This is a work of satire; we do not condone any of the actions described here. It is meant to be a somewhat comical example of the process an attacker would go through to gain access to business systems. From this perspective, we can see many points that would disrupt the attacker's ability to successfully compromise a business. We have intentionally left out detail and crucial steps in these processes so that this information is not used for nefarious purposes.


—————


Alright folks, [email protected] here with a simple new guide.  Use these tricks to get whatever you want.


It doesn’t really matter what you want, if you do it right – this will get it for you:

  • Money
  • Company Secrets
  • Even… complete control


Now, it goes without saying that I'd only advise doing these things from somewhere safe – you'll want to set up your hacker tools so that you can't be tracked, otherwise you could get in some serious trouble.


First step – Target finding

The first thing you have to do is know your target.  If you’re going after a specific company you can skip this step, but for everyone else it’s important to find soft targets.  Here’s what we’re looking for:


We want a business that has whatever it is you're after and looks like it doesn't invest much in IT. That's pretty much it! There are a few shortcuts to finding these, so if you don't want to hunt for them yourself:

  1. Buy a list of known good targets; they're surprisingly inexpensive for the return you're about to get
    1. If you're really lazy, just buy access to infected machines from dark web forums. Pretty easy for you hackers to find, so I won't list any here – they're always changing anyway
  2. Use lists published by other third parties, such as government agencies that register businesses
  3. Use a list of targets from one of your previous exploits, such as contacts you gathered from previous phishing attempts.


Second step – Recon

The next step is debatable – you might skip around if you're heavily automating – but we won't be, so we're going to gather our own information.


Once you have your list of companies, you'll want to gather some fundamental information about them.

  • Hours of operation
  • When they were founded
  • Key employees' names, phone numbers, and email addresses
  • Social media history of the company and its key employees
  • Knowledge of any vendors or major clients


If you can't get the information above, you can try calling them and just asking – most people will willingly give you this information when asked the right way. For example, if you're looking for the boss's information, just call and pretend to be a salesperson looking to talk to him. Make sure you sound as scummy as possible so they don't pass you on and instead give you his email address; it'd be a waste of time to actually talk to him if you're only looking for his email address.

Take a quick look in your leaked password database to see if any of those key employees' passwords have been leaked – as of this writing you should have around 450 major breaches loaded in there, so the odds are good. Go ahead and try those passwords to see if you can get into their email, but if not, don't worry – we can still send email as them in a couple of ways.


If you find out during recon that they're not a soft target, I'd advise just skipping them entirely. There's no sense wasting time on people who are either going to catch on too quickly or have equipment/policies that stop your attack from being successful. Just one of these won't stop you, but if you see a lot of them then it might be game over. Here's what to watch out for:

  • Corporate firewalls
  • Emails pass through a dedicated spam filter
  • Internal website is fully updated and runs security plugins
  • Website doesn't contain any employee email addresses, which shows someone there is aware of our bots
  • None of the leaked passwords match, even recent ones, indicating they might do deep web scanning
  • All of their passwords in the database are randomly generated, which indicates a password manager
  • Key employees have an IT security background
  • They have an IT vendor handling IT security
    • Quick note on this one: not all vendors are competent – I'd check them out too, but cautiously
  • You gain remote access to a computer and find that it has high-end endpoint security software
    • Or worse – endpoint detection and response software


Third step – The phish

OK, now that we've spent about 15 minutes gathering some baseline information, we'll put together the email.


If you got access to one of the key employees' email accounts but you don't have what you're looking for yet, just send the emails from their account.


If not, we'll send the mail from some other account and just change the display name to theirs. The email might list something else as the from address, but tons of people just read the display name anyway.
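The display-name trick above is one that a mail gateway can catch mechanically. As an added example (not part of the original post), here is a Python check that flags inbound From headers whose display name matches a known employee, or looks like an internal address, while the real sender address is on an outside domain; the staff list, company domain and sample headers are constructed assumptions.

```python
import difflib
from email.utils import parseaddr

# Constructed directory of key employees and the company's own domain
# (assumptions for this example; a real check would load these from HR or the IdP).
COMPANY_DOMAIN = "example.com"
KNOWN_STAFF = ["Pat Boss", "Chris Finance"]

def normalize_name(name: str) -> str:
    """Collapse case, dots, commas and extra spaces so 'PAT. Boss' == 'pat boss'."""
    return " ".join(name.replace(".", " ").replace(",", " ").split()).lower()

def is_impersonation(from_header: str, threshold: float = 0.85) -> bool:
    """True when the display name poses as a known employee (or as an internal
    address) while the actual sender address is on an outside domain."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return False                      # unparseable; leave it to other filters
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == COMPANY_DOMAIN:
        return False                      # same domain: SPF/DKIM/DMARC alignment covers this
    # Trick 1: the display name is itself an internal-looking address.
    if "@" + COMPANY_DOMAIN in display.lower():
        return True
    # Trick 2: the display name matches or nearly matches a key employee.
    shown = normalize_name(display)
    if not shown:
        return False
    for staff in KNOWN_STAFF:
        if difflib.SequenceMatcher(None, shown, normalize_name(staff)).ratio() >= threshold:
            return True
    return False

def flag_messages(from_headers):
    """Return the From headers that look like display-name impersonation."""
    return [h for h in from_headers if is_impersonation(h)]

# Constructed sample headers: one real internal mail, two lookalikes, one benign vendor.
SAMPLE_FROM_HEADERS = [
    '"Pat Boss" <pat.boss@example.com>',
    '"Pat Boss" <patboss.ceo@freemail.example.net>',
    '"pat.boss@example.com" <noreply@mail.example.org>',
    '"Dana Vendor" <dana@vendor.example.org>',
]

if __name__ == "__main__":
    for header in flag_messages(SAMPLE_FROM_HEADERS):
        print("SUSPECT:", header)
```

Genuinely internal mail is passed through here because the From domain is the company's own; whether that mail is really internal is the job of SPF, DKIM and DMARC alignment, not this check.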


Now, I'm not going to write your email template for you – too many people would use it and spam filters would adapt, which would make it useless. Instead, here's some guidance on writing your own:

  1. If you're sending a lot of these, make sure your email template has at least a few grammatical errors and other red flags. It'll cut down the amount of wasted effort on your part – there's no sense trying to phish people who are too smart to fall for it; we want soft targets for easy wins.
  2. Make sure you establish urgency in your email; it has to be something that needs to be done right now
  3. Be ready for a response. If you get one you're most of the way home – they probably already believe you are who you say you are, now you just have to convince them to take action. The faster you respond, the less time they have to think about it and doubt themselves.
  4. Here are some common tropes:
    1. I have a big deal going through and need you to wire money here: an account you control
    2. Can you plug your password in to see if single sign-on is working on this site I'm testing: a website you've set up to collect passwords
    3. I'm at a conference/event/whatever (look at their calendar), I need you to purchase some gift cards and send me the codes for prizes
    4. I'm having trouble opening this file – could you give it a try?


Fourth step – Wait

Just remember, there's no need to be hasty – most people don't find breaches for 200+ days. If you get partial access but need to wait for some other event to pull off the phish, don't worry about it, you have plenty of time! Need to wait for the boss's big trip so you can ask the finance officer to send a Western Union transfer? No problem! Need to wait for IT to all be at a convention so you can get free rein over the network and lock them out without a fight? No problem! Especially if you haven't gone past the recon stage, you can always just wait and keep them on the back burner, waiting for a vulnerability to pop up.


If you're going to be taking remote control, it's always a good idea to do it when everyone is going to be asleep or otherwise occupied away from the office. There's no need to be doing it in the daytime when someone could see what you're doing. As long as there's nothing stopping you from logging in and doing your work at unusual times, you might as well not take the extra risk.


Fifth step – Automate

Once you've pulled off a few of these, you should have enough funds to tide you over while you automate some of your workflow. You might want to start with a bot that crawls the web looking for outdated websites with email addresses just sitting on the contact page – that's usually a great sign that they're ripe for the picking. After that, here are some suggestions:


  1. Automate looking up breached passwords in your leaked password database by the domain of the ripe website or email address you found
  2. Automate trying to log in to email with those passwords
  3. Automate sending a generic phishing email – even if all you get is other users' passwords, that's still great. Download their contacts and send the phish on to every one of them; when this chain reaction goes off those email addresses add up quickly – and you can sell the addresses! This is basically free monthly recurring revenue with little to no effort after you write the scripts!


Anyway, there's way more you can do if you get full remote access – and we haven't even touched the fun stuff like deepfakes and social engineering. So stay tuned, fellow hackers – 'til next time *tips fedora*.


//[email protected] out.