Tales from a Social Engineer – Phishing

Gyles Saunders


Gyles is a consultant at Pentest People who is passionate about social engineering: the methods used and how they work by manipulating the human mind.


Phishing is arguably the single most common topic discussed when social engineering is mentioned. Therefore, I felt like it would be a disservice not to cover it as the first real blog topic for the series.

Every single one of us has received a phishing email. It is one of the reasons the spam folder exists, and something that I think we all accept as part and parcel of having an email address. But is that all there is to phishing? The Nigerian prince wanting to pay me all the monies (for a small upfront fee), mail-order brides, or the all too common fake DPD parcel-tracking pages: these are the basic forms of phishing email or scam, but there is much more to it than that.

July 2014, San Francisco, California. An internal IT security team started work just like any other day, but this day would not be like any other. The team noticed something was wrong and found evidence of an attack, and not just any attack: at the time it was one of the largest corporate data breaches on record. The company was JP Morgan Chase. More than 90 of the company's servers had been “rooted”, meaning that the attackers had achieved root-level privileges, the holy grail of pwning. They owned those servers! But how did a big, secure bank like JP Morgan get breached? In a word, phished. The breach gave the attackers cleartext credentials for many of the bank's employees. They then used those credentials to log into accounts and reach data that would normally have been protected by encryption, which gave them persistence and lateral movement while they quietly attacked and took ownership of servers.


All of this from employees clicking a link in an email, which is a scary thing to wrap your head around: one of the most heavily defended corporate institutions in the world was breached by staff reading their emails. Crazy.

So let's quickly back up a second, as these phishing emails were obviously not your normal Nigerian prince or DPD delivery ones.

What is Phishing?

Phishing is a play on ‘fishing’, as in fishing for information from a target. The ‘ph’ comes from phone phreaking, the manipulation of telephone networks practised by the early hacker scene from the 1960s and 1970s, which became more widely known alongside computer hacking in the late ’80s and early ’90s. Phreaking was a form of telecommunications fraud. Starting to see the link? Fraud and scams grew up alongside that early hacker scene, and in 1996 the term ‘phishing’ was coined for scamming over email (originally targeting AOL account holders) by fishing for account details from targets.

What is Spear Phishing?

Spear phishing is, in essence, a more targeted phish. Think of phishing as the act of casting a wide net: the audience is anybody with an email address, the complexity is low, and it is all about volume. The greater the net, the more chance of catching a phish. A spear-phishing attack, by contrast, takes time and a degree of planning; the attacker needs to understand more about the intended target(s) and write a more coherent and convincing email. This was most likely the method employed against JP Morgan. I suspect (from experience) that the email was crafted to look like an internal one, with a link that, when clicked, redirected the target to a well-crafted login page that looked like the company's staff login page.
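The "internal-looking email with a link to a look-alike login page" pattern above has a mechanical tell: the address a link displays and the address it actually points at are two different things, and the destination host usually only resembles the real one. The script below is an added example written for this article, not code from the original post or from Pentest People; it pulls every link out of an HTML email body and flags the ones whose visible text disagrees with the real destination, or whose host imitates the organisation's domain. The trusted domain (`example-bank.com`), the impostor hosts, the 203.0.113.7 address and the sample email body are all constructed for illustration.

```python
"""Flag links in an e-mail body whose displayed text disagrees with the real
destination, or whose host imitates a trusted domain.

Added example for this article, not code from the original post or from
Pentest People. TRUSTED_DOMAIN, the host names and the e-mail body below are
constructed for illustration (fictional domains, RFC 5737 documentation IP).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-bank.com"  # assumed: the organisation's real domain


class LinkExtractor(HTMLParser):
    """Collect (href, display text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a host name (IP literals are returned unchanged).
    Crude on purpose: production code should consult the public suffix list
    so that names such as example.co.uk are handled correctly."""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    if all(p.isdigit() for p in parts):
        return host
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


URL_LIKE = re.compile(r"(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?")


def check_link(href, text, trusted=TRUSTED_DOMAIN):
    """Return the reasons a link is suspicious (empty list if none)."""
    reasons = []
    host = host_of(href)
    reg = registered_domain(host)
    if not host or reg == trusted:
        return reasons  # mailto:/anchor, or a genuine link on our own domain
    shown_text = text.lower()
    if URL_LIKE.fullmatch(shown_text):
        shown = host_of(shown_text if "://" in shown_text else "http://" + shown_text)
        if shown and registered_domain(shown) != reg:
            reasons.append(f"link text shows {shown} but points at {host}")
    brand = trusted.split(".")[0]
    if brand in host:  # e.g. example-bank.com.<attacker-domain>
        reasons.append(f"{host} embeds '{brand}' but is not under {trusted}")
    elif edit_distance(reg, trusted) <= 2:  # e.g. exampie-bank.com
        reasons.append(f"{reg} is within two edits of {trusted}")
    return reasons


def scan(html):
    """Map every href in the body to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed sample: one genuine link and three styles of impostor.
SAMPLE_EMAIL = """
<p>Your staff SSO password expires today.</p>
<a href="https://intranet.example-bank.com/sso">intranet.example-bank.com</a><br>
<a href="https://exampie-bank.com/sso">https://intranet.example-bank.com/sso</a><br>
<a href="http://example-bank.com.secure-login-portal.net/reset">Reset your password</a><br>
<a href="http://203.0.113.7/sso">https://intranet.example-bank.com/sso</a>
"""

if __name__ == "__main__":
    for href, reasons in scan(SAMPLE_EMAIL).items():
        print(("OK        " if not reasons else "SUSPICIOUS") + " " + href)
        for r in reasons:
            print("    - " + r)
```

Run against the sample, the first link passes and the other three are flagged: the second for both the text/destination mismatch and the one-letter swap (`exampie` for `example`), the third for burying the real brand in a subdomain of an unrelated registered domain, and the fourth for showing a host name while pointing at a bare IP address. The registered-domain logic is deliberately simple; anything beyond a demonstration should use the public suffix list rather than "last two labels".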

What is Whale Phishing?

Whale phishing (or whaling) is the next level: think net, spear, then Moby Dick. Whaling goes after the high-value target, typically a senior executive or someone else with significant access. Using it as an attack vector demands a large degree of planning and research. The attacker needs to learn everything they can about the intended target, conducting vast amounts of OSINT to find that one weakness, and then craft a very personal phishing email unique to the individual. In short, it is a real testament to exploiting human nature. That email could be about your hobby, your children's school, or something so personal to you that it just must be legitimate... right? Because a hacker would not know such unique personal details about you.
