May 24, 2016 | Posted in Red Teams by Dan Astor
What is Whaling?
Spear phishing continues to be a trend amongst attackers as one of the easier ways into a company’s environment as it only takes a single user to take the bait. This can be especially troublesome when attackers begin to target high value individuals. Recently we were given the opportunity to go “whaling” after a global company’s C-Suite executives.
- Spear Phishing: Emails target employees within an organization with the intent of obtaining credentials or executing malicious code on the target systems. These emails are well-crafted and entice the user to click. Generally they will appear to come from inside the organization or from a trusted third party.
- Whaling: Spear-phishing focused on the Top Brass.
Let’s Take a Trip to Seaworld
We enjoy being creative with our spear-phishing attacks and this time we developed some Whale bait using the “Panama Papers” hysteria. If you’ve spent the last 3 months 20,000 leagues under the sea, the Panama Papers is a data leak which contains over 11.5 million financial and legal records of off-shore entities. These records have implicated celebrities, politicians, and executives.
Harpooning 101: Ahab, Pequod, and Moby
There are a few steps that need to be taken for a successful whaling adventure; we’ll step through them:
- Domain: Picking a good domain can be a challenge as you want it to appear legitimate and not seem suspicious when the victim visits it. For this particular campaign we went with a domain that appeared to belong to a well-known news organization.
- Website: The website is extremely important, as it’s where the user lands once they click the link in our email. For this particular scenario we went with a “captive portal” style landing page: users are brought to it first and, after submitting their credentials, are taken to our news story. We’ll break this out into two sections, the payload and the design.
- The Payload – For the captive portal, the goal was to harvest any credentials entered by the users in an easy-to-read format. For this we wrote a custom PHP function which would write any credentials to a file on our server. In addition to the credentials, the function would also record the tracking token (a unique value assigned to each email address) and a timestamp. This ensured we could determine which email address entered which set of credentials at what time.
- The Design – For the design we needed to make the sites look authentic and appealing to the targets. The captive portal was something we had previously used, but we cleaned it up a bit and customized it to the target company (see figure 1.1). The news story was slightly different, as it had to be heavily modified for the targets. As there are plenty of great-looking news stories about the Panama Papers already out there, we decided to leverage one as a template. After rewriting much of the article to include relevant information about our Whale and adding a convincing image, we had a compelling site (see figure 1.2).
Fig. 1.1 – The login page for our “News” site, which prompts the victim to enter their credentials.
Fig. 1.2 – To protect our Whale in this blog we’ve replaced him with a more “Interesting” person.
- Email: Coming up with the email to be used for this particular scenario wasn’t hard. Many news sites have an “Email or Share” feature, which produces a nicely formatted email that you can send to co-workers and friends. We thought this would be a great format to use, again tailored to our site and story (see figure 1.3). We chose to provide the Whale with only a link to our website; however, we could easily have embedded a malicious MS Office macro file or sent an additional link to download an executable claiming to install a fake news app.
Fig. 1.3 – A modified version of the email template we came up with.
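The Domain and Email steps above are the parts of this campaign that a mail gateway or SOC can look for on the inbound side: a link whose host borrows the name of a well-known organization without actually belonging to it. The following Python script is an added example, not code from the original post. It pulls the URLs out of a constructed sample email body, reduces each host to its registrable domain, and flags hosts that either embed a trusted brand under a different registrable domain or sit within a small edit distance of one after undoing common digit-for-letter substitutions. The trusted-brand list, the sample body and all host names in it are constructed for illustration.

```python
"""Flag lookalike domains in links from an inbound email.

Added example (not code from the original post). The trusted-brand list and
the sample email body are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed: brands the mail gateway is protecting (hypothetical names).
TRUSTED_DOMAINS = ["examplenews.com", "example-corp.com"]

# Constructed sample body in the "share this story" style described above.
SAMPLE_BODY = """A colleague shared this story with you:
https://www.examplenews.com/world/offshore-leak
Read the full report: http://login.examp1enews.com/portal?t=abc123
Also see https://example-corp.com.news-portal.example/login
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Common digit-for-letter swaps, undone before comparing a host to a brand.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def extract_hosts(body):
    """Return the distinct hostnames found in URLs in the text, in order."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname  # already lower-cased by urlsplit
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def base_domain(host):
    """Last two labels as a stand-in for the registrable domain.

    Good enough for the sample; real code should consult a public-suffix list
    so that hosts under e.g. co.uk are handled correctly.
    """
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance with a rolling-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unrelated' for one hostname."""
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    base = base_domain(host)
    for t in trusted:
        # Brand appears as a label, but under a different registrable domain.
        if t in host and base != t:
            return "lookalike"
        # Registrable domain is a near miss of the brand after de-substitution.
        if edit_distance(base.translate(SUBSTITUTIONS), t) <= 2:
            return "lookalike"
    return "unrelated"


def scan_email(body, trusted=TRUSTED_DOMAINS):
    """Map every linked host in the body to its classification."""
    return {h: classify_host(h, trusted) for h in extract_hosts(body)}


if __name__ == "__main__":
    for host, verdict in scan_email(SAMPLE_BODY).items():
        print(f"{verdict:10} {host}")
```

An edit distance of 2 is a loose threshold for short brand names and will produce false positives; in practice you would tune it per brand and treat a "lookalike" verdict as a reason to rewrite or quarantine the link for review rather than to block outright.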
While this was a simulated attack that we performed on behalf of our client, attackers do leverage current events to target organizations and individuals. User awareness training can go a long way to help employees understand and react to spear phishing messages coming into the enterprise.
- Phishing Simulation – Continually testing employees with real-world examples and providing them with the tools needed to better identify and protect themselves not only helps ingrain secure practices, but also gives you metrics to see how they’re doing over time and against which types of phish.
- Executive Protection Program – A slight twist to your standard user awareness training, these are one-on-one training and awareness sessions with executives on their own turf.
While many organizations, particularly ones that sell security awareness training, are sympathetic to the view that awareness is the only tool against spear phishing attacks, we believe it’s only part of the solution. Having the proper technical controls on endpoints, external portals, and the network plays an equally important part in reducing the effectiveness of spear phishing campaigns targeting the organization.
- Email Filtering – Preventing spear phishing emails from reaching employee mailboxes will always be a challenge, but checking the email sender’s authenticity helps ensure email addresses are not being spoofed for your domain. The following technologies can help protect against email spoofing:
  – Sender Policy Framework (SPF)
  – DomainKeys Identified Mail (DKIM)
  – Exchange Accepted Domains
  – Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- Hardened GPO Settings – Even if an attacker succeeds in getting a remote shell on a user’s workstation, locking down the Group Policy configuration and assigning only appropriate levels of access greatly reduces their ability to perform local privilege escalation. A good reference point for hardened GPO settings is the benchmarks published by NIST and CIS. You can test GPO configurations with tools such as PowerUp, a PowerShell script that checks for multiple privilege escalation paths.
- Multi-Factor Authentication (MFA) – While it may be possible for an attacker to obtain employee credentials through spear phishing sites, you can greatly reduce the impact of those stolen credentials with MFA. Ensure external portals are configured with MFA, especially for high value targets such as administrators and executives.
- Endpoint Detection and Response (EDR) – Once a system is compromised, detecting and responding to the intrusion becomes increasingly difficult. EDR toolsets can provide additional insight into what is running and build a timeline of “what happened” up to and during the compromise. Some toolsets can also sweep the environment to determine whether other systems are compromised once a signature is created.
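To show what “checking the email sender’s authenticity” means in practice for the Email Filtering item above, here is an added Python example, not code from the original post, that audits a domain’s SPF and DMARC TXT records for the settings that still leave spoofing possible: a permissive or missing terminal all mechanism, more than ten DNS-lookup terms, a DMARC policy of none, a partial pct, or no aggregate reporting address. The records are constructed strings for a hypothetical example.com so the script runs offline; a real check would fetch them from DNS. DKIM is left out because verifying it requires knowing the selector names in use.

```python
"""Audit a domain's SPF and DMARC TXT records for settings that still allow spoofing.

Added example (not code from the original post). The TXT records below are
constructed strings for a hypothetical example.com so the script runs offline;
a real check would fetch them from DNS.
"""
import re

# Constructed: what a DNS TXT lookup of the two names might return.
SAMPLE_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)")


def parse_spf(txt_records):
    """Return the SPF terms after 'v=spf1', or None unless exactly one record exists."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    return spf[0].split()[1:]


def spf_findings(terms):
    """List weaknesses in a parsed SPF record; an empty list means it looks sound."""
    if terms is None:
        return ["no valid SPF record (missing or more than one)"]
    findings = []
    last = terms[-1] if terms else ""
    if last in ("all", "+all"):
        findings.append("SPF ends with +all: every sender passes")
    elif last == "?all":
        findings.append("SPF ends with ?all: neutral result, no protection")
    elif last == "~all":
        findings.append("SPF ends with ~all: softfail only; needs DMARC to be enforced")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("SPF has no terminal all mechanism")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): evaluates to permerror")
    return findings


def parse_dmarc(txt_records):
    """Return the DMARC tags as a dict, or None unless exactly one record exists."""
    recs = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(tags):
    """List weaknesses in a parsed DMARC record; an empty list means it looks sound."""
    if tags is None:
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC p= tag missing or invalid")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so you get no aggregate reports")
    return findings


def assess_domain(domain, records):
    """Run both checks for a domain against a name -> list-of-TXT-strings mapping."""
    return {
        "spf": spf_findings(parse_spf(records.get(domain, []))),
        "dmarc": dmarc_findings(parse_dmarc(records.get(f"_dmarc.{domain}", []))),
    }


if __name__ == "__main__":
    for check, issues in assess_domain("example.com", SAMPLE_RECORDS).items():
        print(check, issues or ["ok"])
```

For the constructed records the script reports that SPF ends in a softfail and DMARC is set to p=none, which is the common state where a receiving mail server has everything it needs to detect a spoofed sender but has been told not to act on it. Moving to p=quarantine or p=reject is what turns the check into a control; the aggregate reports from rua= are how you find out which legitimate senders would break before you do.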
Alternate but Scrapped Titles for this Post:
- Greenpeace Can’t Save You Now: Harpooning Whales in the Panama Canal
- 20 Million Leagues Under an Offshore Bank
- Your Boss’s Boss (Boss’?) is a Whale of a Target
- PANAMA PAPERS!?… AAAAGHHH!