Crafting sophisticated phishing campaigns is a necessary part of offensive tradecraft for testing security-conscious and complex environments. The old adage goes “a chain is only as strong as its weakest link”. Historically the weakest link has been people, but as organizations have put more resources and focus into testing, attackers have worked to find ways to increase their chances of gaining a foothold through techniques such as spearphishing. Spearphishing is the act of running targeted phishing campaigns against a small group of people who have undergone additional research and evaluation as targets. We will explore the use of machine learning to classify potential spearphishing candidates and share some ideas around automating and scaling these attacks. This may create an opportunity to augment spearphishing efforts and allow offensive security teams to conduct larger engagements with less effort.
Targeted Phishing
A brief introduction to personality classifiers
We won’t dive deep into what personality classifiers are, but think of them along the lines of the Myers-Briggs type indicators you may have seen in a psychology class. Metrics such as extraversion vs. introversion, thinking vs. feeling, sensing vs. intuition, and judging vs. perceiving can be used to describe an individual’s approach to interacting with the outside world. They are not meant to be concrete, and they don’t need to be for our application. Individuals with a certain personality characteristic may be more prone to persuasion. Tools and models that use recurrent neural networks to classify an individual’s personality from the content of their messages are publicly available, but we will specifically be using IBM Watson: https://cloud.ibm.com/apidocs/personality-insights
We will be using these models to analyze targets’ social media information and tune our own model based on the success of these campaigns. Below is a visualization created from a handful of tweets that a popular musician shared, which were then sent to IBM Watson’s Personality Insights. Some subcategories within Agreeableness, such as Susceptibility to stress, Cooperation, and Trust, may be particularly useful.
Getting started
To select our targets we use a personality classifier to score traits for each user identified during OSINT (Open Source Intelligence gathering). Each user’s traits are then compared with the traits of users who proved susceptible in previous campaigns and the personality classifications those users were assigned. From this comparison each user receives a score from the susceptibility classifier. To begin training the susceptibility classifier we can use data from previous campaigns. Post-campaign, we evaluate the effectiveness of the phishing against these personality type indicators, and the susceptibility classifier is updated with the results. Below is a simple diagram showing the entirety of the process for now:
This framework is relatively simple, and we hope to add further user characteristics and classifiers such as user roles, locations, and other publicly accessible information.
Evasion
Proof Pudding
Some spam filters use classification models to detect and prevent spam. Proof Pudding is a Proofpoint evasion tool developed by Will Pearce and Nick Landers from Silent Break Security: https://github.com/moohax/Proof-Pudding. Proof Pudding takes scored datasets and builds machine learning models that use the language from those datasets to evaluate and score an email, then improve the likelihood of a malicious email reaching the inbox by including key phrases and avoiding others. This tool has been successful in our own external penetration tests against Proofpoint and other spam filtering tools that rely on analyzing the language used within an email. More information on how spam scores are evaluated can be found here: https://warroom.rsmus.com/spam-filter-evasion-with-king-phisher/
Initial Opportunities for improvement
- Additional “transforms” or data points that can be used to provide more data about targets.
- Categorizing URLs and URIs that people are likely to click based on interest and generating user specific links.
- User correlation based on organizational roles as well as position susceptibility.
Beyond Text
These personality classifiers can be generated from inputs beyond text. Complex classifiers have been developed that use images, audio, and video. This can be trivial when tone is omitted and speech-to-text or OCR technologies are used, but it becomes more complicated when building classifiers around media that is abstract (e.g. cheering at a baseball game). These types of classifiers are relatively young but will likely become useful as sophisticated learning models become more prevalent. The same trend applies to vishing and WebEx video chat attacks that leverage deepfakes, some of which have recently become nearly indistinguishable from reality and rely on only a single image of an individual:
https://aliaksandrsiarohin.github.io/first-order-model-website/
Defense
Honeypot users are an effective way for organizations to track bad actor activity. Crafting users that appear, according to these models, to be highly susceptible to phishing may give defenders additional opportunities for cyber deception. As always, we should be providing employees with guidance on limiting their public social media presence where possible.
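As an added illustration of the honeypot-user idea (example code written for this page, not part of the original post or any product), the routine below treats any mail delivered to a decoy mailbox as a high-fidelity phishing signal and extracts sender domains as block-list candidates. The decoy addresses, the log line format and the sample log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed decoy mailboxes (hypothetical names): these accounts exist only
# to attract phishing, so any inbound mail to them is suspicious by definition.
DECOY_MAILBOXES = {"j.reyes@example.com", "payroll-lead@example.com"}

# Constructed gateway log format for this example, not any real product's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r'subject="(?P<subject>[^"]*)" urls=(?P<urls>\d+)$'
)

@dataclass(frozen=True)
class DecoyHit:
    ts: str
    sender: str
    rcpt: str
    subject: str
    urls: int

def scan_mail_log(lines, decoys=DECOY_MAILBOXES):
    """Return one DecoyHit per message addressed to a decoy mailbox."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:          # malformed records are skipped, not fatal
            continue
        rcpt = m.group("rcpt").lower()   # addresses compare case-insensitively
        if rcpt in decoys:
            hits.append(DecoyHit(m.group("ts"), m.group("sender").lower(),
                                 rcpt, m.group("subject"), int(m.group("urls"))))
    return hits

def senders_to_block(hits):
    """Sender domains seen hitting a decoy: candidates for a gateway block list."""
    return sorted({h.sender.split("@", 1)[1] for h in hits if "@" in h.sender})

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2024-05-01T09:00:01Z from=<hr@example.com> to=<a.smith@example.com> subject="Benefits update" urls=0',
    '2024-05-01T09:02:14Z from=<ceo@examp1e-corp.test> to=<j.reyes@example.com> subject="Urgent wire request" urls=1',
    'garbage line that does not parse',
    '2024-05-01T09:05:40Z from=<it-support@mail-reset.test> to=<PAYROLL-LEAD@example.com> subject="Password expiring" urls=2',
]

if __name__ == "__main__":
    for hit in scan_mail_log(SAMPLE_LOG):
        print(f"ALERT decoy {hit.rcpt} hit by {hit.sender}: {hit.subject!r}")
```

Because decoy accounts never legitimately receive mail, each hit can be routed straight to an incident queue without the false-positive tuning a content-based filter needs.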
Conclusion
This is a new initiative and very much in the early stages of development. The personality classifiers in use for this program at this time rely on the Personality Insights provided by IBM Watson. The program will require supervision for now, but with time and data it would be encouraging to see the resulting model able to predict the likelihood of a user being phished given a sample of their external presence. Given the nature of phishing, as well as the preferences and experience of different operators, it is important to note that this will be an ongoing project: it does not aim to be a perfect science, but it will hopefully provide guidance over time.