Protect against phishing by thinking like a hacker

08/04/2016


Whether it’s a potential client or a competitor, in the business world, there’s nothing like walking a mile in the other guy’s shoes to help you understand how they think before you formulate a sales approach or competitive strategy.

The same goes for information security. What better way to understand hackers who use phishing techniques than to look at a target company from the hackers’ point of view? Armed with that insight, you’ll be better equipped to head the “phishermen” off at the pass and protect yourself.

To demonstrate, we’ll use a hypothetical company (we’ll call it False Inc.) and look at the business as a hacker might. But first, some background on phishing.

Generally speaking, phishing is a technique hackers use to trick users into surrendering sensitive information or allowing access to their systems. While there are many types of phishing, here are a few common ones:

  • Phishing – generic attempts via email to acquire sensitive information by tricking users
  • Vishing – cold calls to an entity attempting to trick the recipient of the phone call into performing some action (installing malware on their system, performing a funds transfer, etc.)
  • Spear phishing – targeted phishing attempts aimed at specific individuals or groups within an organization where the attempts are personalized to increase credibility
  • Whaling – highly targeted attempts using email as the communication medium to gather sensitive information from high-value individuals within an organization

Attack plan for False Inc.
Now that we have an outline of the various options for a phishing attack, here’s a plan of attack hackers might employ against our mythical company.

  • Research False Inc. to understand its organizational structure, business drivers, vendors, employees’ social media content and other sources of information.
  • Obtain email addresses for the company by harvesting publicly available emails and “mangling” known employee names (converting employee names to the known email format of the targeted company).
  • Purchase a domain name similar to false.com or to the domain of a company that False Inc. does business with.
  • Clone a website that resembles the false.com email log-in page, or develop a document carrying malware that someone inside the company would be likely to open.

To implement the attack plan, we’ll pretend to be a LinkedIn user who was recently hired into the False Inc. IT department. We’ll use the description of that person’s job responsibilities on LinkedIn to tailor the content of the phishing email and make it more believable.

We’ll also purchase a domain name similar to the company’s real one. Our choice is fa1seinc.com, replacing the letter “l” in “false” with the number “1.” The next step is to clone the company’s Outlook Web Access (OWA) web email portal and host it on a server that our fake domain of owa.fa1seinc.com points to.
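The lookalike domain above works because “fa1seinc.com” reads as “falseinc.com” to a hurried eye. The defensive counterpart is to have mail gateways or SIEM rules flag sender and link domains that resolve to a legitimate domain once confusable characters are mapped back, or that sit one typo away from it. The following is an added example, not code from the original article or from any product it describes; the legitimate domain list, the confusable table and the sample hostnames are all constructed for the hypothetical False Inc. and would be replaced by an organization’s real domains.

```python
"""Flag lookalike sender or link domains against an organization's legitimate domains.

Added illustration for the hypothetical False Inc. scenario; the domain list,
confusable table and sample inputs are constructed, not taken from a real product.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Characters and letter pairs attackers commonly swap for visually similar ones
# (constructed, deliberately short list). Each maps back to what it imitates.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",   # multi-character sequences first
    "1": "l", "|": "l", "!": "l",
    "0": "o", "3": "e", "5": "s",
}

# Constructed: the domains False Inc. actually owns and sends mail from.
LEGIT_DOMAINS = {"false.com", "falseinc.com"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname such as owa.fa1seinc.com to its last two labels.

    Simplification: multi-label public suffixes (e.g. co.uk) are not handled.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Map confusable characters back to the letters they imitate."""
    out = domain.lower()
    for seq in sorted(CONFUSABLES, key=len, reverse=True):  # longest match first
        out = out.replace(seq, CONFUSABLES[seq])
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches typosquats like falsinc.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    domain: str                 # registrable domain that was examined
    lookalike_of: Optional[str]  # legitimate domain it imitates, if any
    reason: str                 # why it was (or was not) flagged


def classify(host: str, legit: Iterable[str] = LEGIT_DOMAINS) -> Verdict:
    """Decide whether a hostname is legitimate, a lookalike, or unrelated."""
    dom = registrable_domain(host)
    good_list = sorted(legit)
    if dom in good_list:
        return Verdict(dom, None, "legitimate")

    # 1. Confusable substitution: fa1seinc.com -> falseinc.com
    norm = normalize(dom)
    for good in good_list:
        if norm == good:
            return Verdict(dom, good, "confusable characters")

    # 2. Single typo in the second-level label with the same TLD: falsinc.com
    name, _, tld = dom.rpartition(".")
    for good in good_list:
        gname, _, gtld = good.rpartition(".")
        if tld == gtld and edit_distance(name, gname) == 1:
            return Verdict(dom, good, "one edit away")

    # 3. Brand name embedded in a longer label: falseinc-support.com
    for good in good_list:
        brand = good.split(".")[0]
        if brand in name and name != brand:
            return Verdict(dom, good, "contains brand name")

    return Verdict(dom, None, "unrelated")


if __name__ == "__main__":
    # Constructed sample hosts, including the article's owa.fa1seinc.com.
    for h in ["mail.false.com", "owa.fa1seinc.com", "falsinc.com",
              "falseinc-support.com", "example.org"]:
        print(h, "->", classify(h))
```

In practice this check runs on the envelope sender, the From: header and every URL host in the message body, and a hit routes the mail to quarantine or adds a visible banner rather than silently dropping it, since legitimate partners occasionally register brand-adjacent domains.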

After testing to ensure the attack will work consistently and as intended, we send an email like this:

If we’re successful, the recipient will click the link, go to the cloned web email server (which looks just like the company’s regular email web portal), enter their credentials and be redirected to the real OWA server as if nothing is wrong. With those captured credentials, we can now log in to the company’s real OWA portal (unless it requires multi-factor authentication) and continue phishing employees from the compromised internal email address.

Depending on an attacker’s motivation, they may broaden their access, gather data, encrypt corporate data to make it unusable (CryptoWare), elevate privileges or do other damage.

Obviously, a hacker can wreak a lot of havoc once they’ve gained access to your company’s information. How can you protect yourself? In an upcoming article, we’ll discuss best practices for warding off phishing attacks.