How to conduct a phishing attack on the class

The Results

  • Classmates (41)
    • Copies of the same email to 41 individual emails sent out.
    • 70% click through rate (29)
  • 1 spear phishing email
    • High profile target (Tutor)
    • Targeted and individualised email
    • Success

Victim's Feedback

  • There were a few suspicious flags that were noticed, but these seem clearer in retrospect
    • There's a bit of survivorship bias here, as I've only received feedback from those who clicked through

Key Takeaways

  • The first phishing email I sent after testing it on myself had some technical issues (sorry!), so I wonder whether that person clicked or whether it was an obvious giveaway.
  • Phishing is a numbers game
    • Should not expect a 100% hit rate
  • Lots of ways to increase click-through rate

Factors of Success

  • Timing - it was planned and crafted. I carefully selected the day/time and window of opportunity.
  • Spear phishing takes a lot more effort and thought. I would say it was a lot more difficult and a lot more recon was needed. Recon is actually quite difficult, and once the window of opportunity presented itself, I had a very small window to get it done.

Factors of Failures

  • Some students don't actually check their email so it gets lost in their inbox.
  • The first phishing email I sent after I had tested it on myself had some technical difficulties (sorry!), so I am unsure whether that person clicked or whether it was an obvious giveaway.

The details:

Step 1. Gather emails

Consent

Exercising professionalism, I checked the rules about consent with the tutor.

Only send your emails to fellow students in this course, or to people you know and who have given you consent to try to trick them.

And if they are not fellow classmates, email them first letting them know you are going to try to trick them and get their consent.

He also invited and challenged me to target him.

That being said (and I will announce this to my case study group on OL), I encourage you to try to phish me at ANY TIME during this course. Even beyond week 2! I've found that I still get tripped up even as a facilitator for a year who's done this activity every time.

"Malicious links" were generated by the RickRolling Web App created for the class: https://zzen9201---rick-roller.web.app/login#

It is there to track the user's clicks.

Email Database

From Moodle, we can get a list of all students enrolled in the course. In the spirit of professionalism, we will limit the attacks to these classmates. From there, we can get the corresponding student numbers. These can be transformed into student email addresses by formatting them as: z123456@blah.unsw.blah

There is also an email format of firstname.lastname@blah.unsw.blah, but I thought this might not be reliable.

For each classmate's email, I generated a separate link and prepared to package the malicious (RickRolling) link.

Step 2. Figuring out how to phish

The most basic email one could send is straight from your email account. This could be as simple as:

Hey, I have something you might be interested in. Have a look here: >insert malicious link<

The issue with this is that it would work on some students who are off guard, but the click-through rate would be very low.

To get more success, we need to be more sophisticated.

We can do this by adding more urgency, relevance and authenticity in our plot.

Step 3. Identifying Vulnerabilities

Window of Opportunity

While other students were busy working on and submitting their Job Application on Sunday night, I had to think ahead to a plausible scenario that might lead classmates to click a link.

The most urgent matter for students on Sunday is their Job Application. Submission day is when students tunnel-vision on making the Sunday deadline. No emails would be checked that day.

However, an email with updates would believably be sent out over the next few days. This is when we strike!

Cognitive Vulnerabilities

We learned about a variety of cognitive vulnerabilities in our study.

We can exploit a few of these in our classmates to increase our success.

Blind-spot Bias

We as uni students, even the mature-age ones, are guilty of being reactive when it comes to uni work.

I took advantage of first-mover initiative, expecting that some students were not aware of this exercise at all.

This will bring down their guard.

Confirmation Bias

Second, the expectation of updates to the recent Job Application creates a confirmation bias that masks some of the red flags that might come up.

Recency Bias

Third, if we portray our message as a new update, then we can use this kind of bias to make it more believable.

Step 4. Forging The Email

The copy that was crafted to target the classmates leverages their involvement with the course.

I drafted up an announcement email similar to the OpenLearning platform's announcement and created a fictional honeypot for them to gravitate towards.

Once the target has bought into the narrative, I left the message on a cliffhanger to create some discomfort, which I hoped would create more drive to irrationally click through.

I believe that the students who were more engrossed in the course were more susceptible to this attack than those who were not.

This was later confirmed by the anecdotes of a few classmates who do not check their emails.

One final nuance was that, since I am privy to some of the earlier correspondence from the Tutor, I was able to impersonate him by copying his style of greeting (“Hey all,”) and phrasing.

Well Designed Call To Action

After digging a little into why graphic design can create buttons that make you want to click on them, I came across the idea of the “call to action”.

In short, the blog post notes that things like wording, placement, colours and sizing of the button would subconsciously draw the user into clicking.

HTML emails let us use these non-textual cues to create a subconscious pull towards clicking elements.

In particular, this can be things like the size and colour of the “Read full announcement” button.

By copying the same formatting of the existing emails and meticulously ironing out the grammatical errors, I was able to forge a very similar looking format to the ones sent out by the OpenLearning system.

Step 5. The Tech

Forging a believable-looking email message is useless if the target notices that the sender is a random email address.

This led me to research the email protocol, how email addresses are spoofed, the technical defences, and their workarounds.

SMTP protocol

SMTP is the protocol used to send email.

I didn't realise how simple it is. A bunch of text is sent to the target server, which just accepts and processes it. (There are now extra checks, but I will go through them later.)

Here is an example from Wikipedia:

Email spoofing

Because the protocol is so simple and trusting, any of these fields can be doctored.

If that's the case, then the MAIL FROM field can be anything you want it to be. This is troublesome as you can masquerade as admin@google.com.

Spam filtering

There are now very sophisticated systems set up by email providers on their servers to detect this kind of behaviour.

I had a look at a tool called Espoofer.

Unfortunately, this tool was very technical and a bit out of my depth in terms of the coding knowledge needed to run it, but it was helpful in understanding how spam filtering works at a high level.

Source: ESpoofer

The main systems at play are:

  • SPF: Looks up the sender's domain name and verifies whether the sending server's IP address matches what that domain allows.
  • DKIM: Emails are signed with a key, and the signature is verified to determine whether the email sender is authentic.
  • DMARC: This system I couldn't really understand fully, but it is used when SPF and DKIM fall through.
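As an added example (not the author's code, and not part of the class RickRolling tool), here is a small Python evaluator that applies the SPF/DKIM/DMARC logic above from the receiving side: it reads the verdicts a mail server records in its Authentication-Results header and checks whether a passing result is aligned with the visible From: domain, which is what separates the platform's genuine announcement email from a forged copy of it. The sample headers, the per-domain policy table and the simplified organisational-domain rule are constructed assumptions.

```python
# Added example (not the author's code): a minimal DMARC-style evaluator over
# the SPF/DKIM verdicts a receiving server writes into Authentication-Results.
# Sample headers and the policy table below are constructed for this example.
import re
from email import message_from_string

def org_domain(domain):
    # Simplified "organisational domain": the last two labels. Real DMARC uses
    # the public suffix list, so e.g. "example.co.uk" would differ.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(checked_domain, from_domain):
    # Relaxed alignment: the checked domain shares the From: organisational domain.
    return org_domain(checked_domain) == org_domain(from_domain)

def dmarc_verdict(raw_message, policies):
    """Return (result, action) for one RFC 5322 message given as a string."""
    msg = message_from_string(raw_message)
    from_domain = re.search(r"@([\w.-]+)", msg["From"]).group(1).lower()
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)(?:.*?smtp\.mailfrom=([\w.-]+))?", ar)
    dkim = re.search(r"dkim=(\w+)(?:.*?header\.d=([\w.-]+))?", ar)
    spf_ok = bool(spf and spf.group(1) == "pass" and spf.group(2)
                  and aligned(spf.group(2), from_domain))
    dkim_ok = bool(dkim and dkim.group(1) == "pass" and dkim.group(2)
                   and aligned(dkim.group(2), from_domain))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # Neither check passed for an aligned domain: apply the From: domain's policy
    # (in real deployments this comes from the _dmarc TXT record; here constructed).
    policy = policies.get(org_domain(from_domain), "none")
    return "fail", {"none": "deliver", "quarantine": "junk", "reject": "reject"}[policy]

SAMPLES = {  # constructed messages; the From: domain is the same in all three
    "legit": "From: OpenLearning <noreply@openlearning.com>\n"
             "Authentication-Results: mx.example.edu; dkim=pass header.d=openlearning.com; spf=pass smtp.mailfrom=openlearning.com\n"
             "Subject: Job Application update\n\nbody\n",
    "spoofed": "From: OpenLearning <noreply@openlearning.com>\n"
               "Authentication-Results: mx.example.edu; dkim=none; spf=fail smtp.mailfrom=openlearning.com\n"
               "Subject: Job Application update\n\nbody\n",
    "relayed": "From: OpenLearning <noreply@openlearning.com>\n"
               "Authentication-Results: mx.example.edu; dkim=none; spf=pass smtp.mailfrom=bounce.mailer.example\n"
               "Subject: Job Application update\n\nbody\n",
}
POLICIES = {"openlearning.com": "quarantine"}  # constructed policy table

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, dmarc_verdict(raw, POLICIES))
```

The "relayed" sample is the interesting case: SPF passes, but for the relay's own bounce domain, so it does not vouch for the From: address and the message is still treated as a failure.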

I found this YouTube video to be a good summary of the technologies designed to catch email spoofing.

I found a few methods for spoofing emails.

Here are my findings:

Name                Comment
Espoofer            Very technical, built using Python.
Telnet              Somewhat technical. Tried some tutorials; port 25 is blocked on most IP addresses. I got put on a Spamhaus blacklist. 😭 (I don't know how to get off it!)
https://emkei.cz/   Online form that sends anonymous email that somehow gets past the filters.

Domain white lists

After testing out Emkei's Fake Mailer, I was able to successfully send fake mail to my student email inbox.

It seems that there's a whitelist of domains that are allowed through.

Emails from random domain names, like x@dovetail.com, automatically get sent to the Junk Email folder.

However, official domain names related to the course, like @openlearning.com, seem to be passed directly into the inbox.

Step 6: Launch the attack

Catching the students

Having crafted the email the night before, I launched the hour-long attack on 41 classmates on Monday morning from 9:30am till 10:30am while the kids played with their dad.

By 11:30am, 11 links were triggered. It seems there were a few classmates who check their emails in the morning.

Over the week, one or two more would trickle in, with a large number of students falling victim on Tuesday (perhaps something done during the Tuesday case study group).

Here's an email from a fellow classmate notifying me of getting tricked:

I attribute a large portion of the success of the attack to abusing the trust of the tutor and automated emails from Open Learning.

Catching the Tutor

If I had sent the same email to the Tutor, there would have been red flags since I was using his name. From his perspective, it's activity he had not done, and though he may be curious, there is suspicion and raised awareness.

I did not want this if it could be helped.

By impersonating someone the Tutor deems as a higher authority, like the lecturer, I could exploit the same vulnerability as I did with the other students.

The challenge was a bit more difficult since he is ready for an attack like this, but I was determined to try… There's nothing more satisfying than aiming for your tutor.

This is where leveraging the benign and mundane comes in handy.

For this attack, I prepared for a new window: the end of the webinar.

Sometimes, lecturers send out an email post-webinar. The lecturer hadn't done so before, so I was taking a gamble.

My trick here was to use the announcement to address the classmates but casually reference the Tutor's involvement in something else.

Just like how I used older communications to impersonate the Tutor's speech, I wanted to do the same for Sushmita. However, there were only two posts from her on the forums.

Here are my drafts:

Here, the text is a single line and it didn't feel super compelling. Most cutoffs seem to be on at least line 2. The Tutor does not facilitate both case studies, so the logic breaks down a little.

Here's a different angle that I ended up using.

I wanted to use selective perception for him to fixate on his name and disregard warning bells like the RickRolling link.

Turns out he was reading the email on his mobile, which doesn't show the link on hover, which could otherwise have thwarted my efforts.

Confirming the catch

The Reflection

  • Timing, believability and cognitive biases are huge factors in the success of this kind of attack.
  • I've spent more time on this exercise than the other activities which might degrade the quality of those blog posts.
  • Having sent out emails to all the classmates I could find, everyone is now on high alert. I acknowledge that this would make it much harder for the other students trying out this activity. Sorry! 🙏
  • I found this to be a really enjoyable task to learn about the technologies and psychology behind these kinds of attacks.
  • It was most rewarding seeing people fall for it. I can see that if we were using genuinely malicious links, it would be extremely valuable.
  • Once bitten, twice shy: If I were to repeat the attack, the efficacy would not be as high. By sending emails like this, I have eroded the overall trust in this email type. Victims will be highly suspicious of these regular emails, in a boy-who-cried-wolf scenario.