Behind the Hack: How Employee Handling of Phishing Emails Can Allow a Hacker Inside Your Network

Cisco’s 2021 phishing statistics reported that 90% of data breaches in 2021 resulted from phishing campaigns, typically ones targeting a specific member of an organization. A typical employee receives around 14 phishing or otherwise malicious emails a year. While 14 emails a year may not sound like much, it takes only one email and one employee to open the door for an attacker trying to reach your network and your organization’s sensitive information.

Open-Source Information Leads to the Perfect Phish Email

One of SBS CyberSecurity’s network security engineers recently performed a social engineering assessment as part of a larger audit for a client. To build the phishing campaign, the engineer started with simple open-source information gathering. Visiting the usual sources, such as LinkedIn and Facebook, gave the engineer personal details about the client’s vice president of human resources. Combining organizational information with the vice president’s personal details, the engineer built a phishing campaign aimed at internal employees. Simply asking employees to verify that their information was correct in a newly updated Employee Directory was enough to prompt interaction with the phishing email.


The engineer sent a total of 23 phishing emails to employees. Eight different employees clicked the “Here” link, which immediately reported the client’s IP information back to the SBS engineer for further investigation. Clicking the link in the email redirected employees to a landing page owned by SBS CyberSecurity.

Image 1: Sample phishing email used in this assessment.

The landing page was populated with the client’s logo, and its page title was changed to resemble a bank-owned site. The login page enticed employees to provide credentials in order to view the newly “Updated Employee Directory.” Of the eight employees who clicked the link in the email, three then entered their credentials on the landing page. Frustrated that the login page did not take them to an “Updated Employee Directory,” they usually tried again with different credentials, assuming they had entered the wrong ones the first time, which gave the engineer multiple sets of credentials for each employee.


Image 2: Sample landing page used in this assessment.

Internal Network Access from Phishing Email

As part of the full audit, the SBS engineer had identified VPN portals in the client’s external network footprint. Using the credentials an employee had supplied on the landing page, the engineer attempted to log in to the VPN portal.


Image 3: Sample VPN portal used in this assessment.

Expecting to be met with a multi-factor authentication (MFA) prompt, the SBS engineer was surprised to find that the employee whose credentials were being used had not yet enrolled in MFA. This allowed the engineer to enroll his own device as the MFA factor for that account.


Image 4: Sample multi-factor setup used in this assessment.

After completing the MFA setup, the engineer was prompted to download the VPN client to his device, which he configured with the VPN server’s details. Once the VPN client connected successfully, the engineer had a VPN tunnel into the client’s internal network.


Image 5: Sample VPN portal used in this assessment.

Once inside the client’s internal network, the engineer began testing how much access had actually been gained. Using freely available tools such as Net Scanner, Nmap, and EyeWitness, the engineer could enumerate and test the entire subnet he had landed on.

Controls to Combat Phishing Attacks

Several controls can be put in place to help combat phishing attacks. Start by ensuring your mail server is configured to reject spoofed email, and that your spam and quarantine settings stop the delivery of messages that appear to be phishing before they reach employees. Next, enabling MFA on every external login page, and verifying that it is configured correctly, can prevent an attacker from reaching your internal network with credentials stolen through a phishing email.

Depending on the application or service, there are ways to enforce user enrollment. Cloud services such as Microsoft Azure, Office 365, and Amazon Web Services offer MFA enforcement policies that can require MFA setup before the user’s next login or within 14 days of the policy taking effect. Teaching MFA users to deny any prompt they did not directly initiate is a necessary piece of the puzzle too. The SBS DFIR team has seen stolen credentials succeed even where the client had MFA in place, simply because a user assumed they were being logged out automatically and approved an MFA prompt that an attacker had triggered with those stolen credentials.
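The first control above, a mail server that rejects spoofed messages and quarantines likely phishing, rests on the standard sender-authentication checks (SPF, DKIM and DMARC) whose verdicts an inbound gateway records in the message's Authentication-Results header. The following is an added example, not code from the original post or from SBS CyberSecurity, showing how a small inbound triage rule reads those verdicts and combines them with a display-name impersonation check of the kind the HR vice president lure would trip. The organization domain, the protected name, and the three sample messages are all constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed organization domain (placeholder, not the client's real domain).
OUR_DOMAIN = "example-bank.invalid"
# Assumed set of people whose names a phisher is likely to borrow, such as the
# HR vice president in the assessment; the name itself is constructed.
PROTECTED_NAMES = {"jane doe"}


def parse_auth_results(value):
    """Parse an RFC 8601 Authentication-Results header into {method: result}.

    The first ';'-separated element is the authserv-id of the mail server that
    evaluated the message; each later element is 'method=result' followed by
    optional properties such as smtp.mailfrom or header.from.
    """
    results = {}
    for clause in str(value).split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def triage(raw_message):
    """Return 'reject', 'quarantine' or 'deliver' for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = address.rpartition("@")[2].lower()

    # 1. Mail claiming to come from our own domain must pass DMARC; anything
    #    else is a spoof of our domain and is rejected outright.
    if from_domain == OUR_DOMAIN and auth.get("dmarc") != "pass":
        return "reject"
    # 2. Hard SPF or DKIM failures from any sender are held for review.
    if auth.get("spf") == "fail" or auth.get("dkim") == "fail":
        return "quarantine"
    # 3. A protected person's name on an external address is display-name
    #    impersonation (for example a lookalike domain), so hold it for review.
    if from_domain != OUR_DOMAIN and any(
        name in display_name.lower() for name in PROTECTED_NAMES
    ):
        return "quarantine"
    return "deliver"


# Constructed sample messages (not the assessment's real emails). The backslash
# after the opening quotes keeps the first header on the first line.
SPOOFED_MSG = b"""\
Authentication-Results: mx.example-bank.invalid; spf=fail smtp.mailfrom=example-bank.invalid; dkim=none; dmarc=fail header.from=example-bank.invalid
From: "Jane Doe" <jane.doe@example-bank.invalid>
To: employee@example-bank.invalid
Subject: Please verify your entry in the updated Employee Directory

Click Here to confirm that your details are correct.
"""

LOOKALIKE_MSG = b"""\
Authentication-Results: mx.example-bank.invalid; spf=pass smtp.mailfrom=example-bank-hr.invalid; dkim=pass header.d=example-bank-hr.invalid; dmarc=pass header.from=example-bank-hr.invalid
From: "Jane Doe, VP Human Resources" <jane.doe@example-bank-hr.invalid>
To: employee@example-bank.invalid
Subject: Updated Employee Directory

Please log in and confirm your information.
"""

LEGIT_MSG = b"""\
Authentication-Results: mx.example-bank.invalid; spf=pass smtp.mailfrom=example-bank.invalid; dkim=pass header.d=example-bank.invalid; dmarc=pass header.from=example-bank.invalid
From: "Payroll" <payroll@example-bank.invalid>
To: employee@example-bank.invalid
Subject: Pay statements are available

Your statement for this period is available in the payroll portal.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("lookalike", LOOKALIKE_MSG),
                       ("legitimate", LEGIT_MSG)):
        print(f"{label:>10}: {triage(raw)}")
```

The rule deliberately treats a DMARC failure on the organization's own domain differently from a failure elsewhere: a message that claims to be internal but does not authenticate is exactly the case the spoofed HR email represents, so it is rejected rather than merely held. The lookalike domain in the second sample authenticates perfectly (the attacker controls it), which is why an authentication check alone is not enough and the display-name rule is needed as a second layer.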


Layered security is always a best practice for protecting your network. Employee education through training is a significant first step in giving your personnel the right tools for dealing with a potential phishing email. Products such as KnowBe4 let organizations simulate phishing attacks, train employees, and use assessments to gauge how well users handle phishing emails.


Written by: Mitch Myers, Network Security Engineer/Regional Director
SBS CyberSecurity



Posted: Tuesday, April 12, 2022
Categories: Blog