With the upcoming release of King Phisher v1.1 comes a new way to phish: through calendar invites.
“Why calendar invites?” you might ask.
Well, when you get a typical calendar invite, how likely are you to read through it thoroughly? People tend to check the sender and, maybe, their availability, and then accept. Only when it's time for the meeting do most recipients open the invite and follow the instructions to attend.
Just like the plain email vector, this delivery method is useful in a number of ways when conducting phishing engagements:
- An attachment can be included with the invite. Perhaps an agenda or a document to review before the meeting?
- You can include a website link. We'll dive deeper into this scenario later on as we step through my latest campaign.
- Vishing becomes much easier. Simply create a conference-call style meeting so that the target calls you at a specified time, rather than making the call yourself only to reach voicemail or the wrong person.
This new addition to the tool, which keeps all the functionality of a regular email message, delivers a calendar invite to the target with all the information you would expect from a normal meeting request:
- Meeting Coordinator
- Date of the meeting
- Time the meeting is scheduled
- Length of the meeting
The only limitation we've encountered so far is in the HTML body of the invite itself. MS Outlook does not process CSS in calendar invites, so text colours (set with plain HTML attributes) are about all the formatting you get. Fortunately, this is not particularly limiting, since the majority of real calendar invites aren't very fancy either.
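To make concrete what actually goes over the wire, here is an added example (my own code, not King Phisher's implementation) that builds such an invite in Python with only the standard library: a multipart/alternative message whose text/calendar part carries METHOD:REQUEST together with the coordinator (ORGANIZER), date and time (DTSTART) and length (DTEND) fields listed above, and an HTML body that sticks to a `<font color>` attribute because of the CSS limitation just described. Every name, address, hostname and UID in it (coordinator@example.invalid, meetme.example.invalid and so on) is a placeholder I made up; King Phisher's own code may structure the message differently.

```python
"""Construct a calendar-invite phishing e-mail.

Added example, not King Phisher code.  A client such as Outlook or OWA shows
Accept/Decline buttons when a message carries a text/calendar MIME part whose
iCalendar body has METHOD:REQUEST.  All addresses, hostnames, names and the UID
below are made-up placeholders.
"""
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import make_msgid


def ics_time(dt):
    """RFC 5545 UTC DATE-TIME, e.g. 20170315T140000Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")


def fold(line):
    """Fold a content line at 74 characters (RFC 5545 s.3.1; ASCII input assumed)."""
    chunks = []
    while len(line) > 74:
        chunks.append(line[:74])
        line = " " + line[74:]  # continuation lines begin with a single space
    chunks.append(line)
    return "\r\n".join(chunks)


def build_invite_ics(organizer, attendee, summary, start, length, location, uid, stamp):
    """Return a METHOD:REQUEST iCalendar body.

    organizer and attendee are (display name, address) tuples; length is a timedelta.
    """
    props = [
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//Example Phish Kit//EN",  # placeholder product id
        "METHOD:REQUEST",                   # this is what makes it a meeting request
        "BEGIN:VEVENT",
        f"UID:{uid}",
        f"DTSTAMP:{ics_time(stamp)}",
        f"DTSTART:{ics_time(start)}",            # date and time of the meeting
        f"DTEND:{ics_time(start + length)}",     # length, expressed as the end time
        f"SUMMARY:{summary}",
        f"LOCATION:{location}",                  # where the phishing link points
        f"ORGANIZER;CN={organizer[0]}:mailto:{organizer[1]}",  # meeting coordinator
        f"ATTENDEE;CN={attendee[0]};ROLE=REQ-PARTICIPANT;RSVP=TRUE:mailto:{attendee[1]}",
        "END:VEVENT",
        "END:VCALENDAR",
    ]
    return "\r\n".join(fold(p) for p in props) + "\r\n"


def build_invite_message(sender, recipient, subject, html_body, ics):
    """Wrap plain-text, HTML and calendar alternatives into one message.

    The text/calendar part goes last because clients pick the last alternative
    they understand; method=REQUEST on its Content-Type tells Outlook to treat
    it as a meeting request rather than an ordinary attachment.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Message-ID"] = make_msgid(domain="example.invalid")  # placeholder domain
    msg.set_content("You have been invited to a meeting. Open the invite for details.")
    msg.add_alternative(html_body, subtype="html")
    msg.add_alternative(ics, subtype="calendar", params={"method": "REQUEST"})
    return msg


def calendar_part(msg):
    """Return the decoded text/calendar body of a message, or None if absent."""
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            return part.get_content()
    return None


def demo_invite():
    """Build one invite from fixed, constructed values (deterministic for testing)."""
    start = datetime(2017, 3, 15, 14, 0, tzinfo=timezone.utc)
    ics = build_invite_ics(
        organizer=("Meeting Coordinator", "coordinator@example.invalid"),
        attendee=("Target User", "target@example.invalid"),
        summary="Quarterly review: please join via MeetMe",
        start=start,
        length=timedelta(minutes=30),
        location="https://meetme.example.invalid/join?id=123456",
        uid="20170315-123456@example.invalid",
        stamp=datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc),
    )
    # Only a <font color> attribute: Outlook drops CSS in invite bodies.
    html = ('<html><body><p>Please join at '
            '<font color="#1a73e8">https://meetme.example.invalid/join?id=123456</font>'
            '</p></body></html>')
    return build_invite_message(
        "Meeting Coordinator <coordinator@example.invalid>",
        "target@example.invalid",
        "Quarterly review",
        html,
        ics,
    )


if __name__ == "__main__":
    print(demo_invite().as_string())
```

Running the script prints the full MIME message; the interesting part for anyone writing detection rules is the `text/calendar; method="REQUEST"` alternative, since that, not the subject line or the HTML, is what turns an email into a meeting request with a clickable location.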
I take a special interest in social engineering. For my latest assessment, knowing the new addition to King Phisher was being rolled out, I decided to unleash the kraken: I designed a fake online-meeting company called MeetMe and created a set of pages for use with the new calendar invites.
This template includes a join page, where the user enters the (made-up) meeting number from the invite, then a login page if you want to gather credentials. After that, the user is shown a progress bar that eventually tells them they need to download the meeting client, which, when run, drops a shell. What more could you ask for in a phish?
The setup is very easy:
- Download King Phisher or update the client
- Download the template from our templates repo
- Configure King Phisher
- Host the www/ folder on your webserver
- On the King Phisher client, use the Calendar Invite Settings drop-down to configure your settings
- Add the usual message.html, source email address, alias and subject line.
Testing is always important. Make sure your message renders correctly in both OWA and Outlook (or whatever client your targets use), and make sure the website works!
That's pretty much it. Calendar invites are a great, innovative way to phish, and we're excited to see how successful they turn out to be. Right now this feature is available in the development branch; it will ship with version 1.1 shortly.