Spear Phishing Methodology

SPEAR PHISHING TESTING METHODOLOGY

From

An article on our Spear Phishing Testing Methodology, which can be used in a social engineering exercise to determine organization-wide susceptibility to an APT-style attack.

Spear Phishing Testing and Methodology

Confidential Network Intelligence (India) Pvt. Ltd. Page 2 of 6

Document Tracker

Author | Version | Summary of Changes
Manasdeep | September 2012 | Document Created

Contents

1. Introduction

2. Methodology for Spear Phishing Testing

1. INTRODUCTION

Spear phishing is an e-mail spoofing fraud attempt that targets an organization to glean confidential data and gain unauthorized access to the organization's confidential data or internal network. The attacker may be motivated to obtain confidential internal information in pursuit of financial gain, trade secrets or proprietary information. The emails sent to internal employees in a spear phishing attempt appear to originate from a high-ranking authoritative source in the company. This is done purposefully so that very few people will question the intent of the request, and will readily provide the "supposed authority" with the requested details.

Necessary factors for a successful spear phishing attack:

a. A known, trusted, "highly placed" authoritative figure in the organization

b. The message must fit the context of what is being said, and the information it contains must support its validity

c. The recipient can infer a "firm need" or a logical reason for the request made by the sender.

Popular techniques used for spear phishing attacks comprise a mixture of social engineering, client-side attacks, requests via social networking sites, etc.

2. METHODOLOGY FOR SPEAR PHISHING TESTING:

a. Identify targets

We identify a target audience that can easily be convinced to believe our story. To learn how they work, we can interact frequently with helpdesk employees, security guards, etc., who are frequently involved in front-line customer interaction. We can use the information gathered to construct the impersonated identity used for spear phishing.

b. Planning and Using Pretexts:

While selecting your pretext background, it is imperative to consider a few key questions:

- What problem am I trying to solve?
- What questions am I trying to answer?
- What information do I seek?
- What is the nature of the person whom we will be contacting?

One of the attacker's goals in pretexting is to bring the target to a logical conclusion. To do that, we must anticipate their attitudes and be spontaneous enough to lead them down the path we want.

c. Establishing Trust:

The attacker works his way through the perimeter defence of "human trust" by impersonating well-known, authoritative, high-ranking personnel and requesting confidential details. For example:

“Hi, This is your system admin from mail server. We recently discovered that your mail was sending mail bounces. As per corporate policy, your mail address has been temporarily blocked for 48 hrs. Please reply with your user name and password by logging on ww.thisfakesite.com for verifying your account and saving it from getting blocked.”

d. Stressing the "need":

The attacker now presses the urgency of the action required of the user. He crafts the message so that it supports the context, making it appear genuine in the eyes of the victim. For example:

“If you don’t activate your account by clicking this link within 48 hour deadline, as per corporate policy, your mail address will be permanently blocked and you will lose all your files and mails stored on the mail server.”

e. Convincing user:

The attacker has now convinced the user to take the action required to access the organization's network. He gets friendly with the user so that the user assists him by revealing more sensitive details about the organization. For example:

“Thank you for your prompt and timely action. Unfortunately, I was unable to recover 2 mails belonging to your department. Please use the recovery backup website to login with your department credentials. Once you are logged in, your mails will be immediately restored. Thanks for your cooperation. Have a great day !!”

f. Newer ways to get information:

The attacker uses innovative tools, techniques and forms of social interaction to ultimately obtain access to the organization through various avenues. To evade detection, a good attacker doesn't use the same trick repeatedly for long, which keeps consistent behaviour patterns from emerging from the analyst's point of view.

g. Buffer periods:

To rule out the possibility of an alarm being raised due to emerging patterns of attempts, a buffer period of 1-2 weeks is usually taken to break the pattern chain.
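From the defender's side, steps f and g mean that correlation keyed on a repeated pretext or on a short time window will only ever see isolated events. The following added example (not part of the original document; the report fields, addresses and hosts are constructed assumptions) links reported messages by attributes that survive a change of pretext, and shows that the lookback window has to be longer than the 1-2 week buffer.

```python
from datetime import date, timedelta

# Constructed sample reports of suspicious mail (not data from the page).
# The pretext changes every time (step f) and sends are 11-13 days apart
# (step g), but the reply-to address and landing host are reused.
REPORTS = [
    {"id": 1, "day": "2012-09-03", "pretext": "mail-bounce",
     "reply_to": "admin@mail-support.example", "landing": "verify.example"},
    {"id": 2, "day": "2012-09-14", "pretext": "48h-deadline",
     "reply_to": "admin@mail-support.example", "landing": "restore.example"},
    {"id": 3, "day": "2012-09-27", "pretext": "backup-recovery",
     "reply_to": "it@helpdesk.example", "landing": "restore.example"},
    {"id": 4, "day": "2012-09-15", "pretext": "invoice",
     "reply_to": "billing@vendor.example", "landing": "pay.example"},
]

# Attributes that tend to survive a change of pretext; the pretext itself is
# deliberately not used for linking. (Assumed field names.)
STABLE_KEYS = ("reply_to", "landing")


def campaigns(reports, lookback_days):
    """Cluster reports: two are linked when they share a stable attribute
    and lie within lookback_days of each other; links are transitive."""
    events = sorted(reports, key=lambda r: r["day"])
    parent = {r["id"]: r["id"] for r in events}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    window = timedelta(days=lookback_days)
    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if date.fromisoformat(b["day"]) - date.fromisoformat(a["day"]) > window:
                break  # events are sorted, so later ones are further away
            if any(a[k] == b[k] for k in STABLE_KEYS):
                parent[find(b["id"])] = find(a["id"])

    groups = {}
    for r in events:
        groups.setdefault(find(r["id"]), []).append(r["id"])
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("7-day lookback: ", campaigns(REPORTS, 7))
    print("30-day lookback:", campaigns(REPORTS, 30))
```

With a 7-day lookback every report stands alone; with 30 days, reports 1, 2 and 3 collapse into one campaign even though no two of them share a pretext.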

Popular Phishing Tools Used:

SET (Social Engineering Toolkit)

Super Phisher Creator

Manual mass mailing via any mass mail solution