December 6, 2020
This is the sixth post of twelve for Mixmax Advent 2020.
At Mixmax, security is critical. Our users trust us to handle their email and other data securely. We do everything we can to merit our customers’ trust. This means that security is the concern of every engineer, every day. We also continually run security exercises throughout the year.
One recent exercise focused on phishing. Phishing involves an attacker tricking a victim into sharing sensitive information, such as their password or other personal information. A traditional attack involves the “spray and pray” method where a malicious message is sent to a large number of potential victims, without any specific targeting, and hoping that someone will fall for the trap. A targeted version of this, spear-phishing, leverages social engineering to increase the likely success of the attack. With this method, the attacker focuses on a chosen individual or organization, and attempts to impersonate a person or entity that the potential victim trusts. The victim is then more likely to provide sensitive information such as a credit card number, password, or social security number. In some cases, the attacker may be looking to gain access to the email account itself. The damage to victims can be immense both financially and reputationally.
For our exercise, we wanted to better understand how a bad actor would go about conducting a spear-phishing attack by running our own mock attack. First, we picked our mark: our manager.
Next, we prepared for our attack by gathering open source intelligence (OSINT) on them. While we had a bit of an artificial advantage, since we were hacking someone we know well, there’s an abundance of data available via social and professional networks, online public records, census data and more. Furthermore, there are various OSINT tools and frameworks that make gathering this information a trivial step.
Our next step was crafting our email bait. Again, this was made easy by existing open source tools. We used GoPhish, which took minutes to set up, to create a professional looking email. We leveraged the OSINT data we collected on LinkedIn to credibly spoof a person we felt they’d be likely to respond to: their manager.
Critically, a spear-phishing attempt will appear to come from someone the victim knows in a position of power, and ask them to do something urgently. In this case, we had their manager ask them to check on a system, and helpfully included a link purportedly to a monitoring tool. Had we been malicious actors, the link would be the conduit for delivering malware, or a spoofed site asking for credentials we could then record. Unfortunately for us, we chose a mark who was over-prepared for the attack. Our link wasn’t clicked, and our trap failed.
While we weren’t successful, the overall ease and lack of complexity in setting up our attack was a good validation of why we focus so intently on security. And the good news is that you can also use these tools to test your teams’ vulnerabilities to such attacks. By regularly conducting mock phishing attacks, you can help prevent your organization from falling victim to the real thing.
To get started, take this quiz to figure out if you’d outwit a phishing attack today.
*Well, we tried