How Toofr checks email addresses

What we can learn from how cyber criminals run phishing campaigns

Smart and competent IT managers are responsible for protecting websites, servers, and other network devices. They use modern tools and techniques. However, the protection and security training of end users, support staff, secretaries and other workers leaves a lot to be desired.

As numerous reports show, phishing is often the most common option for cyber criminals to access the target system. In this article, we're going to look at specific techniques and tools used in phishing to help your business better understand and combat the threat.

Let's start from the beginning, or rather with the definition of phishing. Phishing is a type of scam designed to access sensitive user information, such as usernames, passwords, and PIN numbers.

What methods do crooks use? The most popular methods are;

  • Sending fake emails with malicious links or attachments;
  • Creating fake websites;
  • Fake personal messages on social networks and other means of communication;
  • "Scattering" flash drives (physical layer)

Let's take a closer look at the process of creating web resources for phishing. This process is one of the most widely used and an integral part of other cyber attacks.

This article looks at the order of actions in a phishing campaign, as well as assistance tools.

See also: 50+ Phishing Statistics and Facts for 2017-2018


Select a domain

First, hackers register a domain that hosts their malicious web service \ resource.

  • Common techniques include replacing visually similar characters: i -> l
  • Character substitution with Punycode
  • Register any domain name using a subdomain with a target name that appears at the beginning, such as It is very effective for mobile clients where the address bar is shrunk in most of the cases due to the screen size.
  • Register the exact same domain in a different zone, e.g. B.
  • Use something "original" like
  • Using special software that implements some of the methods described, e.g. B. EvilURL and DomainFuzz.

Company employees should be instructed at all times Check the domain for inconsistencies both in the URL bar of your browser and after the @ symbol in e-mail addresses.

After selecting the site name, hackers bind it to an IP address and configure additional functions.

It is common for hackers to use popular hosting services that allow access to the admin panel where everything can be configured with a few clicks. For example, they can rent a VPS from DigitalOcean for $ 5 per month.

In the next steps, SPF, DKIM and DMARC are configured:

  • SPF (Sender Policy Framework) is a DNS text record that displays a list of servers that are allowed to send email for a given domain.
  • 2) DKIM (DomainKeys Identified Mail) should instead be viewed as a method of verifying whether the content of the messages can be trusted. This means that once the message left the original mail server, it was not changed. This additional level of trust is achieved by implementing the standard public / private key signature process.
  • 3) Domain-based Message Authentication, Reporting and Conformance (DMARC) allows SPF and DKIM to set a unique policy that is used both for the above tools and for setting an address to send reports on email message statistics should be collected from recipients against the specific domain.

If you want to send phishing messages via email, you need to add domain-associated email accounts. The actual sending tasks can be delegated to third party services, which can be helpful in some cases. For example crooks use legitimate services like SendGrid, Mandrill, GMail for Business.

The next step is to issue an SSL certificate for the phishing domain. This allows the hacker to enable HTTPS on their fake website, which gives the victims more confidence in the website. In the past, HTTPS was usually indicative of a legitimate website. However, this is no longer always the case and the company's employees should be made aware of this.

Let's Encrypt works great for this. There are many deployment scripts for this, depending on the web server used.

To enable HTTPS on your website, the hacker must obtain a certificate (a type of file) from a Certificate Authority (CA). Let's Encrypt is a certification authority. To get a certificate for the domain of your website from Let's Encrypt, all you have to do is demonstrate control of the domain. In addition, numerous hosting providers offer free integrated support for Let's Encrypt.

Making fake copies of legitimate websites

Phishing relies on fake websites that are identical to legitimate websites to trick victims into entering private information such as a password. The first option is to copy the authentic site either manually using the browser or using GNU Wget. It requires changing links, copying styles and images, determining what requests are being sent when users try to authenticate on the page, and creating a script that copies the data sent to them.

At the end, some of you may redirect to the original page. There are many examples of such scripts on the internet.

With this in mind, the company's employees should be made aware of this Phishing websites can look completely identical to the authentic website They pretend to be such. Hence, appearance is not a good way to judge whether or not a website is legitimate.

The second option is to use the social engineer toolkit. In general, this is not the best option as it is its own web server. Phishing frameworks include Gophish and King Phisher

Sending phishing emails

Phishing scammers have to collect many email addresses. Where from? There are many opportunities:

  • From the target website. Software and services include: Free Online Email Extraction, Email Hippo Email Extraction, Email Grabber.
  • Use a service such as MxToolbox, for DNS and Whois data
  • Simple brute force.
  • From social networks like LinkedIn, Facebook.
  • Specialized email databases: Hunter, Toofr.
  • From popular search engines.
  • From all types of leaked databases (sometimes email addresses go together with a valid password): Snusbase, We Leak Info.
  • Special OSINT software, for example Maltego.

The topic of an OSINT (Open Source Intelligence) is beyond the scope of this article, but I will give you some links where you can learn more about the services, approaches and tools available: OSINT Framework, Awesome OSINT Good OSINT can be used for targeted phishing Attacks can be very helpful, but the labor cost is quite high and rarely used in low-level attacks.

Company employees should assume that all of their email addresses are publicly available and anyone, including cheaters, can attack them.

Create phishing emails

Once the email addresses have been collected, it is time to run a test email campaign. Crooks usually do this through a separate domain. Test campaigns help to understand what a typical corporate email message looks like, what signatures look like, the general format of the message, its headings, any anti-spam tools, the email client used, and other things.

Most companies use their own signature design that includes the employee's full name, position, contact information, etc. Hackers just copy it, paying attention to the structure, visual design (color, font), etc.

Each email contains headers that indicate whether a filtering system is being used, or information about specific email clients or web interfaces.

Speaking of spam filters, scammers test their messages with SpamAssassin on a separate system before sending new emails. SpamAssassin provides a "score" - a subjective assessment of the likelihood that a particular email is spam. At this point, you can make changes before actually sending any emails to make sure it doesn't get caught in spam filters.

As for that Subject From the email, simple and common are used:

  • Please sign the documents
  • survey
  • Work schedule for holidays

If the letter is in HTML format and there are links to third-party resources (styles, images), some email clients block this content by default, although it can be unblocked by the user. Hackers use social engineering tricks to get users to click. For example, a message can prompt users to view an infographic or a coupon.

Company employees should be instructed to look out for these common tricks andNever click on links or attachments in unsolicited email.

Sometimes crooks specify multiple recipients (the Cc header) within the same company. Sometimes they use Fwd or re in the subject line - all of this builds trust.

See also: Common phishing scams

Email attachments

Once the text is ready, it's time to move on to the attachments. Hackers may not just be interested in getting victims to open emails. They may also want to infiltrate the recipient's device with malware, and email attachments are a great way to do this.

What do crooks usually send? Basically, Microsoft Office documents and sometimes archives. Sending typical executable extensions (.exe) is almost 100% stopped by a spam filter. It's strange, but companies filter almost all potentially dangerous file extensions in attachments, however Loop through RAR, ZIP and other archives.

The following options are used for Office documents:

  • All kinds of public security vulnerability exploits;
  • Macros;
  • Dynamic data exchange;
  • OLE;
  • Less common file formats like HTA. Sometimes it is possible to find exploits or vulnerabilities.

When hackers just want to register one attempt to open a file, they have a few options:

  • Access to an external source (sometimes with the possibility of losing useful data)
  • Sign the document with a digital certificate
  • Monitoring of contact with the CRL or timestamp servers.

Again,Employees should never click on attachments in unsolicited email Be especially careful with Microsoft Office documents and compressed files.

Social networks

For social networks and other means of communication, the approach is not that different from general email phishing. Darknet forums contain dumps with copies of personal correspondence and chats. These are aimed at establishing a trustworthy relationship with a victim that will result in a malicious link or file being sent to them.

Company employees should be aware that they can be contacted through both social media and email.

Physical media

Hackers could leave USB sticks or other physical media lying around to trick victims into plugging them into their personal devices. Tactics vary widely, but there is usually one form or another to interact with employees. For the most part, crooks use Rubber Ducky or its cheap replicas from AliExpress.

CompaniesIT staff should establish a policy that prohibits the use of personal USB devices in the office.

The effects of phishing

Things usually get out of hand when a user is caught by crooks, especially when the target is a company employee. After obtaining confidential credentials, the attacker can steal intellectual property and other proprietary materials. In addition, they can damage the company's reputation by exposing some internal communications. This would ultimately undermine customer confidence in the brand. In some cases, hackers start blackmailing organizations. To top it off, in some scenarios, companies may have to pay additional direct costs when they breach regulations like HIPAA and pay compensation to employees or customers who fail to protect their identities.

Regular users run the risk of losing their money to phishing if the criminals gain access to their bank account. A successful attack can also trigger blackmail attempts, in which the perpetrators demand a ransom for not disclosing some embarrassing information about the victim. Installing malware on recipients' computers is another possible vector for the wrongdoer's activities.

Ultimately, phishing attacks always lead to negative consequences for companies and private users. Be on the lookout for the red flags listed above and treat suspicious emails with a little reasonable paranoia to keep them safe. For more tips on avoiding phishing, check out our guide here.

See also: What is spear phishing?

Sorry! The author has not filled his profile.