
Default Phishing Pretexts

A pretext is the story that makes opening an attachment or following a link look like a reasonable thing to do. The more plausible it is, the better. Since old pretexts become well known after a while, it pays to come up with new ones occasionally.

As it can be hard to think of new pretexts, this post presents and analyses a short overview of the default pretext templates shipped with several phishing tools.

Please note that in the context of phishing, "template" often refers to email templates as well as website templates (for credential phishing). Only email templates are discussed here. Both nevertheless have to be aligned with the chosen pretext.

Default templates

For an initial assessment, four different sets of default phishing email templates are presented. Each set corresponds to a phishing tool. The tools considered are SET, SPF, King Phisher and Phishing Pretexts.

Social Engineer Toolkit (SET)

The Social Engineer Toolkit (SET) is a comprehensive framework for social engineering attacks and features a broad set of attack vectors. For this post, only the default templates of the spear phishing module are considered.

There are ten templates available. All are plain text (no HTML) and come with a predefined subject and body.

subject: WOAAAA!!!!!!!!!! This is crazy…

You have to see the attached file… I can’t believe it…

subject: How long has it been?

How long has it been since you saw this? Attached…

subject: Have you seen this?

Hey.. Not sure if you saw this but I wasn’t aware of it…

subject: Baby Pics

Baby pics of little Sabitha at 6 months, shes so cute..

subject: Dan Brown’s Angels & Demons

Hey

I found a pdf version of Dan Brown’s book “Angels & Demons” on the internet.
I already read the book and it is great. You will enjoy reading it at least once.

Have fun reading it and write me back how you liked it.

Bye

subject: New Update

There was a new update to the overall document that I need you to review. You’ll notice the changes on page 2 and 3.

Thanks for the help!

James

subject: Order Confirmation

Hello,
Attached you will find your receipt for the order that you placed. Please be aware that it may take 2-3 business days for items to be shipped.

It has been a pleasure to have your business.

Thank you
Jim Woznaky

subject: Computer Issue

Greetings,

I have been recently experiencing issues with my computer and have been unable to run this report, I believe that the file may be messed up however, I cannot confirm this. Can someone please take a look and identify if it is my machine or just this file? I have an immediate deadline to produce this report, any help would be greatly appreciated.


Sincerely,

Jeff

subject: Status Report

Greetings,

Please view the latest status report.

Thanks,

Rich

subject: Strange internet usage from your computer

Greetings,

We have been noticing strange internet traffic originating from your computer. It appears there has been a small outbreak of viruses that may have spread across the network. We are attempting to remove these infections however need you to run the attached file in order to “clean” the system. Your help in this manner is greatly appreciated.

Warm regards,

The Systems Administration Team

Obviously, the quality of a pretext depends on the information available about the target. The templates included in SET are quite generic. When they are used, it is strongly recommended to adapt at least the greeting and farewell phrases. If available, additional information in the message body also increases effectiveness: is the target really interested in Dan Brown, or rather in Stephen King, or not in books at all but in baseball?

SpeedPhish Framework (SPF)

The SpeedPhish Framework (SPF) is a framework specifically for email-based phishing and thus narrower in scope than SET. Like SET, it ships non-HTML email templates with subject and message; there are seven of them.

subject: Updated CISCO VPN Server

Due to recent issues with the Cisco VPN gateway and growing Internet based threats, we have deployed an updated access server.

[[TARGET]]

Please verify that you can access the site.


Service Desk, Information Technology

subject: Updated Citrix Server

Due to recent issues with the Citrix gateway and growing Internet based threats, we have deployed an updated access server.

[[TARGET]]

Please verify that you can access the site.


Service Desk, Information Technology

subject: New Domino Server

As part of improvements to company Internet security, we have rolled out an updated new webmail access server.

[[TARGET]]

Please verify that you can access the site before this Friday.

IT Support

subject: New Login Portal

As part of improvements to company Internet security, we have rolled out an updated new remote access server.

[[TARGET]]

Please verify that you can access the site before this Friday.

IT Support

subject: Updated Juniper VPN Server

Due to recent issues with the Juniper VPN gateway and growing Internet based threats, we have deployed an updated access server.

[[TARGET]]

Please verify that you can access the site.


Service Desk, Information Technology

subject: Webmail – Office 365

Hello,

In an effort to continue bringing you the best available technology, our team has implemented the newest version of Microsoft’s Office 365 Webmail.

Your existing emails, contacts. and calendar events will be seamlessly transfered to your new account.

Visit [[TARGET]]

and login with your current username and password to confirm your new account.

Thankyou,
IT Support

subject: New OWA Server

As part of improvements to company Internet security, we have rolled out an updated new webmail access server.

[[TARGET]]

Please verify that you can access the site before this Friday.

IT Support

In contrast to SET, SPF uses URL-based payloads; the URL placeholder is [[TARGET]]. In terms of personalisation, SPF's templates carry no target-specific information at all, which makes them more suitable for a large number of targets. The message content is heavily based on IT department-style emails announcing a new system. In such a scenario, effectiveness can be increased significantly if the names of IT department staff members, or an actual email sent by the IT department, can be enumerated in advance. The latter scenario is dynamite phishing.

King Phisher

King Phisher puts much more effort into its templates. A total of 13 variables can be included in a template, for example the first and last name of the target or the spoofed sender. Such information makes the pretext more credible. In many cases it can be extracted from the email address itself or with OSINT tools such as The Harvester.

A total of 11 templates in 3 groups are included in King Phisher. The calendar invite and credentials groups contain templates for URL-based payloads, while the shell group contains templates for attachment-based payloads.

Calendar Invite Group


While MeetMe appears to be a dating app nowadays, the idea of exploiting common properties of meeting invitations in a business context can be applied to other tools as well:

  • It is common that such emails do not show the URL but some simplified text ("Click Here to Join").
  • Legitimate server URLs may not be well known.
  • Frequently, the sender is unknown (a new project) or a server-side application managing a mailing list.

Popular applications that can be used as templates are Doodle, Zoom, Webex, Slack and so on. Effectiveness may be increased by enumerating the applications actually used within the target organisation or by the target person.

Credentials Group


For credential phishing, it is crucial to know which applications are used by the target. Email login pages are always a good choice, as almost everybody uses email. Nevertheless, the phishing login page should resemble the actual login page of the target, which therefore has to be known in advance.

The two HTML templates are nice examples of how HTML buttons can be used to hide the actual URL behind display text. Note that the real href is still visible on hover, in the status bar and in the raw message, so the link destination itself still has to look plausible.
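The flip side of that trick is the check a mail gateway or a reviewer runs: parse every anchor, surface the host the href really points to, and flag links whose visible text shows a different host or is an opaque button caption. The following is an added example (not code from King Phisher or the original post); the HTML body and hostnames are constructed for illustration.

```python
"""Surface the real destination of every link in an HTML mail body.

Added example. Parses the anchors in an HTML body and reports, per link,
the host the href really points to, whether the visible text names a
different host, and whether the text is an opaque label ("Click Here").
"""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Visible text a reader would take for an address: optional scheme,
# a dotted host with a TLD, optional path. Button captions contain spaces
# and never match.
DOMAIN_RE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # inside an <a>, including nested <b>/<span>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def displayed_host(text: str) -> Optional[str]:
    """Host the reader *thinks* the link goes to, or None for button-style text."""
    t = text.strip()
    if not DOMAIN_RE.match(t):
        return None
    if not t.lower().startswith(("http://", "https://")):
        t = "https://" + t
    return host_of(t)


def audit_links(html: str) -> list[dict]:
    """One record per link: real host, and whether the text hides or contradicts it."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    report = []
    for href, text in parser.links:
        real, shown = host_of(href), displayed_host(text)
        report.append({
            "text": text,
            "href_host": real,
            "mismatch": shown is not None and shown != real,  # text lies about the host
            "opaque": shown is None,                           # "Click Here" style label
        })
    return report


def mismatched(html: str) -> list[tuple[str, str]]:
    """(visible text, real host) for links whose text shows a different host."""
    return [(r["text"], r["href_host"]) for r in audit_links(html) if r["mismatch"]]


# Constructed sample body; hostnames are placeholders, not real infrastructure.
SAMPLE_HTML = """
<p>Visit <a href="https://login.example-mail.net/owa">https://mail.example.com/owa</a>
and login with your current credentials.</p>
<p><a href="https://evil.example.net/join"><b>Click Here to Join</b></a></p>
<p>Questions? See <a href="https://intranet.example.com/help">intranet.example.com/help</a>.</p>
"""

if __name__ == "__main__":
    for entry in audit_links(SAMPLE_HTML):
        print(entry)
```

Opaque links are not flagged as bad on their own (most legitimate buttons look like that); the point is that the report lists their real host next to the caption, which is exactly what the button was meant to keep out of sight.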

Shell Group


For attachment-based payloads, King Phisher provides mostly plain-text templates. Topics are virus containment, court requests, company policies, tax documents and (most creatively) phishing awareness.

The last one may be slightly riskier, as the email itself explains why it is not a good idea to follow links or open attachments. On the other hand, it may be perceived as trustworthy.

Court requests (or orders) as well as law enforcement inquiries should be adapted to the target country. The same is true for specific documents (e.g. W-2 tax forms) and policies (generic BYOD vs. European GDPR). The target country can usually be determined with little effort.

Phishing Pretexts

Phishing Pretexts is a library of 14 pretexts for URL- and attachment-based phishing. A typical template has around six variables (e.g. name, greeting, URL) to tweak it with more specific information. Variables are indicated by $.

Even though all templates are HTML, none of them includes boxes, background colours or buttons.
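Whatever tool renders them, the two placeholder styles seen so far (SPF's literal [[TARGET]] and the $variable form used by Phishing Pretexts, which happens to be exactly Python's string.Template syntax) share one operational failure mode: a single unfilled placeholder in a sent mail gives the campaign away. The following is an added example (not code from SPF or Phishing Pretexts) that renders a template per target and refuses to queue any message with a leftover placeholder. Template bodies, variable names and the target list are constructed for the example.

```python
"""Render pretext templates for a target list; reject anything with a leftover placeholder.

Added example. Handles SPF's [[TARGET]] and the $variable form of
Phishing Pretexts via string.Template. All templates and targets below
are constructed for illustration.
"""
import re
from string import Template

SPF_PLACEHOLDER = "[[TARGET]]"

# Constructed SPF-style body: a single URL placeholder, no personalisation.
SPF_TEMPLATE = """Due to recent issues with the VPN gateway, we have deployed an updated access server.

[[TARGET]]

Please verify that you can access the site.
"""

# Constructed Phishing Pretexts-style body. A literal dollar amount must be
# written as $$ so it is not mistaken for a variable (string.Template would
# otherwise raise on "$12" with substitute(), or leave it untouched here).
PRETEXT_TEMPLATE = """$greeting $firstname,

According to our logs, you haven't logged in to your $organization $service
account in over 30 days. Access the portal below before $date to keep it.

$evilurl

Outstanding license fee: $$12,196.33

$organization IT
"""

# Anything that still looks like a placeholder after rendering:
# $name, ${name} or [[NAME]].
LEFTOVER = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|\[\[[A-Z_]+\]\]")


def render_spf(template: str, url: str) -> str:
    return template.replace(SPF_PLACEHOLDER, url)


def render_pretext(template: str, target: dict) -> str:
    # safe_substitute leaves unknown variables in place instead of raising,
    # so every target can be checked and reported individually.
    return Template(template).safe_substitute(target)


def leftover_placeholders(rendered: str) -> list[str]:
    """Sorted list of placeholders that survived rendering; non-empty means do not send."""
    return sorted(set(LEFTOVER.findall(rendered)))


def personalize(template: str, targets: list[dict]) -> tuple[dict, dict]:
    """Return ({email: body} ready to send, {email: [missing]} to fix first)."""
    ready, rejected = {}, {}
    for target in targets:
        body = render_pretext(template, target)
        missing = leftover_placeholders(body)
        if missing:
            rejected[target["email"]] = missing
        else:
            ready[target["email"]] = body
    return ready, rejected


# Constructed target list: Bob's record is incomplete on purpose.
TARGETS = [
    {"email": "alice@example.com", "greeting": "Dear", "firstname": "Alice",
     "organization": "Example Corp", "service": "VPN", "date": "Friday",
     "evilurl": "https://vpn-example.example.net/login"},
    {"email": "bob@example.com", "greeting": "Hi", "firstname": "Bob",
     "organization": "Example Corp",
     "evilurl": "https://vpn-example.example.net/login"},
]

if __name__ == "__main__":
    ready, rejected = personalize(PRETEXT_TEMPLATE, TARGETS)
    print(ready["alice@example.com"])
    print("rejected:", rejected)
    print(render_spf(SPF_TEMPLATE, "https://vpn-example.example.net/"))
```

The same leftover check is worth running against the raw HTML of the mail, not just the text body, since a placeholder hidden in an href or alt attribute is just as visible to a curious recipient.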

Credential Capture Payloads

subject: $service Account Deactivation Policy

$greeting $firstname,

Due to a new $organization policy to save on unused licenses, we are looking to deactivate accounts which aren’t being actively used. According to our logs, it seems you haven’t logged in to your $organization $service account in over 30 days. If you would like to keep your existing account, please access the portal below before $date. Otherwise, there’s no need to do anything else.

$evilurl

Thank you,

$organization IT

$signature

This is an automated message generated by the $organization $service system intended for $name. For further assistance, please reply directly to this message.

subject: Compromised Accounts

$greeting $firstname,

The $organization IT Security department has been made aware that some internal user accounts were recently compromised in a cyber attack. In order to identify which accounts have been compromised, we ask that you follow the instructions below as soon as possible. The site mentioned below (HaveIBeenPwned) is well-known and contains a database of popular breaches which have occured [sic!] in the last 7+ years.

If the site determines that your account has NOT been compromised, there is nothing more for you to do.

However, if the site tells you that your password HAS been compromised, please change your password immediately in order to protect company assets and data.

Thank you for your prompt assistance in this matter.

$organization IT Security
$signature

————————————————————–

Instructions:

Step 1: Access the “Have I Been Pwned” website here [href to $evilurl].

Step 2: To ensure your connection to the site is secure, verify that you see the green padlock icon in your broswer [sic!] location bar.

Step 3: Enter your current $organization login password in the field provided. DO NOT enter your username or any other identifying information.

Step 4: Click the “Pwned?” button or press “Enter”.


As mentioned above, if the site determines that your account has NOT been compromised, you are done. If the site determines your password has been stolen, please change it IMMEDIATELY.

subject: REQUIRED: GDPR Policy Acknowledgement

$firstname,

As part of the newly implemented General Data Protection Regulation (GDPR) requirements, we ask that you please read and acknowledge $organization’s policy by $time on $date.

$evilurl

Thank you for your cooperation,

$legalemployee

$signature

subject: Incident Acknowledgement Form

$firstname,

We have been notified of your possibly being a 3rd party witness to an incident which took place on $incidentdate. Per $organization’s Employee Handbook Rules, we require employees to confirm the incident before proceeding with further questions, should they arise.

Please carefully read the anonymized incident description and confirm whether or not you were a witness. Once you have completed the form, we ask that you please use your best judgement and refrain from discussing the incident further.

$evilurl

Once the form is submitted, there is no need for further action and we ask that you please wait for someone from HR to contact you if we have any questions.

Thank you for your cooperation,

$hremployee

$signature

Please note that this template also requires an incident confirmation page to be set up. Phishing Pretexts provides a template for that page as well.

subject: URGENT: Annual Information Security Training

$firstname,

According to our training records, you have not completed the following annual training requirements:

– Information Security Awareness (SA46559)
– Information Security Password Policy Training (SA46189)

If these courses are not completed by $date, your supervisor will be notified daily until the courses have been completed. We take great pride in maintaining a secure environment, and our annual training requirements play a large role in this success.

Follow the link below to login to the $organization training portal:

$evilurl

We understand that you and all of our employees here at $organization work very hard and maintain busy work schedules. We appreciate your prompt attention to ensure that we all stay within regulatory compliance!

Note: Please reply to this email if you have any trouble accessing the training portal.

Thanks,


Information Security

$signature

subject: Your $service Account Has Been Locked

$greeting $firstname,

We are e-mailing you regarding your $organization $service account, which has been automatically locked due to inactivity for security purposes. To avoid service interruption, make sure to access the $service portal within the next 24 hours via this reactivation link:

$evilreactivationurl

Thank you,


$organization IT Team

$signature


This is an automated message generated by the $organization $service system intended for $name. For further assistance, please reply directly to this message.

subject: New Webmail – Office 365 Rollout

Dear colleagues,

In an effort to continue to bring you the best available technology, $organization has implemented the newest version of Microsoft’s Office 365 Webmail. Your existing emails, contacts, and calendar events will be seamlessly transferred to your new account.

Visit the new webmail website [href to $evilurl] and login with your current username and password to confirm your upgraded account.

If you have additional questions or need clarification, please contact the Help Desk at helpdesk@$evildomain.


Thank you,


$organization Office of Information Technology

subject: Verify State for Payroll Deductible

$greeting $firstname,

We’ve been having a few issues with paystubs not showing employees’ correct state for income tax deduction. This has only affected a handful of people from $organization’s $department department so far, however we are being cautious with the issue and asking all employees to make the verification. If the correct state is listed, please disregard this message. Otherwise, please let me know so that myself or someone else from accounting can straighten the issue as soon as possible.

We apologize for the issues and can assure you that we are working on resolving this as fast as we can.

$evilurl

Thank you,

$accountingemployee

$signature

subject: $energyco $holiday Outage Notification

$firstname,

As a valued customer of $electricco, we hope you’re enjoying our national holiday with friends and family. While millions of Americans today are celebrating their country, we have noticed an increase in opportunistic attacks on our infrastructure and networks.

Unfortunately, it appears that a few of our customers’ accounts have been compromised as a result, and your account has been deemed insecure. As such, we ask that you please login to our portal as soon as possible and change your password via the following link:

$evilurl

The security of our customers is our priority and we apologize for any inconvenience you may experience as a result of this attack. We are still investigating the matter and are here to answer any further questions you may have.

Thank you for being a valued customer,

$ciso,
CISO, $energyco

subject: [Partially Resolved] VPN Connection Issues and Outages

Good morning folks,

We are currently experiencing some issues with VPN connectivity in the $location office and surrounding area. If you could please verify connectivity for us by accessing our temporary portal located here [href to $evilurl] and letting us know the results by replying to this e-mail, it would be much appreciated.

For those of you who are still having some issues, we are working on it and hope to have these fixed by end of day.

Thanks,


$itperson

$signature

subject: Confirmation Required for 2018 Benefits

$greeting $firstname,

We are still awaiting on confirmation of your 2018 $organization Employee Benefits Package. Please login to review and acknowledge this year’s benefits.

$evilurl

Should you have any questions, please don’t hesitate to reach out to $hremployee@$evildomain.

Here’s to a productive 2018!


$hremployee

$signature

Attachment-based Payloads

subject: Information regarding the $casename case

$greeting $hremployee,

Some new information regarding the $casename case which went to court last $casedate has been brought to my attention. As you know, we take this kind of information seriously and I wanted to touch base with you for a few things:

– Go over the information. (the file is encrypted with a password: $fakepassword)
– Verify the information.
– Report back with your comments.

I’m sure you’re aware that the nature of the file’s contents are sensitive, and therefore ask that you please not discuss them with anyone outside of this e-mail.


Cordially,


$legalemployee

$signature

subject: New information regarding the ongoing $casename case

$greeting $hremployee,

I am contacting you (as well as other fellow $organization employees) regarding the ongoing $casename case, which has been going through the courts since $casedate1. As you may know, a motion to adjourn was passed on $motiondate to resume on $casedate2. In light of this, we need some help for those in positions relevant to the case in order to review some information. Most of it will likely be a bit repetitive, and we appreciate your collaboration and patience while going over the instructions below.

– Access our extranet with your regular credentials: $evilurl
– Go over the information.
– Verify the information and sign your name.
– Report back with your comments before $date.

I’m sure you’re aware that the nature of the file’s contents are sensitive, and therefore ask that you please not discuss them with anyone outside of this e-mail.


Cordially,


$legalemployee

$signature

subject: $3rdparty Shipping [Do Not Reply] (from donotreply@$3rdparty.com)

Hello $firstname,

Attached is a copy of your invoice for your recent purchase on behalf of $organization. Please review it and make any necessary modifications via our secure portal before delivery on $date.

Total: $12,196.33
Payment Due: $deliverydate
Delivery: $date
Bill To:
$name
$address


**This is an automatically generated email, please do not reply.**

[Include fake logo here]

Analysis

In total, 41 templates were presented. A comparative overview is given in the table below:

| Template | Payload | HTML | Theme | Sender |
|---|---|---|---|---|
| WOAA!! | Attach | No | Curiosity | Generic |
| How long | Attach | No | Curiosity | Generic |
| Baby pics | Attach | No | Curiosity | Generic |
| Book | Attach | No | Free stuff | Generic |
| Document | Attach | No | Update | Colleague |
| Order | Attach | No | Shipping | ext. Supplier |
| Computer | Attach | No | Tech. issue | Colleague |
| Report | Attach | No | Update | Colleague |
| Strange | Attach | No | Security | IT Dept. |
| VPN | URL | No | Update | IT Dept. |
| Citrix | URL | No | Update | IT Dept. |
| Domino | URL | No | Update | IT Dept. |
| Portal | URL | No | Update | IT Dept. |
| Juniper | URL | No | Update | IT Dept. |
| Office 365 | URL | No | Update | IT Dept. |
| OWA | URL | No | Update | IT Dept. |
| Invite | URL | Yes | Meeting | App. |
| Anti-vir | URL | Yes | Security | IT Dept. |
| Mailbox | URL | Yes | Tech. issue | IT Dept. |
| Survey | URL | Yes | Survey | HR |
| Ticket | URL | Yes | Tech. issue | App. |
| Virus | Attach | No | Security | IT Dept. |
| Court | Attach | Yes | Jury service | Gov. |
| BYOD | Attach | No | Policy | HR, Legal |
| Prizes | Attach | No | Money | HR |
| W-2 | Attach | No | Payment | HR |
| Aware | Attach | Yes | Security | IT Dept. |
| License | URL | Yes | Policy | IT Dept. |
| PWND | URL | Yes | Security | IT Dept. |
| GDPR | URL | Yes | Policy | Legal |
| Incident | URL | Yes | Policy | Legal |
| Training | URL | Yes | Security | HR |
| Case1 | Attach | Yes | Witness | Legal |
| Case2 | Attach | Yes | Witness | Legal |
| Account | URL | Yes | Security | IT Dept. |
| Webmail | URL | Yes | Update | IT Dept. |
| Payroll | URL | No | Payment | Accounting |
| Energy | URL | No | Security | ext. Supplier |
| Invoice | Attach | Yes | Shipping | ext. Supplier |
| VPN2 | URL | No | Update | IT Dept. |
| Benefit | URL | No | Payment | HR |

The Good, the Bad, the Missing

There are a lot of IT Dept. (41%), update-related (27%) and security-related (20%) templates. While this is not necessarily a bad thing, a more diverse set of pretexts may be more effective.

Good examples are the meeting invitation and the survey (who doesn't like those).

Comparing against the Phishing Taxonomy (see below), further options become visible:

  • Targets: No whaling-type templates are available.
  • Tactics: The templates rely on scarcity heuristics ("only today", "for a short time") and status quo bias ("will be deleted", "will be disabled"). The only authoritative template is the court request; additional authoritative senders could be law enforcement, government officials and senior staff/C-level (CEO fraud).
  • Payloads: Non-technical payloads are not available. Using this type of payload may require extensive knowledge of the target's environment; examples are "…what was the password for … again…" and "…can you add me/my account to…".

Advanced Pretext Ideas

  • Multiple Personas: Phishing is often a 1-on-1 interaction, but this is not necessary. More sophisticated efforts may include several personas interacting with each other and/or with the target, for example "my colleague will come back to you".
  • Multiple Communications: In all templates above, the interaction is: one email is sent, and the target clicks the link, opens the attachment or ignores it. More effective phishing involves several messages (over different media), if possible spread over a longer period of time.

TL;DR:
1. Use your creativity instead of default templates.
2. Collect as much information as possible (and put it in the email)
3. Establish multiple communications with multiple personas.


A Curated List of Phishing Resources

Collection of useful resources for red teamers, pentesters, security researchers and anyone interested in the technical and non-technical aspects of phishing and related topics. The GitHub project is available here.

Idea, concept and some resources from Awesome Red Teaming.

Email Security

Encryption Standards

Email Authentication

Filter Techniques

OSINT for Phishers

Phishing Infrastructure

Payloads and Filter Evasion

Tools and Frameworks

OSINT Tools

Phishing Campaign Tools

Payload Tools

Books and Ebooks

Campaign Write-ups

Phishing Prevention and Detection

Phishing-related Scientific Research

Miscellaneous

Phishing Economy

Phishing Ethics

Phishing Filosophy: Some philosophy to consider before launching a phishing test against your own company

Definitions

OpSec

Phishing Quiz

Report Sites

Other


A Phishing Taxonomy

Phishing is a versatile technique. This post introduces the most common communication media, targets, social engineering tactics and payloads and puts them into context.

Communication Media

The choice of medium by which message and payload are delivered often comes with restrictions; for example, voice calls cannot carry attachments.

  • Email: The most classical medium for phishing. An email is sent to the recipient. Flexible in terms of payloads and spoofing options.
  • Voice call (Vishing): Voice calls can be much more effective in targeted phishing. No data payload possible.
  • SMS (Smishing): Legacy medium for phishing; may be superseded by instant messaging. Still relevant, as 2FA uses SMS in some cases.
  • Instant messaging: A recent medium exploited for phishing. E2E encryption bypasses server-side message filters and gives a false sense of security.
  • Social Media: Also a recent trend in phishing. Targets are easier to identify, as no email address or phone number is required a priori.

There are many other means of communication that are suitable; basically, any form of communication can be used. However, some media are not considered phishing. Physical presence (impersonation) is such a medium: it counts as a social engineering technique, but typically not as phishing.

Targets

The recipients of phishing attempts can be divided into the following classes:

  • Spear phishing: The target is a single person. Message and payload are crafted with a lot of detail and effort.
  • Dynamite phishing: Like spear phishing, but targeting a group. Uses information from previous communications within the target group, and is often used after a successful spear phish for lateral movement.
  • Whaling: Spear phishing against senior staff or C-level (whale = big fish).
  • Spam: The target is a large group, typically without any personal information.

Social Engineering Tactics

Phishing is a lot about psychology. Choosing the right social engineering tactic is essential, and the best tactic depends on factors such as the target's personality and situation. Tactics can focus on the sender (authoritative, enticing, gullibility) or on the content (greedy, quid pro quo, commitment, scarcity, status quo).

  • Authoritative: Pose as an authority, e.g. federal law enforcement or a government employee.
  • Enticing: Copy mail templates from well-known parties (clone phishing), e.g. Google or PayPal.
  • Gullibility: Impersonate a trusted party, e.g. support staff.
  • Greedy: Pretend to be willing to spend money, or promise get-rich-quick schemes.
  • Quid pro quo (Reciprocity bias): Exploit that humans tend to pay back what they perceive as a favour.
  • Commitment (Sunk-cost fallacy): Exploit that humans tend to make decisions that align with their previous decisions.
  • Scarcity heuristics: Exploit that humans tend to value things more if they are easier to lose.
  • Status quo bias: Exploit that humans tend to prefer the current state over changes.

Payload Options

The payload is typically the most technical part of phishing. A characteristic of phishing is that user interaction is required; after the initial interaction (e.g. opening a document), execution should be as automated as possible.

  • Attachment-based: Payloads delivered via attachment most likely exploit a vulnerability in document rendering software (e.g. Adobe Acrobat for PDF), execute macros in office documents (e.g. Microsoft Word for .doc/.docx) or are executables themselves. Arbitrary code execution may be achieved. A recent post-exploitation method is to change local DNS entries (e.g. the hosts file) to redirect the target to malicious URLs (pharming).
  • URL-based: The target follows a URL to a malicious site, which either mimics a legitimate authentication form (credential phishing), exploits a vulnerability in the target's browser (client-side attack) or collects information for further action (information disclosure).
  • Non-technical: Rely mainly on psychology and must be perfectly aligned with the phishing tactic. Typical scenarios are asking for money transfers (CEO fraud, Nigerian prince), collecting information (bank account or SSN) or spreading hoax information, e.g. to manipulate stock prices (fake news).