War Room

Shells from above


Phishing for Days: Utilizing the King Phisher Calendar Invite

November 17, 2015 By Jeremy

With the upcoming release of King Phisher v1.1 comes a new way to phish: through calendar invites.

“Why calendar invites?” you might ask.

Well, when you get a typical calendar invite, how likely are you to read through it thoroughly? People tend to check the sender and, maybe, their availability, and then accept. Only when it's time for the meeting do most recipients open the invite and follow the instructions to attend.

Features

Just like the email vector, this kind of delivery system will prove useful in many ways when conducting phishing engagements:

  • An attachment can be included with the invite. Perhaps a meeting list or a document to review before the meeting?
  • You can include a website. We'll dive a bit deeper into this scenario later on as we step through my latest campaign.
  • Vishing becomes immensely easier. Simply create a conference-call style meeting where the target contacts you at a specified time, rather than placing the call yourself only to reach voicemail or an unknown recipient.

This new addition to the tool, which has all the original functionality of a regular email, will deliver a calendar update to the target with all the typical information you would expect from a normal calendar invite:

  • Meeting Coordinator
  • Date of the meeting
  • Time the meeting is scheduled
  • Length of the meeting

The only limitation we've encountered so far is in the HTML message body of the invite itself. MS Outlook apparently does not process CSS formatting tags in calendar invites, so you'll have the option of text colors, and that's about it. Fortunately, this is not a particularly limiting factor, since the majority of calendar invites aren't that fancy anyway.
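Seen from the receiving side, the fields listed above are exactly what an inbox preview shows, while a link in the body or an attachment is not. The following is an added example, not code from this post or from King Phisher: it parses a constructed iCalendar (RFC 5545) REQUEST and pulls out the organizer, start, length, and every URL and attachment it carries, so a reviewer can see what the preview hides.

```python
import re
from datetime import datetime, timedelta
# Constructed sample invite (not a real capture): glance fields plus a body link and an attachment.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Meeting Coordinator:mailto:coordinator@example.invalid\r\n"
    "DTSTART:20151118T150000Z\r\nDURATION:PT45M\r\n"
    "DESCRIPTION:Join here: https://meeting.example.invalid/join\r\n"
    " ?id=12345\r\n"  # RFC 5545 folded continuation line (leading space)
    "ATTACH;FMTTYPE=application/pdf:https://files.example.invalid/agenda.pdf\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def unfold(text):
    """Join RFC 5545 folded lines: a line break followed by a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)

def vevent_properties(text):
    """Return (name, params, value) for each property inside the first VEVENT."""
    body = unfold(text).split("BEGIN:VEVENT", 1)[1].split("END:VEVENT", 1)[0]
    props = []
    for line in body.splitlines():
        if ":" in line:
            head, value = line.split(":", 1)
            name, _, params = head.partition(";")
            props.append((name.upper(), params, value))
    return props

def parse_duration(value):
    """Parse a simple ISO 8601 duration (e.g. PT45M, P1DT2H) into a timedelta."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value)
    if not m:
        return None
    days, hours, minutes = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)

def summarize_invite(text):
    """Return the glance fields and every URL and attachment the invite carries."""
    out = {"organizer": None, "start": None, "duration": None, "urls": [], "attachments": []}
    for name, _params, value in vevent_properties(text):
        if name == "ORGANIZER":
            out["organizer"] = value.replace("mailto:", "")
        elif name == "DTSTART":
            out["start"] = datetime.strptime(value, "%Y%m%dT%H%M%SZ")
        elif name == "DURATION":
            out["duration"] = parse_duration(value)
        elif name == "ATTACH":
            out["attachments"].append(value)
        out["urls"].extend(re.findall(r"https?://\S+", value))
    return out
```

The URL list is collected from every property, not just DESCRIPTION, so a link hidden in LOCATION or in an ATTACH value is surfaced too.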

Practical Example:

I take special interest in social engineering. For my latest assessment, knowing the new addition to King Phisher was being rolled out, I decided to unleash the kraken: design a fake online-meeting company called MeetMe and create a variety of pages for use with the new calendar invites.

This template includes a join page, where users submit a made-up meeting number, then a login page, if you choose to gather credentials. After that, the user is presented with a status bar which eventually says they need to download the client, which, when run, will of course drop a shell. What more could you ask for in a phish?

MeetMe – Join Meeting Page

The setup is very easy:

    1. Download King Phisher or update the client
    2. Download the template from our templates repo
    3. Configure King Phisher
      • Host the www/ folder on your webserver
      • On the King Phisher client, use the Calendar Invite Settings drop-down to configure your settings
      • Add the normal message.html, source emails, alias and subject line.
    4. Test!

KingPhisher Calendar Invite Configuration

Meeting Invite in Inbox

Testing's always important. Make sure your message looks good both in OWA and in Outlook, or whatever client you're using, and make sure the website works!

That's pretty much it. Calendar invites are a great, innovative way to phish, and I'm excited to see how successful they will be in the future. As of right now, this feature is available in the development branch, but it will be fully available in version 1.1 shortly.

Happy hunting!
