Welcome to part 4, my Phishing friends. Thanks for returning to our Phishing For Success series! As you probably know by now, I’m a Senior Threat Emulation Specialist here at White Oak Security and spent lots of time doing Red Team Operations and Social Engineering. In our part 1 and part 2 posts we addressed some of the common pitfalls and risks of conducting a phishing campaign. Part 3 introduced a phishing tool, autosneakphish, which can help automate and make it more efficient for you.
In this part 4 blog, we will focus on practical steps to create phishing templates and landing pages that will evade Proofpoint. Examples used throughout this post are not from a company I have phished – any real attack data has been redacted.
I remember how much time I spent writing my phishing templates from scratch on my first few phishing engagements – constantly going back to the drawing board and trying to make little alterations. The best starting point for a phishing campaign is to find some kind of online form hosted by your target that you are reasonably certain will result in receiving an email from them, which will provide you with the initial formatting and style details to get started, as in the following example:
Then we wait for an email to arrive:
This is perfect. I downloaded the email and opened it in a text editor. Next, you just need to extract the HTML document from the downloaded email.
---redacted---
<tr>
<td align="left" valign="top" width="45"><img src="http://image.e.embracepetinsurance.com/lib/fe8813727d6d077474/m/1/clock_gray_65x65.png" alt="" style="display:block;" border="0" width="45"></td>
<td width="23"><img src="http://image.e.embracepetinsurance.com/lib/fe8813727d6d077474/m/1/spacer_img.gif" alt="" style="display:block;" border="0" height="1" width="1"></td>
<td style="font-family:Arial, sans-serif; font-size:18px; line-height:23px; color:#414042;" align="left">Don’t wait! Protect Balto today.</td>
</tr>
---redacted---
For this blog, we teamed up with a great client who kindly let me send a phishing email to them to verify we have evaded Proofpoint and Microsoft’s email security measures.
Our first attempt made it to their inbox!
Our handy dandy GoPhish Dashboard proves it was opened:
What does Proofpoint think of our friendly BBQ raffle?
As shown above, we received a score of zero. Now we are cooking with gas!
ACHTUNG! – Do not send a lot of emails very fast or it will get nabbed by Proofpoint!!!
Creating a good landing page follows the same basic guidelines.
First, you need to find a good template for your pretext. We are going with a free BBQ sweepstakes pretext, so this is what I found for that:
With some simple modifications, we end up with this:
What does VirusTotal think of my landing page?
The key is to remove as little as possible from the landing page you cloned. Leave all the silly little bits that are no longer relevant, especially the links that point to well-known resources or ads.
Let us take a look at a landing page that I found in an email that made it to my spam filter:
What does VirusTotal think of this landing page?
Pretty weak sauce landing page….
Yes and no. You might get lucky and not include any words that make Proofpoint mad. Just remember that you have to ensure you are not throwing in too many keywords that might get you caught. All decent email security tools use a combination of heuristic and static analysis.
An email from IT Support that asks you to reset your password might be more likely to be caught by Proofpoint than asking people to log in to be added to a BBQ raffle. 😉
In this blog, we have laid out a very simple and extremely effective method of building email templates and landing pages that will evade security controls, including Proofpoint! This method is so simple that it surprised me how effective it is. The key to this method as I have mentioned above is that you want to remove as little code as possible from your HTML clones. This blog concludes our series Phishing for Success. Our goal was to empower leaders and technical teams to successfully implement phishing testing for their companies. Doing this well can lead to a very significant strengthening of security posture! Good luck everyone.
Cyber Advisors specializes in providing fully customizable cyber security solutions & services. Our knowledgeable, highly skilled, talented security experts are here to help design, deliver, implement, manage, monitor, put your defenses to the test, & strengthen your systems - so you don’t have to.
Read more from our technical experts...