Automation for red teams as businesses wise up to email phishing threat

TapIt is a framework for automating SMS phishing campaigns

A framework for automating large-scale SMS phishing campaigns, including SMS tracking, web payloads, and credential harvesting, has been showcased at this year’s Black Hat Europe.

TapIt is a framework suited to “red teamers seeking novel ways of conducting phishing campaigns”, said security researcher Samuel Pua ahead of his presentation on the Arsenal track.

While email phishing is still creating an initial path to compromise – familiarity of the attack vector is starting to breed competence in an organization’s defense infrastructure.

“In more mature organizations, the people, processes, and technologies have matured to handle email phishing,” Pua told The Daily Swig.

“This means there is a lower ROI for email phishing campaigns, as additional effort is required to circumvent these preventive measures.”

SMS phishing, or 'SMiShing', offers attackers a path into the corporate world’s less monitored underbelly: smartphones.

Read more of the latest news from Black Hat Europe

Acknowledging that mobile phishing has its “own limitations,” Pua thinks it could be a “feasible alternative” for red team engagements.

“With an appropriate alphanumeric sender ID, SMS phishing can be a convincing social engineering tool,” he said.

It’s unfortunate, then, that, according to Pua, 37 countries don’t support alphanumeric sender IDs in order to help reduce the likelihood of SMS phishing scenarios.

Scratching the surface

The TapIt framework could be improved with additional templates and more process automation to simplify setup and make “scenarios and simulations more realistic”, suggests Pua.

“Truly aspirational offensive teams would likely automate this framework as part of their existing workflows,” he said.

Pua said the TapIt team are currently grappling with how to further automate the setup of campaigns without restricting the work of pen testers.

Noting that “red team engagements tend to be very customized” to a client’s infrastructure, he said any automation must not limit an attacker’s scope.

TapIt developers are planning to add template data and further SMS service providers, Pua said. Git Repo is also in the pipeline.

With SMS phishing expected to grow in popularity among attackers, Pua feels it “isn’t being utilized as much as it could be” by red teamers.

The techniques embedded within TapIt are “just scratching the surface of what can be done”, he said.

READ MORE A guide to spear-phishing: How to protect against targeted attacks