During recent months more and more need for conducting social engineering campaigns arose from customers and in-house alike. To give an insight into how we work with our customers to ensure that they receive the best possible service we decided to publish parts of our efforts.

A new data collection server

To provide the best support for our customers, we were looking into a new way to collect the data we capture during our phishing attacks. Since this is a public-facing infrastructure, it needed to have special care put into it, which led us to gather all the requirements that we have for such a platform:

  • Confidentiality
  • Adaptability
  • Ease of Cleanup

Those, especially the first two, are crucial for our use-case. However, the currently available tools all either don’t fulfill our needs or generally do quite different things, such as providing email-template handling, payload generation or just a pretty front-end. This made us realize, that we needed to build our own server to handle this problem.

Solving our requirements

High Confidentiality

High Confidentiality of our customers' data is of utmost importance, which is why we realized that we needed to tackle it on its root, at the point that generates the data.

Since there needed to be a trade-off between security guarantees and implementability for things like VBA macros in office documents, we decided on the following guideline for a cryptographic workflow.

Each customer campaign that we run uses a unique asymmetric key pair as master keys. The public key is then deployed to the malware, copied sites and other data-grabbing applications that are will be used during the campaign.

As soon as an application then gathers sensitive data, it will create a temporary symmetric key per data-packet, encrypt the data with the symmetric key, and encrypt the symmetric key with the public campaign key. Both are then combined into a standardized structure and sent to our collection server.

The server can therefore never directly access the customer information, building another layer of defense for a public-facing infrastructure, keeping with defense in depth.

Adaptability

Adaptability is key to allow us to react to our customers' needs since each company has widely varying infrastructure, which means we have to be able to tailor our approaches.

For this, we developed what we call the Listener and Handler concept. This allows us to split communication from “business logic”, giving us the ability to use whatever means can escape a customers network.

As can be seen above, the data is received via a listener, which then passes it on to the handler responsible for the specific payload used on the client. The listener provides black-box communication, being a simple pipe between payload and handler.

The handler then takes the data, writes the already encrypted collections to the relevant campaign database and, if needed, requests additional actions from the client-side application.

This flexible approach makes it possible to build a large number of both payload handlers and communication listeners, without duplicating our efforts, thus allowing us to spend more time polishing and actually using them.

Ease of Cleanup

Last but definitely not least, Ease of Cleanup is important, since after a campaign has been completed, all relevant data needs to be cleaned according to internal regulations. To be able to delete data of a campaign without interfering with another, as well as to generally keep the campaigns apart, we decided to use one database per campaign and one management database which only contains non-sensitive metadata needed to manage the campaigns.

For maximum portability and ease of setup and we decided to use SQLite databases for the task, due to their small size and support.

With this new server, we can provide our customers with an even more advanced portfolio for all phishing needs than before. Want us to use this to test your company for safety against phishing? Read on!

How Offensity and A1 Digital can help

We are experts in our fields and besides our in-house developed Offensity product for continuous monitoring of your external infrastructure, we offer professional services like social engineering, penetration testing and more. Do you want to know more about this? Contact ask.security@a1.digital or visit our website at https://a1.digital/.

Additionally, follow us on Twitter for future updates!