Targeted Psycho-Science Phishing

Creating high yield phishing campaigns using psychological profiling and data science.

A multitude of nation state actors have taken phishing to an advanced level in which they are using targeted detailed to create more high-yield campaigns somewhere upwards of 30%. They are doing this by spending more time creating accurate geographical, psychological warfare, and data science aspect. Even using things such as the Milgram experiments which suggests the power of obedience and the lengths someone would go to if instructed by an authority figure. Psychology such as the “Milgram experiment,’’ is a very interesting experiment on obedience that was conducted before the modern rules about what you’re allowed to do during a psychological exam was implemented.”

Starting off with Advanced Persistent Actors, also referred to as APT’s, use highly targeted phishing campaigns at times when open source information is not limited as such as some targets. One of these APT actors is OilRig, a supposedly Iranian backed hacking group whose targets widely range but always align with Iran’s currently geopolitical goals. This group also has a wide range of open source collection methods in which to locate targeted individuals behavior, by using these tools the group is able to locate outside resources such as social media, forums, Reddit, etc to get sentiment analysis to be able to understand their behavior. By understanding a user/groups behavior gives you the ability to craft a more successful campaign to be carried out against phishing targets for client engagements.

One example of how intelligence collection and open source intelligence frameworks is to locate targeted individuals by being targeted by their current position in the company. One of the following examples shows a 78% success rate of over 338 emails in which the client provided and gave permission to carry out said Phishing Campaign within a week time frame.

The client is located in a leased office building in the middle of a major metropolitan area with limited parking, until the month of the actual penetration test. There was a parking structure being built by the same leasing company in which the current office was located in. By understanding, and grouping the emails into different modifiers such as; “name,location,vehicles, registered,” within a tool such a TLOxp, we are able to see the amount of vehicles in which the employees actually use to commute. Seeing that less than 12% of employees commute via their own vehicle, we see that a psychological reward would be that of free parking. Confirming this with social media posts from a number of employees and contractors of said company, it is seen as one of their top concerns.

So once the psychological profile was created, a phishing email was created and filtered through several tools to confirm it would not be filtered by the Email filter that is currently implemented (which was confirmed via a LinkedIn profile by a security admin on what type of phishing gateway was currently being used). Looking to make sure that certain keywords, domain registered dates, etc would not be a cause for the email to be flagged for phishing email. Once this test was completed, the email was sent and was detailed as the following:

In a 2 hour time frame, over half of the emails had already downloaded the attached PDF and completed the requested data and replied to the email with said PDF. In the following 19 hours the other 28% of users had done the following. This phishing email had a success rate of 78% due to the intelligence and psychology was used to help create the accuracy and usability of the phishing campaign.

This is a current attack method that companies both small and large need to be aware of, some of the ways you can help limit this type of attack (outside of user security awareness training) is limiting the professional social media outlets such as LinkedIn in which an employee can list specific details about the type of technologies are being used. As well as setting your phishing gateway to monitor large amount of emails being sent all at once to large amount of members, and to have it test the domain of the sender emai.

N4IT is a leader in such attacks, and would love to walk you through more in details on how this type of test can help protect your from nation state actors as well as cybercrime actors. Please visit us at:

https://attack.mitre.org/groups/G0049/

https://attack.mitre.org/techniques/T1119/

--

“I am always ready to learn although I do not always like being taught.” — Winston Churchill

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rhett Greenhagen

“I am always ready to learn although I do not always like being taught.” — Winston Churchill