Truth 4 Spear phishing

By now, you know the basics of phishing. What you don’t know, I’m betting, is that identity thieves routinely target employees of organizations that offer online services such as Web mail, virtual private networks (VPNs), or online banking. Since employees often carry the keys to the kingdom, identity thieves often attempt to go right to the source. The premise is still the same: send an email to an individual, and get that person to follow a link where he will submit confidential information into an online application. The difference is that when I go after the employees, I am using what some refer to as spear phishing.

Spear phishing is when you target a specific victim instead of setting an all-purpose trap for any victims who happen by. When spear phishing, the thief often poses as someone the victim trusts. For example, if an identity thief knows that an employee does her personal banking with a specific institution, the thief will send an email to her, addressing her by name on behalf of her bank. Or the identity thief can pose as someone that the victim knows and trusts, perhaps as a member of the corporate tech support group.

When I attack an employee at the office, the first thing I need is his email address. Most organizations do not make their employees’ email addresses public, which means that I have to find them on my own. To start, I gather a list of all the employee names I can track down. To do that, I simply call the organization late at night, and when the voice mail system comes on, I select the option to give me the directory service. When the auto attendant prompts me to enter the first three characters of the employee’s last name, I simply press the number 2, which is the a, b, and c key. After a few seconds, the system times out and starts listing all the names of every employee whose last name starts with the letter a, b, or c. I write down every name and then move on to the number 3 key to get d, e, and f.

I continue this tedious process until I have the name of every employee in that system. Of course, just having a name doesn’t mean I have an email address…or does it? If you work at a company that is similar to just about every other company on the planet, I bet your email address has the same layout as everyone else you work with. For example, if your email is jane.doe@yourcompanyhere.com, I would bet that your coworker has an email that is bill.smith@yourcompanyhere.com. That’s because most mail server software lets you choose the naming convention (the algorithm) you want to use for your company, and every new user receives an email address that matches that convention.

So to track down the email address, I simply attempt to send an email to every email version I can possibly think of. For example, if the user’s name is Jane Doe, I would send an email to jane.doe@…, janedoe@…, jdoe@…, janed@…, and so on.

If you’ve ever mistyped an email address, you’ve noticed that within a minute of sending the message, you receive an email back saying the user did not exist. This lets you know you made a mistake, and you can try again. Well, the same thing happens with the emails that I send. Within a minute or two, all the emails start bouncing back to me. That is, they all start bouncing back with the exception of one. Almost every time I try this, there will be one variation of the email address that doesn’t bounce back. Why? Because that address turned out to be the user’s real email address. So if jane.doe@yourcompanyhere.com doesn’t bounce back, then bill.smith, and every other first.last name, will probably work as well. This means I now have a list of every user’s email address at that company.
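From the defender’s side, the probing just described leaves a trace in the mail gateway: one outside source sends a burst of messages to several addresses that do not exist, differing only in how one person’s name is arranged. The Python below is an added example, not code from the book; it scans a constructed, simplified MTA-style log (the record format, the sample lines and the threshold values are assumptions) and flags any source that hits several unknown recipients inside one short window.

```python
"""Directory-harvest detection over constructed MTA log records (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log format (not a real MTA's exact format):
# <ISO time> client=<ip> from=<sender> to=<recipient> status=<accepted|unknown_user>
SAMPLE_LOG = """\
2024-03-01T02:14:01 client=203.0.113.5 from=probe@example.net to=jane.doe@yourcompanyhere.com status=accepted
2024-03-01T02:14:02 client=203.0.113.5 from=probe@example.net to=janedoe@yourcompanyhere.com status=unknown_user
2024-03-01T02:14:02 client=203.0.113.5 from=probe@example.net to=jdoe@yourcompanyhere.com status=unknown_user
2024-03-01T02:14:03 client=203.0.113.5 from=probe@example.net to=janed@yourcompanyhere.com status=unknown_user
2024-03-01T02:14:03 client=203.0.113.5 from=probe@example.net to=doej@yourcompanyhere.com status=unknown_user
2024-03-01T02:14:04 client=203.0.113.5 from=probe@example.net to=jane@yourcompanyhere.com status=unknown_user
2024-03-01T09:30:00 client=198.51.100.7 from=partner@example.org to=bill.smith@yourcompanyhere.com status=accepted
2024-03-01T09:31:10 client=198.51.100.7 from=partner@example.org to=bil.smith@yourcompanyhere.com status=unknown_user
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) from=(\S+) to=(\S+) status=(\S+)$")

def parse_log(text):
    """Yield (time, client_ip, sender, recipient, status); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, sender, rcpt, status = m.groups()
            yield datetime.fromisoformat(ts), client, sender, rcpt, status

def detect_harvest(text, window=timedelta(minutes=5), min_unknown=4, min_ratio=0.6):
    """Flag client IPs that, within one window, probe many non-existent local
    recipients. A legitimate sender mistypes one address; a harvester cycles
    through first.last / firstlast / flast / firstl variants of the same person."""
    per_client = defaultdict(list)
    for ts, client, _sender, rcpt, status in parse_log(text):
        per_client[client].append((ts, rcpt, status))
    alerts = []
    for client, events in per_client.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):          # slide the window start
            in_win = [e for e in events[i:] if e[0] - start <= window]
            unknown = {r for _, r, s in in_win if s == "unknown_user"}
            ratio = len(unknown) / len(in_win)
            if len(unknown) >= min_unknown and ratio >= min_ratio:
                alerts.append({"client": client, "window_start": start,
                               "unknown_recipients": sorted(unknown)})
                break                                       # one alert per client
    return alerts
```

The thresholds are deliberately loose; in practice they are tuned against the gateway’s normal rate of mistyped recipients, and the same counters can drive a temporary rate limit on the offending source.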

For this example, let’s assume that I want to start finding out employees’ user names and passwords for their online Web mail service. I would next call the main office and ask to speak to the IT network manager. When I reach that person, I would simply ask who I was speaking with and then tell the manager I am a vendor selling a product or service. Of course, the IT manager is likely to hang up on me, but I have the information I came for: the IT manager’s name. And I already have his email address.

Before I send my phishing email, I create a simple Web site that looks similar to an online Web mail Web site.

Now for the fun part. Assuming that the IT network manager’s name is Bill Smith, I spoof an email that will come from what looks like Bill Smith, and I will send it to as many employees as I feel like.

Hey <NAME HERE>,

I wanted to let you know we are putting up a new version of the Web mail. This new version should be faster, allow for better search capacities, and ultimately will tie in with everyone’s cell phones.

When you have a second, can you try it out and let me know if you were able to get your email?

The link is http://192.168.1.1/webmail.

Thanks!

Bill Smith

I have done this spear phishing test with hundreds of employees throughout the United States and have over a 98% success rate. The employees receive the email, trust that it really was sent from Bill, and immediately follow the link with no questions asked. Of course, the users are prompted to enter their username and password, which I collect for use later. Often, I modify the return address so it is just a little different from Bill’s real address, so if users reply, those replies will come to me instead of the real Bill Smith.
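The lure above carries exactly the marks a mail gateway or an analyst can test for: a trusted display name, a Reply-To that differs slightly from the From address, and a link to a bare IP address instead of the company’s own hostname. The Python below is an added example, not from the book; the internal domain, the one-entry directory and the sample message are constructed assumptions, and a single-part plain-text message is assumed.

```python
"""Triage checks for a spear-phishing lure (added example, not the book's code)."""
from email import message_from_string
from email.utils import parseaddr
import re

INTERNAL_DOMAIN = "yourcompanyhere.com"                  # assumed company mail domain
DIRECTORY = {"bill smith": "bill.smith@yourcompanyhere.com"}  # assumed staff directory

# Constructed message modelled on the lure, with a slightly altered Reply-To.
SAMPLE_MESSAGE = """\
From: Bill Smith <bill.smith@yourcompanyhere.com>
Reply-To: Bill Smith <bill.smith@yourcompany-here.com>
To: jane.doe@yourcompanyhere.com
Subject: New Web mail

Hey Jane, we are putting up a new version of the Web mail.
When you have a second, can you try it out? The link is http://192.168.1.1/webmail.

Bill Smith
"""

URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

def triage(raw):
    """Return the list of impersonation/phishing indicators found in one message."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    known = DIRECTORY.get(from_name.strip().lower())
    # 1. An employee's display name, but not that employee's directory address.
    if known and from_addr.lower() != known:
        findings.append("display-name impersonation")
    # 2. Replies diverted: Reply-To differs from From, possibly to a lookalike domain.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to mismatch")
        if reply_addr.rpartition("@")[2].lower() != from_dom:
            findings.append("reply-to lookalike domain")
    # 3. Links whose host is a raw IP or lies outside the company domain.
    body = msg.get_payload()                             # single-part text assumed
    for host in URL_RE.findall(body):
        if IPV4_RE.match(host):
            findings.append(f"link to raw IP {host}")
        elif not host.lower().endswith(INTERNAL_DOMAIN):
            findings.append(f"link to external host {host}")
    return findings
```

None of these checks replaces the phone call the author recommends; they are what lets the gateway or the help desk raise the question before a user has to.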

When I have a username and password, I can become any employee I want to be. I can read employees’ email, send email on their behalf and, even more importantly, learn what systems they can access. I can then request password resets for those systems and have new passwords sent right to the users’ email accounts, which, remember, I have hijacked.

As complicated as this type of phishing attack actually is, the solution is the exact opposite. It is as easy as picking up the telephone. Email should not be used for everything. If you receive an email that requires you to submit any confidential information or allow potential access to confidential areas, simply pick up the phone, dial the extension of the person who sent the email, and say, “Hi. Did you just send me this email?” It truly is that simple. If the person denies sending the email, you or your IT department should sound the alarm.
