The Power of OSINT & How it Can Improve Phishing Campaigns
This blog highlights the power of OSINT and how it can improve the quality of phishing campaigns. Phishing attacks are often very general, which makes them less effective, but with OSINT investigation, far more targeted campaigns can take place.
What is Phishing?
Phishing is a type of cyber attack that uses social engineering to trick people into giving away sensitive information. This can include passwords, credit card numbers, or other personal information. Attackers will often send fake emails, texts and social media messages in order to get the victim to click on a link or download an attachment that contains malicious software.
How does OSINT Improve the Nature of a Phishing Campaign?
OSINT (Open Source Intelligence) is a form of intelligence gathering that uses publicly available information from the internet to gain insight into an organisation, individual or other entity. OSINT allows ethical hackers with a specific objective to create more directed phishing campaigns. Through the use of OSINT tools and techniques, organisations can gather data on employees, competitors, and other entities that can be used to craft more effective phishing campaigns.
For example, attackers can use OSINT techniques to understand the target’s past communication patterns, interests, job role and location. This information can then be incorporated into a campaign that is specifically designed for the victim, which results in a much higher success rate than a general phishing campaign.
By using OSINT, ethical hackers become more efficient, effective and knowledgeable about their targets, which leads to improved campaigns with greater success rates.
How does this Create more Effective Phishing Campaigns?
OSINT can be used to create more sophisticated phishing campaigns. Victims of these campaigns are presented with a more personal and trusted-looking set of information, leaving them more likely to fall for it. For example, if a phishing campaign referenced software they actually use, this would encourage them to click the link, as it lowers their natural suspicion.
What is Vishing?
Vishing is a type of phishing conducted over the phone: the attacker tries to gain a user's trust through social engineering in order to elicit confidential data, extract funds, or otherwise harm the individual.
For example, the fraudster calls the victim saying they are from their bank or another institution and informs them that there is a problem with their account or credit card. The false alert may also arrive by SMS initially, asking the person to call a number to resolve the issue.
How to Report a Phishing Scam
If you have received an email which you’re not quite sure about, forward it to email@example.com.
The purpose of a scam email is often to get you to click a link. This will take you to a website which might download a virus onto your computer, or steal passwords or other personal information. This is sometimes known as 'phishing'.
The National Cyber Security Centre (NCSC) has the power to investigate and remove scam email addresses and websites. It's free to report a suspicious email to the NCSC and it only takes a minute. By reporting phishing attempts you can:
- reduce the amount of scam emails you receive.
- make yourself a harder target for scammers.
- protect others from cyber crime online.
OSINT improves the nature of a phishing campaign by allowing ethical hackers to become more efficient, effective and knowledgeable about their targets, which leads to improved campaigns with greater success rates. It is important for individuals to be aware of how dangerous phishing scams can be, and of what steps they should take if they receive an email which appears to be a phishing attempt. By reporting any suspicious emails to the NCSC, individuals can help protect others from cybercrime.
Welcome to another Dark Invader Deep Dive. Today's threats use multiple means of leverage, and one of the most common reasons cyber criminals leverage OSINT is for social engineering purposes. In these complex threats, threat actors will often gather the personal information of potential victims, for example social media profiles or other online activities, to create a profile of the individual that can then be used to customise phishing attacks. We'll be discussing this in more detail today. Gav, shall we start with you?
So I think it's about the difference between the types of phishing; I think that's the important thing to clarify. When people talk about phishing attacks, the most common out there are these large scale attacks that involve millions and millions of recipients. And you know, this is old stuff, we've all come across these very, very basic emails with spelling mistakes and things like that, and you see them and you think, how would anyone fall for that? But when it's a numbers game, when you're going out to millions of people, they're just expecting those few to kind of fall for it. And that may be all that's required, that may be all that the attackers are looking for. So broad scale phishing is kind of the first level. And then you have the situation where a particular company is targeted, or maybe a particular sector or group of companies. And that's when the phishing attacks start to become more effective and more dangerous. And this is where open source intelligence gathering starts to come into play. So for example, the attackers may scrape LinkedIn for all of the names of people working in a particular company, convert them into emails, and send spoofed emails that look like they're from somebody that company works with. So they're not really targeting individuals, they're targeting the company. Because it's targeted, because it has these little bits of information, like the fact that they're spoofing someone that company works with, that gives it a little bit of credibility. And that might be all that's required for an employee of that business to fall for it.
And then you have kind of the third level, I guess, which is what I would refer to as spear phishing. And this is when it's targeted right down to the individual level. And this is where OSINT really starts to come into play. So that individual, you know, will be researched, trying to find anything that could be used to gain a really good amount of credibility in an email, just to get that user to click that link or to download an attachment potentially. Or, you know, with these phishing emails, it could be like bank mandate fraud, like, you know, change account details, or there's lots of different scams, but it really is very much targeting that specific person. And yeah, as a pen tester, we're often targeting businesses, but there are occasions where we have the opportunity to target individual employees, and it might be on a red team engagement or something along those lines, where we've got more time to do the research. And to give you a quick example of when we targeted an individual CEO, we did the usual websites and social media accounts and things, and as we were going through, we could see this particular individual would ride motorbikes and post videos and photographs of him sat on various bikes, showing them off, and you could see the registration number of the motorbike. So we thought that might be quite useful. So we looked up information on that registration, and we found bits and pieces; we actually found information on some collisions that it had been involved in. So we fashioned an email basically impersonating something kind of along the lines of the DVLA (it wasn't actually the DVLA, but along those kind of lines), basically saying that this is in reference to a collision that happened on this day involving this motorbike and things like that.
Yeah, this is the "we require you urgently to follow this link and put this information in", blah, blah, blah. And our brief was to prove that we could get employees to click links. And, you know, obviously, this guy did. And after the engagement, we got to have a chat with him. And he said there was just no way he wouldn't have fallen for it. He just didn't think in a million years that anyone would look at these photos and get that kind of information out. You know, when he read it, his heart sank, and he clicked the link panicking, figuring now something bad is going to come out of it. And I think that's the danger here. That's why these spear phishing attacks are so powerful: it's because of that disconnect, that people put this information online but then don't think that it could be used in this way, they don't connect the dots. I think another quick example, again, not really individual, more kind of along the business lines, but again, it's just kind of emphasising that kind of disconnect.
We had a business that we were researching, and we could see on their website, in pictures and things like that, that they had their own food van. So in our phishing attack, it was just that a new menu had come out for this particular food van, all of this stuff, we're just so excited, you know, they'd had the same lunch for the past year, and finally some new food had come on. And obviously it was a complete scam. None of them made the connection that that information is all online. I think, literally, with loads of phishing attacks recently, there must be some kind of similar cases at the individual level that you've looked at, sorry to threaten to throw you under a bus there.
Please, throw away.
No, and you're absolutely right. I think there are a number of instances where I've been conducting phishing campaigns where we've used personal connections like that, personal trust relationships as they are known, in order to add credibility to our campaigns. In fact, in one specific instance, we were doing telephone phishing, vishing is the shorthand, and I'd been given time to do some research on the targets before I was picking up the phone to them, in order to add credibility to the story. And we noticed that one of the targets on some of their social media, one, they had a very large friend group, they were quite active on sites like Facebook and Twitter, and the second was that they'd been posting quite regularly about wanting to help, you know, young people get into their industry by either apprenticeships or on graduate courses. We used that information so that when we called up we purported to be from, rather I purported to be, the son of a friend of theirs, granted all that information's available on their social media.
And off the back of that we gained massive amounts of information about the organisational structure, the line managers, various other members of the business. We now had a trust relationship with that person, so that when we were pivoting off to ask other people for pieces of information, or in email chains that we then went on to kind of try and perform, we had the ability to leverage that relationship in order to create other relationships with other members of the business. And that was very successful when we went off and did that. And it's only due to that very targeted, niche research that kind of allowed us to perform this spear phishing attack so efficiently. And again, harking back to a point that I know I myself have raised many, many times: you really need to be careful what you're putting out there online. The same horror stories that we tell children growing up, you know, as they're starting to go out into the world, about how they need to be careful about what links they click on, what websites they visit, the same is very much true once you're an adult. And once you've begun to interact with people online in a more adult capacity, everything you put online is there. It's pretty much there permanently. And most of the time, people are kind of benign users, they're your friends, you want to share the elements of your life with them. As soon as somebody slightly less benign comes along, such as myself, in the various capacities we've held before, that information can be incredibly valuable.
Oh, absolutely, I think it can be really tricky, can't it?
And if you imagine this kind of hypothetical situation where you were super paranoid, and you decided that you didn't want to have anything out there that could be used in a phishing attack like this. And so, you know, you removed all your social media accounts, you didn't post anything online, you didn't have a blog, you didn't go on Instagram, anything like that.
But then you start losing history, and you start to think about it in terms of what can actually be used. Like, a friend of mine was scammed over the phone, like a previous neighbour; this scammer gained credibility because they said, you know, "we're from your ISP, we're from Virgin" or something. And he was saying, well, how could they have known that? Like, we can look at anyone online, you can go online, there's a map that shows you what providers are there. And if they can even see your MAC address, things like that?
How do you remove that? You know, how do you get rid of that kind of information? And it's like almost anything can be used to gain credibility. And I think in that case they actually knew the last four digits of his card or something like that. They had like a scrap of information, and you think, how on earth did you get that? But then it's like, you know, the dark web has lots of things they know, that they can get. So it's absolutely about making sure there's no easy wins for them, there's no sort of low hanging fruit that they can get from social media and things like that. But ultimately, even the simplest fragment of information that you can't get rid of can be used. And it's also strongly about awareness. It's, you know, having an email come through and not just jumping to the conclusion that it is legitimate, to actually validate it: hover over the link, see where it goes to, check where it came from, is this trying to encourage you to log in somewhere or to download something? I think that really is important. And information going online is just the way things are going, so it's a sign of the times, you know, and I think for the newest generation, that's something that's always concerned me, is that that's the norm, that's the expectation, that they put their entire life online on all of these various social media platforms. So it's going to get harder to defend against this kind of thing. And I think we have to make sure that we educate the younger generation and stress that it's there permanently, and to be careful, you know, what you do online. And obviously, it's not all doom and gloom, you know, we will find a way to combat these things.
Gav, also, when you mentioned hackers, they're not really targeting individuals, they're more targeting towards companies, what can these companies do to protect themselves?
Oh, gosh, it's defence in depth, isn't it, really. I mean, there are technical controls companies can put in place if they haven't already, such as really good email filters.
Obviously, we're not going to recommend any here, but there are various products out there, and they can reduce the risk, they can filter out a lot of the sort of simple phishing attacks. But if it's a targeted attack, then chances are the email's coming from a legitimate domain that is established, and the content won't be anything untoward. And so often these types of attacks can get through. So technical solutions definitely can't be relied on. And that's when you start having to rely on awareness training. And to keep on top of that, so it's not just a boilerplate video when people come on board about "watch out for phishing emails", it's got to be something regular and constant, you know, every month or whatever it takes, to remind people. And to do internal phishing tests, you know, send targeted emails to your own employees, try and trick them, to better protect them from a real attacker, and send out examples of phishing attacks. And also to try and promote the culture of, you know, it's not a blame thing, because often people who get these emails, they click the link or the attachment, they don't want to say anything because they don't want to get in trouble. And it's trying to stress that the most important thing is to report it, even if you click that link, especially if you click that link, especially if you've downloaded that thing, is to say what happened, and you're not going to get in trouble.
Is it important that there is that kind of damage control in place?
And then also it's about reducing the risk in terms of the general security of your workstations, your network. You're having to build a view on the workstation: if an attachment was downloaded and the malware was executed, would it work? Would it be able to exploit that system? You know, are there vulnerabilities there that it could use to move around the network? So it's this kind of, as it says, defence in depth, lots and lots of things that need to be done.
Very much so. Just to kind of echo that sentiment, if you only have one of those five or six controls, then generally we'll be able to find a way around them. If you start to have four or five, or even six or seven of these, then it becomes increasingly difficult to actually perform these attacks. And ultimately, most of the people who are going after these businesses are looking for a path of least resistance into that business, and are not necessarily interested in your business specifically. I mean, they might have done a bit of research on a couple of members of staff in order to make the click rate higher. But ultimately, if it's months and months and months, or it's even incredibly difficult to get anything onto a box, or if you do get something onto a box it's not able to exploit it, then again, you're less likely to be continually targeted by these organisations.
I think you've both mentioned really good key information on leveraging OSINT in phishing attacks. That has been very informative. Thank you both for your time today. Follow the Darkinvader Spotify page for more.