From Zero to Hero: Phishing Campaign. Part 1

Chapter 0: Introduction

Warning: This material is provided for informational purposes only. Only repeat these actions in practice with proper authorization and agreement! The author is not responsible for the consequences of applying the information obtained in this article.

With this post, I am starting a series of articles on conducting a phishing campaign whose formal purpose is to test an organization's employees and whose informal purpose is to demonstrate the ineffectiveness of the organization's multi-factor authentication (MFA) policy.

This article gives general background on phishing. Chapter “Preparation” covers the approach and the preparatory work; the chapters “Technical Implementation” and “Example of a phishing campaign” belong together and cover the technical and practical implementation; Chapter “Results” presents the results of the phishing technique discussed; and finally, in Chapter “Recommendations,” you will find specific advice on what to do. If you already know phishing, you can skip ahead to Part 2 of this article.

Boring introductory information: phishing is a type of social engineering and fraud in which an attacker uses deception to obtain sensitive information, such as access credentials. The main types of phishing attacks:

  • Common/classic Phishing – sending emails that appear to come from known organizations or even personal contacts;
  • Spear Phishing – a more targeted approach in which the attack is aimed at a specific person or organization. The emails contain personalized information to make them more persuasive;
  • Whaling – a form of spear phishing aimed at high-ranking officials or key executives;
  • SMS phishing (Smishing) – attackers send SMS messages that claim to come from a bank, store, or other organization, asking you to click on a link or provide personal information;
  • Vishing – phishing attacks that use phone calls. Attackers call victims posing as bank or customer-service employees and try to persuade them to provide personal information or make financial transactions;
  • Pharming – an attack in which users are redirected from legitimate sites to fake ones to steal credentials. It can be accomplished by compromising or poisoning DNS servers, or by malware on the victim's machine that rewrites its hosts file or resolver settings.

In some cases, the types of attacks can be combined.

Many organizations analyze phishing attacks and publish statistics. Some figures for reference, summarized by year:

  • 2021: A huge number of phishing attacks were recorded, partly driven by the shift to remote working during the COVID-19 pandemic. A significant share of these attacks focused on credential harvesting (DataProt).
  • 2022: Phishing remained the dominant threat: about 30% of data breaches involved phishing. These attacks typically resulted in the theft of sensitive data, which was then reused in further social-engineering fraud (Comparitech).
  • 2023: Phishing attacks increased by 47.2% over the previous year (Zscaler). Google blocked about 100 million phishing emails daily, which shows the scale of the problem (AAG IT Services).
  • 2024: Phishing remains a severe problem, as sophisticated attacks use AI to make phishing emails more convincing. Phishing is expected to remain one of the most common ways of initiating a cyberattack (StationX).

The trend from year to year is growth in both the volume and the sophistication of attacks, which adapt to circumstances and follow current events; your company may be in the crosshairs right now. Phishing is currently one of the most attractive techniques for attackers because of its low cost and high potential effectiveness: a successful phishing attack can cause significant damage to an organization while requiring minimal resources.

Chapter 1: Preparation

A targeted phishing campaign (spear phishing) involves several basic steps:

  1. Goal setting
  2. Gathering information about the target
  3. Infrastructure preparation
  4. Campaign launch, data collection, and validation
  5. Report for the customer

Objectives

The first two stages belong to OSINT, a large topic of its own, so I will leave a review of the possible options for a future article. I will only say that in a test engagement, the customer usually provides the list of employees (their email addresses) and approves the text of the mailing. So it was this time: the customer wanted to test the security awareness of employees who hold key access to the company's IT infrastructure and digital assets. A list of more than 40 people from the R&D, DevOps, and IT-Ops departments was drawn up and became the targets of my attack. In the future, it will be interesting to run a mailing against employees who are theoretically less qualified in IT (sales and marketing, HR, etc.) and compare the results with those obtained from IT specialists. But let's not get ahead of ourselves.

Infrastructure

The third stage is infrastructure preparation. It can be divided into two parts:

  • Preparation independent of the target: setting up the phishing server, an email server or a mailing service, and measures against network scanners and anti-phishing solutions. More details in Chapter 2.
  • Preparation unique to each targeted campaign: registering a domain and configuring its DNS records, creating email addresses, preparing the mailing template, modifying an existing phishlet or creating a new one if necessary, and testing. Details are presented in Chapter 3.

Mailing list

The fourth stage is the launch of the campaign. Having agreed with the customer on the mailing list, the text of the letter, and the launch time, and having prepared the infrastructure, it may seem that all that remains is to press the start button, but this is far from the end. It is equally important to monitor the services and record every user action. If possible, keep a second copy of everything you receive: you get only one attempt at a phishing campaign, and data that is lost is lost forever. I also recommend agreeing with the customer in advance on data validation; for example, during the campaign, not only record the captured credentials but also check whether they are valid. Take screenshots and record your screen, especially at the moments when access to sensitive information is gained. But never use captured credentials without the customer's prior agreement, and never use them against third-party services; that can end badly!

Results and report

The last stage is the report on the completed work, the most crucial part for the customer and what they pay for. A customer ordering the service expects to receive not only the process itself but also the result, set out in the report. With the report, the customer can continue the work of improving their security: identify weaknesses, develop measures to mitigate risks, and use the statistics and data analysis in the future. This is why recording and duplicating all data in the previous stage is essential: it minimizes the chance of losing information. Remember that regardless of how the campaign went, you cannot just write "all is well" or "all is bad". Even before the campaign is launched, clarify which points the customer wants to see in the report. The report should include at least the following sections:

  1. Attacker model, methodology, and goals of a phishing campaign;
  2. Scope of work (target domain, mailing list, email text, allowable actions by the auditor);
  3. The result of conducting a phishing attack and analyzing it;
  4. Recommendations on the results of a phishing campaign.
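The two closing stages, data collection and validation and then the report, are easier to get right if the campaign's raw event stream is treated as the single source of truth. The script below is an added example, not code from the original article or from any phishing framework: it mirrors every event to a second file before anything is analyzed, derives the per-target funnel (sent, opened, clicked, submitted) with duplicate submissions collapsed, groups the funnel by department for the "results and analysis" section, lists the accounts whose credentials were submitted without copying the passwords into the report, and keeps credential validity checking as a separate, customer-approved step. The JSON-lines event format, field names, addresses and departments are all constructed for the example.

```python
"""Added example: post-campaign analysis of a constructed phishing event log.
The event format (JSON lines with ts/event/target/dept/creds) is an assumption
for this example, not the output format of any particular tool."""
import json
import tempfile
from collections import defaultdict
from datetime import datetime

# Constructed sample events, as a phishing server might log them.
# Note the duplicated "submitted" line: the victim pressed the button twice.
SAMPLE_EVENTS = """\
{"ts":"2024-05-06T09:00:01Z","event":"sent","target":"a.ivanov@example.test","dept":"R&D"}
{"ts":"2024-05-06T09:00:02Z","event":"sent","target":"b.petrov@example.test","dept":"DevOps"}
{"ts":"2024-05-06T09:00:03Z","event":"sent","target":"c.sidorov@example.test","dept":"IT-Ops"}
{"ts":"2024-05-06T09:07:40Z","event":"opened","target":"a.ivanov@example.test","dept":"R&D"}
{"ts":"2024-05-06T09:08:15Z","event":"clicked","target":"a.ivanov@example.test","dept":"R&D"}
{"ts":"2024-05-06T09:09:02Z","event":"submitted","target":"a.ivanov@example.test","dept":"R&D","creds":{"user":"a.ivanov","password":"hunter2"}}
{"ts":"2024-05-06T09:09:02Z","event":"submitted","target":"a.ivanov@example.test","dept":"R&D","creds":{"user":"a.ivanov","password":"hunter2"}}
{"ts":"2024-05-06T10:30:00Z","event":"opened","target":"b.petrov@example.test","dept":"DevOps"}
{"ts":"2024-05-06T10:31:11Z","event":"reported","target":"b.petrov@example.test","dept":"DevOps"}
"""

# Funnel stages in order; "reported" is tracked separately because it is a
# positive outcome, not a step towards compromise.
FUNNEL = ("sent", "opened", "clicked", "submitted")


def parse_events(text):
    """Parse JSON-lines events; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events


def mirror_events(events, path):
    """Append every raw event to a second file before analysing anything.
    The campaign runs once; an event that is lost cannot be recreated."""
    with open(path, "a", encoding="utf-8") as fh:
        for ev in events:
            fh.write(json.dumps(ev, default=str) + "\n")


def per_target_funnel(events):
    """Furthest funnel stage reached by each target, plus the first timestamp
    of every stage. Repeated events (double form submission) collapse to one."""
    targets = {}
    for ev in events:
        if ev["event"] not in FUNNEL:
            continue
        rec = targets.setdefault(ev["target"], {"dept": ev["dept"], "stage": -1, "first": {}})
        rec["stage"] = max(rec["stage"], FUNNEL.index(ev["event"]))
        rec["first"].setdefault(ev["event"], ev["ts"])
    return targets


def department_funnel(events):
    """How many targets in each department reached each stage of the funnel.
    This is the table that goes into the 'results and analysis' section."""
    counts = defaultdict(lambda: [0] * len(FUNNEL))
    for rec in per_target_funnel(events).values():
        for stage in range(rec["stage"] + 1):
            counts[rec["dept"]][stage] += 1
    return dict(counts)


def reported_targets(events):
    """Targets who reported the mail; they belong in the report as a success."""
    return {ev["target"] for ev in events if ev["event"] == "reported"}


def harvested_accounts(events):
    """Usernames submitted on the phishing page. Passwords are deliberately not
    copied out: checking whether they are valid is a separate step that is done
    only with the customer's prior agreement, and never against third parties."""
    return sorted({ev["creds"]["user"] for ev in events if ev["event"] == "submitted"})


def seconds_open_to_click(events, target):
    """Time between first open and first click for one target, or None."""
    rec = per_target_funnel(events).get(target)
    if not rec or "opened" not in rec["first"] or "clicked" not in rec["first"]:
        return None
    return (rec["first"]["clicked"] - rec["first"]["opened"]).total_seconds()


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    mirror_events(evs, tempfile.mktemp(suffix=".jsonl"))  # second copy first
    for dept, counts in department_funnel(evs).items():
        print(dept, dict(zip(FUNNEL, counts)))
    print("reported:", sorted(reported_targets(evs)))
    print("accounts submitted:", harvested_accounts(evs))
    print("open->click (s):", seconds_open_to_click(evs, "a.ivanov@example.test"))
```

The per-department table is what makes the comparison the author plans (IT staff versus sales, HR, etc.) possible later: keep the department field in every event from day one, because it cannot be reconstructed after the campaign from the phishing server's logs alone.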

Author: @resource_not_found

See also:

Part 2
Part 3