By: Jawady Muhammad Habib
July 19, 2017
Hands-On Social Engineering Tutorial: Whaling
Hello, cyber security enthusiasts, and welcome to another article on s3curi7y.tn. Today we will talk about whaling and some of the techniques an attacker may use. We will cover the implementation of several commonly used, effective social engineering (SE) methods for phishing CEOs; this is what is known as 'whaling'.
As usual, we will get our feet wet with quick definitions of the terms you will need before diving into the real thing.
What is Social Engineering?
- Social Engineering
Social Engineering, aka SE, is nothing more or less than manipulating individuals into revealing data or acting on a social engineer's instructions. It is the art of hacking human beings, the weakest link in the security chain, for the purpose of information gathering, fraud, or gaining system access. I recommend that you read about this huge area of InfoSec; at the end of this article I will add some good sources.
- Phishing
Phishing is the attempt to obtain a victim's credentials (usernames and passwords, in order to gain the victim's own level of access to a social media or computer system account, or credit card details when the fraud is financial) by exploiting the victim's trust and serving him/her an "authentic"-looking page that collects the data.
- Whaling
Whaling is the term for targeting executives and other high-profile targets, such as politicians and celebrities, with spear phishing attacks. Because the number of targets is small, the messages are commonly formal in appearance and carefully customized to each target in order to increase the hit rate.
The term whaling is a play on words, because an important person may also be referred to as a "big fish." In gambling, for example, whales are high-stakes rollers who are given special VIP treatment. - techtarget.com
Now that the basic concepts of this tutorial are clear, we will also need some materials and tools:
1- an AWS account (Amazon Web services)
2- a web hosting account/server + domain name (the name depends on the case)
You should also be familiar with IDN homograph attacks (you can read about them here).
- First, a successful attacker starts with a planning phase, deciding what type of information is needed and therefore which position to target, let's say the CEO of a company X.
- Second, a preparation phase, in which the required tools are prepared: the fake page if one is needed, the victim's contact details, and the spoofing tool if needed.
- Lastly, the active attack, in which the attacker uses those tools to carry out the planned scenario.
I will not use a real target in this demo; however, I will include as many screenshots as possible to help you follow along.
Let's say I want to gain access to the computer of a company's CEO in order to take a look at a private project the company is working on, so the type of information I need is that CEO's system login credentials.
- Scenario 1: Spoofed email from the sys administrator + fake page (most common).
Requirements: authentic-looking email template + fake page + email spoofer.
- Scenario 2: Spoofed SMS from the sys administrator + fake page, using an IDN homograph attack (more advanced).
Requirements: well-crafted SMS text + fake page + AWS account (SNS service) + domain name which looks authentic.
Here is some handy information which may help:
- In order to spoof emails you may use what is called a mailer:
You can also use an SMTP account or make use of SET, the Social-Engineer Toolkit.
- In order to generate a fake page, you can use SET or HTTrack.
- In order to generate an authentic-looking email template you can use MailChimp.
- In order to find the victim's email address, a simple Google search, or guessing it from the company's address pattern like the example below, gets the job done:
3- Active attack:
- First scenario:
1/3: Generate a list of targets (see the email-guessing example above).
2/3: Create a template:
For this step, I will be using "SimplyTemplate", a tool which aims to automate 80% of the template generation process. Be aware that this is a modular, Recon-ng-like framework used to generate the email templates to be sent; please take a look at my Recon-ng hands-on article to familiarize yourself with such frameworks. Alternatively, you can use MailChimp.
- Use the (search) command to search for modules by sophistication or by the core options of the templates, which are categorized as Internal (templates that would appear to come from internal departments or employees) and External (templates that would most likely come from external sources).
- Execute the (use) command with the corresponding number and you will be presented with the relevant module menu. If more information is required, the (info) command shows the template variables and a more in-depth explanation.
- After setting the options, the "render" command visualizes the result.
Let's take our template source code:
And paste it into the message field of the mailer or SMTP sender (in the template, the 'Show more' link redirects to the fake page).
3/3: Send the template to the victim; in the inbox it should look something like this:
- Second Scenario:
1/4: Create a fake page as shown above.
2/4: Rent a domain name with hosting, as shown in the IDN homograph exploitation in phishing article.
3/4: upload your fake page.
4/4: Log in to your AWS account and visit the console.
- Navigate to SNS Home:
- Click on Publish message:
- and fill in the form with the message, including the scam page URL.
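The "domain name which looks authentic" in Scenario 2 is an IDN homograph: a registered name whose Unicode letters (Cyrillic or Greek, for instance) render like the Latin letters of the brand being imitated, while the DNS name is the Punycode `xn--` form. The check below is an added example written for this article, not code from the original tutorial or from any tool it mentions: it decodes `xn--` labels, flags labels that mix scripts, and maps a small, constructed subset of Unicode confusables onto Latin so a lookalike can be compared against a list of protected domains. The confusables table, the `protected_domains` parameter and the sample domains are assumptions; a production check would use the full Unicode confusables.txt.

```python
"""Spot IDN homograph lookalikes in a domain before a link from an email or SMS is trusted."""
import unicodedata

# Constructed subset of Unicode confusables: non-Latin letters that render like
# Latin ones. A production check uses the full Unicode confusables.txt table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u03b9": "i", "\u03c1": "p",
    "\u03c4": "t", "\u03ba": "k",
}


def to_unicode(domain):
    """Decode xn-- (Punycode) labels so the check sees what the user sees.

    The punycode codec is used directly rather than Python's idna codec: the
    idna codec's IDNA 2003 tables predate letters such as U+04CF (palochka)
    and would reject them.
    """
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Set of Unicode scripts (LATIN, CYRILLIC, GREEK, ...) used by the letters of a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(text):
    """Replace each confusable letter with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def homograph_findings(domain, protected_domains):
    """Return the reasons a domain looks like a homograph attack (empty list = clean).

    domain may be the wire form (xn--...) or the displayed Unicode form;
    protected_domains is a set of plain-ASCII domains worth impersonating.
    """
    shown = to_unicode(domain)
    findings = []
    for label in shown.split("."):
        used = scripts(label)
        if len(used) > 1:  # e.g. Latin 'p' next to Cyrillic 'а' in one label
            findings.append(f"label {label!r} mixes scripts {sorted(used)}")
    lookalike = skeleton(shown)
    if lookalike != shown and lookalike in protected_domains:
        findings.append(f"{shown!r} renders like protected domain {lookalike!r}")
    return findings


if __name__ == "__main__":
    # The all-Cyrillic lookalike of apple.com; it mixes no scripts, so only the
    # skeleton comparison catches it.
    for d in ("xn--80ak6aa92e.com", "p\u0430ypal.com", "paypal.com"):
        print(d, "->", to_unicode(d), homograph_findings(d, {"apple.com", "paypal.com"}))
```

A mixed-script label is a strong signal on its own, but an attacker who stays within one script (the all-Cyrillic case above) is only caught by the skeleton comparison, so both checks are needed; mixed scripts also occur legitimately in some languages, so treat that finding as a reason to show the raw `xn--` form rather than to block outright.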
Let's talk protection:
Even though phishing in general isn't technically complicated, it still represents a real threat. Whaling, or high-profile fraud, continues to grow by 67 percent, mainly through email campaigns designed to con and steal money, targeting finance departments with emails that look like they come from the company's chief executive.
Thus companies must implement countermeasures in order to prevent such damage. We're talking about protection at every layer!
In fact, companies should agree on a conventional method of communication (for example, any request for credentials or a payment is confirmed over a second, pre-agreed channel), so that a message which breaks the convention stands out. Likewise, stricter email filtering rules should be applied so that spam and spoofed mail never reach employees' inboxes; in particular, publishing SPF, DKIM and DMARC records for the company's domain lets receiving mail servers reject a message whose From: header claims the company's domain without being authenticated by it, which is exactly the "spoofed email from the sys administrator" of Scenario 1. Furthermore, every email should be treated as a potential threat and handled with caution.
As for individuals, I advise you to read the Norton article '7 essential tips to beat phishing scams'.
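What the email filtering described above actually decides is illustrated by the added example below, written for this article rather than taken from the original tutorial or from any tool it names. It builds two constructed messages (not captured traffic): the Scenario 1 email, whose From: header claims the sysadmin but whose envelope sender and SPF result belong to a bulk mailer, and a legitimate one; it then applies a DMARC-style alignment check, asking whether the SPF-authenticated envelope domain or the DKIM-signing domain matches the From: domain. The domain names, the `Authentication-Results` values and the strict/relaxed parameter are assumptions.

```python
"""DMARC-style alignment check: is the From: domain a recipient sees backed by SPF or DKIM?"""
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not captured traffic). The Authentication-Results header
# is what a receiving mail server that verifies SPF/DKIM would add on delivery.
SPOOFED_MSG = """\
Return-Path: <bounce@bulk-mailer.example>
Authentication-Results: mx.company.example; spf=pass smtp.mailfrom=bulk-mailer.example; dkim=none
From: IT Administrator <sysadmin@company.example>
To: ceo@company.example
Subject: Action required: your password expires today

Please sign in within 24 hours to keep your account: http://xn--80ak6aa92e.com/login
"""

LEGIT_MSG = """\
Return-Path: <sysadmin@company.example>
Authentication-Results: mx.company.example; spf=pass smtp.mailfrom=company.example; dkim=pass header.d=company.example
From: IT Administrator <sysadmin@company.example>
To: ceo@company.example
Subject: Scheduled maintenance on Saturday

The mail servers will be offline between 02:00 and 04:00.
"""


def domain_of(address_header):
    """'Name <user@Host.Example>' -> 'host.example'."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header_value):
    """'mx; spf=pass smtp.mailfrom=d; dkim=pass header.d=d' -> {'spf': ('pass', {...}), ...}."""
    results = {}
    clauses = [c.strip() for c in header_value.split(";")][1:]  # drop the authserv-id
    for clause in clauses:
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def dmarc_alignment(raw_message, strict=True):
    """Return the From: domain and whether SPF or DKIM aligns with it.

    strict=True requires an exact domain match (DMARC adkim/aspf = 's');
    strict=False approximates relaxed alignment by comparing the last two
    labels, which is adequate for .com-style domains.
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    def aligned(candidate):
        candidate = candidate.lower()
        if strict:
            return candidate == from_domain
        return candidate.split(".")[-2:] == from_domain.split(".")[-2:]

    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    spf_ok = spf_result == "pass" and aligned(spf_props.get("smtp.mailfrom", ""))
    dkim_ok = dkim_result == "pass" and aligned(dkim_props.get("header.d", ""))
    return {
        "from_domain": from_domain,
        "envelope_domain": domain_of(msg["Return-Path"]),
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(name, dmarc_alignment(raw))
```

The spoofed message passes SPF (the bulk mailer's own domain is allowed to send from its own servers) yet fails DMARC, because neither the SPF domain nor a DKIM signature belongs to company.example; this is why a From: header alone, which any mailer or SMTP account can set freely, proves nothing. The check only means something when the receiving server itself added the Authentication-Results header: an attacker can pre-insert one, so mail servers strip any copy arriving from outside before adding their own.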
To sum up this tutorial:
- We learned what SE, phishing attacks, and whaling are.
- We learned how attackers use publicly available tools to conduct successful whaling campaigns, via two methods.
- We learned how both companies and individuals must protect themselves from fraud attempts before they succeed.