Phishing emails are an increasingly popular attack vector for hackers targeting businesses. Happily, many of them are so unrealistic they can be spotted by a reasonably savvy employee.
The more sophisticated hackers use techniques such as spoofing the email address of one of the target's colleagues or friends.
The problem with that technique is that we are attuned to the writing styles and likely topics of conversation of the people we know. Most of us can tell, for example, that our boss is not likely to email us about amazing Viagra prices in broken English.
Today, at the Black Hat security conference in Las Vegas, two ethical hackers will present a tool they have developed to make phishing emails more realistic by mimicking an individual's language on Twitter.
SpiderLabs is the penetration testing division of security firm Trustwave. Companies hire its ethical hackers to find a way to break into their IT systems, so that the client can plug any security vulnerabilities found.
The company often uses phishing emails to gain remote access to one of its clients' systems, says Ulisses Albuquerque, security consultant at the company. Employees are becoming more savvy, though, and he and colleague Joaquim Espinhara sought a way to make those emails more effective.
"We wanted something that would support our efforts in forging emails," Albuquerque explains.
The tool they built, called "MicroPhisher", applies natural language processing to analyse a specific individual's postings on Twitter.
Using Stanford University's open source NLP toolkit, it assesses characteristics of the way they write, such as typical sentence length and structure, as well as topics they like to talk about.
They have built this into a user interface that analyses a sentence as it is being typed, compares it to the target's linguistic profile, and advises the user how to make it more realistic.
So how well does it work? "Currently, it can be a bit hit and miss," says Albuquerque. The problem is that a sentence might match the target's language statistically, despite being transparently meaningless to a human being.
MicroPhisher will therefore never be able to write believable phishing emails automatically – it would be quite a feat of artificial intelligence if it could – but it can help a human operator write them more effectively.
SpiderLabs is already using MicroPhisher internally. It is available as open source software, which Albuquerque hopes will lead developers to extend the tool to cover more social media sources.
But, you might ask, why are ethical hackers developing technology that could be used maliciously? Firstly, Albuquerque argues, making ethical hacking more effective makes businesses more secure.
And secondly, the tool can also be used defensively. "The same tricks can be used to evaluate whether emails are realistic, if you know the sender's Twitter account," he says.
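To make the approach concrete, here is an added illustration in Python of both uses described above: building a stylometric profile from a target's posts, scoring a sentence as it is drafted with advice on which features deviate, and running the same scoring over an inbound message to flag sentences that do not fit the claimed sender. This is not MicroPhisher's code and does not use Stanford's toolkit; it relies on the standard library only, and the sample tweets, feature weights and thresholds are constructed for the example. It also reproduces the limitation Albuquerque describes: a word salad assembled from the target's own vocabulary scores at least as well as a plausible sentence.

```python
"""Stylometric profile of a social-media user, used to score candidate
phishing sentences against it and, inverted, to screen inbound mail
claiming to come from that user.  Added illustration, not MicroPhisher's
own code; stdlib only, no NLP toolkit."""
import re
import statistics
from collections import Counter

WORD_RE = re.compile(r"[a-z0-9']+")
SENT_SPLIT_RE = re.compile(r"(?<=[.!?])\s+")

# Constructed timeline for a hypothetical target; not real tweets.
SAMPLE_TWEETS = [
    "ugh, the build is broken again. coffee first, then fix it.",
    "anyone else seeing timeouts on the vpn this morning?",
    "finally closed that ticket. 3 weeks. never again lol",
    "new laptop arrived. setting it up tonight, wish me luck",
    "reminder: patch tuesday is tomorrow, plan your downtime",
    "lol the printer is on fire. not literally. yet.",
    "quick q: does anyone have a good yaml linter?",
    "weekend plan: zero meetings, one long run, lots of coffee",
]


def sentences(text):
    return [s for s in SENT_SPLIT_RE.split(text.strip()) if s]


def words(text):
    return WORD_RE.findall(text.lower())


def lowercase_ratio(text):
    letters = [c for c in text if c.isalpha()]
    return sum(c.islower() for c in letters) / len(letters) if letters else 1.0


def build_profile(texts):
    """Aggregate simple features over a user's posts: sentence length
    distribution, casing habit, question rate and vocabulary."""
    sent_lens, vocab, questions = [], Counter(), 0
    for t in texts:
        for s in sentences(t):
            w = words(s)
            if not w:
                continue
            sent_lens.append(len(w))
            vocab.update(w)
            questions += s.endswith("?")
    return {
        "mean_len": statistics.mean(sent_lens),
        "std_len": statistics.pstdev(sent_lens),
        "lowercase_ratio": statistics.mean(lowercase_ratio(t) for t in texts),
        "question_rate": questions / len(sent_lens),
        "vocab": vocab,
    }


def score_sentence(sentence, profile):
    """Return (score in [0, 1], advice).  Higher means statistically closer
    to the target; advice names the features that deviate.  Weights and
    cut-offs are arbitrary choices for this example."""
    w = words(sentence)
    if not w:
        return 0.0, ["empty sentence"]
    advice = []

    z = abs(len(w) - profile["mean_len"]) / max(profile["std_len"], 1.0)
    length_score = max(0.0, 1.0 - z / 3.0)      # zero beyond three std devs
    if z > 1.5:
        advice.append(f"length: {len(w)} words, target averages "
                      f"{profile['mean_len']:.1f} (+/- {profile['std_len']:.1f})")

    unknown = [x for x in w if x not in profile["vocab"]]
    vocab_score = 1.0 - len(unknown) / len(w)
    if vocab_score < 0.6:
        advice.append("vocabulary: not seen in target's posts: " + ", ".join(unknown[:5]))

    case_gap = abs(lowercase_ratio(sentence) - profile["lowercase_ratio"])
    case_score = 1.0 - case_gap
    if case_gap > 0.1:
        advice.append(f"casing: target writes {profile['lowercase_ratio']:.0%} lowercase")

    return round(0.4 * vocab_score + 0.3 * length_score + 0.3 * case_score, 3), advice


def screen_text(text, profile, threshold=0.6):
    """Defensive use: score each sentence of an inbound message against the
    claimed sender's profile; return the mean and the sentences that do not fit."""
    scored = [(s, score_sentence(s, profile)[0]) for s in sentences(text)]
    suspicious = [s for s, sc in scored if sc < threshold]
    mean = statistics.mean(sc for _, sc in scored) if scored else 0.0
    return mean, suspicious


if __name__ == "__main__":
    prof = build_profile(SAMPLE_TWEETS)
    for cand in ["ugh, the vpn is broken again lol",
                 "Please review the attached invoice and confirm payment by Friday.",
                 "coffee the vpn lol again broken"]:  # word salad from the target's own vocabulary
        print(score_sentence(cand, prof), cand)
```

The third candidate is the "hit and miss" case: every feature matches the profile, so it scores highest, yet no human would send it. A real operator, or a real screening tool, still has to read the sentence.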