In 2008, I started operating as a hacker for hire. Since the hottest thing on the market is always catching a cheater, I was hired to investigate whether my client’s fiancé was faithful or if he was having secret conversations on a German social networking site.
There are a dozen different ways I could have uncovered the truth, the easiest being social engineering him from a fake profile. But that wouldn’t prove anything that might have happened before.
My weapon of choice? Phishing. It gets the job done and isn’t daunting, even for lesser-skilled hackers. The case was closed as soon as he fell for the phishing link I made and entered his credentials.
When phishing started trending in the 2000s, I saw every hacking group and lone bad actor getting behind it because the blueprint for building and launching phishing attacks was easy.
This is because it doesn’t require intricate knowledge of how web pages work, although that’s a huge plus. It’s important to note that every hacker, true to the hacker spirit, is going to be inquisitive about how things work, regardless of their skill level.
Nevertheless, to contrast the ambition of my generation with the present: while my own phishing campaigns involved innumerable victims, I never used these attacks to steal money. Money is the driving factor behind phishing attacks today and, consequently, why they are so popular and dangerous.
Little has changed in nearly two decades, especially in defending against it and when users aren’t paying attention.
Defenses against phishing
Years ago, I used to be able to answer the security questions associated with email accounts to gain access. An attacker could easily find the answers online or by social engineering unsuspecting users. While everyday users haven’t evolved much regarding security practices, security standards have. However, these standards only work when the public uses them.
Three formidable defenses came out that complicated phishing attacks:
1. 2FA/MFA Authentication
When Two-Factor Authentication (2FA) became available to the general public in 2011, attackers faced new challenges. Multi-factor authentication added an additional layer of security that has frustrated scammers from successfully hijacking accounts.
Most users opt to have their 2FA/MFA codes sent to their phones. This is relatively safe but not bulletproof due to SIM swap attacks, which aren’t that sophisticated to carry out. Instead of answering security questions on a screen, the attacker simply has to impersonate their victim by answering the security questions over the phone to an operator at the victim’s mobile service provider.
This attack vector is often discussed among hacker groups I’ve been a part of. Most are too intimidated by the idea of having to talk to a live operator, whereas some welcome the challenge.
If you have adversarial competitors or ambitious enemies, or if you’re just an everyday internet user, don’t over-share on the web. Remember, a threat actor can’t perform a SIM swap attack if you don’t over-share on social media.
If necessary, write a list of the accounts you use that require security questions/answers and avoid sharing information that could compromise their security. It's also important to use a password manager to avoid having your 2FA messages read by a threat actor.
2. HTTPS
This stands for Hypertext Transfer Protocol Secure. Every time Firefox users see a lock in the upper left corner of their browser, this means the domain is listed among other trusted domains, and your connection to the site is encrypted, which ensures web traffic isn’t de-anonymized or manipulated by a third party.
Trusted organizations such as Certificate Authorities (CAs) verify websites' identities and issue digital certificates, which are then used to establish secure HTTPS connections. Web browsers come with a pre-installed list of trusted websites. Sites that do not have a valid digital certificate fall under untrusted domains and will not be served over HTTPS.
If a bad actor tries to trick you into logging into a fake Facebook login page, you’re going to see that the domain in the address bar doesn’t look right. If the fake page doesn’t support HTTPS and you try to visit it, whichever browser you use, it will prevent you from visiting it, offering a warning that the webpage you’re trying to visit isn’t secure.
If you have encountered a suspicious link and aren’t sure if it’s authentic, there are a couple of steps you can take to verify its authenticity. There are free online tools where users can verify if a website is safe for browsing.
3. Google Safe Browsing
This Google service is described as a technology that “examines billions of URLs per day looking for unsafe websites. Every day, we discover thousands of new unsafe sites, many of which are legitimate websites that have been compromised. When we detect unsafe sites, we show warnings on Google Search and in web browsers. You can search to see whether a website is currently dangerous to visit.”
WHOIS records
I have been using DomainTools.com's free service since the mid-2000s, and it's been my go-to tool for inspecting domain registration. If you suspect that a URL or link isn’t authentic, you can check to see who owns it. In other words, if the link looks like www.authenticate.facebook.com, it’s time to check that HTTPS indicator, then head over to https://whois.domaintools.com/, enter the suspicious URL, and hit ‘Search’.
When the WHOIS record shows that a domain registration has no relationship to a web address masquerading as something else, it’s a clear indication that a malicious actor is behind it.
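The two checks above (is the link served over HTTPS, and does the domain actually registered to someone match the brand the link pretends to be) can be done mechanically before you paste anything into a WHOIS search. The script below is an added example, not code from the article or from DomainTools; it extracts the registrable domain (the name a WHOIS record is keyed on) from a URL and flags the usual tells. The brand allow-list and the tiny public-suffix table are constructed assumptions for the example; a real tool would load the full Public Suffix List and your own list of accounts.

```python
"""Lookalike-URL triage helper (added example, not from the original article).

Applies the article's advice to a URL: is the transport HTTPS, does the
registrable domain belong to the brand the link name-drops, and what
name would you actually look up in WHOIS?
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: brands the user holds accounts with, mapped to
# the registrable domain that brand legitimately uses (assumption).
KNOWN_BRANDS = {
    "facebook": "facebook.com",
    "paypal": "paypal.com",
}

# Tiny stand-in for the Public Suffix List so the example runs offline;
# only these are treated as two-label suffixes (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """The label a WHOIS record is keyed on: 'facebook.com' for
    'www.authenticate.facebook.com', 'secure-login.net' for
    'paypal.com.secure-login.net'. IP literals are returned unchanged."""
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return host
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url: str) -> dict:
    """Return the WHOIS lookup target plus a list of red flags for the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # 1. Transport: the article's "check the HTTPS indicator" step.
    if parts.scheme == "http":
        findings.append("plain HTTP: no TLS, no padlock")

    # 2. Host shape: raw IPs and punycode labels are classic phishing tells.
    if is_ip_literal(host):
        findings.append("host is a raw IP address, not a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (possible homoglyph domain)")

    # 3. Brand vs. registration: a brand name in a subdomain or path means
    #    nothing if the registrable domain belongs to someone else.
    reg = registrable_domain(host)
    haystack = host.replace("-", "") + " " + parts.path.lower()
    for brand, legit in KNOWN_BRANDS.items():
        if brand in haystack and reg != legit:
            findings.append(
                f"'{brand}' appears in the URL but the registrable domain is "
                f"{reg}, not {legit}"
            )

    return {"host": host, "whois_lookup": reg,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # All three sample links are constructed for the example.
    for sample in (
        "https://www.authenticate.facebook.com/login",
        "http://facebook-login.com/verify",
        "https://paypal.com.secure-login.net/signin",
    ):
        print(sample, "->", inspect_url(sample))
```

Note what the last case demonstrates: `paypal.com.secure-login.net` contains the full brand domain as a subdomain, yet the name you would find in WHOIS is `secure-login.net`. That mismatch between what the link says and who actually registered it is exactly the signal the WHOIS check is meant to surface.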
I personally use Avast Premium Security to warn me when I have visited an untrusted site it doesn’t like. Just today, I stumbled upon a phishing site, and it immediately notified me that it detected a phishing page. Having a visual warning reminds me of the dangers out there, waiting for just the right conditions to compromise my device or accounts.
Simulating a phishing attack
Assuming your company has trained its workforce to know about phishing and how to avoid it, I think it’s important for every employer to test the integrity of their employees to determine whether they have been paying attention to the security policies. This could be an important Red Team exercise you can coordinate with your Incident Response Team.
The Flipper Zero has an excellent phishing tool called Evil Portal, which can be found in the apps section of the GPIO/ESP32/Marauder WiFi modules. This tool is compatible with darkflipper firmware like RogueMaster and contains a wide variety of phishing pages imitating commonly used websites. It can be launched directly from the device. Uploading your own custom phishing templates to the module isn’t difficult, making it perfect for simulating a phishing attack.
There are plenty of GitHub scripts that contain the whole architecture needed for a phishing campaign; however, many of the fraudulent templates are outdated, and the malicious URLs lack believability.
Phishing campaign tools like ZPhisher can be used to monitor any user interaction with the phishing links and the captured keystrokes, including their IP addresses.
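What the Red Team hands to the Incident Response Team after a simulation like the one described above is not the raw list of clicks but a funnel: who was delivered the message, who clicked, who typed credentials into the fake form, and who reported it. The script below is an added example, not from the article or from ZPhisher or any other tool it names; it reads a constructed event log in a simple `key=value` format (an assumption; every platform has its own export) and produces per-department rates, counted per user so that one person clicking twice is still one click.

```python
"""Phishing-simulation scorecard (added example, not from the article).

Turns a per-user event log from an internal simulation into the numbers
a red team reports to incident response. Log format, names and
addresses below are all constructed for the example.
"""
from collections import defaultdict

# Constructed sample log: one record per line, timestamp then key=value pairs.
SIMULATION_LOG = """\
2024-05-03T09:00:02Z campaign=q2-sim user=alice dept=finance event=delivered
2024-05-03T09:04:10Z campaign=q2-sim user=alice dept=finance event=clicked src=198.51.100.23
2024-05-03T09:04:41Z campaign=q2-sim user=alice dept=finance event=submitted src=198.51.100.23
2024-05-03T09:05:02Z campaign=q2-sim user=alice dept=finance event=clicked src=198.51.100.23
2024-05-03T09:00:03Z campaign=q2-sim user=bob dept=finance event=delivered
2024-05-03T09:00:03Z campaign=q2-sim user=carol dept=engineering event=delivered
2024-05-03T09:15:27Z campaign=q2-sim user=carol dept=engineering event=clicked src=198.51.100.40
2024-05-03T09:00:04Z campaign=q2-sim user=dave dept=engineering event=delivered
2024-05-03T09:20:00Z campaign=q2-sim user=dave dept=engineering event=reported
"""

FUNNEL = ("delivered", "clicked", "submitted", "reported")


def parse_events(text: str) -> list:
    """Parse log lines into dicts; lines missing required fields are skipped."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.strip().partition(" ")
        fields = {}
        for token in rest.split():
            key, sep, value = token.partition("=")
            if sep:
                fields[key] = value
        if {"user", "dept", "event"} <= fields.keys():
            fields["ts"] = ts
            events.append(fields)
    return events


def summarize(events: list) -> dict:
    """Per-department funnel counted per user: a repeated click is one click."""
    actions = defaultdict(set)
    dept_of = {}
    for e in events:
        actions[e["user"]].add(e["event"])
        dept_of[e["user"]] = e["dept"]
    summary = defaultdict(lambda: {stage: 0 for stage in FUNNEL})
    for user, seen in actions.items():
        row = summary[dept_of[user]]
        for stage in FUNNEL:
            if stage in seen:
                row[stage] += 1
    for row in summary.values():
        n = row["delivered"] or 1  # avoid division by zero on odd logs
        row["click_rate"] = round(row["clicked"] / n, 2)
        row["submit_rate"] = round(row["submitted"] / n, 2)
        row["report_rate"] = round(row["reported"] / n, 2)
    return dict(summary)


def users_who_submitted(events: list) -> list:
    """People who typed credentials into the fake form; these accounts get
    a password reset and targeted follow-up training."""
    return sorted({e["user"] for e in events if e["event"] == "submitted"})


if __name__ == "__main__":
    evts = parse_events(SIMULATION_LOG)
    for dept, row in summarize(evts).items():
        print(dept, row)
    print("credentials submitted by:", users_who_submitted(evts))
```

The report rate is the number worth tracking across campaigns: a team whose click rate stays flat but whose report rate climbs is still improving, because the IR team hears about the lure sooner.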
The good news is that any one of these modules can be edited, and their code updated. In fact, you could also modify the source code of any of these modules by replacing the original index file with your company’s website login form to make the attack more autonomous.
There are plenty of tutorials on the internet that offer step-by-step instructions on how to create your own phishing web page - which is how we used to do things back in the day, and how expert criminal phishing campaigns work.
All a threat actor has to do is copy your website's source code and alter the form’s ‘action’ attribute, which points to the server-side code that processes form submissions. The attacker modifies the web form and instructs it to send the login form data to an off-site server under their control in order to capture the credentials.
Simply put, don’t click stuff.