When looking at the entry points used by APT groups and cyber criminals, a large number of these compromises use phishing as the initial delivery vector. It makes sense: email is now an intrinsic part of how we interact with the world, so we expect to regularly see communication from people we know, and people we don’t, landing in our inbox right on our front doorstep.
So how do you, as a business, really stop phishing attacks from being a viable vector? Despite the best controls, training and profiling, we still see that phishing attacks are effective across a wide range of industries and sectors. The reality is that modern business communication is built on email, and removing it would remove the main interface between new or existing customers and the business, so that isn’t realistic and phishing is here to stay. My aim is to discuss some ideas around effective use of language in a phishing pretext, how a user evaluates this language, and ultimately why people conclude that an attack appears to be legitimate and whether it is something they should or should not interact with.
These types of attacks are “solicitation” approaches, as they rely on a human triggering an action. The language used when asking for this action is important, and a range of styles can either be effective at meeting this objective or not. The context has to be relevant. It’s no surprise that the global COVID-19 pandemic has triggered lots of phishing attacks around this subject, as attackers know that fear is a powerful catalyst. Attacks purporting to be “track and trace” tap into a target’s fear for their personal health, whereas attacks linked to business processes (HMRC, banks, etc.) build on a target’s fear about their livelihood. Fear creates distraction. Curiosity, compliance and consequence are also effective catalysts. From the recipient’s perspective, the first thing to consider is their initial reaction to what the attacker is asking them to do.
Does it pass the “sniff” test?
So let’s assume for a moment that you bypassed some of the technical controls frequently encountered when delivering phishing and have landed at the inbox, that is where the title of this article kicks in….what makes someone click something? They need to make a decision. We all make decisions every second of the day, both consciously and unconsciously. Our experience will add to our bias of how we evaluate things, for example, this was fine yesterday so should be fine today. This is one reason why internal phishing is so powerful as this essentially builds on the history of the communication two people have had. I will latch onto one concept here as I think it is useful to consider the basis of why people click things. I highly recommend a book by Daniel Kahneman called “Thinking Fast and Slow” where he showcases his ideas on systems within the brain that are constantly sparring for control over our behaviours and actions. He refers to these as System 1 and System 2 and these ideas are relevant as the initial evaluation of our email designed to solicit a response, will essentially be validated by one of these systems so let’s just spend a few minutes exploring this if you don’t mind?
System 1 is our automatic response. Our impulsive gut reaction to danger and part of our evolutionary journey. It’s the reason we are so good at evaluating facial expressions in literally milliseconds. It’s fast and instinctive.
System 2 is our deliberate thinking mode: giving something our full attention, like absorbing this article, finding ways to make money, and other complex sequences of decisions and evaluations. Just think about the level of concentration you would need for open heart surgery. System 2 is also resource intensive, being a deliberate act, and therefore our biology will always look to regulate and conserve resources as much as possible: the path of least resistance. Both systems have their place and function, so we need them, but sometimes we don’t get to choose which one is invoked.
To illustrate this, Daniel Kahneman introduces a number of thought experiments throughout his book.
“A baseball bat and a ball cost $1.10. The bat costs $1 more than the ball. How much does the ball cost?”
This is a great example of how our brain invokes the system it thinks best to deal with the evaluation (decision) before it moves onto the next one on the list. I’ve respected the “$” currency, but if your immediate answer is $0.10, then I’m afraid that is incorrect. You saw the two numbers, $1.10 and $1, and instinctively knew that this was a calculation. The bat is $1 more expensive than the ball, but if you instinctively thought $0.10, that would make the overall total $1.20, which we know is wrong. The actual answer is that the ball costs $0.05. The bat is $1 more, so $1.05 + $0.05 matches the supplied total of $1.10. I also think the type of calculation required is inferred from the language used, “How much does the ball cost?”, which supports your bias that this is quick maths as there are only two objects and you know the total. All the information is there, but the language focuses on the ball, whereas the r00t of the solution is in the relationship between the bat and the total (cost). The language creates a clever distraction, and your instinct may have been that you know the price of the bat to be $1 as an explicit value rather than a relationship. This is because System 1 evaluated this and decided the outcome before System 2 got a chance to really consider it, and then your brain moved onto other more important things like breathing.
If you got this correct off the bat (I had to) then the “force is strong” with you. Either way, I enjoyed reading his book and highly recommend it.
When performing solicitation attacks such as phishing, language is a powerful tool to consider. This is a broad topic, so I will focus on how and why I think some points are important. I’m sure you have received a poorly worded email in your time which then prompted an instinctive judgement. Spelling is a big one because it validates our standard. If you (legitimately) receive an email from what you consider to be a professional company which is full of blatant spelling mistakes, you will question their standards. One email might make you consider whether this is actually real, and a number of them might make you wonder why the standards are so poor, which then makes you evaluate whether you trust this company. Public breach reports are always sobering reading about practices that go on behind closed doors. Phishing circa 2000 was far more about mass spraying, where it’s a percentage game and attention to detail was less important. Whilst this is still an issue, I think that our providers (ISPs, mail providers, co-ordinated spam and built-in security protections) remove some of this obvious stuff; it’s still worth keeping a close eye on your spam, as it can be enlightening to see the varying levels of effort applied when phishing. The world is also embracing the effectiveness of language, and new services such as Grammarly are establishing themselves as tools for more enriched communication and raising the bar. There is a renewed focus on effective communication and word choices that convey more directly what the author is trying to sell. Spelling choice can also imply a country, which may trigger an unconscious bias, such as using “s” instead of “z”. You could have crafted the greatest pretext and then created suspicion purely on the dictionary choice. Paying attention to the language choices within a pretext is a skill worth developing.
If you are using a spoofing vector and the delivery is purporting to be from an individual, use all publicly accessible writing that is available in the context of that user. This informs the type of language, word choice, delivery etc. they would use. You essentially need to understand their style and try to replicate it. Spoofing is a powerful approach because if you can get this delivered and match the tone and style the spoofed individual would send, you are building off established trust. It’s hard to communicate emotion without face to face interaction, where System 1 will be evaluating facial expressions, and we know that when communicating, a huge part is based on body language and tone. So you need to use words to solicit emotions and try to play out how you think the responses might go.
From a red team perspective, standards need to be high in my opinion. I often think carefully about the choice of words I use when delivering these types of attack. Here are some examples from some pretext snippets I have come across …
“You are required to install this software package on your computer”
“Login using your username and password”
These are direct statements that create an unconscious response. System 1 at work evaluating the threat and the language choice doesn’t help as it creates new questions… “required by who?” for example.
In the first example we can refit this ….
“Once you have registered the software package this process will automatically complete.”
This sounds much less direct in my opinion; registering a software package seems less threatening. The sentence starts with “Once you have”, which still conveys that the user is required to do something, but is a better fit than “You are required” as it implies collaboration rather than dictatorship. There is also a completion to this; it resolves. The first approach didn’t state what would happen, with no reference to the outcome. Now we say that this will then essentially be off your to-do list and there is nothing else we need from you.
We have been drilling users about the importance of usernames and passwords, so the very fact that this second example is a blatant instruction to use them should be a trigger. Sadly, corporate environments force these types of things upon users, which is counterproductive. “Protect your credentials” is the key message, and then the next day a new system has been set up by HR (without any backstory), so make sure you authenticate by this date or else. How about this for the second example …
“Your access rights have now been enabled. After you authenticate to the new portal you will be presented with your customised dashboard view with details about your current performance, preferences, contacts and the ability to disable link sharing.”
I spent a bit of time here trying to implement what I have been saying. Firstly, if I was effective, like the bat and ball, your attention was drawn to the portal. I also didn’t mention passwords at all. Using the words “access rights” and “authenticate” together works well because they convey permission. We have “enabled”, this is for “you”, and I’ve built on that implication by telling you about something custom, something tailored that is directly relevant just to “you”. We are constantly measured in every way in modern society: performance reviews, grades, money, physiological measurements, Instagram likes, followers, etc., so access to current performance stats about ourselves is a powerful draw, especially if this has a direct influence on our career. System 2 cares about this stuff and would probably win this fight. Curiosity is also a big factor, the lure of what this customised dashboard about “you” looks like. There is also a statement at the end that may create some questions: first, “what is link sharing?” and second, “Do I want link sharing enabled?”. “Disable” is a deliberate choice here; it’s enabled by default and the responsibility is on you to know what it is and whether you want it on. It’s saying that we empower you to manage these things by talking about “preferences”, but you need to be informed to make these choices and you can find that information on your dashboard view.
Before I wrap this section up, I want to briefly discuss one more aspect related to the use of questions. I recommend reading a book by Chris Voss, a former FBI negotiator. It seems pretty off tangent for a piece about red team phishing, but bear with me. In his book “Never Split the Difference”, Chris goes over negotiation tactics in hostile and pressure situations. Interesting stuff in my opinion, though some of it is around face to face or phone conversations. There is crossover, especially around the use of language, but one thing that really stuck with me is how powerful it is to allow people to say “no” to questions when they are asked. He advocates making the other party the direct focus of the conversation and leading them, which seems very relevant to phishing attacks. We are conditioned to say “yes” from early evolutionary standpoints: “hey, a few of us are off to hunt some woolly mammoths and could do with an extra spear. If you come along and we bag it, you can have the ass cheek…you down?”. Hard to say “no” to that amount of meat if you are hungry, and it’s a tough gig for a solo mission. Collaboration for the win. There is a lot of power in saying “no”. Society has conditioned “no” as a negative response, but as with everything, even “yes”, it depends on the context. Chris highlights how understanding the freedom of saying “no” in an interaction can be used as a basis for achieving a central goal. Careful consideration of how questions can be used is beneficial to us. Words that elicit questions we can then answer “no” to give a sense of empowerment, and if we then need to take action, i.e. access a portal to disable these things, it could be another factor that ultimately supports our goal of soliciting an action from a target.
I’ve asked some questions in this writing piece so far, the first question was one we are exploring together, “what makes someone click something?” As the reader, you may have an opinion on this question but it’s a more open style of question. The second question was directed to you as the reader, “let’s just spend a few minutes exploring this if you don’t mind?” When I asked you this question, you answered, consciously or not, probably via System 1, and the question was phrased to empower you to answer “no”. If you chose to answer “no”, then you didn’t mind, this is the reason you have got this far. Answering “yes” would mean that you either stopped reading and didn’t get here, or you carried on in protest. The second “yes” option, is less than desirable, but you are still here and there maybe hope to influence your opinion.
Then there are questions (evaluations) you have asked yourself. The code bit just before “Vocabulary”. A number of paths appear from this. The first being: what is this and why is this here? I’m sure the IT people amongst us recognised this as Python code, but if you didn’t immediately see this as code, you may have just skipped over that part (System 1: quick check, this is not important to me). In any case, you could probably work out what it is implying even if you don’t know how to code in Python; unless you had some unique life experience, you have a good idea that “naughty” and “Santa” in the same context mean presents, and it reinforces the previous suggestion of grabbing a copy of the book.
What I also hope happened for those that know how to code, is that I invoked System 2, you wanted to pay attention to this code and evaluated this more closely. You probably made some judgements on what I was doing. You may have considered the use of list comprehension as efficient and the fact that you know the function “santa_list(all_people)” returns a list to use in this comprehension. You could have also inferred even without it being stated directly that “person” is an object based on the “person.naughty” being an attribute. You also know that “goodlister” is an object and the “goodlister.ask_santa_for_book()” method is expecting a dictionary as a parameter. What you can’t state explicitly without seeing the full code is whether “goodlister” is an instance of a parent class and therefore the “ask_santa_for_book()” method belongs to this. Actually, you don’t know explicitly from this snippet what the actual object class names are, but you may have been considering these details if you love code. Finally, the uber focused “pythonistas” will see some clangers related to PEP8 (best practices for writing Python code) in this dictionary declaration. Whilst you can use either single or double quotes, PEP8 recommends sticking to one or the other wherever possible and I have mixed both types in the string declaration pushed into the function.
To tie this back into the vocabulary rewrite example and to show how these concepts could be woven into a narrative, the last statement, “and the ability to disable link sharing.”, is also a deliberate “no” question without being explicit; in other words, we didn’t ask the target whether they wanted this enabled. The choice of words created the question. If the target asked, “do I want link sharing to be enabled?” and then answered an empowered “no”, the action to take is to authenticate to this portal and disable it, assuming of course that they already believe this to be a valid destination. If they hit a portal, authenticate and then there is no option to disable the link sharing feature, this may burn your operation, so the best course of action when using these types of approaches is to make the portal real and functional. If you are providing an option, meet that expectation.
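As an added example from the defender's side (this is not code from the original post and not the author's own), the following Python script scores message bodies against the kinds of cues the vocabulary section discusses: direct demands, explicit credential words, softer "authenticate to the portal" language, deadlines, opt-out lures and the presence of a link. The sample bodies, cue lists, weights and threshold are constructed assumptions. It shows the flip side of the rewrite: a filter keyed on the word "password" catches the blunt snippet but not the rewritten one, while scoring the solicited action together with an opt-out lure and a link still flags it for review.

```python
import re
from dataclasses import dataclass

# Cue categories drawn from the phrasings discussed in the article. Each entry is
# (weight, [case-insensitive regexes]); weights and patterns are assumptions.
CUES = {
    "direct_demand": (2, [r"\byou are required\b", r"\bmust\b", r"\bimmediately\b"]),
    "credential_words": (3, [r"\busername\b", r"\bpassword\b", r"\blog ?in\b", r"\bsign ?in\b"]),
    "auth_action": (2, [r"\bauthenticate\b", r"\baccess rights?\b", r"\bportal\b", r"\bregister(ed)?\b"]),
    "deadline_or_consequence": (2, [r"\bby (this|the) date\b", r"\bor else\b", r"\bwithin \d+ (hours|days)\b"]),
    "opt_out_lure": (1, [r"\bdisable\b", r"\benabled by default\b", r"\bmanage (your )?preferences\b"]),
    "link_present": (1, [r"https?://\S+"]),
}
FLAG_THRESHOLD = 3  # assumed cut-off for routing a message to analyst review


@dataclass
class Triage:
    score: int
    categories: list
    flagged: bool


def score_message(text: str) -> Triage:
    """Score one message body; a category counts once however many of its patterns hit."""
    hits, score = [], 0
    for name, (weight, patterns) in CUES.items():
        if any(re.search(p, text, re.IGNORECASE) for p in patterns):
            hits.append(name)
            score += weight
    return Triage(score, hits, score >= FLAG_THRESHOLD)


def naive_credential_filter(text: str) -> bool:
    """The weak baseline: flag only if the message names a credential outright."""
    _, patterns = CUES["credential_words"]
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


# Constructed sample bodies: the article's two blunt snippets, its two rewrites, and a benign note.
SAMPLES = {
    "blunt_install": "You are required to install this software package on your computer. https://example.invalid/pkg",
    "blunt_login": "Login using your username and password. https://example.invalid/login",
    "softened_install": "Once you have registered the software package this process will automatically complete. https://example.invalid/setup",
    "portal_rewrite": ("Your access rights have now been enabled. After you authenticate to the new portal "
                       "you will be presented with your customised dashboard view with details about your "
                       "current performance, preferences, contacts and the ability to disable link sharing. "
                       "https://portal.example.invalid"),
    "benign": "Thanks for the notes from yesterday's meeting, I'll circulate the slides tomorrow.",
}


def triage_all(samples=SAMPLES) -> dict:
    """Run the scorer over every sample and return {name: Triage}."""
    return {name: score_message(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name:17} score={result.score} flagged={result.flagged} "
              f"naive={naive_credential_filter(SAMPLES[name])} cues={result.categories}")
```

The point of the two functions side by side is that the rewrite avoids every word the naive filter looks for, so a triage rule needs to key on the requested action and the call to action (link plus "authenticate"/"register"/"disable") rather than on credential vocabulary alone. Real deployments would combine this with sender, domain and link reputation signals; the scorer here only looks at the words.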
As much as I have laboured the importance of language in phishing attacks and its potential effects, this is only one aspect. How the attack looks is vital, in my opinion, to support the evaluation of its legitimacy. This includes embedded images in phishing attacks using CDATA tags, graphics, colour schemes and things that generally suggest effort. We can learn from email marketing here. If you think about the purpose of email marketing, it is essentially the old practice of “door to door” sales. A whole backend of complicated metrics, delivery standards, click rates etc. has been implemented to track the best time to send, demographics, styles and preferences. It’s basically science. It’s also much harder to stick a sign on your email box saying “cold callers not wanted” once you have engaged with a service. It’s the same deal we spoke about in our vocabulary examples: things are “enabled” by default, but you are empowered to control your preferences. Just click here to manage. Again, we are conditioned to the influx of well designed marketing emails from all the popular brands: Amazon telling you what you should look at next, Netflix what you should watch tonight, what you should eat next, who you should follow, etc. These are all well presented, professionally designed solicitation attacks. Spend more money or more time here. HTML email is very useful here as it gives you the freedom to build something that looks professional, which ultimately, in my opinion, adds to its legitimacy. It doesn’t feel out of place, and therefore, on the face of it, creates certainty.
Phishing for credentials that can then be used to authenticate to exposed services, cloud services, VPNs etc. is common and relies on the target believing that what they are authenticating to is real. MFA is also an artificial barrier here: an effective one, but not impossible to get past. When using approaches that introduce new services that integrate into the business (a new HR hub, document stores etc.), you often have more control over the design/layout as opposed to cloning a well known portal such as Microsoft 365. This is essentially r00ted in web design principles at this point, so an understanding of how the modern web is constructed is vital. Your sites also need to be mobile friendly, as you cannot assume email interaction will originate from a desktop. If your portal understands mobile, then you can essentially deal with that edge case depending on what the goal is. If it’s credentials, it may well be mission accomplished. However, if you are serving a payload, you may need to reflect back a call to action that this needs to be performed from an alternative, i.e. a desktop machine or a certain type of browser. Again, this is open to your creativity and the flexibility you have built into your attacking infrastructure.
When designing clone portals like Microsoft 365, it’s all about the domain and whether that triggers some suspicion, as the portal design itself is already familiar and doesn’t leave any room for design influence. An example of how design principles in your own portals can be effective, especially for new services where perhaps you want to transfer attention away from the address bar as in a “typo domain” style attack, is to push the credential input fields to the right hand side of the screen. In the following example the submission form is right aligned and naturally draws the eye away from the address bar. This moves the focus away from the top left and potentially away from further scrutiny. The ADFS portal in a real implementation actually does this: all the login form fields are aligned on the right hand side, taking your focus away from the address bar.
Again, there are lots of resources related to visual design practices and research about user habits. I found some of the eye tracking stuff interesting that shows where a user will focus on a page and what happens when we break the expectations. You should also consider auto focus for input fields as this adds to the influence of leading towards a goal. It’s only a case of clicking in an input field sure, but if the end user doesn’t need to do that, that is one less thing to decide to do. These small details have a compound effect and so it’s best to focus on the user experience and draw best practice from real implementations.
I think this is one aspect of red teaming that gets less attention. We almost assume that it’s a given that red teams performing phishing attacks will get a successful execution every time. That may be true depending on the situation, but as with all things, focusing on the details makes all the difference, and it is dependent on the sophistication of the threat actor you’re trying to simulate. Most of the material I see covers post exploitation and all that good stuff, but it can also be useful to focus on the initial point of entry. Phishing is only effective if you can solicit the action that aligns to the goal and still stay under the radar. It’s all well and good getting into an organisation with a click, but if that is then raised to the security team, your time in the environment may be limited.
More and more of our inboxes are full of emails demanding attention. The priorities that we inevitably have to face mean that the “skim” factor can be a route to success if we focus on those initial appraisals of our campaign legitimacy, aiming for unconscious, impulsive System 1 decision making approaches. If we can tailor phishing campaigns that use considered language for effective direction towards the types of responses that attackers look for, then this ultimately feeds into a more effective attack scenario. Phishing is constant and as the scale of the organisation increases, the attack surface gets bigger. Technical controls can only go so far, but with an increased emphasis on performing regular phishing campaigns internally, I question whether people could become desensitised to the process. These do need to constantly evolve in terms of language and how people come to the conclusion that this latest ping in their inbox is something legitimate and indeed something they should or should not click.
- What happens when brain feels fear – https://www.smithsonianmag.com/science-nature/what-happens-brain-feel-fear-180966992/
- Daniel Kahneman – https://en.wikipedia.org/wiki/Daniel_Kahneman
- Chris Voss – https://www.blackswanltd.com/home
- Web UI Design Principles – https://www.nngroup.com/articles/ten-usability-heuristics/
- Eye Tracking – https://www.tobiipro.com/applications/marketing-user-research/ux-research/