Use OSINT to ~~Investigate~~ Initiate a Phishing Scam Campaign
by Nathan C
"To every article there is an equal and opposite article" was my thought when I read the phishing scam article in 41:4 ("Use OSINT to Investigate a Phishing Scam" by Thomas J. Caliendo). Let me begin by clarifying that this is in no way intended to diminish that article. The article contained great nuggets of information for any blue teamer to use when conducting a phishing investigation. However, my job is to use OSINT for social engineering and constructing phishing campaigns. I simply use this article to show the offensive side of the world of phishing.
~~Learn the Malicious Tactics in Use~~ Learn the TTPs
As Tom rightfully states, "Most people assume that a phishing scam takes the comparatively obvious form of a suspicious email..." The threat landscape of phishing is ever changing. In the last several years, we have seen a rise in phishing campaigns utilizing Teams, device codes, and trusted sites. As an offensive security professional, it is valuable to stay on top of these trends because they provide a solid "use case" when presenting to managers why you need permission to carry out a specific campaign.
Building Trust versus Mass Send
The type of campaign you are conducting will determine whether you need to establish trust or whether you just need to launch a massive email send. If the goal of the campaign is to gather metrics on user clicks, credentials entered, emails reported, etc., then you likely do not need to build trust. If you are looking to use payloads or gain additional information, building trust is a great way to go.
~~Avoiding~~ Bypassing Email Filters
A major hurdle when conducting a phishing campaign is bypassing the email filters. Outlook by default offers some protection, but companies such as Sublime are starting to make this even more challenging. Here are some simple things to have in place to raise the chances of slipping by the email filters.
- Ensure the proper DNS records are in place. Make sure your domain and email have records such as SPF, DKIM, and DMARC. These are some of the first things that get evaluated when trying to determine the legitimacy of an email.
- Ensure your domain is aged. Phishing can be a long game, and aging domains are part of that process. Newly registered domains do not go over well in campaigns. You need to establish a safe Internet presence.
- Avoid domain impersonation. Perhaps you are a consultant being paid to phish the company Hack2600Swag. The domain hack2600merch.com might be available, but Outlook and other email scanning services will see "hack2600" in the name and automatically flag it as domain impersonation. Additionally, attack surface tools are starting to alert SOCs of when domains get registered that closely match that company's name. Finding domain names that are generic and convincing is possible but can be tricky.
- If all else fails, ask the SOC to whitelist. The reality is many companies lack the resources to build out long-term phishing engagements. There is no shame in asking the SOC to whitelist your domain to speed up the process!
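The filter's side of this list, as an added example that is not part of the article: a small triage routine of the kind a SOC or mail gateway runs on a first-seen sender domain. It reads the DMARC policy and the SPF "all" qualifier from constructed TXT records (no live DNS), checks the label for protected brand tokens, and scores it against the company's real domain, using the article's hack2600merch.com example. Function names, the sample records and the 0.6 threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed TXT records for the article's hypothetical lookalike domain (sample data,
# not a live DNS lookup): an SPF record with a hard fail and a DMARC record with p=none.
SAMPLE_TXT = {
    "hack2600merch.com": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.hack2600merch.com": ["v=DMARC1; p=none; rua=mailto:dmarc@hack2600merch.com"],
}

def dmarc_policy(records):
    """Return the DMARC p= tag (none/quarantine/reject) or None if no record."""
    for rec in records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip().lower()
            return tags.get("p")
    return None

def spf_all_qualifier(records):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+') or None."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", rec)
            return (m.group(1) or "+") if m else None
    return None

def _label(domain):
    # Compare only the registrable label, with separators stripped (hack-2600 -> hack2600).
    return re.sub(r"[^a-z0-9]", "", domain.split(".")[0].lower())

def lookalike_score(domain, legit_domain):
    return SequenceMatcher(None, _label(domain), _label(legit_domain)).ratio()

def triage_sender_domain(domain, txt, brands, legit_domains, threshold=0.6):
    """Flags a SOC wants on a first-seen sender domain. Note that valid SPF/DMARC
    records are NOT a legitimacy signal: any sender can set them up on purpose."""
    flags = []
    p = dmarc_policy(txt.get("_dmarc." + domain, []))
    flags.append("no-dmarc" if p is None else f"dmarc-p-{p}")
    q = spf_all_qualifier(txt.get(domain, []))
    flags.append("no-spf" if q is None else f"spf-all-{q}")
    for b in brands:
        if _label(b) in _label(domain):
            flags.append(f"brand-token:{b}")
    for legit in legit_domains:
        if lookalike_score(domain, legit) >= threshold:
            flags.append(f"lookalike:{legit}")
    return flags
```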
~~Provide~~ Think Security Awareness Training
You have likely been required to take a phishing prevention course at work. Take the points that were made and attempt to do the opposite. Here are some basic indicators employees at Fortune 500s likely get told to be on the lookout for:
- Sense of urgency.
- Unknown sender.
- Generic greeting.
- Poor grammar and misspellings.
Phishing becomes an art form when it goes against whatever is taught in Corporate Phishing Prevention 101.
~~Remove~~ Gather Personal Information From Public Sources
When creating a target list, publicly available information is your best friend. LinkedIn is phishing target heaven. Additionally, don't neglect other forms of social media. This current generation loves posting about their accepted internships on "the gram." Sometimes you don't even need fancy scrapers or social media. Sometimes email addresses are just blasted on a website (university faculty listings are insane, FYI).
Don't Be a Suspicious Email That Requires Investigating
Not everyone is going to click your phishing link. That being said, you don't want to be so obviously a phishing email that someone actually takes the time to report it to the SOC. Your email needs to blend in and be something the end user could realistically see. If you know a company is an AWS shop, then don't reach out about their Azure subscriptions needing a Docusign for renewal. Be smart about your approach.
If It Is on the Web It Gets Scanned
These are lessons that get learned the hard way. I have had landing pages burned because they got picked up by a scanner. Here are some initial things you can do to prevent your landing page from getting flagged:
- Avoid blatantly ripping off the O365 login screen. It makes sense since it's a prime target, but it's also easy to get flagged.
- Avoid default landing pages used by public phishing frameworks. Code your own stuff to help ensure it stays safe.
- When aging your domain, establish redirects.
~~Check the IP and~~ Establish Domain Reputation
In connection with the previous point, your domain will get scanned, which means you need to make sure that it doesn't get marked as "high-risk." Some methods to make sure you go from "newly registered" to "low-risk" could include a combination of things like:
- Avoid buying domains that are related to current major events. Hypothetically, if a certain EDR company causes a mass shutdown of computers, don't immediately buy the domain crowdstrikereport.com. Otherwise, you will wake up the next day to your site being blacklisted by every security tool out there (don't ask me how I know this).
- Find an expired domain that maintained a low-risk score.
Who Shares the IP Address
Where you host your phishing platform might matter. DigitalOcean is easy to use, but that also means other hackers of the world use it, which could result in the DigitalOcean IP range getting blocked. Not saying that it will happen, but just know it could happen.
Check Your Website Registration
In my early days of phishing, I conducted a campaign to test the response of the SOC team at my company. Everything was in place and looking good, but then I thought to run WHOIS against my domain. All of my information was returned there in the terminal: my name, address, phone number, email, etc. The SOC would have known it was my team conducting the test the moment they saw that information. All that to say, double-check the registrant information settings for your domain.
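Tom's side of that same WHOIS check, as an added example that is not from the article: a SOC triaging a first-seen sender domain reads the same fields, the creation date (the "newly registered" signal from the domain-aging point above) and whether the registrant fields are exposed or privacy-redacted. The WHOIS text, the fixed reference date and the 30-day cutoff are constructed assumptions for the example.

```python
from datetime import datetime, timezone

# Constructed WHOIS output for a hypothetical domain (sample text, not a real lookup).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CAMPAIGN.TEST
Creation Date: 2024-11-02T14:03:11Z
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar
"""
# Same record with one registrant field left exposed (also constructed).
SAMPLE_WHOIS_EXPOSED = SAMPLE_WHOIS.replace(
    "Registrant Name: REDACTED FOR PRIVACY", "Registrant Name: J. Tester")
# Fixed "now" so the age calculation is reproducible (assumption for the example).
SAMPLE_NOW = datetime(2024, 11, 20, tzinfo=timezone.utc)

# Phrases registrars use in place of real registrant data.
REDACTED_MARKERS = ("redacted", "privacy", "query the rdds", "withheld", "data protected")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d")

def parse_whois(text):
    """Key/value pairs from WHOIS text; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields.setdefault(k.strip().lower(), v.strip())
    return fields

def domain_age_days(fields, now):
    raw = fields.get("creation date")
    for fmt in DATE_FORMATS:
        try:
            created = datetime.strptime(raw or "", fmt).replace(tzinfo=timezone.utc)
            return (now - created).days
        except ValueError:
            continue
    return None  # no parseable creation date

def exposed_registrant_fields(fields):
    """Registrant fields whose value is not a privacy placeholder."""
    return [k for k, v in fields.items()
            if k.startswith("registrant ") and v
            and not any(m in v.lower() for m in REDACTED_MARKERS)]

def triage_whois(text, now=SAMPLE_NOW, young_days=30):
    fields = parse_whois(text)
    age = domain_age_days(fields, now)
    return {"age_days": age,
            "newly_registered": age is not None and age < young_days,
            "exposed_registrant_fields": exposed_registrant_fields(fields)}
```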
Collect the Data to Better the Security
I get it. You are a hacker and not some MBA grad who cares about metrics, but being able to discuss those metrics will help secure your job. Additionally, it improves the chances of getting permission to do bigger and better campaigns in the future. Phishing, like all offensive engagements, should be approached with the mindset of, "How will this better the security of the company?"
Conclusion
OSINT is valuable for both the defensive and the offensive sides. I hope that Tom enjoys this article as much as I enjoyed his. May the cat-and-mouse game of blue versus red always continue. Now go think of your phishing campaign, get approval, and test the security of your company!