Hacker dishes advanced phishing kit to hook clever staff in 10 mins

Kiwicon Michele Orru has released an automated phishing toolkit to help penetration testers better exploit businesses.

The well-known FortConsult hacker, better known as Antisnatchor (@antisnatchor), dropped the phishing kit at the Kiwicon hacking event in Wellington New Zealand last week, offering hackers tips to more successfully target businesses through the world's most popular attack vector.

Dubbed "PhishLulz", the Ruby-based toolkit builds on Orru's expertise in phishing. It spawns new Amazon EC2 cloud instances for each phishing campaign and combines a GUI from the PhishingFrenzy kit with the popular BeEF browser client-side attack framework for which he is a core developer.

It also sports a self-signed certificate authority, additional new phishing templates for various scenarios a hacker may encounter, and will in the future be even more powerful with automatic domain registration, for now limited to registrar NameCheap.

All told hackers using the toolkit will be able to send more convincing and much faster phishing emails from seemingly legitimate domains, be alerted immediately when login credentials are received, and send exploits and gain user target configuration information such as operating system and browser versions along with other running software via BeEF.

It also includes MailBoxBug which handles the fistful of popped email accounts that Orru says typically flows in at a rate of one a minute. It works on Office365 accounts with more support to follow.

Phishing emails developed with PhishLulz are designed to trick discerning targets. An impressive 40 percent of staff at an unnamed Australian Government agency opened Orru's phishing emails and sent him corporate VPN credentials during a previous security test engagement.

Michele Orru. Image: Darren Pauli / The Register.

It took only two days for the hacker to gain domain administrator credentials after employees at the agency handed over VPN logins via Orru's phishing campaign.

"I was in Poland, and they were in Australia, so I had to send the emails at the right time," Orru told the hacking conference.

"With five minutes to run the PhishLulz VM, five minutes to start modify the template and upload the certificates you need, you're ready to go."

Orru says PhishLulz will help hackers get past the first time-sensitive hurdle of obtaining and utilising stolen credentials, saying that attackers will have perhaps an hour to exploit the dozen or so logins they receive before it is revoked by administrators.

You need to automate as much as possible and speed is key once you have access to credentials

He offered further pointers; the best times to send phishing emails are in the morning or just after lunch when staffer's wits are less sharp. Few staff can identify dots from dashes in URLs, nor do they pick .co vs .com.

Most phishing emails need to be highly customised to work, Orru says, unless the target is "dumb".

Orru, an open source advocate, invited interested hackers to contribute to the project. ®