try to not get killed by the whale

Just like there are different methods for actual fishing, there are different methods for phishing according to what your target is. Spearphishing is the act of targeting a single person or group of people. Whaling is like spearphishing, but with a greater purpose — specifically targeting individuals of high rank or status. You would be spearphishing if you decided to target the marketing team of a realty company; you would be whaling if you decided to phish the CEO. With the base we’ve already established in previous chapters, this chapter will build on that knowledge and demonstrate these more advanced techniques for landing your phish (or whale).

Recon: The Meat & Potatoes of Targeted Phishing

Let’s say you’re targeting a doctor in Ohio. What does your email say? If you feel like you don’t have enough information to answer that, you’re absolutely right. That’s why recon is so important, especially when administering targeted attacks. Without some type of ‘insider knowledge’ on your target, you can never really hope to get into their bubble of trust. Large scale phishing attacks are mostly a numbers game, with measures taken to ensure a good percentage of phish. You’re not afforded the same comforts with targeted attacks, simply due to the smaller sample size.

Reconnaissance is critical to gaining insight on your target, and crafting a false narrative that best fits the situation. So how exactly do you get this info? Googling is always a good idea. Google the person’s name, location, email address, and anything else you have. Begin creating a dossier of information like so:

Name: John A. Smith
Aliases: Johnny, Albert
Social Media Profiles:
— facebook.com/johnasmith75
— linkedin.com/in/smith-john-a
Email(s):
— jsmith@gmail.com
— john.smith@yahoo.com
Current Occupation: Unknown

Add as many fields as you can think of. Take notes. Building a map of this person’s network of friends/contacts will also greatly increase your ability to spoof a connection to them. If you’re not feeling like a real creep, you’re not doing it right.

Tools

you… actually don’t need any of this stuff

The following tools are paid services that will help you get more information on a single person, based on a piece of info you have (i.e., an email address, physical address, or phone number):

- Spokeo

- FullContact

- WhitePages

You’re probably wondering why I haven’t listed 20 different open-source packages or mentioned Kali a dozen times — while I have used many open-source tools in the past, the truth is that I’ve settled on a method that works very well for me and makes use of just a few tools. I’ll cover that next.

Methodology

So, assuming I have a target in mind, I would start by Googling whatever info I have on them. Let’s say I have an email address. By searching for the email address between single quotes, ‘jsmith@gmail.com’, I can force Google to only return full matches. I would also search for ‘jsmith’, because people love to reuse their usernames. I get back a bunch of results for social media profiles, a couple of forums they’ve posted in, and a random pastebin dump. I’m not fluffing anything up here, this is typically what you will see with most people.

I decide to copy the social media profile info and turn my focus to the forums. For some reason, people don’t ever expect to be connected to their forum usernames. What I do next is take the site name and username and run a search like ‘site:coolforums.com jsmith’, which prompts Google to only return results from ‘coolforums.com’ and search for ‘jsmith’ in those results. What I get back are lots of posts from our target. Boom, I found another email address where they prompted someone to contact them, and a phone number as well (our target isn’t very smart). I’d feel bad about how easy I’m portraying this to be, if I hadn’t seen these very results numerous times.

So now I have a name (from social media), 2 email addresses, social media profiles, forum info, and a phone number. I turn to WhitePages.com to get a physical address from their phone number. WhitePages is also gracious enough to provide other people connected to that address. If needed, I could start the process over with each of these people and build a map of connections to the target.

and then burn it

This isn’t a bad start, and I’ve probably only spent an hour doing recon so far. What’s next is a bit more tedious. Using the social media and forum profiles I gathered earlier, I begin to read posts made by the target. I also pay attention to what others are saying to the target. All I’m looking for is some upcoming event they are interested in, an organization they’re connected to, or some new thing they purchased. Any of these things could be a foot in the door to open conversation.

That’s pretty much it. For pulling data on bigger entities like companies, search for their articles of incorporation, look them up on Wikipedia, or use a tool like Maltego to map people connected to that company. Unless you’re whaling (and maybe even then), remember who you’re looking for: the idiot with the most access. And what are you looking for? That sweet intel that makes you seem legitimate to them.

Putting Your Work to Work

You now know more about a stranger than you reasonably should. It’s time to use that intel for a purpose and hopefully justify what you just spent hours doing. For the next step of this process, you can think of yourself as a sort of salesperson. You need to sell them on the idea that you are who you say you are, and what you need from them is perfectly legitimate and safe.

While not every spearphishing engagement will require back-and-forth correspondence, you need to be prepared for it. This is where rapport building comes into play. A good salesperson has this down to a science. The following exchange illustrates the stages of building rapport and locking down a sale:

1. Establish Relationship

Attacker: “Hello Mr. Smith, my name is Justin and I work with Cisco. I understand you’re having some problems with one of your networked devices and wanted to reach out. Let me know how I may be of assistance. Thanks.”

Target: “Hello Justin. I’m not sure what you’re referring to exactly, but I do manage a few devices. How did you get my email?”

Attacker: “There was a ticket submitted on Thursday. Your email was listed as a contact, as well as (the name of his supervisor). Could I get you to verify your CCO ID?”

Target: “I get listed on these things sometimes, my CCO ID is (whatever).”

2. Understand Motivations

Attacker: “Perfect, thanks. The ticket matches what you’ve provided. However, the explanation was a little vague. Could you tell me more about the connection issues you’re experiencing?”

Target: “Again, I’m not exactly sure what the ticket was about, but we have been experiencing issues with our Meraki device. Could I possibly look at the ticket you’re talking about? None of my colleagues knew anything about it.”

3. Create Value

Attacker: “My apologies for the confusion, I can grant you access to the ticket and also give your team some Cisco Learning credits for your trouble.”

Target: “Sounds good. Thanks.”

4. Ask For Commitment

Attacker: “Ok, Mr. Smith. You’ve been given access to the service portal to view the ticket in question. You’ll need to log in using your company email. Please have your CCO ID, Customer Number, and Support Passcode available. You may need to validate your account. Here’s the link: https://link-to-fake-login-portal.c1sc0.com”

Target: “Perfect, I’ll check it out. Thank you again.”

Conclusion

In a simple, short exchange of emails, the security of the company may have been compromised. By researching Mr. Smith’s name and place of work, and doing some additional work to find the names of his company’s vendors, the attacker was able to effectively spoof the kind of support correspondence Mr. Smith deals with every day. Notice how ‘Justin’ was also distrustful of Mr. Smith? It’s important to remember that rapport building is supposed to work both ways, and acting like you trust the target implicitly from the jump is highly suspicious.
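The one artifact in that exchange a mail filter can actually test is the link. The check below is an added example, not code from the chapter: it flags a link whose registrable domain merely looks like a trusted vendor’s, as the c1sc0.com portal link does. The trusted-domain list, the homoglyph table and the sample URLs are assumptions constructed for the demo.

```python
# Added example: look-alike domain triage for links in suspect mail.
from urllib.parse import urlparse

# Constructed allowlist: vendors this organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"cisco.com", "meraki.com"}

# Digit-for-letter swaps and digraphs commonly used to imitate a brand name.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
DIGRAPHS = [("vv", "w"), ("rn", "m")]


def registrable_domain(url):
    """Last two labels of the URL host (naive: no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(domain):
    """Undo look-alike substitutions so c1sc0.com compares close to cisco.com."""
    d = domain.translate(HOMOGLYPHS)
    for seq, rep in DIGRAPHS:
        d = d.replace(seq, rep)
    return d


def edit_distance(a, b):
    """Levenshtein distance with a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED_DOMAINS, max_dist=1):
    """Return 'trusted', 'lookalike' or 'unrelated' for the link's domain."""
    dom = registrable_domain(url)
    if dom in trusted:
        return "trusted"
    name = normalize(dom).split(".")[0]  # brand part with look-alikes undone
    for t in trusted:
        brand = t.split(".")[0]
        # Exact brand after normalisation, a near miss, or the brand embedded
        # in a longer name ("cisco-support") all count as look-alikes.
        if brand in name or edit_distance(name, brand) <= max_dist:
            return "lookalike"
    return "unrelated"
```

The domain split is naive (two labels, no public-suffix list) and the substring rule will also flag names that legitimately contain a brand, so treat the result as a triage signal that routes the mail for review, not as a verdict.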