
Phishing(T1566)

A Real World Adversary Labs

Overview:

Even though the internet is one of humanity's great creations, it has also become the root cause of many cyber attacks. Let us discuss the technique that lies behind many of the data breaches that have happened to date.

Phishing is a type of social engineering attack in which the attacker impersonates a legitimate person or organisation to obtain sensitive credentials (usernames, passwords, etc.) from the target. It is the most common and widely used technique for gaining initial access to, or intruding into, the internal network of an organisation. These attacks generally target financial service companies, corporate employees and top management. Phishing is the root cause of many data thefts, and the reason for this is a lack of awareness among employees.

The Covid-19 pandemic has increased the number of phishing messages reported. According to the survey, more than 32% of data breaches occurred in the year 2020.

An attacker generally reaches victims through common communication mediums such as:

  1. Email
  2. SMS
  3. Social media
  4. Telephone 

More than 1,300 simulated phishing campaigns involved more than 360,000 emails across a wide customer base.

“Phishing remains a basic, viable, and effective threat,” Palmer said.

An attacker impersonates a legitimate company in an attempt to steal the victim's personal data or login credentials, or in some cases poses as a trustworthy party to trick people into handing over personal details. The success rate of phishing attacks keeps increasing, and it has become the most common method of obtaining sensitive information from target users.

Phishing can be executed on various platforms such as Windows, Linux, Mac and even Android. Many publicly available tools, such as Weeman and the Social-Engineer Toolkit, make the attacker's job easier.

Note: the term phishing was first coined in the year 1996 [used to steal online account passwords].

Working: 

Adversaries send maliciously crafted email attachments to the victim, typically to execute malicious programs on the victim's machine in order to gather sensitive information, intrude into the internal network, steal credentials, etc.

Phishing typically involves both social engineering and technical trickery to deceive victims into opening the attached files.

Attackers target specific users to execute these types of attacks. After collecting all the possible information about the victim using social engineering methods, a malicious link is sent to the targeted victim. When he/she opens the link, they are automatically redirected to a fake page which appears to be a legitimate one. It is very hard for the victim to analyse the page and identify it as fake. Once the credentials are entered, they are captured at the attacker's end in plain text.

Types of phishing:

Generally, phishing can be categorised based on how it works and is delivered:

  1. Spearphishing Attachment (T1566.001):

Adversaries may send a crafted email with malicious attachments. When the target downloads or executes the attachment received in the email, the attacker can harvest credentials and deliver malware to the targeted system.

Attachments are typically PDF, DOC, XLS or ZIP files.

Example: Attackers use spear-phishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.

A macro is a function that automates frequently used tasks in Microsoft Office.
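As a defender-side illustration of the attachment sub-technique above, the following is an added example (not code from cyberwarfare.live or from any tool the post mentions) that triages an email attachment: it checks the file extension against the attachment types the post lists and inspects Office Open XML files (which are zip containers) for an embedded VBA project part, the place Word and Excel store macros. The extension watch-list, verdict names and the in-memory sample documents are all constructed for the example; legacy OLE2 (.doc/.xls) files need a different parser and are only flagged here by extension.

```python
import io
import zipfile

# Constructed watch-list: the attachment types the post names as common phishing
# carriers, plus the macro-enabled Office variants. Tune this to your environment.
RISKY_EXTENSIONS = {".pdf", ".doc", ".docm", ".xls", ".xlsm", ".zip"}


def has_vba_project(data: bytes) -> bool:
    """Return True if data is an OOXML (zip) document containing a VBA macro project.

    Office keeps macros in a part named vbaProject.bin (e.g. word/vbaProject.bin
    or xl/vbaProject.bin) inside the zip container. Non-zip input returns False.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    with zipfile.ZipFile(buf) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def assess_attachment(filename: str, data: bytes) -> dict:
    """Triage one attachment and return a verdict with the reasons behind it.

    Verdicts (constructed for this example):
      allow      - nothing suspicious found
      review     - extension is on the watch-list but no macro was detected
      quarantine - a VBA project is embedded (or a non-macro extension carries one)
    """
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    reasons = []
    verdict = "allow"

    if ext in RISKY_EXTENSIONS:
        reasons.append(f"extension {ext} is on the attachment watch-list")
        verdict = "review"

    if has_vba_project(data):
        reasons.append("embedded VBA macro project (vbaProject.bin) found")
        verdict = "quarantine"
        if ext == ".docx" or ext == ".xlsx":
            # Macro-free extensions should never contain a VBA part; this usually
            # means the file was renamed to slip past naive extension filters.
            reasons.append("macro payload inside a macro-free extension")

    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Build a minimal, constructed OOXML-style zip for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample_ooxml(with_macro=True)),
        ("report.docx", build_sample_ooxml(with_macro=False)),
        ("renamed.docx", build_sample_ooxml(with_macro=True)),
        ("statement.pdf", b"%PDF-1.4 constructed sample"),
        ("notes.txt", b"plain text"),
    ]
    for fname, blob in samples:
        result = assess_attachment(fname, blob)
        print(f"{result['verdict']:10} {fname}: {'; '.join(result['reasons']) or 'clean'}")
```

In a mail gateway this check sits before the user ever sees the message; the "review" verdict is deliberately conservative because the post's listed formats (PDF, ZIP) are also everyday business attachments, whereas an embedded VBA project in an unsolicited document is the macro case the post describes and is quarantined outright.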

  2. Spearphishing Link (T1566.002):

Adversaries send a crafted URL [link] to the specific target via email or social media platforms. When the victim opens the link, it either presents a crafted login page that requests user credentials, or redirects the victim to a compromised website that lures the target into downloading a malicious application. The website visited by the victim may be a compromised one, or the victim's web browser may be hooked.

It requires social engineering tactics to target a specific individual, company, or industry.

  3. Spearphishing via Service (T1566.003):

Adversaries create fake social media accounts and personally message employees about potential job opportunities, high cash prizes and offers. In this scenario, messages are delivered through various platforms such as personal mail, Facebook, Twitter, etc. This allows an adversary to bypass some email restrictions.

There are two more phishing techniques worth knowing: vishing and smishing.

  4. Vishing

Adversaries generally target the user via phone calls. Attackers can perpetuate this type of attack by setting up a Voice over Internet Protocol (VoIP) server to mimic various entities in order to steal sensitive data and/or funds.

  5. Smishing

Adversaries generally target the user via SMS. The attacker crafts malicious text messages to trick users into clicking a malicious link or handing over personal information. Smishing is commonly used by scammers.

Consequence and Impact:

Phishing still remains a root cause of many data breaches. The attack has a severe effect on business firms that handle money transactions. It is difficult to identify whether your information has been stolen or not. In some cases it even leads to:

  1. reputation damage
  2. loss of company value
  3. financial loss

Attackers use a range of strategies and techniques. Phishing in general involves manipulation, redirection, forgery, mimicking and cloning.

Red Team: Attack Scenario

HiddenEye is an open-source tool used to generate phishing pages.

We will use it in our lab setup.

STEP 1: Download it from GitHub (https://github.com/DarkSecDevelopers/HiddenEye) and follow the installation procedure.

STEP 2: Run this command to start the tool:

sudo python3 HiddenEye.py

[Screenshot: HiddenEye start-up banner]

Note: COMPLETE RESPONSIBILITY is of the END-USER. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program. Also, we inform you that some of your actions may be ILLEGAL and you CAN NOT use this software to test a person or company without WRITTEN PERMISSION from them. 

STEP 3: Set the options as per your requirement, or follow along with our setup below.

STEP 4: Answer the first two prompts:

  Do you want to use a Cloudflare protection fake page: N
  Do you want to add a keylogger in the phishing page: N

In addition to its basic functionality, HiddenEye can add Cloudflare protection pages and keyloggers to the generated page.

STEP 5: Set the port (within the prescribed range) on which the phishing page will be served.

[Screenshot: HiddenEye site-template selection menu]

HiddenEye offers a COMPATIBILITY menu, where one can choose the phishing website template based on one's requirement.

STEP 6: Set the redirect link, i.e. the page to which you want the user sent after the fake page.

STEP 7: Select your preferred tunneling option.

By default the following tunneling options are available:

  1. LOCALHOST
  2. LOCALXPOSE
  3. SERVEO 
  4. NGROK
  5. LOCALTUNNEL 
  6. OPENPORT
  7. PAGEKITE

STEP 8: After setting all the configuration options, the tool generates a phishing link into which the victim is lured to enter his credentials.

STEP 9: Return to your terminal, where the captured credentials of the victim are displayed.

Here, we have successfully created a phishing link. Now it needs to be shared with the victim through social media platforms like:

  • Facebook
  • Gmail
  • Instagram
  • LinkedIn
  • Twitter, etc.

Messages should be designed so that they convey some emergency and demand immediate action. The victim's social media accounts help in designing the content of the message. Once the victim enters the credentials, they are captured by the attacker.

This phishing attack isn't complete yet!!!

We will continue with these techniques in our next blog. Stay tuned!!!!
