A new tool that is being released at the Black Hat security conference in Las Vegas by security researchers from Trustwave aims to improve social engineering attacks with more targeted and convincing spear-phishing messages.
The tool uses online activity as a digital fingerprint to create a better spear phisher. Spear-phishing messages are highly targeted, socially engineered attacks designed to trick a user into thinking that a message that is a fraud is in fact legitimate.
Trustwave security consultants Joaquim Espinhara and Ulisses Albuquerque, built their tool to help users improve IT security.
The goal of the Microphisher tool is to help craft messages that are similar in appearance, style and language usage to a given person of interest, Espinhara told eWEEEK. The general idea is to be able to write and send a message to the spear-phishing target that looks as though it legitimately came from a known contact, he said.
The system uses the open-source MongoDB database, Albuquerque said, adding that Microphisher doesn’t normalise the data it pulls in, rather it just ingests the raw data from various online sources, including social media sites.
The tool then helps the security researcher craft a legitimate-looking message using the same language tone and style that the target has been using in their online lives.
So does it work?
“It has been hit and miss mostly,” Espinhara said. “But we tested it mostly on security guys, so that’s not the best audience, but that’s what we had access to at this point.”
Trustwave provides social-attack engineering services that aim to check the readiness of an organisation, said Espinara, who said he sees Microphisher as a useful tool for penetration testing overall.
“This helps us to produce content that looks legitimate,” Espinhara said.
There are a number of things that users can do to protect themselves against Microphisher and phishing attacks, in general.
Espinhara recommends that people don’t click on random, unknown links, even if the link appears to have come from a known source.
“You can’t realy trust content from someone just because it’s someone you know,” Espinhara said. “You can’t assume that just because it’s a message that looks legitimate, that it came from the right place.”
Are you a security pro? Try our quiz!
Originally published on eWeek.
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…