The other day I got a phone call from my father asking me about an email that he got. The content seemed weird to him. It was asking strange questions that he didn’t know the answer to, but he seemed to have the feeling of ‘they know this much about me, therefore it must be legit.’ After I told him it was a phishing scam and to leave it alone, we got into a conversation on ‘how do they know this much about me?’ Rather than rattle on at him like a boring annual training video, I decided to show him in a ‘how-to’ style. It gave him a good understanding of how to identify a phishing email, and also outlined the need for privacy settings and caution with social media. I thought it would be good to share.

How To Make A Phishing Email

The first step in making a spear phishing campaign (a.k.a. the ones that seem to be written just for you) is to do some research. What are they interested in? Where do they work? Hobbies? Family? Recent events? Basically, what topic could you use to get their attention and make them want to act before really thinking about it? For fun, I’ll use my own social media profiles and assume I have no privacy settings on them whatsoever.

Let’s start with Facebook.

I intentionally took a picture of only the top part of my profile because it really has all the information I need. My ‘about’ section shows where I went to school, where I live, and where I work. If you look through the rest of my posts you may see that I do aerial silks, and I have a dog named Bozley, but not much more. For some people, a Facebook profile is enough because it can contain family pictures, including one of your children in front of their elementary school on the first day of school. I have seen this quite a lot. That right there is enough for a dangerous phishing email with a high level of success. Unfortunately, my profile doesn’t give that much information, but it does give me a good next step. I use the information about where I have worked and go to LinkedIn.

My search for ‘Kati Rodzon MAD’ returns nothing, but luckily my last name is unique enough that I get a hit when I just search ‘Rodzon MAD.’ My LinkedIn profile shows that I went to school for almost 10 years. If I am like the majority of people in the US, I had to take out student loans for that and am probably just starting to pay those off. Right now there is a lot of legislation on student loan forgiveness, reduction in interest, etc. It wouldn’t seem weird, and would probably grab my attention, if my spear phishing email focused on this topic. Let’s get writing.


‘To: Katrina Rodzon

From: Robert Hinks <bob@bobinc.co>

Dear Katrina Rodzon,

On March 25th President Obama passed a bill that significantly reduces student loan interest, and in some cases complete loan forgiveness, for those that received financial aid after 2009. Follow the link to register and see if you can benefit from this new legislation.


http://myfederalloanforgiveness.com’


Bear with me, guys. I don’t write the phishing campaigns, I just research them. 😉

The link actually leads to ‘www.bobinc.com’ and asks for all types of information about my student loans. If this email is successful it will get several pieces of valuable PII that are very dangerous in the wrong hands: information like how much I have left in student loans, my SSN, birthday, and so on. It is also vague enough that it could be sent to anyone else who is in a similar situation and still be very successful.

There you have it: a phishing email that seems to be written to me specifically, and it only took two social media profiles and about 10 minutes.

Want more from Kati? Check her out on Twitter and at spaghettimemoirs.com/work.


Katrina Rodzon

Security Program Manager at Bugcrowd, Inc
With an extensive background in behavioral science and influence, Katrina Rodzon applies this unique perspective to the conception and design of effective content, messaging, user experience research and analytics. Kati manages the methodology creation for assessing an organization’s culture, and assists in creating effective social engineering tools and testing scenarios for penetration testing teams.