
Social Engineering - Phishing Emails: Part II
Disclaimer: For educational purposes only.
In Part I, we learned how to create a fake phishing website and how to generate a link to send to a target. Now, you will learn the basics of how targets are selected and how emails are sent in phishing campaigns.
The following guide does not provide all the steps needed to successfully carry out a phishing attack. The goal is to better understand how attacks can be pulled off, in order to learn how to better defend against them.
Understand your target
Let’s imagine you are targeting company.com. You can start by performing basic OSINT to find email addresses from that company. Does the company have a blog? It might be leaking company addresses at the end of each post. Search the company domain at Hunter.io and notice the patterns in email addresses, e.g. {firstname}@company.com or {firstname}_{lastname}@company.com. Then, you can use a tool like CrossLinked, which scrapes the company's employees from LinkedIn, to generate a list of possible emails that follow that pattern.
When you have your list of emails, you can check whether they exist with emailHIPPO or Email-Checker.net. Or even better, if you suspect the company might be using Gmail addresses, try to sign in with that email address. If the account exists, you will be prompted to enter the password; otherwise you will get an explicit error message stating that the account could not be found.
Send the Email
The best guarantee for an email to land in the inbox is for it to be sent from a real domain that you own or have access to. To do actual phishing you’ll need to use a real domain that looks legit for the purpose of the campaign, or to find an SMTP server or relay that allows sending emails from unverified domains. You can also set up your own SMTP server. Note that your own server might be blocked by email filters because emails are not sent from a regular SMTP server. To use an SMTP server to send an email you can follow this guide.
The emails can also be sent using an API from companies that provide that service. Please find an example below. It is a Python script that I used to send an email, using a free domain configured on MailerSend, to a test Gmail account:
from mailersend import emails

mailer = emails.NewEmail('API_KEY')

# define an empty dict to populate with mail values
mail_body = {}

mail_from = {
    "name": "Your Name",
    "email": "your@name.com",
}

recipients = [
    {
        "name": "Your Client",
        "email": "your@client.com",
    }
]

cc = [
    {
        "name": "CC",
        "email": "cc@client.com"
    }
]

bcc = [
    {
        "name": "BCC",
        "email": "bcc@client.com"
    }
]

mailer.set_mail_from(mail_from, mail_body)
mailer.set_mail_to(recipients, mail_body)
mailer.set_subject("Hello!", mail_body)
mailer.set_html_content("This is the HTML content", mail_body)
mailer.set_plaintext_content("This is the text content", mail_body)
mailer.set_cc_recipients(cc, mail_body)
mailer.set_bcc_recipients(bcc, mail_body)

mailer.send(mail_body)
If you prefer to work with a graphical interface instead of using scripts or the terminal, take a look at Gophish.
A lot of methods seen online no longer work due to required domain validation (e.g. Sendinblue/Brevo) or because the emails end up in the spam folder. So, do not trust any content creator blindly without actually testing the method. It could have worked when the tutorial/video was made but might no longer work today.
A couple of interesting articles on this subject: Phishers exploit Google’s SMTP Relay service to deliver spoofed Emails and Two Ongoing Phishing Campaigns Using Microsoft’s Azure Blob Storage.
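The receiving side of the filtering described above, as an added example that is not part of the original post: a triage function that reads the SPF/DKIM/DMARC verdicts a mail server records in the `Authentication-Results` header, compares the envelope and From domains, and flags senders that resemble the protected domain. The server name `mx.example.net`, the 0.8 similarity threshold and both sample messages are constructed assumptions; `company.com` is the page's example domain.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

PROTECTED = "company.com"       # assumption: the domain being defended
AUTHSERV_ID = "mx.example.net"  # assumption: the identity your own mail server stamps

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_verdicts(msg):
    """spf/dkim/dmarc verdicts, read only from headers added by our own server."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";")[0].strip().lower() != AUTHSERV_ID:
            continue  # a header stamped by anyone else may have been added by the sender
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value.lower()):
            verdicts.setdefault(method, verdict)
    return verdicts

def triage(raw):
    """Return the reasons a received message deserves a closer look."""
    msg = message_from_string(raw)
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    verdicts = auth_verdicts(msg)
    reasons = [f"{m}={verdicts.get(m, 'missing')}"
               for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    # Weak signal on its own: legitimate bulk senders also use a separate bounce domain.
    if env_dom and env_dom != from_dom and not env_dom.endswith("." + from_dom):
        reasons.append(f"envelope domain {env_dom} differs from From domain {from_dom}")
    # Look-alike of the protected domain, by plain string similarity.
    if from_dom != PROTECTED and SequenceMatcher(None, from_dom, PROTECTED).ratio() >= 0.8:
        reasons.append(f"{from_dom} resembles {PROTECTED}")
    return reasons

# Constructed sample messages, not real traffic.
LEGIT = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=company.com;"
    " dkim=pass header.d=company.com; dmarc=pass header.from=company.com\n"
    "Return-Path: <hr@company.com>\nFrom: HR <hr@company.com>\n\nSee the calendar.\n"
)
SUSPECT = (
    "Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=relay.example.org;"
    " dkim=none; dmarc=fail header.from=cornpany.com\n"
    "Return-Path: <bounce@relay.example.org>\nFrom: HR <hr@cornpany.com>\n\nPassword expiry.\n"
)
```

`triage(LEGIT)` returns an empty list, while `triage(SUSPECT)` returns the three failing verdicts, the envelope mismatch and the look-alike finding.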
In Part III, I’ll provide some guidance on how to identify a phishing attack and on basic defensive measures that can be applied to prevent them.