I’m often asked how I perform email phishing attacks. Email phishing attacks are very compelling, and unique to each situation. The process of creating a successful email phishing campaign is very methodical, and most of the time and effort goes into the up-front planning phase.
Good security is a multilayer approach, so we will run into many layers of security that could potentially destroy our email phishing campaign. Some of these layers may include email gateway spam filters, Outlook ‘Junk Email’ filters, host-based antivirus, intrusion prevention systems, web proxy servers, egress filtering, and the list goes on and on.
Now that we know some of the most common security layers we will encounter, let’s walk through some of them to see how they can be bypassed. Some of these methodologies were adopted from Brav0Hax and purehate‘s phishing talks. Huge shout-out to those guys and the work they’ve done for the infosec community. If you haven’t seen their email phishing presentation it will answer a lot of questions you may have, check it out here.
Enumerating Email Addresses
One of the first things we need to do in any phishing campaign is enumerate email addresses. How are we going to send emails if we don’t know where we are sending to? This is where Jigsaw comes in handy to quickly and easily enumerate email addresses for us. It now has database support and can output to a nice CSV file as well. Thanks R3dy! The jigsaw developers and R3dy have been playing cat and mouse with this neat little script. The jigsaw developers are attempting to block the script from executing properly, so make sure you download the latest version for the best results.
Jigsaw works best when you sign up for a free account on jigsaw.com and pass your credentials as arguments on the CLI.
We are not going to spend a ton of time on antivirus evasion because the topic has been heavily covered by many blogs, IRC channels, YouTube videos, and virtually every other communication channel. If you want to learn more about antivirus evasion techniques, check out Metasploit’s evading antivirus wiki, which also highlights our very own metasm technique.
Having knowledge of the antivirus software you’re up against can greatly assist in the process of creating a successful phishing campaign. There is a great article here that discusses some ways to use DNS cache snooping to determine which antivirus product the target may be running.
Take the time up front to install an antivirus in a Virtual Machine (VM) before sending your phishing emails. Ideally you would install the exact version your target is running, but this is not always feasible. At a minimum you should install a couple of free antivirus products like Microsoft Security Essentials, AVG, Comodo, and others. If you can’t bypass an antivirus in your VM, why would it be any different when you launch your phishing attack? Spend the time up front to test, and do not send your payloads to VirusTotal!
Packers are typically flagged by antivirus products, but file protectors often slip right past most scan engines. If you’re looking for that little extra, feel free to purchase a valid certificate and sign your binary using signtool.exe from the SDK. That way your victims always know your binary is legit.
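The cache-snooping reconnaissance mentioned above works by sending queries with the Recursion Desired bit cleared, so the resolver answers only if it already has the name cached. On the defender's side, those RD=0 queries arriving from outside the organisation are the signal to watch for. The script below is an added example (my own code, not from this post or the linked article): it parses BIND-style query-log lines and reports external sources that issue non-recursive queries. The log layout, the internal address ranges, the placeholder vendor hostnames and the alert threshold are all assumptions, and the sample log is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed BIND 9 query-log layout:
#   client <ip>#<port> (<qname>): query: <qname> IN <type> <flags> (<server>)
# The flags field starts with '+' when Recursion Desired was set and '-' when
# it was clear; a '-' query asks only for what the resolver already has cached.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Address ranges entitled to recursive service (constructed example ranges).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log: one external host probing three placeholder AV
# update hostnames with RD clear, plus ordinary traffic that must not alert.
SAMPLE_LOG = """\
client 10.0.0.25#51234 (intranet.corp.example): query: intranet.corp.example IN A +E (10.0.0.1)
client 198.51.100.7#40001 (updates.av-vendor-one.example): query: updates.av-vendor-one.example IN A -E (10.0.0.1)
client 198.51.100.7#40002 (liveupdate.av-vendor-two.example): query: liveupdate.av-vendor-two.example IN A -E (10.0.0.1)
client 198.51.100.7#40003 (definitions.av-vendor-three.example): query: definitions.av-vendor-three.example IN A -E (10.0.0.1)
client 203.0.113.9#33000 (www.corp.example): query: www.corp.example IN A +E (10.0.0.1)
client 10.0.0.31#51300 (updates.av-vendor-one.example): query: updates.av-vendor-one.example IN A -E (10.0.0.1)
"""


def parse_query(line):
    """Extract source IP, query name and the RD flag from one line; None if unparsable."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "name": m.group("name").rstrip(".").lower(),
        "qtype": m.group("qtype"),
        "rd": m.group("flags").startswith("+"),
    }


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_snooping(lines, threshold=3):
    """Map each external source that sent at least `threshold` non-recursive
    queries to the sorted list of names it probed. Internal hosts and
    recursive (RD=1) queries are skipped: they are normal resolver traffic."""
    probes = defaultdict(list)
    for line in lines:
        q = parse_query(line)
        if q is None or q["rd"] or is_internal(q["ip"]):
            continue
        probes[q["ip"]].append(q["name"])
    return {
        ip: sorted(set(names))
        for ip, names in probes.items()
        if len(names) >= threshold
    }


if __name__ == "__main__":
    for ip, names in find_snooping(SAMPLE_LOG.splitlines()).items():
        print(f"possible cache snooping from {ip}: {', '.join(names)}")
```

The underlying weakness is a resolver that answers cache-only queries from the Internet at all; the fix is to limit recursion and cache access to internal clients (in BIND, `allow-recursion` and `allow-query-cache`), after which a check like the one above serves as a tripwire for probes that still arrive.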
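The signed-binary point cuts both ways: a signature only tells a defender who vouched for the file, so the useful control is to verify the chain and pin trusted publishers (signtool verify, Get-AuthenticodeSignature, or an AppLocker/WDAC publisher rule) rather than to treat "signed" as "safe". As an added example (my own code, not from this post), the script below does the first, offline triage step: it walks the PE headers by hand to find the Attribute Certificate Table that Authenticode signatures live in and reports whether a file carries one. It builds a constructed, header-only PE to exercise itself and deliberately does not validate the certificate, which needs a full PKCS#7 parser and the platform trust store.

```python
import struct
import sys

# Index of the Attribute Certificate Table in the optional header's data
# directory, and the type code for a PKCS#7 SignedData blob (PE/COFF spec).
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe):
    """Return (file_offset, size) of the certificate table, or None if absent.
    Unlike other directories, this entry holds a raw file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    coff = e_lfanew + 4                  # 20-byte COFF file header
    opt = coff + 20                      # optional header follows it
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                   # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                 # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", pe, count_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    offset, size = struct.unpack_from(
        "<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if offset == 0 or size == 0:
        return None
    return offset, size


def signature_status(pe):
    """'unsigned', 'authenticode-blob' (PKCS#7 SignedData present, NOT verified),
    or 'other-certificate-blob' when the first table entry is not PKCS#7."""
    entry = security_directory(pe)
    if entry is None:
        return "unsigned"
    offset, size = entry
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= size:
        return "authenticode-blob"
    return "other-certificate-blob"


def build_minimal_pe(signed):
    """Construct a header-only PE32 image for demonstration (not executable);
    when `signed`, append a WIN_CERTIFICATE wrapper around placeholder bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    header_len = 64 + 4 + 20 + 224
    cert_table = b""
    if signed:
        fake_pkcs7 = b"\x30\x82\x00\x04PLACEHOLDER"       # placeholder, not real DER
        cert_table = struct.pack("<IHH", 8 + len(fake_pkcs7), 0x0200,
                                 WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_pkcs7
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert_table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    # Pass real files on the command line to triage them; the constructed
    # images show the two outcomes without touching the filesystem.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, signature_status(f.read()))
    print("constructed unsigned PE:", signature_status(build_minimal_pe(False)))
    print("constructed PE with cert table:", signature_status(build_minimal_pe(True)))
```

An "authenticode-blob" result is only a reason to hand the file to a real verifier and compare the signer against an allowlist; an attacker who bought a certificate, as the post suggests, produces exactly this result, and only publisher pinning distinguishes that file from a legitimately signed one.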