for loan officers through the NMLS. You also have the added benefit of identifying a sub-group within the organization that might respond well to certain pretexts pertaining to loans.
CPAVerify — Most large organizations have full-time accounting staff and many of them are certified! When CPAs renew their license each year, they have to fill out contact information including their current employer. There are free sites to “verify” CPA licenses and many of them support searching company names. If you really want to ruffle some feathers, send a phish to the CPAs saying they might be losing their license just before tax season. I know this works well because an overzealous pentest team did it to my previous employer (a large accounting firm), and got themselves fired for causing too much of a disruption.
Hard Mode
Call them and ask for a directory!: Social engineering, when done well, is often an iterative process. You get some access, mine some useful data, and use it to target another user with more access. If you’re struggling to find contacts, it’s worth a shot to just call anyone in the organization, impersonate a new employee, come up with a sob story about how you’re trying to reach people on your team but can’t find the employee directory, and see if they’ll email a copy to your Gmail account. While it might be an odd request, it likely won’t raise suspicion as much as asking them to tell you their password or go to some sketchy website, and most people will take the time to help out a fellow employee. This isn’t exactly “hard” as much as it is uncomfortable, but is well worth the payoff when it works.
Mine the internet yourself: If API limits are cramping your style, or the APIs you are searching don’t have the data in a format that works well for you, then why not just build your own OSINT database? CommonCrawl is a massive open source repository of web crawl data from a sizable portion of the web. Their website features lots of cool projects that showcase how to use the dataset to mine interesting stuff.
Common Crawl – Example Projects
You can mine emails and associated URLs from the dataset to build your own OSINT database. For example, you can modify the open source tool WARCannon to ‘grep the Internet’ for email addresses, and then use ElasticSearch to index your results:
GitHub – c6fc/warcannon: High speed/Low cost CommonCrawl RegExp in Node.js
If you want to take it a step further, you can use AWS Lambda for Rust to do the same thing on a very low budget. If you space out the processing a bit, you can even do it all on the free tier.
Stealer logs: A “stealer” is a form of malware used to continually harvest user data like email addresses, account names, and passwords from an infected host. Operators who write and distribute this type of malware often take an opportunistic approach and simply try to infect as many systems as possible, amassing data from hundreds of thousands of systems. Some of these “stealer logs” have been leaked and contain a massive amount of user data. If an employee at your target organization happens to have been a victim of one of these trojans, then that data can be very useful on a pentest. Unfortunately, to make these breaches useful, you will have to normalize and index large volumes of loosely structured data yourself.
The Global Address List (GAL): If you happen to compromise access to a user’s o365 account, then you can use the GAL to pull contact information for everyone in the tenant. This can be done directly from the developer tab in the browser:
https://medium.com/media/7cff880f2402de320ee1e7aed48654fe/href
It’s not exactly a backdoor, but it does greatly increase your chances of gaining another foothold if your access is lost. Like asking for an employee directory, this is another technique we can use to perform iterative social engineering to go after more privileged access once we compromise a single user.
Choosing your Targets
Once we have a list of contacts, we should pair down the list into groups of targets that might be susceptible to various pretexts. This step is all about increasing our success rate as defined by the ratio of clicks to emails sent. Ideally, we would find a single, highly-susceptible target, and send a single email with a success rate of 100%. Of course, we have no way to measure susceptibility ahead of time, so we will have to make best guesses instead. We will do this based on some generic traits that we tend to see in common between “good” (high success rate) targets and avoid targets with traits commonly associated with low success rates.
Why not phish everyone?
If we just spent all this time mining contacts to maximize our potential blast radius, then why wouldn’t we just phish everyone? Wouldn’t that give us the highest chance of success?
If we only plan to send a single pretext, then the answer is yes. Exposing every target to the chosen pretext will maximize our chance of success, but there is a major flaw to this approach: If we want to phish everyone, then we are going to need an extremely generic pretext. These generic phishing messages will only work against the lowest common denominator (most susceptible) targets and will be easily recognized as a phish by everyone else. Compared to more targeted pretexts, generic pretexts have a very low click-through rate while overexposing the campaign to incident responders potentially discovering them.
Instead, I have found that we can more consistently craft scenarios with click-through rates over 50% when we take the approach of targeting either individuals or small groups of targets with similar job positions and interests. My goal is always to identify at least a few small groups of employees to target with specific pretexts. With a very convincing pretext, we may be able to obtain a foothold with only 3–5 total target interactions.
What makes a “good” target?
Online Presence — The more we know about a target, the more likely we will be able to come up with a pretext they will believe. Simply having a lot of available information online for a particular user makes them a potentially good candidate for spear phishing.
Bad Hygiene — When I see cases of employees using their company email as a personal contact or posting questions on forums with identifiable usernames, I know I have a good target. People who like to use their company email for “everything” frequently get personal emails on their work device. This opens up a whole new set of potential pretexts that often have a high success rate. You might also find cases of employees who like to “put themselves out there” online, which means these individuals are frequently responding to unsolicited emails from strangers.
Check-the-Box Worker — In my experience, it seems that there are a couple of workflow types that tend to leave certain workers susceptible to phishing more so than the average user. One of those types is what I’ll refer to as a “check-the-box” work style. Individuals whose main objective each day is to accomplish as many tasks as possible from their queue can often rush through tasks so quickly that they miss the telltales of a phish when a little social engineering is thrown into the mix.
Customer-Pleasing — If sales and customer support teams are taught that the “customer is always right” or similar rhetoric, they may be overly trusting of outside requests. While most of their interactions with customers are legitimate and benign, they could be tripped up when a malicious request comes in.
Guppies — New employees who have not yet been thoroughly trained on the company’s security policies and procedures, and have less knowledge of how a typical interaction or request is “supposed” to look, are inherently more susceptible to all forms of social engineering. Go look at your LinkedIn results to see how long each employee has been with your target organization.
What makes a “bad” target?
Now that we know how to identify good targets, we can also identify bad targets as ones that either lack “good” qualities, or exhibit an opposite trait:
Just an email — If we can’t mine any additional context about the human behind the address, we have no clue what types of pretexts might be useful against that target.
Rarely works with others — People who do most of their job solo tend to question any random request that is sent their way, whether it’s legitimate or not. Beware of being pushy with these skeptics.
Senior Executives and IT Staff (A.K.A. Whales) — While successfully phishing one of these users is typically going to get you privileged access right away, your overall chance of success is very low with this group. If you want to go whaling for the bragging rights, go right ahead, but just know that this is not a repeatable approach. When going after initial access, we will have more consistent success targeting other groups.
Plenty of Phish in the Sea was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.