National Cyber Warfare Foundation (NCWF)

Social Engineering: Delivering Phishing EMail to Russian Companies and Government


2025-06-13 23:33:09
milo
Red Team (CNA)



The post Social Engineering: Delivering Phishing EMail to Russian Companies and Government first appeared on Hackers Arise.











Welcome back, cyberwarriors.





In this article we’ll walk you through creating phishing emails and building effective phishing campaigns to target Russia. Our goal is to create a practical guide to help you craft your own campaign. The focus will be on the methods used in real phishing attacks. This article won’t go into the specifics of email payloads, advanced HTML attachments, or the use of modern LNK files. The focus of this article is the psychology behind emails that get employees to click on a phishing link.





Preparation





Email Subject Lines





Let’s look at how to write subject lines that build trust with the recipient:






  1. Add “Re:” or “Fwd:” to make the email look like a reply or forwarded message. For example: “Re: Regulation”




  2. Mention the organization name, e.g., “AO Gazprom”. Seeing their company name makes people more likely to open the email.




  3. Use the recipient’s full or partial name. Example: “To: Ivanov A. I.”




  4. Emotional or work-related topics like: “New Year bonuses”, “Corporate gifts”, “Salary increase”




  5. Combine multiple elements: “Fwd: Layoff List AO Gazprom – Ivanov A. I.”
    The only reason someone wouldn’t open an email like that is if they simply didn’t see it. Also, unless you’re imitating mass spam, avoid emojis or symbol clutter in the subject line; people in office environments rarely communicate like that.





Signature and Format





Email signatures within one organization can be standardized or completely freestyle. You can use different formats depending on who you’re imitating:






  1. If you’re mimicking an external contact, include a logo. Logo generators like logo.com or logoza.ru can help. Although logoza is a Russian website, it can easily integrate Russian text in your logo to make it look more authentic.




  2. If you’re impersonating an internal employee, stick to the company’s typical email format. You can discover this by sending a harmless email to something like info@; you’ll likely get a reply showing the expected style.





Choosing Context





Context refers to the reason you’re writing to the user. We used the Russian site gen.stopphish.ru, which was designed for crafting phishing emails, to help create phishing scenarios. It’s better than using AI or foreign resources because the language it uses is more appealing and natural. Strike the enemy with their own weapon.

















Context is the core of phishing. Around 80% of success depends on how familiar the employee is with the topic. For example, if they know there’s a corporate party on December 21 and you start the message with, “As you know, our company party is on December 21. Click here to…” it’ll almost definitely work.





Now imagine you target a company lawyer. They know that contracts for review come only from the procurement department. So if a “sales manager” emails asking to verify a purchase contract, it’ll feel off. This kind of inconsistency raises flags and will put the organization on guard.





Strengthening Context





Once you have a reason for writing, boost it with emotions and psychological tricks. Here’s a list, which we’ll later explore with examples:






  1. Emotions: sympathy, fear, anger, conservatism, curiosity, joy




  2. Pressure: authority, request for help, urgency, threat




  3. Desire: free stuff, savings, money




  4. Deception: fake conversations, fake documents, false claims




  5. Coincidence: shared name, school, or background





Now let’s get into practical message types and scenarios.





Event Based Attacks





1. Emergencies





Newsworthy events work well as bait. The COVID-19 pandemic is a great case study. Imagine a virus is back in the news. Here’s how phishing could exploit that:






  1. Example 1: Download an app to track infected people nearby.




  2. Example 2: Corporate support during the pandemic. To apply for a credit deferral, fill out the attached form and send it back.




  3. Example 3: IT instructs employees to download secure software. The link leads to a file-sharing site or directly to an executable file.




  4. Example 4: Employer-sponsored 0% interest loan during hard times. Sample application form is attached.




  5. Example 5: New quarantine rules require a digital pass. A link goes to a fake public service form to collect data.




  6. Example 6: Fill in your data here to get your remote work bonus.





2. Holidays





With national holidays coming up, consider subject lines like:






  1. Work schedule during holidays




  2. Triple holiday pay as part of an employee loyalty program




  3. Holidays canceled





3. Politics





Politically charged people tend to click on links aligned (or clashing) with their views. The more emotional the user, the more likely they are to engage. Caps lock, exclamation marks, insults – these traits make them easy targets.





Below is an example from the internet; it should give you an idea of what it looks like.

















Subject: FW: Anti-terror.
From: Secretary
Attachment: Anti-terror. For Heads of Agricultural Enterprises АПК_0001.pdf








Above is a real example addressing a sensitive topic related to counter-terrorism. Although this email is legitimate, the subject matter can still be exploited, especially during times of war. In the case of Russia, you can tailor your emails to the ongoing conflict in Ukraine or to local news relevant to the targeted region.





Reason-Based Attacks





Something did or didn’t happen, and now the sender’s writing to you about it.






  1. A response was never received, so the sender is resending the files.




  2. Tech support directed them to this specific employee.





In a corporate context, you can create an email that reads like this:






“Colleagues, we found unauthorized access in the corporate network. Some accounts were compromised. Check if your email is listed below. If it is, change your password immediately at this link (link).





The list of compromised emails:





[email protected]





[email protected]






To increase your chances, list legitimate emails. In the list of recipients your main target should be placed towards the end of the list. If the attack is interactive (when you are expecting replies), ask users to confirm they changed their password by replying.





Regulator Audit





If a company is part of a self-regulated organization, they may receive formal-looking audit emails. Use this on the Russians.





Example message:
Due to recent complaints and in line with financial protection standards, an audit has been scheduled for your microfinance organization. Request #222-1\20 is attached. Be ready to provide documents by [date].





The message cites actual financial laws and comes from a domain similar to the real one, e.g., [email protected] (instead of the real [email protected]).
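On the receiving side, the lookalike sender domain described above is something a mail filter can test for. The following Python check is an added example, not part of the original article; the trusted domain `regulator.example`, the small Cyrillic-to-Latin map and the distance thresholds are assumptions, and the sample addresses in the test are constructed.

```python
import unicodedata

# Cyrillic letters that render like Latin ones (small, non-exhaustive map; assumption)
CONFUSABLE = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def skeleton(domain):
    """Normalise a domain and fold look-alike Cyrillic letters to Latin."""
    folded = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    return folded.translate(CONFUSABLE)


def edit_distance(a, b):
    """Levenshtein distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted):
    """Return (verdict, matched_trusted_domain) for a sender address.

    trusted: set of lower-case ASCII domains the organisation really
    corresponds with (hypothetical allowlist).
    """
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    folded = skeleton(domain)
    for t in sorted(trusted):
        if folded == t:
            return ("homoglyph", t)          # identical once look-alikes are folded
        limit = 1 if len(t) < 10 else 2      # shorter names get a tighter bound
        if edit_distance(folded, t) <= limit:
            return ("near-match", t)         # typo-squat style difference
        brand = t.split(".")[0]
        if len(brand) >= 5 and brand in folded:
            return ("contains-brand", t)     # brand embedded in a longer name
    return ("unknown", None)


if __name__ == "__main__":
    trusted = {"regulator.example"}
    for addr in ("audit@regulator.example", "audit@regu1ator.example",
                 "audit@r\u0435gulator.example", "audit@regulator-audit.example"):
        print(addr.encode("unicode_escape").decode(), classify_sender(addr, trusted))
```

Anything other than `trusted` or `unknown` is worth quarantining or tagging for review, since a legitimate correspondent rarely sits one character away from a known domain.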





Failed Login Attempts





Similar to scam call centers saying someone tried to drain your bank account, here’s the email version:






“Dear user,





Login detected to your account





Location: Sweden





IP: 165.236.212.115





If it wasn’t you, change your password here (link).”





Be sure to mention that this message was generated automatically, no reply needed.
To hide the destination URL, make the link plain text using Unicode tricks. This makes it unclickable, forcing the user to copy and paste it into their browser and thereby bypassing the email security filters.





Notifications





Useful templates for the finance sector are simple alerts or automated notifications.





Subject: Payment gateway settings
Body: Due to changes in the IP ranges, we are notifying you about changes in the payment gateway settings.
Attachments:
Changes in payment gateway settings.doc (6 KB)
Unnamed attachment 00131.txt (125 bytes)




Subject: Information from 30.04.2025 16:20:00 (Notification) – LLC “FH “Firma [redacted]
New Task: “Registers of Reconciliation Acts from 30.04.2025 16:16:02”
Task:
Registers of reconciliation acts from 30.04.2025 16:16:02
Description:
Please review the registers of reconciliation acts for November, Q2 and Q3 2024, annual 2024, January, February, and Q1 2025.
Deadline:
May 5, 2025, 17:00:00
Attachments:
Register_2024 (File 1)
Register_November_2024 (File 2)
Register_Q2_2024 (File 3)
Register_Q3_2024 (File 4)
Register_February_2025 (File 5)
Register_January_2025 (File 6)
Register_Q1_2025 (File 7)
Link:
http://[IP address and port]/edo/#/e1cib/data/Task_Executor?ref=901188d76faeeabb11f025c5400d13d3








Unusual Location Login





A typical email using this technique reads:
“We noticed a login from an unusual location: Brazil. If this wasn’t you, cancel the login via the link.”






The link leads to a fake password reset form asking for the old password and a new one. Add a line about how to create strong passwords for realism.





Requests





Ask for a quote, invoice, bill, statement, contract, or confidential info.
Examples:






  1. “Please send the quote. Attached is the scope.”




  2. “Please provide a reconciliation report for [company]. Previously paid invoices are attached.”





Questions





Opening with a question is great for multi-stage phishing or basic recon. If the user replies, your address often gets whitelisted. Ask things like:






  1. “Is this email active?”




  2. “Are you available?”




  3. “Are you the right contact for [issue]?”





Questions With Attachments





You can fake a reply-style message with a malicious link. The user will wonder what they supposedly sent and click it.





Subject: Funds Transferred by You
Attachment: Payment Order_1_7.12.21.zip
Message: Good day, Did you transfer funds to our bank account? We couldn’t find anything in the correspondence history about what the funds were for, could this have been a mistake?








What Is This You Sent Me?





You can write: “What is this link you sent me?”. The message will look like a reply to something supposedly sent by the target and inside there’s a malicious link. The idea is that the target gets curious, clicks the link, and ends up on a phishing site.
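A mail gateway can test the reply framing described here and in the earlier “Re:”/“Fwd:” subject-line advice, because a genuine reply carries In-Reply-To or References headers that point at a message the organisation really sent. The following Python check is an added example, not part of the original article; `OUTBOUND_IDS` stands in for a hypothetical log of sent Message-IDs, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy

# Reply/forward prefixes checked here; localized variants are out of scope.
REPLY_PREFIX = re.compile(r"^\s*(re|fwd?)\s*:", re.IGNORECASE)
MSG_ID = re.compile(r"<[^<>\s]+>")


def thread_verdict(raw, outbound_ids):
    """Classify a raw RFC 5322 message by how its reply framing holds up.

    outbound_ids: set of Message-IDs the organisation actually sent
    (hypothetical store, e.g. built from the outbound gateway log).
    """
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))    # policy.default decodes RFC 2047 words
    match = REPLY_PREFIX.match(subject)
    if match is None:
        return "not-a-reply"
    is_forward = match.group(1).lower().startswith("fw")
    cited = set(MSG_ID.findall(
        f'{msg.get("In-Reply-To", "")} {msg.get("References", "")}'))
    if not cited:
        # Forwards are often sent as new messages, so only replies are a strong signal.
        return "forward-unthreaded" if is_forward else "reply-without-thread"
    if not is_forward and not (cited & outbound_ids):
        return "reply-to-unknown-message"
    return "threaded"


# Constructed sample data
OUTBOUND_IDS = {"<20250613.1001@corp.example>"}
SAMPLES = {
    "bare_reply": (
        "From: a@partner.example\nSubject: Re: Regulation\n\nSee the link.\n"),
    "encoded_real_reply": (
        "From: a@partner.example\nSubject: =?utf-8?q?Re=3A_Regulation?=\n"
        "In-Reply-To: <20250613.1001@corp.example>\n\nThanks, received.\n"),
    "reply_to_nothing": (
        "From: b@other.example\nSubject: RE: What is this link you sent me?\n"
        "In-Reply-To: <made-up@elsewhere.example>\n\nPlease explain.\n"),
    "forward": (
        "From: c@partner.example\nSubject: Fwd: Q3 report\n\nFYI.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20} {thread_verdict(raw, OUTBOUND_IDS)}")
```

`reply-without-thread` and `reply-to-unknown-message` are the verdicts to score or banner; `forward-unthreaded` is kept separate because many clients legitimately send forwards without threading headers.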









Email Context





As we mentioned above, context is the core of phishing. Around 80% of success depends on how closely your phishing email matches the content of the target’s typical emails. We’ll review the areas where you should strengthen context.





1. Sending





You can send your exploit either in the body of the email or as an attachment. Names for attachments should include technical specifications, commercial offers, statements, invoices, questionnaires, surveys, requirements, policies, orders, rules, invitations, or thank-you notes (for work or some action), notifications, or recommendations.





In the email body, refer to things like questionnaires, surveys, requirements, or policies but provide a link instead of a file. For example, you might say the document is available on the corporate portal and provide your malicious link. It does not matter if the targets don’t know the portal exists, or if it doesn’t exist at all. Many will still click the link.





Changes





Organizations often update their procedures, schedules, or rules. This provides an opening for phishing. You can send something like this: “Due to an update to the remote work policy, please review the order attached.”





Colleagues, good afternoon.
We have revised our vision regarding the layout and application of the [project name redacted].
Please review our proposals and provide your feedback.
By the end of the week, the proposals need to be adjusted (if necessary) and approved.




Here’s another example: the message referenced a known project to appear convincing. In this case, 100% of employees who opened the email clicked the link and 30% of them submitted their information on the phishing form. This illustrates the point perfectly: context drives results.





Desire





Many people are driven by financial gain. You can capture this desire by sending emails about saving money (discounts, sales, replacements with better options), getting something for free, or money in general (a raise, a bonus, an extra payment). Here’s an example of such a message:
“Due to a change in product assortment, items from the warehouse will be sold to employees for 1 ruble. We can’t go lower because of legal requirements.”





Here is another example.





Good afternoon, Anna Mikhailovna,
As you requested, I’ve uploaded the payroll statement for March with corrections and bonuses:
https://[redacted].ru/private/HR/
Sincerely,
Olga [redacted]
Head of the Human Resources Department
JSC [redacted]




Anna Nikolaevna is a real employee in the organization. The message was designed to appear as sensitive information accidentally sent to the wrong person.





Confusion





Another method to capture the target’s attention is to create confusion. These emails are simple, often without a call to click anything. The target will figure that part out on their own.





Message with just a link




In the simplest case, you send the recipient a message like: “Okay!” and insert the link they’re supposed to click. That’s how it looks in the Yandex Mail interface, for example.









Message:
Alright!
Best regards,
Andrey Demidov
Show full conversation




The bottom line to “show full conversation” includes the malicious link. Once the link is clicked, you can collect information about the user’s device or fake a session timeout to make them re-enter their login details, but now on a phishing page.





Single file




Similar to the idea above, you send a file attachment and don’t write anything in the body. Just a subject and a file. Choose a neutral subject that looks serious enough not to be spam. You might use the company’s name or the name of a department (like “For the Marketing Department”).





With a custom payload, you can add things like Meterpreter to bypass AV. If you set it up right, you can get a Meterpreter session as soon as the target opens an attachment.





On app.any.run, among other things, you can download attachments used in real phishing attacks and analyze samples of recent malware.





Emotions





Adding emotional triggers strengthens the context. This means just adding a sentence or hint in the subject line. Now add pressure. What emotion are you causing?





Sympathy
For example, pick an employee who’s on leave and write: “Sending the last of the documents. They fired me while I was out on vacation. But it’s all right. My email’s getting blocked today, so don’t reply. Wishing you all the best.”





Fear
This could mean punishment, firing, loss of value. Example: “Due to restructuring, a draft list of employees to be laid off has been published.”





A simpler fear-based example: “Andrey Nikolaevich is angry, this has to be filled out ASAP.”





Anger
Comes from a boss, client, partner, or even a friend. For example: “Fill this out immediately. I don’t want to see this again.”





Conservatism
Keep the tone formal. In business messages we don’t get creative. Example: “Also sent a copy to sales@… Please don’t let this happen again: (phishing link here).” This method works well on people who tend to assume a message was meant for another department and forward it there.





Interest
Offer a gift or some other benefit to boost employee interest or loyalty.





Joy
Example: “Due to the successful year-end results, employees whose commute to work takes more than 20 minutes will be provided with taxi rides at the organization’s expense during the first quarter. To receive this benefit, a form must be completed.”





Context Booster: Pressure





Pressure is emotional and effective. Here’s how it’s commonly used:





 – Mention a boss or send a message from them.
 – Ask for help: “Could you help me with this, I need…”
 – Add urgency: “Please read the order by the end of the day.”
 – Add consequences: “Those who don’t fill out the form will lose their annual bonus.”





Emails From Government Agencies





These often scare individuals, but they also work well in corporate settings. It’s more effective to pretend to be an agency like this:






“In connection with a scheduled review for money-laundering compliance, you must prepare the documents listed in the attached file. Deadline for submission: 2 working days.”
 — Rosfinmonitoring





The structure for these emails is simple:






  1. Think of an agency your target could interact with.




  2. Look up what that agency does and choose a relevant reason for contact.




  3. Write a message using that reason and attach the malicious content, link or file.





Don’t forget: Government emails don’t just scare, they can also offer opportunities. In the example below the Arbitration Court of Amur Krai in Russia announces an unscheduled procurement. They attach the application form to the email. For security reasons, the file is encrypted with a password, which is provided in the message.





Hello!
The Arbitration Court of the Amur Region is conducting an unscheduled procurement.
We kindly ask you to provide a commercial offer.
The request is attached. For security reasons, the document is encrypted with the password “one three seven”.
Best regards,
Solovyova Anastasia Vitalyevna
Operator of Copying and Duplicating Machines, Grade 1
Arbitration Court of Primorsky Krai




Urgent Update Needed





Here’s an example of a message using the “do it now” format:









This phishing email claims that your Microsoft account is about to expire. It instructs you to click a link to update your account, warning that failure to do so will result in account termination. The message also urges immediate action upon reading the email.





Context Booster: Lies





This one is simple: add lies to boost impact. Social engineering is mostly lies anyway, but this just pushes it further. Mention a boss and say an issue was discussed with them.





You can mention an employee, such as an assistant to the production manager, who allegedly instructed you to make this request to the target. It can also be a fake employee if the company is big.





One more way to lie is twisting facts. For example, send a message saying:
“Because we’re planning our annual company foundation day event, please fill out the survey.”
Or:
“Due to the upcoming merger with OAO ‘…’, please complete the following…”





Fake Email Thread





Insert a fabricated email thread into the message, pretending there was prior communication with an employee. Then add a request to do something. For example:





“From: Head of Design Bureau
Email: [email protected]
Subject: Fwd: NDA for employees





Good afternoon,
 Please review.
 Best regards,
 Babanov V.V.
 AO “Alpha”
 https://org.gov.ru
 +7 985 777-44-11
 Moscow, Sredniy Ovchinnikovsky Lane, 21





— Forwarded message —
 From: Igor Perlov [[email protected]]
 Sent: Thursday, July 22, 2021 2:45 PM
 To: Babanov V.V. [email protected]
 Subject: Re: NDA





Sending the NDA. It needs to be distributed to all employees today.
Best regards,
Viktor Perlov”





Fake Forward





Just like the previous case, you can create a fake forwarded email. Write on behalf of a department head, with a message like “Do this today.” Below, include an order from the CEO stating what exactly needs to be done (click a link, download a file, etc.). The forwarded CEO message is not commented on, just forwarded.





Another variation: forward an email supposedly from a client. In the message, ask the employee to take a look or respond to what the sender wants. Below that, include a fake client message referencing the recipient or containing a complaint. The embedded message contains a malicious link or an infected file.





Context Boost: Matching Identity





When part of the victim’s identity overlaps with that of the fake sender, trust levels increase. This can include first name, last name, profession, hometown, or hobbies. For instance, if someone is named Andrey Ivanov, works as a lawyer, and lives in Vorkuta, the sender can be introduced as Andrey Petrov or lawyer Sergey Zhukov, also from Vorkuta.





Usable identity elements:






  1. Same first name




  2. Same last name




  3. Same profession




  4. Similar political views




  5. From the same region or city




  6. Shared hobbies




  7. Attended the same school or university




  8. Completed military service





Highlight this match in the message. Such details boost trust and engagement.





Conclusion





Phishing attacks succeed, not because of complex technical tricks, but because they exploit human behavior. Real attackers use emotional triggers and well-crafted messages to manipulate behavior. The purpose of this article was to give you a guide on how to craft phishing emails because, in our experience, phishing gets much better results than scanning random IPs. We’ve included tactics we use ourselves, but these are only a few of the phishing techniques used in real attacks. The examples should serve as inspiration. Best of luck!








Source: HackersArise
Source Link: https://hackers-arise.com/social-engineering-delivering-phishing-email-to-russian-companies-and-government/





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.