Perfect Phishing Attack: A Penetration Tester’s Perspective



Even if your organization uses top-notch security solutions to keep malicious actors at bay, those efforts are in vain as long as employees keep clicking on phishing links. Cybercriminals know it’s easier to manipulate humans than it is to play with technology. Unsurprisingly, the problem has worsened considerably in light of the COVID-19 crisis which breeds fears and thus gives attackers an added advantage in creating “mental payloads” for effective hoaxes.

Here are some statistics to give you the big picture. According to a recent APWG study, the number of reported phishing attacks doubled in 2020. The average amount requested in fraudulent bank transfers seen in business email compromise (BEC) scams rose from $48,000 in the third quarter to $75,000 in the fourth quarter of that year. Verizon says 36% of all confirmed breaches in 2021 involved phishing.

One of the best ways to build reliable defenses is to think like a phisher. Penetration testing gives white hats actionable insight into the tricks that actually get users hooked, and that knowledge can form the basis of security awareness training that works. With that in mind, here is a summary of the elements of phishing emails that play a major role in getting the recipient to slip up.


The lure: what makes a scam convincing

Generally speaking, every phishing email aims to persuade a user to click a booby-trapped link or download a harmful attachment. In a typical testing exercise, security professionals send employees messages containing a link to a credential-harvesting page or a Microsoft Office document with malicious macros.

In most scenarios, the bait is benign and only lets the white hats record every instance of a link being clicked or an attachment being opened. Sometimes the test attack is more realistic, and the macro-based payload gives the testers remote access to the target computer. This latter tactic not only sheds light on the recipients' security hygiene, it also gives pentesters a sense of how reliable the organization's automated, real-time defenses are.
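To make the "benign bait that records every click" concrete, here is an added example (not code from the original post or from Kratikal) of how a test campaign can hand each recipient an unguessable per-person link and then reduce the web server's access log to who clicked and how fast. The landing host, campaign secret, recipient list and log lines are all constructed for illustration; the tokens are HMACs so one employee cannot guess a colleague's link and skew the numbers.

```python
"""Per-recipient tracking links for a phishing simulation, plus a parser for
the resulting click log. Added example, not code from the original post; the
host, secret, recipients and log lines are constructed for illustration."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

TRACKING_HOST = "https://hr-benefits-portal.example"  # assumption: tester-owned domain
CAMPAIGN_SECRET = b"rotate-this-per-campaign"       # assumption: fresh secret per campaign
RECIPIENTS = ["alice@corp.example", "bob@corp.example", "carol@corp.example"]
SENT_AT = datetime(2021, 12, 6, 9, 0, 0, tzinfo=timezone.utc)  # when the mail went out

# Matches the timestamp and token in a Combined Log Format access-log line.
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "GET /open\?t=(?P<tok>[0-9a-f]{16}) HTTP/')


def recipient_token(email_addr: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Opaque token bound to one recipient: an HMAC over the address, truncated,
    so a token cannot be derived without the campaign secret."""
    mac = hmac.new(secret, email_addr.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def tracking_url(email_addr: str) -> str:
    """The per-recipient link that goes into the test email."""
    return f"{TRACKING_HOST}/open?t={recipient_token(email_addr)}"


def first_clicks(log_lines, recipients, secret=CAMPAIGN_SECRET):
    """Map each recipient to the timestamp of their first click (None if never),
    and count hits with tokens that belong to nobody (scanners, guesses)."""
    by_token = {recipient_token(r, secret): r for r in recipients}
    first = {r: None for r in recipients}
    unknown = 0
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a tracking hit (favicon, crawler, etc.)
        who = by_token.get(m["tok"])
        if who is None:
            unknown += 1
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if first[who] is None or ts < first[who]:
            first[who] = ts
    return first, unknown


def summarize(first, sent_at):
    """Seconds from send to first click for each clicker, and the click rate."""
    seconds = {r: (t - sent_at).total_seconds() for r, t in first.items() if t}
    return seconds, len(seconds) / len(first)


def _log(ts: str, path: str) -> str:
    # Constructed Combined Log Format line, as a web server would record it.
    return f'10.0.0.5 - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# Constructed sample log: alice clicks after 72 s, bob clicks twice, carol never,
# and one hit carries a token that matches no recipient.
SAMPLE_LOG = [
    _log("06/Dec/2021:09:01:12 +0000", f"/open?t={recipient_token('alice@corp.example')}"),
    _log("06/Dec/2021:09:01:13 +0000", "/favicon.ico"),
    _log("06/Dec/2021:09:30:00 +0000", f"/open?t={recipient_token('bob@corp.example')}"),
    _log("06/Dec/2021:09:31:05 +0000", f"/open?t={recipient_token('bob@corp.example')}"),
    _log("06/Dec/2021:10:00:00 +0000", "/open?t=0000000000000000"),
]


def run_sample():
    """Run the parser over the constructed log: (seconds to first click, rate, unknown hits)."""
    first, unknown = first_clicks(SAMPLE_LOG, RECIPIENTS)
    seconds, rate = summarize(first, SENT_AT)
    return seconds, rate, unknown


if __name__ == "__main__":
    for r in RECIPIENTS:
        print(r, tracking_url(r))
    print(run_sample())
```

Only the first click per person is kept, because repeat visits (or a mail gateway's URL sandbox fetching the link) would otherwise inflate the numbers; hits with unknown tokens are counted separately for the same reason.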

One extremely important item on the undercover "phisher's" to-do list is to make the scam email as realistic as possible. The pretext should fit the context of the specific objective.

If the attack is aimed at gaining access to senior management correspondence, the ideal message will appear to come from a colleague or partner whose status in the corporate hierarchy is high enough to arouse the interest and confidence of the executive who is the potential victim.

If the goal is to gain a foothold on a computer used by an accounting department employee, the email will usually mimic some sort of financial report or instructions from their boss to verify bank transfer details.

Most phishing emails push people to do something right away. This feigned urgency causes the target to lose vigilance and make hasty decisions. Proofreading the email also matters: spelling mistakes and other inaccuracies make some employees suspicious, which can ruin the whole plot in the blink of an eye.

Pentesters' key findings

Most phishing test campaigns show that employees are more likely to open email attachments than to submit sensitive information through a web form. Moreover, some users open these files without hesitation within moments of receiving the message.

The most effective email topics relate to company benefits such as employee discounts and partner-company bonus programs. About a third of recipients engage in some way with messages like this. Emails asking staff to read new company policies and other documents associated with the company culture come second.

The success rate increases dramatically if the lure is aligned with current events or breaking news. For example, the December shopping spree is a breeding ground for scams advertising bogus promotions and giveaways. The same period is also ideal for sending files disguised as an updated work schedule for the holidays. Spring 2020 gained notoriety for the massive phishing outbreaks revolving around the coronavirus emergency.

The more targeted the email, the more likely it is to do its job. A little open source intelligence (OSINT) can reveal enough detail to create a spear-phishing message that pulls the right strings. In pentests, personalized emails that target one to three employees often have a 100% success rate. As the range of recipients widens, the topic is obviously more general and the effectiveness decreases.

Unfortunately, assessments show that phishing awareness among most employees remains low despite the unprecedented risks. They routinely overlook red flags such as unknown senders, requests to disclose credentials, and typos in the spoofed company's domain name.
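The sender-side red flags mentioned above (an unknown sender, a typo in the company's domain) can be checked mechanically before the message reaches a human. The following added example (not code from the original post or from Kratikal) inspects a From: header against a small allowlist of the organization's domains and flags typosquats, homoglyph look-alikes, the brand name buried inside an unrelated domain, and display-name impersonation. The domains, brand label and confusable-character table are constructed for illustration and deliberately simplified: there is no Public Suffix List handling and only a handful of confusables, so treat it as the shape of the check rather than a complete filter.

```python
"""Red-flag checks on an email From: header. Added example, not code from the
original post; LEGIT_DOMAINS and BRAND_LABELS are constructed for illustration."""
import email.utils

LEGIT_DOMAINS = {"corp.example", "corp-benefits.example"}  # constructed allowlist
BRAND_LABELS = {"corp"}                                     # constructed brand label

# Tiny confusable table: digits and letter pairs that read alike in a proportional font.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(s: str) -> str:
    """Fold common look-alike characters so 'c0rp' and 'exarnple' compare as 'corp' / 'example'."""
    return s.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) via one-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(from_header: str, legit=LEGIT_DOMAINS, brands=BRAND_LABELS) -> list:
    """Return human-readable warnings for a From: header; an empty list means
    the sender domain is one of ours (or a subdomain of one)."""
    display, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if not domain:
        return ["unparseable sender address"]
    if domain in legit or any(domain.endswith("." + g) for g in legit):
        return []

    flags = []
    # 1. Look-alikes of our own domains: exact match after confusable folding,
    #    or within two edits (crop.example, corp.exmaple, ...).
    for good in sorted(legit):
        d = levenshtein(normalize(domain), normalize(good))
        if d == 0:
            flags.append(f"homoglyph look-alike of {good}")
        elif d <= 2:
            flags.append(f"typosquat of {good} (edit distance {d})")
    # 2. Our brand used as a label in someone else's domain (corp.example.evil.test,
    #    corp-login.test), and 3. a display name that claims to be us.
    parts = {normalize(p) for label in domain.split(".") for p in label.split("-")}
    for b in sorted(brands):
        if b in parts:
            flags.append(f"brand label '{b}' inside unrelated domain {domain}")
        if display and b in normalize(display):
            flags.append(f"display name '{display}' mentions '{b}' but sender is {domain}")
    return flags or ["external sender, not in allowlist"]


if __name__ == "__main__":
    for hdr in ["HR <hr@corp.example>", "hr@crop.example", "hr@c0rp.example",
                "Corp Payroll <payroll@corp.example.evil.test>", "friend@unrelated.test"]:
        print(hdr, "->", red_flags(hdr))
```

Both sides of every comparison are normalized, so a legitimate domain that happens to contain "rn" is folded the same way as the candidate and does not produce a false positive against itself; the edit-distance threshold of two is a judgement call and should be tuned against the organization's real mail flow.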

How to protect yourself from phishing?

In most cases, it is not hard to see through a phisher's ruse, but some attacks are sophisticated enough to slip under the radar. Either way, business leaders should keep the following in mind:

  • Every employee should take email security seriously and think twice before clicking a link or downloading a file that may carry malware, no matter how trustworthy it seems.
  • An organization can't go wrong with a reliable Secure Email Gateway (SEG) solution that identifies and blocks most phishing emails.
  • Security awareness training for personnel, using tools such as ThreatCop, is a must.
  • Company IT teams should educate employees about the latest phishing tactics and the malicious email templates currently in rotation.

Written by: David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs projects that feature expert opinions on contemporary information security issues, including social engineering, malware, penetration testing, threat intelligence, online privacy and white hat hacking. David has a strong background in malware troubleshooting, with a recent focus on ransomware countermeasures.


The Perfect Phishing Attack: A Penetration Tester’s Perspective post first appeared on Kratikal Blogs.

*** This is a syndicated Security Bloggers Network blog from Kratikal Blogs written by Kratikal. Read the original post at:


