Mitch Myers | April 12, 2022 | 4 min read

Behind the Hack: How Employee Handling of Phishing Emails Can Allow a Hacker Inside Your Network

Statistics Cisco reported in 2021 showed that 90% of data breaches that year were the result of phishing campaigns, typically targeting a specific member of an organization. The average employee receives around 14 phishing or malicious emails a year. While 14 emails a year may not seem like much, it only takes one email and one employee to open the door to a hacker attempting to access your network and your organization’s sensitive information.


Open-Source Information Leads to the Perfect Phish Email

One of SBS CyberSecurity’s network security engineers recently conducted a social engineering assessment as part of a more extensive audit for a client. As part of this service, the engineer did some simple open-source information gathering to build the phishing campaign. Visiting favorite sites for information gathering, such as LinkedIn and Facebook, allowed the engineer to collect personal information about the client’s vice president of human resources. The engineer combined organizational information with the vice president’s personal information to build a phishing campaign that targeted internal employees. Simply asking employees to verify that all their information was correct in the newly updated Employee Directory was all it took to encourage interaction with the phishing email.

The engineer sent a total of 23 phishing emails to employees. Eight different employees clicked on the “Here” link, which immediately sent client IP information to the SBS engineer to investigate further. Clicking on the link within the email redirected employees to a landing page that SBS CyberSecurity owns.


Image 1: Sample phishing email used in this assessment.


The landing page was populated with the client’s logo, and the page title was changed to resemble a bank-owned site. Here, the login page entices employees to provide credentials to view the newly “Updated Employee Directory.” Of the eight employees who clicked the link in the email, three then provided their credentials on the landing page. Often, frustrated that the login page would not take them to an “Updated Employee Directory,” they entered different credentials, thinking they had initially typed the wrong ones, which gave the engineer multiple sets of credentials for each employee.



Image 2: Sample landing page used in this assessment.


Internal Network Access from Phishing Email

As part of the full audit conducted by the SBS engineer, VPN portals were identified as part of the client’s external network footprint. Using the credentials the employees had supplied, the engineer attempted to log in to the VPN portal.



Image 3: Sample VPN portal used in this assessment.


Expecting to be met with a multi-factor authentication (MFA) prompt, the SBS engineer was surprised to find that the employee whose credentials were being used had not set up MFA yet. This allowed the engineer to set up MFA on his own device.



Image 4: Sample multi-factor setup used in this assessment.


After setting up MFA, the engineer was prompted to download the VPN client to his device, which he configured with the VPN server’s information. Successfully launching the VPN client then gave the engineer a VPN connection into the client’s internal network.



Image 5: Sample VPN portal used in this assessment.


Once inside the client’s internal network, the engineer began testing to see how much access to the network had been gained. Using free-to-use tools like Net Scanner, NMAP, and EyeWitness, the engineer could see and test the entire subnet that he landed on.


Controls to Combat Phishing Attacks

There are controls that can be put in place to help combat phishing attacks. Start by ensuring your mail server is configured correctly to reject spoofed emails and that your spam and quarantine settings stop the delivery of emails that appear to be phishing to your employees.

Additionally, having MFA enabled for all external login pages, and ensuring that it is configured correctly, can prevent a hacker from gaining access to your internal network using credentials stolen through a phishing email. There are ways to enforce user enrollment, depending on the app or service in use. Cloud services like Microsoft Azure, Office 365, Amazon Web Services, etc. have MFA enforcement policies that can be configured to require MFA setup before the user’s next login or within 14 days of policy enforcement.

Teaching MFA users to always deny any prompt they did not initiate themselves is a necessary piece of the puzzle too. The SBS DFIR team has seen credential theft succeed even where the client had MFA in place, because the user assumed they were simply being logged out automatically and approved an MFA prompt that an attacker had initiated with stolen credentials.
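As an added example (not part of the original post, and not SBS tooling), the following Python script shows two defender checks the controls above imply: an audit that lists accounts still unenrolled in MFA once the enforcement grace window has passed, and a detection that flags an MFA registration coming from an address the user has never used before, the sequence the assessment relied on. All usernames, IP addresses, dates and the event layout are constructed assumptions; a real audit would pull this data from the identity provider’s sign-in and registration logs.

```python
from datetime import datetime, timedelta

GRACE_DAYS = 14        # grace window the post cites for cloud MFA enforcement policies
BASELINE_HOURS = 24    # an IP counts as "known" only if the user used it at least this long before

# Constructed sample accounts (assumption, not assessment data). Each has external VPN access.
ACCOUNTS = [
    {"user": "asmith", "mfa_enrolled": True,  "policy_applied": "2022-03-01"},
    {"user": "bjones", "mfa_enrolled": False, "policy_applied": "2022-03-01"},
    {"user": "cwu",    "mfa_enrolled": False, "policy_applied": "2022-04-05"},
]

# Constructed sign-in / registration events: (timestamp, user, source IP, event type).
EVENTS = [
    ("2022-04-01T08:00:00", "asmith", "198.51.100.4", "vpn_login"),
    ("2022-04-10T09:00:00", "bjones", "203.0.113.7",  "vpn_login"),     # password-only login, no MFA yet
    ("2022-04-10T09:02:00", "bjones", "203.0.113.7",  "mfa_register"),  # enrollment from that same new IP
    ("2022-04-10T09:05:00", "bjones", "203.0.113.7",  "vpn_login"),
    ("2022-04-11T08:00:00", "asmith", "198.51.100.4", "mfa_register"),  # re-enrollment from a known IP
]

def _ts(s):
    return datetime.fromisoformat(s)

def unenrolled_past_grace(accounts, now, grace_days=GRACE_DAYS):
    """Users with no MFA method although the enforcement grace window has already elapsed."""
    cutoff = _ts(now) - timedelta(days=grace_days)
    return sorted(a["user"] for a in accounts
                  if not a["mfa_enrolled"] and _ts(a["policy_applied"]) <= cutoff)

def suspicious_enrollments(events, baseline_hours=BASELINE_HOURS):
    """MFA registrations from an IP the user had not used at least baseline_hours earlier.

    A first-time registration minutes after a password-only login from a never-seen address
    is how a stolen credential turns into a fully enrolled VPN session; flag it for review."""
    events = sorted(events, key=lambda e: _ts(e[0]))
    flagged = []
    for when, user, ip, kind in events:
        if kind != "mfa_register":
            continue
        horizon = _ts(when) - timedelta(hours=baseline_hours)
        known = any(u == user and i == ip and _ts(t) <= horizon for t, u, i, _ in events)
        if not known:
            flagged.append((user, ip, when))
    return flagged

if __name__ == "__main__":
    print("unenrolled past grace:", unenrolled_past_grace(ACCOUNTS, "2022-04-12T00:00:00"))
    print("suspicious MFA enrollments:", suspicious_enrollments(EVENTS))
```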

Layered security is always a best practice in protecting your network. Employee education through training is a significant first step in giving your personnel the right tools when dealing with a potential phishing email. Products such as KnowBe4 allow organizations to simulate phishing attacks, train employees, and use assessments to gauge user proficiency in handling phishing emails.


Mitch Myers

Mitch Myers is a Network Security Engineer - Team Lead at SBS CyberSecurity. He specializes in information technology, cybersecurity, operational planning, and team building.