Introduction

The pentester uses psychological manipulation of people to obtain information or perform actions they do not want to do.

Bribing

Bribing the target organisation's staff by offering money or other inducements to obtain any information or advantage in the attack. Poorly paid or disgruntled employees may be prone to collaborate in such attacks.

Phishing

Phishing is a type of social engineering attack often used to trick the victim into doing things, such as downloading malware or directing them to a scam website, for obtaining credentials, with the purpose of gaining a foothold in corporate networks.

Spear phishing

Spear phishing targets specific individuals instead of a wide group of people. It is a more in-depth version of phishing that requires special knowledge about an organisation, including its corporate structure.

Vishing

It is a fraudulent phone call designed to obtain sensitive information such as login credentials where the attacker impersonates a company, a trusted person or a fellow employee. For instance, the attacker might call pretending to be the company's support agent requiring your login information for a system update. New employees are often vulnerable to these scams, but this can happen to anyone.

Phishing methodology

An attack might play out as follows:

1. A perpetrator researches the names, emails and phone numbers of employees within the organisation using OSINT or HUMINT techniques.

   1. For each employee, search for login portals used by the victim to impersonate.

2. Prepare the landing page: A fake web page similar to the original one so the end-user trusts it and provides us with their credentials.

   1. Create or import the web page that will be impersonated.

   2. Buy a similar domain: Some tools create lookalike domains with typos so you can register them, such as dnstwist, urlcrazy and Typo Generator.

   3. Configure the hosting.

3. Prepare the email template: The email content, the email addresses and names of targets,

4. Send the emails: phishing emails should be sent out in a phased manner, over a period of hours or days, depending on the number of employees in scope, and then the email campaign will stay open/active for a week or two to allow for recipients who do not read their email daily.

Finally, there are tools like gophis and SocialFish that create the phishing infrastructure (the landing page and sending email), so the attacker only has to provide the web to impersonate the email template, the sending email profile and the list of victim emails. But, if you want more advanced attacks, try setting up evilgophish.

Evasion detection techniques

1. Use legitimate links: To evade detection, add legitimate links to their phishing emails because many email filters will scan some legitimate links and assume the email is legit.

2. Mix legitimate and malicious code: A known phishing email or malware virus contains a signature that can be detected by EOP. One technique for obfuscating the signature is to mix legitimate and malicious code. For example, include CSS and JavaScript from real Microsoft webpages, such as the Office 365 login page. Other techniques include encoding characters at random, adding invisible text, inserting white spaces... The goal is to make each email appear unique to the filter.

3. Abuse redirections: To quell victims into thinking nothing is odd, redirect them to the legitimate web page after the phishing attack.

4. Obfuscating brand logos: logos include HTML attributes that can be detected by an email filter that is scanning for signatures. To avoid detection, alter brand logos in ways that are invisible to the naked eye but unique to a filter.

References

• Social engineering penetration testing

• Phishing methodology

• 5 Common Phishing Techniques