Aug 21 2024 |
Teach a Man to Phish
PHISHING SCHOOL
A Decade of Distilled Phishing Wisdom
I decided to give away all of my phishing secrets for free. I realized at some point that I have been giving away phishing secrets for years, but only to select individuals, and only one at a time. That method of knowledge dissemination is terribly inefficient! So here it is, I’ve written it down for you instead.
Key Takeaways
If I could teach you only three things about phishing:
- Phishing can be an absolute thrill: The effort is worth the payoff!
- Canned templates won’t get you far: Just a little creativity goes a long way
- Whatever controls you are up against, there is probably a bypass (or multiple): Play around with multiple techniques and document what works for your team
Distilled Wisdom
This whole series was designed to break down phishing into its individual challenges, and provide advice for each. Here’s the list of lessons learned from each post:
Phish Sticks; Hate the Smell, Love the Taste: I’ll Make You Great at Phishing, Or Your Money Back
- Don’t quit before you start! You secretly love phishing (trust me)
- To be successful, we must recognize and address each control that will try to stop us
- Logging is your friend and will guide you if you pay attention
Plenty of Phish in the Sea: How to Find the Right Phishing Targets
- Cast a wide net. Get all the contacts you can; then pair down the list
- Use industry specific sources when you can
- Focus on small groups so we can be targeted with our pretexts
One Phish Two Phish, Red Teams Spew Phish: How to Give your Phishing Domains a Reputation Boost
- SPF is not a silver bullet. We can take advantage of misconfigurations
- When you buy domains for phishing, set up your own mail security records
- There are many options to get our domains categorized. Make sure to use at least one
Fly Phishing: How to Bypass Spam Filters
- “Click” is a very dirty word. Don’t use foul language like that in your emails
- There are many tricks we can use to disguise our message. Experiment with many
- AI is not a silver bullet against phishing messages
- Test, Measure, Repeat!
Feeding the Phishes: Bypass Phishing Link Filters
- Most link filters use simple string matching. There are several tricks to bypass them
- Sometimes it’s more useful to put your link inside an attachment
I Will Make you Phishers of Men: Convincing Targets to Click Your Links
- Phishing is a game of odds. If we understand the math, we can boost our success
- Targeted campaigns are always better than generic emails
- We can appeal to a variety of emotions and motivations to drive click rates
- People love furry animals
Like Shooting Phish in a Barrel: How to Bypass Link Crawlers
- Link crawlers are pretty basic bots. Classic bot protections like CAPTCHAs work fine
- Fingerprinting using JavaScript can be even more effective
Drink Like a Phish: How to Make Your Phishing Sites Blend In
- Expect your phishing sites to be crawled, and prepare for it
- Don’t just directly clone sites
- Don’t server phishing site contents to just anyone
- Browser-in-the-Middle can be extremely effective
Phish Out of Water: Bypass Web Proxies so Your Phish Don’t Suffocate
- Most attempts to block malicious file types only look for one of three indicators: Extension, MIME, or Magic number. We can control all three.
- There are tons of malicious file types we can use for initial access. It’s unlikely that every one will be blocked
- When in doubt, just ask the phishing target to circumvent controls for you
Deep Sea Phishing Pt. 1: How to Bypass EDR With Custom Payloads
- We need our payloads to stay off the “known bad” list
- Writing your own payloads is one of the best ways to achieve “unknown bad” status
- Make your code modular, and keep it as simple as possible
- You don’t always need a super feature rich implant to be successful
Deep Sea Phishing Pt. 2: Making Your Malware Look Legit So It Bypasses EDR
- EDR evasion is all about looking like legitimate software
- There are many ways we can trick trusted, signed binaries into doing our bidding
- Help desk software can be a bombshell when used with social engineering
Sleeping With the Phishes: Hide C2 With Stealthy Callback Channels
- HTTP(S) and DNS are not the only C2 channels out there
- SMTP is a hidden gem of a C2 channel
- Have you heard of STUN and TURN? They are protocols that traverse firewalls by design, and your target network probably allows them
- Data in and data out don’t have to take the same path
Bon Voyage
That’s 42 practical phishing lessons, and only just my top picks. There are many more nuggets of wisdom throughout the series, but I understand if you don’t have time to basically read a whole book about phishing. Feel free to skip around and reference as needed.
Hope you’ve had fun learning at my school of phish. Tight lines my friends!
Teach a Man to Phish was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.